MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1461dea7e2ad3a3dc4366772bcdebba5185a18d6f793d0e4a27dd3d78f2f2ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d1461dea7e2ad3a3dc4366772bcdebba5185a18d6f793d0e4a27dd3d78f2f2ab
SHA3-384 hash: c4e7443d5d2412939f09e702e22b951f77a45c5e4dd343e592e6d1f63665b73ac43d524c927c2278fdec66cb604a7d38
SHA1 hash: c2b311c1ce22e8ca9d233f87bf7f5a218dd41c21
MD5 hash: 8ba27fa91af836e6011504f920375a56
humanhash: fillet-echo-texas-hot
File name:8BA27FA91AF836E6011504F920375A56.dll
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:313'856 bytes
First seen:2025-11-29 06:00:50 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash eb0717668560c69003c9bc284324e3ce (1 x ValleyRAT)
ssdeep 6144:TupolQnpsSuoaCsWq06uKwJWU997c1J2kEy:TupIKpsnP08wJWU99I1I
TLSH T12D644B00B641D036F5EB04B5DEBE8A7A5A6C79711395A0CFD3C41DBE5F22AE17A3021B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter abuse_ch
Tags:dll RAT ValleyRAT


Avatar
abuse_ch
ValleyRAT C2:
137.220.156.78:6025

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
137.220.156.78:6025 https://threatfox.abuse.ch/ioc/1660684/

Intelligence

File Origin
# of uploads :
1
# of downloads :
142
Origin country :
NL NL
Vendor Threat Intelligence
Malware configuration found for:
ValleyFall
Details
Link:
https://research.acce.ciphertechsolutions.com/results/872d8419-7d89-4b0c-8a4d-384de313b393/
Detection:
WinosStager
Create hunting rule
Link:
https://www.capesandbox.com/analysis/41798/
Detection(s):
Win.Malware.Lpvpk-10032284-0
Create hunting rule

Win.Malware.Lpvpk-10033630-0
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=692a8c306cb1dcd5778245ee
Tags:
emotet farfli
Result
Verdict:
Malware
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug evasive farfli fingerprint microsoft_visual_cc unsafe
Link:
https://www.filescan.io/uploads/692a8c2fd0d5e7288b502df1/reports/8002c5a3-90c3-4764-970a-285ce0bead33/overview
Verdict:
Malicious
Labled as:
Win/grayware_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/d1461dea7e2ad3a3dc4366772bcdebba5185a18d6f793d0e4a27dd3d78f2f2ab
Verdict:
Malicious
File Type:
dll x32
First seen:
2025-11-26T02:21:00Z UTC
Last seen:
2025-11-30T23:20:00Z UTC
Hits:
~10
Detections:
HEUR:Backdoor.Win32.Farfli.gen
Link:
https://opentip.kaspersky.com/d1461dea7e2ad3a3dc4366772bcdebba5185a18d6f793d0e4a27dd3d78f2f2ab/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a041452e-31ff-4e54-90ee-18d8a9a64816
Result
Threat name:
ValleyRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1822739
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Multi AV Scanner detection for submitted file
Yara detected ValleyRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1822739 Sample: FM43f6vAZe.dll Startdate: 29/11/2025 Architecture: WINDOWS Score: 72 19 Antivirus / Scanner detection for submitted sample 2->19 21 Multi AV Scanner detection for submitted file 2->21 23 Yara detected ValleyRAT 2->23 7 loaddll32.exe 1 2->7         started        process3 signatures4 25 Contains functionality to inject threads in other processes 7->25 27 Contains functionality to inject code into remote processes 7->27 10 rundll32.exe 7->10         started        13 cmd.exe 1 7->13         started        15 conhost.exe 7->15         started        process5 signatures6 29 Contains functionality to inject threads in other processes 10->29 17 rundll32.exe 13->17         started        process7
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d1461dea7e2ad3a3dc4366772bcdebba5185a18d6f793d0e4a27dd3d78f2f2ab
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/8ba27fa91af836e6011504f920375a56
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d1461dea7e2ad3a3dc4366772bcdebba5185a18d6f793d0e4a27dd3d78f2f2ab/
Verdict:
Malicious
Threat:
Backdoor.Win32.Farfli
Link:
https://tip.neiki.dev/file/d1461dea7e2ad3a3dc4366772bcdebba5185a18d6f793d0e4a27dd3d78f2f2ab
Threat name:
Win32.Trojan.AntiVm
Create hunting rule
Status:
Malicious
First seen:
2025-11-26 07:01:40 UTC
File Type:
PE (Dll)
AV detection:
27 of 37 (72.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2fdb32t6flj2hxcdmz3sxtplxjiylimnn54t2dske7ot26hs6kvq._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/251129-gq169sel2w/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Unpacked files
SH256 hash:
d1461dea7e2ad3a3dc4366772bcdebba5185a18d6f793d0e4a27dd3d78f2f2ab
MD5 hash:
8ba27fa91af836e6011504f920375a56
SHA1 hash:
c2b311c1ce22e8ca9d233f87bf7f5a218dd41c21
Link:
https://www.unpac.me/results/940ad3b2-885a-4f3e-aa03-eba8bdbc1167/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d1461dea7e2ad3a3dc4366772bcdebba5185a18d6f793d0e4a27dd3d78f2f2ab

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Gh0stKCP
Create hunting rule
Author:Netresec
Description:Detects HP-Socket ARQ and KCP implementations, which are used in Gh0stKCP. Forked from @stvemillertime's KCP catchall rule.
Reference:https://netresec.com/?b=259a5af
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/41798/

Comments