MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dcf93414b0b484552594de493651c303a85f79044d81d05471a8a80496ade5bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 17


Intelligence 17 IOCs 1 YARA 24 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dcf93414b0b484552594de493651c303a85f79044d81d05471a8a80496ade5bd
SHA3-384 hash: aa053386cac56eba80a7368f794574e46bddc1d92836378ebdb51229a308f896e4b8c82e1e532eb89174b0d853b6251d
SHA1 hash: 0e9d717b91d75b38b313bda65ceed260dacd31e7
MD5 hash: 3957cec5878cb5615240365c9f6e58a2
humanhash: spaghetti-maine-seven-black
File name:xdcf93414b0b484552594de493651c303a85f79044d81.exe
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:1'868'288 bytes
First seen:2026-01-10 07:15:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d42595b695fc008ef2c56aabd8efd68e (365 x Vidar, 94 x Stealc, 92 x Rhadamanthys)
ssdeep 24576:ZHWmE76qBJpQNlus47JAY+cxDFjbX+jBjCNcBh5mMKB:ZHAn/Q8s4N7ejCk6
Threatray 424 similar samples on MalwareBazaar
TLSH T18B854B47BCD158F5D0AA92318A6691527B71BC490F3263EB3E90B37C2F72BD06A79740
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags:exe RAT ValleyRAT


Avatar
abuse_ch
ValleyRAT C2:
192.229.116.171:447

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
192.229.116.171:447 https://threatfox.abuse.ch/ioc/1700300/

Intelligence

File Origin
# of uploads :
1
# of downloads :
144
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
xdcf93414b0b484552594de493651c303a85f79044d81d05471a8a80496ade5bd.exe
Verdict:
Malicious activity
Analysis date:
2026-01-10 07:00:37 UTC
Tags:
auto-reg golang
Link:
https://app.any.run/tasks/cb134614-9a38-46a3-a14d-aa9e6988da0b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/48448/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6961f915f50945831dff96e1
Tags:
autorun emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file
Creating a service
Launching a service
Restart of the analyzed sample
Searching for synchronization primitives
Creating a window
Launching the default Windows debugger (dwwin.exe)
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Connection attempt to an infection source
Sending a TCP request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm crypto golang
Link:
https://www.filescan.io/uploads/6961fca930368802bb7f01d8/reports/fde7cb3e-7168-4994-a213-7fd630fdf610/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/dcf93414b0b484552594de493651c303a85f79044d81d05471a8a80496ade5bd
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-01-10T04:04:00Z UTC
Last seen:
2026-01-10T08:24:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.Win64.Goshell.gen
Link:
https://opentip.kaspersky.com/dcf93414b0b484552594de493651c303a85f79044d81d05471a8a80496ade5bd/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/14d73842-20b9-4f61-9a2d-b90ce84afe78
Result
Threat name:
ValleyRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1847817
Signature
Allocates many large memory junks
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Sigma detected: Suspicious New Service Creation
Suricata IDS alerts for network traffic
Unusual module load detection (module proxying)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected ValleyRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1847817 Sample: xdcf93414b0b484552594de4936... Startdate: 10/01/2026 Architecture: WINDOWS Score: 100 88 Suricata IDS alerts for network traffic 2->88 90 Found malware configuration 2->90 92 Multi AV Scanner detection for submitted file 2->92 94 3 other signatures 2->94 9 xdcf93414b0b484552594de493651c303a85f79044d81.exe 11 2->9         started        12 xdcf93414b0b484552594de493651c303a85f79044d81.exe 10 1 2->12         started        15 xdcf93414b0b484552594de493651c303a85f79044d81.exe 1 2->15         started        17 3 other processes 2->17 process3 dnsIp4 98 Detected unpacking (creates a PE file in dynamic memory) 9->98 100 Contains functionality to inject threads in other processes 9->100 102 Contains functionality to capture and log keystrokes 9->102 106 4 other signatures 9->106 19 xdcf93414b0b484552594de493651c303a85f79044d81.exe 9->19         started        21 schtasks.exe 1 9->21         started        31 2 other processes 9->31 86 192.229.116.171, 447, 49690, 49695 LEASEWEB-USA-LAX-11US United States 12->86 104 Allocates many large memory junks 12->104 23 xdcf93414b0b484552594de493651c303a85f79044d81.exe 12->23         started        25 schtasks.exe 1 12->25         started        33 2 other processes 12->33 27 xdcf93414b0b484552594de493651c303a85f79044d81.exe 15->27         started        35 3 other processes 15->35 29 WerFault.exe 17->29         started        signatures5 process6 process7 44 4 other processes 19->44 37 conhost.exe 21->37         started        39 xdcf93414b0b484552594de493651c303a85f79044d81.exe 1 23->39         started        46 3 other processes 23->46 42 conhost.exe 25->42         started        48 4 other processes 27->48 50 2 other processes 31->50 52 2 other processes 33->52 54 3 other processes 35->54 signatures8 96 Allocates many large memory junks 39->96 56 schtasks.exe 1 39->56         started        58 sc.exe 1 39->58         started        60 sc.exe 1 39->60         started        62 WerFault.exe 39->62         started        68 3 other processes 44->68 70 3 other processes 46->70 64 schtasks.exe 48->64         started        66 sc.exe 48->66         started        72 4 other processes 48->72 process9 process10 74 conhost.exe 56->74         started        76 conhost.exe 58->76         started        78 conhost.exe 60->78         started        80 conhost.exe 64->80         started        82 conhost.exe 66->82         started        84 conhost.exe 72->84         started       
Score:
96%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/dcf93414b0b484552594de493651c303a85f79044d81d05471a8a80496ade5bd
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/3957cec5878cb5615240365c9f6e58a2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dcf93414b0b484552594de493651c303a85f79044d81d05471a8a80496ade5bd/
Verdict:
Malicious
Threat:
Family.VALLEYRAT_S2
Link:
https://tip.neiki.dev/file/dcf93414b0b484552594de493651c303a85f79044d81d05471a8a80496ade5bd
Threat name:
Win64.Backdoor.Valleyrat
Create hunting rule
Status:
Suspicious
First seen:
2026-01-09 20:48:53 UTC
File Type:
PE+ (Exe)
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3t4tiffqwscfkjmu3zetmuodaouf66iejwa5avdrvcuajfvn4w6q._file
Verdict:
malicious
Label(s):
valleyrat
Create hunting rule
Similar samples:
1c3501b4689c6072553f84fd7ea04c655a204f9d960825c09745fcbe38a33cdf
ValleyRAT
247bc5015b57de8b3b61bd8afdf7f432aef154405129004e941b7fa890104a6c
ValleyRAT
608639e4b592cfdcc7d6bf3de6e6bd38e70c61f4e07bc9f47ed3fb3dbfae8c21
ValleyRAT
7ed4fb65dd859ee8ebe2c174fa9ba7ba953a5f3585f064e42c09d0a23f8d39c8
ValleyRAT
7f526f51e12c0e66bfb00b2b5132669010db2fc3664394ce8051e1ccb9c323e3
ValleyRAT
c65b94204e8e7f2c9a85cba08db28449a8e7e91702856380ade9fa7b9f63bf4d
ValleyRAT
d3cbcd81a249212c42c752454e7b704f4b0da63f30b142ed08b60c614c91c248
ValleyRAT
error
ValleyRAT
fefa640efcb181ede0f59c963719648d0904be2d2e45d9c9ef7d381e50592cea
ValleyRAT
+ 414 additional samples on MalwareBazaar
Result
Malware family:
valleyrat_s2
Create hunting rule
Score:
  10/10
Tags:
family:valleyrat_s2 backdoor execution persistence
Link:
https://tria.ge/reports/260110-h3n8xagx2c/
Behaviour
Modifies data under HKEY_USERS
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Launches sc.exe
Adds Run key to start application
Enumerates connected drives
Creates new service(s)
Detects ValleyRAT payload
ValleyRat
Valleyrat_s2 family
Verdict:
Malicious
Tags:
ProcessKiller
YARA:
n/a
Link:
https://app.threat.zone/submission/5a6c105c-f404-491e-a7ac-dd89f6097465
Unpacked files
SH256 hash:
dcf93414b0b484552594de493651c303a85f79044d81d05471a8a80496ade5bd
MD5 hash:
3957cec5878cb5615240365c9f6e58a2
SHA1 hash:
0e9d717b91d75b38b313bda65ceed260dacd31e7
Link:
https://www.unpac.me/results/4c976da4-eddc-48c6-a25f-9f3b1d7e8e05/
Malware family:
ValleyRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/dcf93414b0b4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.98
Link:
https://yomi.yoroi.company/submissions/dcf93414b0b484552594de493651c303a85f79044d81d05471a8a80496ade5bd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:Detect_Go_GOMAXPROCS
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata
Rule name:Gh0stKCP
Create hunting rule
Author:Netresec
Description:Detects HP-Socket ARQ and KCP implementations, which are used in Gh0stKCP. Forked from @stvemillertime's KCP catchall rule.
Reference:https://netresec.com/?b=259a5af
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:golang_duffcopy_amd64
Create hunting rule
Rule name:Golang_Find_CSC846
Create hunting rule
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:Golang_Find_CSC846_Simple
Create hunting rule
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:ProgramLanguage_Golang
Create hunting rule
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Suspicious_Golang_Binary
Create hunting rule
Author:Tim Machac
Description:Triage: Golang-compiled binary with suspicious OS/persistence/network strings (not family-specific)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/48448/

Comments