MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8cc8d586cd3c1fc102fc882c901e0a53c0809747121a061202d0294bb1a2b75. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 24 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d8cc8d586cd3c1fc102fc882c901e0a53c0809747121a061202d0294bb1a2b75
SHA3-384 hash: bc26871eddf7506a041f0601a231b7eae0e7ad4bfef337a069c621c87bbee2f385544e0569881bd19bfceafbf79a113c
SHA1 hash: 70bd520865ad914b4a9271cd46c00deaab96a881
MD5 hash: 15e8ed419218216fd0b53ce2c654183c
humanhash: fifteen-wisconsin-table-indigo
File name:黑园区及死者身份信息详情.exe
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:2'927'104 bytes
First seen:2026-04-01 21:46:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 57aa5a06514e2fc2ce3dae5b3cadf0b6 (1 x ValleyRAT)
ssdeep 49152:XWM7XgF/L4vNq6b7sP38iH6YKfBIxucrQQsyKlZDDeZ1X3zwjrSGnz+uC+Mh0eWJ:XN7XsWy3p6YKfBTc0QsLDeZkKQMhj
Threatray 1'140 similar samples on MalwareBazaar
TLSH T1FCD5331AF76977E9E06F413E8492654AE37778310BB0874E131842F22F175E49E2EF62
TrID 37.0% (.EXE) Win64 Executable (generic) (6522/11/2)
28.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
11.5% (.EXE) OS/2 Executable (generic) (2029/13)
11.3% (.EXE) Generic Win/DOS Executable (2002/3)
11.3% (.EXE) DOS Executable (generic) (2000/1)
Magika pebin
Reporter Ling
Tags:exe SilverFox Trojan:Win64/Malgent!MSR ValleyRAT


Avatar
CNGaoLing
This sample has been reviewed by Microsoft researchers and determined to be malware. (Trojan:Win64/Malgent!MSR)

SilverFox IOC (IP 23.248.202.170)

Intelligence

File Origin
# of uploads :
1
# of downloads :
130
Origin country :
US US
Vendor Threat Intelligence
Gathering data
Malware family:
n/a
ID:
1
File name:
609bfe7b_.exe
Verdict:
Suspicious activity
Analysis date:
2026-04-01 11:20:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f918eb78-a75c-42da-996a-dd8c2fcd3054

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/60142/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop36.37109.980.2261.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69ccff946363ca5d27f089a7
Tags:
virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Running batch commands
Deleting a recently created file
Creating a process from a recently created file
Forced system process termination
Creating a file in the %temp% subdirectories
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Moving a recently created file
Creating a process with a hidden window
Connection attempt to an infection source
Sending a TCP request to an infection source
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/69cd9268e2df9aa488c2d84d/reports/35f3c5fa-c8c9-4130-bb89-290a57773c3a/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/d8cc8d586cd3c1fc102fc882c901e0a53c0809747121a061202d0294bb1a2b75
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-04-01T08:45:00Z UTC
Last seen:
2026-04-01T23:51:00Z UTC
Hits:
~10
Detections:
UDS:DangerousObject.Multi.Generic
Link:
https://opentip.kaspersky.com/d8cc8d586cd3c1fc102fc882c901e0a53c0809747121a061202d0294bb1a2b75/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/cd67c519-af96-4993-aee2-4461003258c7
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d8cc8d586cd3c1fc102fc882c901e0a53c0809747121a061202d0294bb1a2b75
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/15e8ed419218216fd0b53ce2c654183c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d8cc8d586cd3c1fc102fc882c901e0a53c0809747121a061202d0294bb1a2b75/
Verdict:
Malicious
Threat:
Family.VALLEYRAT_S2
Link:
https://tip.neiki.dev/file/d8cc8d586cd3c1fc102fc882c901e0a53c0809747121a061202d0294bb1a2b75
Threat name:
Win64.Trojan.Malgent
Create hunting rule
Status:
Malicious
First seen:
2026-04-01 11:21:09 UTC
File Type:
PE+ (Exe)
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3dgi2wdm2pa7yebpzcbmsapauu6aqcluoeq2ayjafubjjoy2fn2q._file
Verdict:
malicious
Label(s):
shellcode_loader_008
Create hunting rule
Similar samples:
031c37911ff8933c904fca037f7511d9092f4f20360baf0bebea6c1c63c21d3c
ValleyRAT
143fa9567ebbccacceb58201dd85b7206fdf22882ff2cea0da994a513572f14e
ValleyRAT
587fc7679681f1fba3bd4f8eceef60f28bcda87fe178c33b001ac11935028ff8
ValleyRAT
6968840ce1b13d50d13f7f0320a2e5d66bfd97073f325231edc58ec85e694b6b
ValleyRAT
a7cc50fef60f2db424d171c34140abec446daaecb10814b2d2d8a669b7c77419
ValleyRAT
b34ad2bcea2f7e3459975747fa3e44fe958cad413bc5e45768bcbf86cf505fa2
ValleyRAT
c0fcad0ba982fd95958248c73ee12f1732229632fde97d645e2e479cc664bf84
ValleyRAT
c5baf8fe00350ce8d1117384ad520583e7742797f3b57d7dcc1a9d759172d2b7
ValleyRAT
d418420aa4accfb887be12a22b277a1ea14a74bbb074debd1dc2cd341117ec1a
ValleyRAT
eae8cd926d6e304636c68e9923bc3f8132aebf27e330ecb61c8f5c8c7e77f385
ValleyRAT
error
ValleyRAT
+ 1'130 additional samples on MalwareBazaar
Result
Malware family:
valleyrat_s2
Create hunting rule
Score:
  10/10
Tags:
family:valleyrat_s2 backdoor discovery installer persistence
Link:
https://tria.ge/reports/260401-1nbclsgy4k/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Inno Setup is an open-source installation builder for Windows applications.
System Location Discovery: System Language Discovery
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Detects ValleyRAT payload
ValleyRat
Valleyrat_s2 family
Unpacked files
SH256 hash:
d8cc8d586cd3c1fc102fc882c901e0a53c0809747121a061202d0294bb1a2b75
MD5 hash:
15e8ed419218216fd0b53ce2c654183c
SHA1 hash:
70bd520865ad914b4a9271cd46c00deaab96a881
Link:
https://www.unpac.me/results/5af7ff03-bfa0-48ae-8417-8bde2f93f55b/
Malware family:
ValleyRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d8cc8d586cd3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d8cc8d586cd3c1fc102fc882c901e0a53c0809747121a061202d0294bb1a2b75

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:GenericGh0st
Create hunting rule
Author:Still
Rule name:Gh0stKCP
Create hunting rule
Author:Netresec
Description:Detects HP-Socket ARQ and KCP implementations, which are used in Gh0stKCP. Forked from @stvemillertime's KCP catchall rule.
Reference:https://netresec.com/?b=259a5af
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Create hunting rule
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.
Rule name:Windows_Generic_Threat_4b0b73ce
Create hunting rule
Author:Elastic Security
Rule name:Windows_Shellcode_Rdi_eee75d2c
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Winos_464b8a2e
Create hunting rule
Author:Elastic Security
Rule name:WinosStager
Create hunting rule
Author:YungBinary
Description:https://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign
Rule name:win_winos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.winos.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ValleyRAT

Executable exe d8cc8d586cd3c1fc102fc882c901e0a53c0809747121a061202d0294bb1a2b75

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/60142/

Comments