MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d08c07e7a8a7ffeb5e3e1ee417ec7b292f00a72920768915bf964efce66d2482. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ValleyRAT

Vendor detections: 15

Intelligence 15 IOCs 1 YARA 25 File information Comments

SHA256 hash:	d08c07e7a8a7ffeb5e3e1ee417ec7b292f00a72920768915bf964efce66d2482
SHA3-384 hash:	302bd44ddcd2ab24d42f3a7a8e71ba144496ae4c02889c5fe5d09b398e98d7ae5b1aec38a1c3ba57e0063cafcb9bf47f
SHA1 hash:	682ea50cbac6d4c47858bccf7baa7b356d85265e
MD5 hash:	5c8bea324b7bb8a41976cc0e4b6c2dad
humanhash:	oregon-diet-johnny-queen
File name:	5C8BEA324B7BB8A41976CC0E4B6C2DAD.exe
Download:	download sample
Signature	ValleyRAT Create hunting rule
File size:	3'428'352 bytes
First seen:	2025-12-15 00:25:10 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	12aeb56d19857b19a8ee03b5078d80b3 (1 x ValleyRAT)
ssdeep	49152:tPoPoP/iiJVVwGz3L3MpadD/RkJnhcV4NQkhttGo+vB2Eoq7:tQPonbVVl4papGJw4NQvvvho2
TLSH	T17CF5128AFCA813BAD0360430586796CEE5B66CF10E25C5BB13D513ED3DB02B969365B3
TrID	42.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 22.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 14.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	abuse_ch
Tags:	exe RAT ValleyRAT

abuse_ch

ValleyRAT C2:
143.92.62.89:6666

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
143.92.62.89:6666	https://threatfox.abuse.ch/ioc/1679285/

Intelligence

File Origin

# of uploads :

# of downloads :

196

Origin country :

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/3371706a-794a-4a7a-9b06-d3c521c32690/

Malware family:

n/a

ID:

File name:

_d08c07e7a8a7ffeb5e3e1ee417ec7b292f00a72920768915bf964efce66d2482.exe

Verdict:

No threats detected

Analysis date:

2025-12-15 00:26:07 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/68579a7f-cb61-4e47-8b8e-640e1ead9869

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/44656/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=693f5578039c1dfc733948f0

Tags:

vmdetect emotet

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

adaptive-context anti-vm babar keylogger microsoft_visual_cc obfuscated packed packed safengine_shielden unsafe virus

Link:

https://www.filescan.io/uploads/693f557464bd958a52113da3/reports/2eb16073-7362-427c-9841-5d3c3a32eb66/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/d08c07e7a8a7ffeb5e3e1ee417ec7b292f00a72920768915bf964efce66d2482

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-12-11T20:11:00Z UTC

Last seen:

2025-12-15T00:23:00Z UTC

Hits:

~10

Detections:

Backdoor.Win32.Xkcp.bsb Backdoor.Win32.Xkcp.a Backdoor.Xkcp.TCP.ServerRequest Backdoor.Agent.TCP.C&C

Link:

https://opentip.kaspersky.com/d08c07e7a8a7ffeb5e3e1ee417ec7b292f00a72920768915bf964efce66d2482/results?tab=lookup

Malware family:

ValleyRAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3ba33a05-aa10-44ba-9a76-7791bb4fdcc0

Result

Threat name:

GhostRat, ValleyRAT

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1832689

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Hides threads from debuggers

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for submitted file

PE file has a writeable .text section

Suricata IDS alerts for network traffic

Switches to a custom stack to bypass stack traces

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Unusual module load detection (module proxying)

Yara detected GhostRat

Yara detected ValleyRAT

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/d08c07e7a8a7ffeb5e3e1ee417ec7b292f00a72920768915bf964efce66d2482

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

.Net Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/5c8bea324b7bb8a41976cc0e4b6c2dad

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d08c07e7a8a7ffeb5e3e1ee417ec7b292f00a72920768915bf964efce66d2482/

Verdict:

Malicious

Threat:

Backdoor.Win32.Xkcp

Link:

https://tip.neiki.dev/file/d08c07e7a8a7ffeb5e3e1ee417ec7b292f00a72920768915bf964efce66d2482

Threat name:

Win32.Infostealer.Babar

Status:

Malicious

First seen:

2025-12-13 05:51:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 36 (61.11%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2cgapz5iu776wxr6d3sbp3d3fexqbjzjeb3isfn7szhpzztnesba._file

Result

Malware family:

n/a

Score:

3/10

Tags:

discovery

Link:

https://tria.ge/reports/251215-aqtnvsas7f/

Behaviour

System Location Discovery: System Language Discovery

Verdict:

Malicious

Tags:

ProcessKiller

YARA:

n/a

Link:

https://app.threat.zone/submission/50691cb4-f924-400f-98dd-d866ff27f6eb

Unpacked files

SH256 hash:

d08c07e7a8a7ffeb5e3e1ee417ec7b292f00a72920768915bf964efce66d2482

MD5 hash:

5c8bea324b7bb8a41976cc0e4b6c2dad

SHA1 hash:

682ea50cbac6d4c47858bccf7baa7b356d85265e

Link:

https://www.unpac.me/results/c5fbbe26-b20a-4170-bb2a-32e00fb04dda/

SH256 hash:

118287085c72cf7d1bf3489c96196b375b881f5247e122d91c9c7a60f5311b85

MD5 hash:

151d91ee06505f6719562c726c0dfaf7

SHA1 hash:

0ede29c3c62d9f00e186d198c37060f7be232f63

Link:

https://www.unpac.me/results/c5fbbe26-b20a-4170-bb2a-32e00fb04dda/

Malware family:

Shielden

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d08c07e7a8a7/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d08c07e7a8a7ffeb5e3e1ee417ec7b292f00a72920768915bf964efce66d2482

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__RemoteAPI Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	GenericGh0st Create hunting rule
Author:	Still

Rule name:	Gh0stKCP Create hunting rule
Author:	Netresec
Description:	Detects HP-Socket ARQ and KCP implementations, which are used in Gh0stKCP. Forked from @stvemillertime's KCP catchall rule.
Reference:	https://netresec.com/?b=259a5af

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_peb_parsing Create hunting rule
Author:	Willi Ballenthin

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

Rule name:	Windows_Generic_Threat_4b0b73ce Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_Winos_464b8a2e Create hunting rule
Author:	Elastic Security

Rule name:	win_valley_rat_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.valley_rat.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/44656/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample