MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8282ae9485c170bc5728e80cd77882b7b5b6023c99a4e59e7e611a78a17ba74. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ValleyRAT

Vendor detections: 13

Intelligence 13 IOCs YARA 10 File information Comments

SHA256 hash:	d8282ae9485c170bc5728e80cd77882b7b5b6023c99a4e59e7e611a78a17ba74
SHA3-384 hash:	5837cb78bf1ff25224ecfd748dd54e704377b86f9446221e12350a4b25371f44ee8b656f6308387f70b369002cf90784
SHA1 hash:	5e2f6d59e0179a4870ef0791feaabb7880d79034
MD5 hash:	28f026633bca2f58f40ad8660925f7d1
humanhash:	eight-nuts-coffee-two
File name:	ChroneSetup.exe
Download:	download sample
Signature	ValleyRAT Create hunting rule
File size:	13'580'361 bytes
First seen:	2025-11-30 19:22:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	5e48fbae3520a62c95e412b293e1759c (2 x ValleyRAT, 1 x PureLogsStealer)
ssdeep	393216:Ens4oupdQoRdNUs20ROy/YHGeUVR5u7Uo8ufe:gstAdbHZ20t/YILo98um
TLSH	T1DAD6332586408236D54D8BF77EF07EB23FBFA9D641C8B91AC3E744A5C9D8F413268462
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10522/11/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	GDHJDSYDH1
Tags:	backdoor dropper exe FakeApp SilverFox ValleyRAT

Intelligence

File Origin

# of uploads :

# of downloads :

107

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

NSIS

Details

No details

Malware family:

n/a

ID:

File name:

ChroneSetup.exe

Verdict:

Malicious activity

Analysis date:

2025-11-30 19:13:01 UTC

Tags:

delphi

Link:

https://app.any.run/tasks/a54d15a3-6387-4909-baff-20d4bd5dfe5a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/41951/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=692c973efca025d00d4713e7

Tags:

shellcode dropper emotet overt

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %AppData% directory

Creating a process from a recently created file

Creating a process with a hidden window

Creating a file in the Program Files subdirectories

Creating a window

Creating a file in the %temp% subdirectories

Deleting a recently created file

Сreating synchronization primitives

Searching for synchronization primitives

Creating a service

Moving a file to the Program Files subdirectory

Launching a service

Creating a file

Moving a recently created file

Moving a file to the %temp% subdirectory

Searching for the window

Searching for analyzing tools

Enabling the 'hidden' option for recently created files

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Searching for many windows

Launching the default Windows debugger (dwwin.exe)

Creating a file in the system32 subdirectories

Enabling autorun for a service

Enabling autorun by creating a file

Verdict:

Malicious

Labled as:

Malware_61.2

Link:

https://www.hybrid-analysis.com/sample/d8282ae9485c170bc5728e80cd77882b7b5b6023c99a4e59e7e611a78a17ba74

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-11-30T13:59:00Z UTC

Last seen:

2025-12-01T13:02:00Z UTC

Hits:

~100

Detections:

Trojan.Win32.RokRat.sb Trojan.Win32.Mansabo.sb Trojan.Win32.Gatak.sb Trojan.Win32.AntiAV.dcku Trojan.Win32.Agent.sb Trojan.MSIL.Crypt.sb Trojan-Dropper.Win32.Dapato.shaf PDM:Trojan.Win32.Generic Trojan.Win32.Shellcode.sb Trojan.Win32.Shellcode.ixe Trojan.Win32.AntiAV.sb Trojan.Agent.TCP.C&C Backdoor.Win32.Zegost.sb

Link:

https://opentip.kaspersky.com/d8282ae9485c170bc5728e80cd77882b7b5b6023c99a4e59e7e611a78a17ba74/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/91a92d4b-66c8-4ac1-8d4e-83c0a9a03734

Score:

85%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/d8282ae9485c170bc5728e80cd77882b7b5b6023c99a4e59e7e611a78a17ba74

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/28f026633bca2f58f40ad8660925f7d1

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d8282ae9485c170bc5728e80cd77882b7b5b6023c99a4e59e7e611a78a17ba74/

Verdict:

Malicious

Threat:

Trojan.Win32.RokRat

Link:

https://tip.neiki.dev/file/d8282ae9485c170bc5728e80cd77882b7b5b6023c99a4e59e7e611a78a17ba74

Threat name:

Win32.Trojan.Egairtigado

Status:

Malicious

First seen:

2025-11-30 19:13:03 UTC

File Type:

PE (Exe)

AV detection:

16 of 38 (42.11%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3aucv2kilqlqxrlsr2am254ifn5vwybdzgne4wph4yi2pcqxxj2a._file

Result

Malware family:

n/a

Score:

8/10

Tags:

defense_evasion discovery installer persistence privilege_escalation spyware stealer trojan

Link:

https://tria.ge/reports/251130-x3wejs1peq/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Inno Setup is an open-source installation builder for Windows applications.

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

System Time Discovery

Drops file in Program Files directory

Drops file in Windows directory

Drops file in System32 directory

Checks installed software on the system

Checks whether UAC is enabled

Checks computer location settings

Event Triggered Execution: Component Object Model Hijacking

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Boot or Logon Autostart Execution: Active Setup

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/b8c550ec-c6a1-4c83-bcb8-0d4096e7f883

Unpacked files

SH256 hash:

d8282ae9485c170bc5728e80cd77882b7b5b6023c99a4e59e7e611a78a17ba74

MD5 hash:

28f026633bca2f58f40ad8660925f7d1

SHA1 hash:

5e2f6d59e0179a4870ef0791feaabb7880d79034

Link:

https://www.unpac.me/results/8ff66257-23eb-4b18-8ec2-0f8eb104c108/

SH256 hash:

6d69272f9e39889ea4731fea44710d3c17b9653c0c650d01400599f055f1d054

MD5 hash:

e39f573054897e1ab0a151277dc72e1d

SHA1 hash:

fd8e4284dd465fe9494ac565d5ce57cf982399b4

Link:

https://www.unpac.me/results/8ff66257-23eb-4b18-8ec2-0f8eb104c108/

SH256 hash:

d209b8ba212fa8b1c5237a81ddc9935f1971b81f406ae57d2f09457bb33037c9

MD5 hash:

607df59f305560e671896d32cf88480f

SHA1 hash:

3bb0a387ae9e82e040b2856e8183cbb2acbf8eea

Link:

https://www.unpac.me/results/8ff66257-23eb-4b18-8ec2-0f8eb104c108/

SH256 hash:

388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95

MD5 hash:

e4211d6d009757c078a9fac7ff4f03d4

SHA1 hash:

019cd56ba687d39d12d4b13991c9a42ea6ba03da

Link:

https://www.unpac.me/results/8ff66257-23eb-4b18-8ec2-0f8eb104c108/

SH256 hash:

75227e597f5868e0e20523436c78ba28775df66248b584700044bb2109f72738

MD5 hash:

606fdf1fa001522cef6a48935400c064

SHA1 hash:

fd7fbe51b671257d6e2572e256df07ed89ea65c4

Link:

https://www.unpac.me/results/8ff66257-23eb-4b18-8ec2-0f8eb104c108/

SH256 hash:

dc7b6b556ad8229c9cb105e9bf304d550a055e814a318bc5f825eeb30cf5a81b

MD5 hash:

0c4fe24de2265841b1456305422f974f

SHA1 hash:

2cb66d3d154dea5b725025f087b41e02c5438c75

Link:

https://www.unpac.me/results/8ff66257-23eb-4b18-8ec2-0f8eb104c108/

SH256 hash:

1c55a9fd0e0e422bb20f88356acffd0f81c0decd26ae8a01019469badda4c313

MD5 hash:

f25ca96a832c7bc4d96722211a7d9ce8

SHA1 hash:

1c8f80403969aad24ff885aa971d01f0f68a233e

Link:

https://www.unpac.me/results/8ff66257-23eb-4b18-8ec2-0f8eb104c108/

SH256 hash:

35ca839dbec9ae5da553b51a1994b9a5d1a3fae67be29fa99ae77974ab11ff20

MD5 hash:

c48072d261bd453a63438da46f6cda7a

SHA1 hash:

24ff956f48435ebeedcc8833ec9bba4336d64b80

Link:

https://www.unpac.me/results/8ff66257-23eb-4b18-8ec2-0f8eb104c108/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d8282ae9485c170bc5728e80cd77882b7b5b6023c99a4e59e7e611a78a17ba74

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Detect_NSIS_Nullsoft_Installer Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects NSIS installers by .ndata section + NSIS header string

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	Windows_Generic_Threat_c9003b7b Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Generic_Threat_ce98c4bc Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

any.run

https://app.any.run/tasks/a54d15a3-6387-4909-baff-20d4bd5dfe5a

Link

https://tria.ge/251130-xw12fsbl2x/behavioral1

Cape

https://www.capesandbox.com/analysis/41951/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample