MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d94869c8716511062aad53d6b4befc783ccd4d5a703967f79b55626bb7637f53. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d94869c8716511062aad53d6b4befc783ccd4d5a703967f79b55626bb7637f53
SHA3-384 hash: 0e8c49e9d7feebcd8a9481d7191c0ddf40e5bc658dcf984a7ae27b369c8b0bfbded54ad5efea2531315f2d0ed83068c5
SHA1 hash: a307710bec76109580463b7250bd2345039ec7e0
MD5 hash: 976e24d7136df6c2dbf7fb1b165fe98f
humanhash: diet-mirror-enemy-enemy
File name:976e24d7136df6c2dbf7fb1b165fe98f.exe
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:390'144 bytes
First seen:2025-02-25 12:40:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d7444b6dc7c8cddb50fba5269ad57bce (12 x ValleyRAT)
ssdeep 6144:REuCLheWNooiWVs7nHrjfQbW7enoHNcB9vi3:FCEW3iWu7HHP7encc
TLSH T16F848E49F79505F8E5678138C9634916EBB27C6D03A09BDF33A4466A2F237D0AE3E710
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe ValleyRAT


Avatar
abuse_ch
ValleyRAT C2:
45.192.168.10:4433

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.192.168.10:4433 https://threatfox.abuse.ch/ioc/1430625/

Intelligence

File Origin
# of uploads :
1
# of downloads :
526
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
976e24d7136df6c2dbf7fb1b165fe98f.exe
Verdict:
Malicious activity
Analysis date:
2025-02-25 13:11:49 UTC
Tags:
silverfox backdoor winos
Link:
https://app.any.run/tasks/4986eaaf-0496-4f7b-bceb-662bec2b5b8e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Malware.Slpvpk-10042553-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67bdba7a28ab76d43a5d0c1f
Tags:
emotet cobalt
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Connection attempt
Sending a custom TCP request
Creating a file
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-vm evasive fingerprint ghostrat microsoft_visual_cc obfuscated rat
Link:
https://www.filescan.io/uploads/67bdba6b60f4b4f0724c2b04/reports/34077fbf-27b7-447c-9ed4-a47fedfffc13/overview
Verdict:
Malicious
Labled as:
Malware.SLPVPk.Generic
Link:
https://www.hybrid-analysis.com/sample/d94869c8716511062aad53d6b4befc783ccd4d5a703967f79b55626bb7637f53
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
ValleyRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f7b467a5-ee35-47da-ba8c-d1c71e2b7d54
Result
Threat name:
GhostRat, ValleyRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1623691
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Drops password protected ZIP file
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Found stalling execution ending in API Sleep call
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sigma detected: Potentially Suspicious Malware Callback Communication
Suricata IDS alerts for network traffic
Tries to detect sandboxes / dynamic malware analysis system (QueryWinSAT)
Yara detected GhostRat
Yara detected ValleyRAT
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d94869c8716511062aad53d6b4befc783ccd4d5a703967f79b55626bb7637f53
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d94869c8716511062aad53d6b4befc783ccd4d5a703967f79b55626bb7637f53/
Threat name:
Win64.Backdoor.GhostRAT
Create hunting rule
Status:
Malicious
First seen:
2025-02-22 14:46:00 UTC
File Type:
PE+ (Exe)
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3fegtsdrmuiqmkvnkplljpx4pa6m2tk2oa4wp543kvrgxn3dp5jq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/250225-pwt9xaxjw4/
Behaviour
Modifies Control Panel
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Adds Run key to start application
Enumerates connected drives
Loads dropped DLL
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/8cd52b47-168f-453c-ab6f-3aae460a26c5
Unpacked files
SH256 hash:
d94869c8716511062aad53d6b4befc783ccd4d5a703967f79b55626bb7637f53
MD5 hash:
976e24d7136df6c2dbf7fb1b165fe98f
SHA1 hash:
a307710bec76109580463b7250bd2345039ec7e0
Link:
https://www.unpac.me/results/a7313d76-7a79-425d-8f31-1a5ad4b32bce/
Malware family:
ValleyRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d94869c87165/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d94869c8716511062aad53d6b4befc783ccd4d5a703967f79b55626bb7637f53

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:ValleyRAT
Create hunting rule
Author:NDA0E
Description:Detects ValleyRAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::FreeSid
ADVAPI32.dll::GetSidSubAuthorityCount
ADVAPI32.dll::GetSidSubAuthority
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
ole32.dll::CreateStreamOnHGlobal
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdiplusStartup
gdiplus.dll::GdiplusShutdown
gdiplus.dll::GdipGetImageEncodersSize
gdiplus.dll::GdipGetImageEncoders
gdiplus.dll::GdipDeleteGraphics
gdiplus.dll::GdipAlloc
MULTIMEDIA_APICan Play MultimediaWINMM.dll::timeGetTime
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::CheckTokenMembership
ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateRemoteThread
KERNEL32.dll::CreateProcessW
KERNEL32.dll::CreateProcessA
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::VirtualAllocEx
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetSystemInfo
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleWindow
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileW
KERNEL32.dll::GetSystemDirectoryA
KERNEL32.dll::GetSystemDirectoryW
KERNEL32.dll::GetFileAttributesW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupAccountSidW
ADVAPI32.dll::LookupPrivilegeValueW
KERNEL32.dll::QueryDosDeviceW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryInfoKeyW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_SOCK_APIUses Network to send and receive dataWS2_32.dll::WSACloseEvent
WS2_32.dll::WSACreateEvent
WS2_32.dll::WSAEnumNetworkEvents
WS2_32.dll::WSAEventSelect
WS2_32.dll::WSAIoctl
WS2_32.dll::WSAResetEvent
WIN_USER_APIPerforms GUI ActionsUSER32.dll::EmptyClipboard
USER32.dll::OpenClipboard
USER32.dll::PeekMessageW

Comments