MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d16696ece5eb6833f6497b70a5bc894a32479a52f19b1f5dd49be5473f8d2ba5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ValleyRAT


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 3 File information Comments

SHA256 hash: d16696ece5eb6833f6497b70a5bc894a32479a52f19b1f5dd49be5473f8d2ba5
SHA3-384 hash: 5578cbaa2537a7ca7ea2ecf1a673ebc1d487d41140e0547d04ebeda15dbf49e6a177cdfed82e874fb3b8f41f29560985
SHA1 hash: d6f688726227b0ea0bbf4ab6bb6a93b5c28a631a
MD5 hash: 5a93ca1560e5e9689620887be0f110b1
humanhash: neptune-jupiter-muppet-speaker
File name:2026.exe
Download: download sample
Signature ValleyRAT
File size:440'832 bytes
First seen:2026-03-06 09:25:11 UTC
Last seen:2026-03-06 13:44:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a035ee702e8e6269a6c35195019f1c86 (1 x ValleyRAT)
ssdeep 12288:F6I9oJimDwgjNZxxbmKjwp+2C3/7WNT4c2Ds07HZfmKCEPXAP3:F2JiXUN3gymOTo2sCHFLBXS3
Threatray 11 similar samples on MalwareBazaar
TLSH T15494D01175D2C473E9B215300AF8DBB95A7DBC210B359AEBA7D4077E8F302C1A731A66
TrID 22.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win64 Executable (generic) (6522/11/2)
17.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.7% (.EXE) Win32 Executable (generic) (4504/4/1)
7.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter abuse_ch
Tags:exe RAT ValleyRAT


Avatar
abuse_ch
ValleyRAT C2:
156.254.21.227:8888

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
156.254.21.227:8888 https://threatfox.abuse.ch/ioc/1760242/

Intelligence


File Origin
# of uploads :
3
# of downloads :
173
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
2026.exe
Verdict:
No threats detected
Analysis date:
2026-03-06 09:11:36 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm fingerprint microsoft_visual_cc packed
Verdict:
Malicious
File Type:
exe x32
Detections:
Trojan.Win32.Zenpak.sb HEUR:Backdoor.Win32.Farfli.gen
Result
Threat name:
ValleyRAT
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Contain functionality to detect virtual machines
Contains functionality to inject code into remote processes
Found evasive API chain (may stop execution after checking mutex)
Found potential dummy code loops (likely to delay analysis)
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Suricata IDS alerts for network traffic
Unusual module load detection (module proxying)
Yara detected ValleyRAT
Behaviour
Behavior Graph:
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86
Threat name:
Win32.Trojan.Egairtigado
Status:
Malicious
First seen:
2026-03-06 09:11:41 UTC
File Type:
PE (Exe)
AV detection:
19 of 37 (51.35%)
Threat level:
  5/5
Result
Malware family:
valleyrat_s2
Score:
  10/10
Tags:
family:valleyrat_s2 backdoor discovery
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
System Location Discovery: System Language Discovery
Enumerates connected drives
Detects ValleyRAT payload
ValleyRat
Valleyrat_s2 family
Unpacked files
SH256 hash:
d16696ece5eb6833f6497b70a5bc894a32479a52f19b1f5dd49be5473f8d2ba5
MD5 hash:
5a93ca1560e5e9689620887be0f110b1
SHA1 hash:
d6f688726227b0ea0bbf4ab6bb6a93b5c28a631a
Malware family:
ValleyRAT
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments