MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dbdb425f59933650146ae3c32313677afa4ff3e27c739a2a8e528095f68a950a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dbdb425f59933650146ae3c32313677afa4ff3e27c739a2a8e528095f68a950a
SHA3-384 hash: fed56f58301eaafa465f6c54db8cb882d39a499b0960aa93278e7b05fdf8fb644b887381e2052d3a4045a806fa3ec914
SHA1 hash: 53a2f4b4a542b6e78764c35d5faadb1a72321f70
MD5 hash: 6436ad2e556ff8608899ffb953f512cf
humanhash: pluto-kitten-bulldog-colorado
File name:安装setup.exe
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:22'795'040 bytes
First seen:2025-07-10 05:17:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6fc2c59267c403703f6c999b2cd9c8e6 (1 x ValleyRAT)
ssdeep 393216:XQZ7xbSHqo4hOGVINeUcu/04B9azNRvD97BOEZVW/7QsVGm20vOUvgf0UqVoDH:gx2KVn0eUcu/LB9aRrbOEC/7ZG8FGf
Threatray 65 similar samples on MalwareBazaar
TLSH T108373323F54429EED54AC471A24B1B23ED1934CD4B2287EF178216F92FAC6F24F38665
TrID 43.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
27.6% (.EXE) Win64 Executable (generic) (10522/11/4)
13.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.3% (.EXE) OS/2 Executable (generic) (2029/13)
5.2% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter GDHJDSYDH1
Tags:backdoor dropper exe SilverFox ValleyRAT


Avatar
GDHJDSYDH1
C2: 206.238.114.217
Domain: a.zqycftmex.cn

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
206.238.114.217:7777 https://threatfox.abuse.ch/ioc/1555422/

Intelligence

File Origin
# of uploads :
1
# of downloads :
51
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup.exe
Verdict:
Malicious activity
Analysis date:
2025-07-10 05:11:38 UTC
Tags:
rust
Link:
https://app.any.run/tasks/87f43365-85c8-4405-b304-c7d923d18d04

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/13734/
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=686f4d25c9eb9747376800ab
Tags:
shellcode shell
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Running batch commands
DNS request
Connection attempt
Launching a process
Searching for synchronization primitives
Creating a window
Сreating synchronization primitives
Sending a custom TCP request
Moving of the original file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm cmd invalid-signature lolbin microsoft_visual_cc obfuscated packed packed packer_detected rust signed
Link:
https://www.filescan.io/uploads/686f4d210737c4165a987260/reports/bd341901-f457-4027-9c9a-ec8303331a5f/overview
Verdict:
Malicious
Labled as:
Win64/GenKryptik.HKDX trojan
Link:
https://www.hybrid-analysis.com/sample/dbdb425f59933650146ae3c32313677afa4ff3e27c739a2a8e528095f68a950a
Score:
53%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/dbdb425f59933650146ae3c32313677afa4ff3e27c739a2a8e528095f68a950a
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PDB Path PE (Portable Executable) Win 64 Exe x64
Link:
https://app.malva.re/file/6436ad2e556ff8608899ffb953f512cf
Gathering data
Verdict:
Malicious
Threat:
trojan.cryp
Link:
https://tip.neiki.dev/file/dbdb425f59933650146ae3c32313677afa4ff3e27c739a2a8e528095f68a950a
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-07-10 05:11:41 UTC
File Type:
PE+ (Exe)
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3pnuex2zsm3fafdk4pbsge3hpl5e747cprzzukuokkajl5uksufa._file
Verdict:
malicious
Label(s):
valleyrat
Create hunting rule
Similar samples:
0c4db03b4deb41efd71f82444034efc2196fb8586a74d85786b6d09a1ae19ef5
ValleyRAT
47040b942f874d377548c8743b8a4e443d4f281c29af2d23d670e0ccf9b6ea2e
ValleyRAT
6490a19d1b236722f4560e3c59722b16319ff3b4a425897b4c513f6ac8a7524c
ValleyRAT
78073d05ad9332199eea1f51bc30ae648745d4fe2e725f1ffca0d164369822f9
ValleyRAT
83f8553d64af8e471b7d0e18425e85e85d39565b4e7de8f80c807715551c8cb3
ValleyRAT
abd7e3e563b878b8050cea2a8fd76fbc47dd067e7480b54e583c2882c5115487
ValleyRAT
error
ValleyRAT
f0193ed53ec30bcba588fcc0d08c87a6ad066bbf1c30eec0eee3860715d6c6f6
ValleyRAT
fbb7826f9715516801419259ce25b9be57a67663a790efb931a7b4a2fb83d052
ValleyRAT
+ 55 additional samples on MalwareBazaar
Result
Malware family:
valleyrat_s2
Create hunting rule
Score:
  10/10
Tags:
family:valleyrat_s2 backdoor persistence ransomware
Link:
https://tria.ge/reports/250710-fzffgszxd1/
Behaviour
Modifies registry class
Opens file in notepad (likely ransom note)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Enumerates connected drives
Checks computer location settings
Deletes itself
ValleyRat
Valleyrat_s2 family
Malware Config
C2 Extraction:
a.zqycftmex.cn:77777
a.zqycftmex.cn:7777
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/210ee8f6-7137-4daa-b6db-1f7156f50a96
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dbdb425f59933650146ae3c32313677afa4ff3e27c739a2a8e528095f68a950a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:ProgramLanguage_Rust
Create hunting rule
Author:albertzsigovits
Description:Application written in Rust programming language
Rule name:Rustyloader_mem_loose
Create hunting rule
Author:James_inthe_box
Description:Corroded buerloader
Reference:https://app.any.run/tasks/83064edd-c7eb-4558-85e8-621db72b2a24
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ValleyRAT

Executable exe dbdb425f59933650146ae3c32313677afa4ff3e27c739a2a8e528095f68a950a

(this sample)

  
Link
https://tria.ge/250710-fvk56sdr6s
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/13734/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW
KERNEL32.dll::GetWindowsDirectoryW
KERNEL32.dll::GetSystemDirectoryW
KERNEL32.dll::GetFileAttributesW

Comments