MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf36607a670996c7b8b275132bef9e8faacf5f97a3268edaa23b5e2e5a3fdf29. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ValleyRAT

Vendor detections: 9

Intelligence 9 IOCs 1 YARA 12 File information Comments

SHA256 hash:	cf36607a670996c7b8b275132bef9e8faacf5f97a3268edaa23b5e2e5a3fdf29
SHA3-384 hash:	2c673e01c771cba7a9052eeac4b290c697bb10b583d8a7b1f04e53ae2abdfaceb5744be2c94eaf375b6c3d73df3713f1
SHA1 hash:	f4a908218a7209770da6e1f42953cd8be7af78b1
MD5 hash:	cce31796d67a72ffb303713268d6f21a
humanhash:	tennis-river-london-lion
File name:	cf36607a670996c7b8b275132bef9e8faacf5f97a3268edaa23b5e2e5a3fdf29.zip
Download:	download sample
Signature	ValleyRAT Create hunting rule
File size:	3'312'780 bytes
First seen:	2026-03-17 13:23:08 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	98304:RtHCkju4+QJbXLC+H16lfRDjJOwthM1PhR6+dN1shDZ:RMLwCgmZjJpMVmCoht
TLSH	T137E533A1C0446345E9661BE8249ECE33B79FF30584359131AF44E0BF812ABA76ED45FE
Magika	zip
Reporter	JAMESWT_WT
Tags:	43-160-214-122 ValleyRAT ywdtwss-icu zip

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
43.160.214.122:22011	https://threatfox.abuse.ch/ioc/1770774/

Intelligence

File Origin

# of uploads :

# of downloads :

131

Origin country :

File Archive Information

This file archive contains 11 file(s), sorted by their relevance:

File name:	vcruntime140_threads.dll
File size:	36'000 bytes
SHA256 hash:	bb2b1d16187562376fc888059e2cbbf26c5404f6a4bb7197d1d01b970f199667
MD5 hash:	f33686a21e90c76989b3c89acc6c7167
MIME type:	application/x-dosexec
Signature	ValleyRAT

File name:	msvcp140_2.dll
File size:	294'992 bytes
SHA256 hash:	2a5365e03cc6e78b408dfca81537f3734bf3d7cf9cc13ae33204dfbc641dbe43
MD5 hash:	8a905a035e730bf611d9927cfda5eaee
MIME type:	application/x-dosexec
Signature	ValleyRAT

File name:	vccorlib140.dll
File size:	287'360 bytes
SHA256 hash:	89ed5a6877a87ec3ec9fe4a0fb14dc950599f0b67318e746084a0c333a6c865f
MD5 hash:	e31ea3c69878adf3abb87d7a7ce4b7a1
MIME type:	application/x-dosexec
Signature	ValleyRAT

File name:	msvcp140_1.dll
File size:	33'896 bytes
SHA256 hash:	01a58552686d0c6b9fd67a7ac81169fc0013aedf59a8efdc611f94907489a31c
MD5 hash:	804c24586c4b92845130df77f97e42d6
MIME type:	application/x-dosexec
Signature	ValleyRAT

File name:	msvcp140_codecvt_ids.dll
File size:	30'824 bytes
SHA256 hash:	a5cbecfd9b8892ec9a60e30fef7ef2158032c6d91efdfbaca87c082bcd48bfa9
MD5 hash:	06003c07efbc571fcb243149953aad81
MIME type:	application/x-dosexec
Signature	ValleyRAT

File name:	vcruntime140.dll
File size:	91'216 bytes
SHA256 hash:	a9d7732a3c3de09f0601a7fa2555093dcb49f08e2fc62a86091461f0f38393ed
MD5 hash:	4bea1ba68690620b78c7502ac968f0ba
MIME type:	application/x-dosexec
Signature	ValleyRAT

File name:	msvcp140_atomic_wait.dll
File size:	47'240 bytes
SHA256 hash:	c4a2bae74e008a5bb2445f9078c14df9dcb03267248dfa64e7d04cdc8af5208e
MD5 hash:	4aeb0f5e744241b59813fd51075b2170
MIME type:	application/x-dosexec
Signature	ValleyRAT

File name:	concrt140.dll
File size:	259'688 bytes
SHA256 hash:	a2b04c69868b08a600518ebbad1661d38de4dd0e0a8e638c22d4641d410e50b1
MD5 hash:	db5f992aa6dbd35be2dc2a6012ebe024
MIME type:	application/x-dosexec
Signature	ValleyRAT

File name:	msvcp140.dll
File size:	447'616 bytes
SHA256 hash:	97e71a3c697fb1ab3af777db39009e4602525e8c3aff0837ecc7031cba188165
MD5 hash:	cbf2f368dae5e7dcf338c6f63533a2a9
MIME type:	application/x-dosexec
Signature	ValleyRAT

File name:	SystemMaintenance.exe
File size:	3'863'352 bytes
SHA256 hash:	cdcb7126e18b31023afb3c3d42e48bd9bb108cad4f87490be317a3e40e70b736
MD5 hash:	ec8784a178367bbabde0a95673b089e3
MIME type:	application/x-dosexec
Signature	ValleyRAT

File name:	sqlite3.dll
File size:	852'480 bytes
SHA256 hash:	795190db4f5689c3b9973a7d3e6a01ad9eaee7c34d7c7446d0557a8fd916b96d
MD5 hash:	575ae22575b47753935082237d589eaf
MIME type:	application/x-dosexec
Signature	ValleyRAT

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/b73372f8-af87-4b7b-9a9c-8af51a118f8c/

Verdict:

Malicious

Score:

70%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69b955c893b644ca466ae424

Tags:

injection obfusc crypt

Result

Verdict:

Unknown

File Type:

PE File

Link:

https://app.docguard.net/cf36607a670996c7b8b275132bef9e8faacf5f97a3268edaa23b5e2e5a3fdf29/results/dashboard

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/cf36607a670996c7b8b275132bef9e8faacf5f97a3268edaa23b5e2e5a3fdf29

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/cf36607a670996c7b8b275132bef9e8faacf5f97a3268edaa23b5e2e5a3fdf29

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

File Type:

zip

Link:

https://opentip.kaspersky.com/cf36607a670996c7b8b275132bef9e8faacf5f97a3268edaa23b5e2e5a3fdf29/results?tab=lookup

Score:

99%

Verdict:

Malware

File Type:

Result

Malware family:

n/a

Score:

8/10

Tags:

discovery upx

Link:

https://tria.ge/reports/260317-qvba3sdv5v/

Behaviour

Modifies registry class

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

UPX packed file

Looks up external IP address via web service

Executes dropped EXE

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cf36607a670996c7b8b275132bef9e8faacf5f97a3268edaa23b5e2e5a3fdf29

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	telebot_framework Create hunting rule
Author:	vietdx.mb

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample