MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e07bffd9a54ba58df4b79b851075c714ec3e275805c47b891af8d5648db82081. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 17


Intelligence 17 IOCs 1 YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e07bffd9a54ba58df4b79b851075c714ec3e275805c47b891af8d5648db82081
SHA3-384 hash: 044fe395699a1bcf74b123ab487ffe87873b8324b0828a3280f9c9a38b2205e3f56a74b18e7fe8fd0a4f8f5d1465cec4
SHA1 hash: 96ba336824213a381332a7f79d88e74bd549fde9
MD5 hash: a3e4bf11f2bddb38fb43d0c6f1e794cf
humanhash: lithium-venus-north-sink
File name:1818d962f04bdafba255f0a2bdbc5385.exe
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:1'567'744 bytes
First seen:2026-01-04 19:25:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 161e826dfd316276e2fb5c263851bbbd (1 x ValleyRAT)
ssdeep 24576:WH+vtzc7KCmdZ49gLK5m52dwmeF4d6zo7apPppvp5gc5h+Zs3U:WH+B+IVp52+eKY2pIE
Threatray 156 similar samples on MalwareBazaar
TLSH T1B875021B776328FCCA1F813882DA5772A971F4280364AEAB17D4D7B23F64D540A1ED39
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10522/11/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter abuse_ch
Tags:exe upx-dec ValleyRAT


Avatar
abuse_ch
UPX decompressed file, sourced from SHA256 dcc0e2606f2881c371ae80d41f558fded4fc7723c15f458d067e6fb790da6829

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
8.136.41.104:3323 https://threatfox.abuse.ch/ioc/1691027/
File size (compressed) :1'100'288 bytes
File size (de-compressed) :1'567'744 bytes
Format:win64/pe
Packed file: dcc0e2606f2881c371ae80d41f558fded4fc7723c15f458d067e6fb790da6829

Intelligence

File Origin
# of uploads :
1
# of downloads :
120
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
_e07bffd9a54ba58df4b79b851075c714ec3e275805c47b891af8d5648db82081.exe
Verdict:
Malicious activity
Analysis date:
2026-01-04 19:26:36 UTC
Tags:
auto-reg donutloader loader valleyrat rat silverfox winos
Link:
https://app.any.run/tasks/1f22659d-045c-4ddb-bc89-5852163a5341

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/47636/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=695abed7e148d42004df6511
Tags:
emotet virus shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Сreating synchronization primitives
Running batch commands
Launching a process
Creating a file
Connection attempt
Sending a custom TCP request
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug base64 packed
Link:
https://www.filescan.io/uploads/695abed4148c21e830f01ee8/reports/783c562e-15c8-4b93-9989-da4be6e30488/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/e07bffd9a54ba58df4b79b851075c714ec3e275805c47b891af8d5648db82081
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-01-02T02:43:00Z UTC
Last seen:
2026-01-04T18:48:00Z UTC
Hits:
~10
Detections:
PDM:Trojan.Win32.Generic Backdoor.Agent.TCP.C&C Trojan.Win32.HTA.atq
Link:
https://opentip.kaspersky.com/e07bffd9a54ba58df4b79b851075c714ec3e275805c47b891af8d5648db82081/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cc3ee4aa-b60e-47a3-abda-f65d515456dc
Result
Threat name:
DonutLoader, ValleyRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1844500
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Found stalling execution ending in API Sleep call
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Tries to detect sandboxes / dynamic malware analysis system (QueryWinSAT)
Unusual module load detection (module proxying)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected DonutLoader
Yara detected ValleyRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1844500 Sample: 1818d962f04bdafba255f0a2bdb... Startdate: 04/01/2026 Architecture: WINDOWS Score: 100 44 Suricata IDS alerts for network traffic 2->44 46 Found malware configuration 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 6 other signatures 2->50 7 1818d962f04bdafba255f0a2bdbc5385.exe 8 2->7         started        10 2.exe 1 2->10         started        13 2.exe 1 2->13         started        process3 file4 28 C:\Users\user\AppData\...\WinStore.App.dll, PE32+ 7->28 dropped 30 C:\Users\user\AppData\...\PilotshubApp.dll, PE32+ 7->30 dropped 32 C:\Users\user\AppData\Roaming\...\2.exe, PE32+ 7->32 dropped 34 C:\Users\user\AppData\Roaming\...\1.exe, PE32+ 7->34 dropped 15 1.exe 7->15         started        17 cmd.exe 1 7->17         started        60 Found direct / indirect Syscall (likely to bypass EDR) 10->60 signatures5 process6 signatures7 20 2.exe 4 15->20         started        40 Uses ping.exe to sleep 17->40 42 Uses ping.exe to check the status of other devices and networks 17->42 24 PING.EXE 1 17->24         started        26 conhost.exe 17->26         started        process8 dnsIp9 36 8.136.41.104, 3323, 49718, 49719 CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd Singapore 20->36 52 Found evasive API chain (may stop execution after checking mutex) 20->52 54 Found stalling execution ending in API Sleep call 20->54 56 Contains functionality to inject threads in other processes 20->56 58 6 other signatures 20->58 38 127.0.0.1 unknown unknown 24->38 signatures10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e07bffd9a54ba58df4b79b851075c714ec3e275805c47b891af8d5648db82081
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/a3e4bf11f2bddb38fb43d0c6f1e794cf
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e07bffd9a54ba58df4b79b851075c714ec3e275805c47b891af8d5648db82081/
Verdict:
Malicious
Threat:
Family.VALLEYRAT
Link:
https://tip.neiki.dev/file/e07bffd9a54ba58df4b79b851075c714ec3e275805c47b891af8d5648db82081
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-01-02 14:42:00 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
16 of 36 (44.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4b577wnfjosy35fxtocra5ohctwd4j2yaxchxci27dkwjdnyecaq._file
Verdict:
malicious
Label(s):
donutloader
Create hunting rule
valleyrat
Create hunting rule
Similar samples:
1cc62d774236839a8067b217ed9844b475d78eca9b27c5f6419ad1ffa35b9d64
ValleyRAT
a89819d8298417810e440254559762c1975c1bb81032db1038d3947c2f77d4ba
ValleyRAT
d7adfc9774a6f8f2e40da98960bbaaefd6851a362ed0953281df63a449c9bff1
ValleyRAT
dcc0e2606f2881c371ae80d41f558fded4fc7723c15f458d067e6fb790da6829
ValleyRAT
e026b43e5a2b1ec0409e7dc3b60631146a0e68203780dd5b80e2b9673ab08f3c
ValleyRAT
e07bffd9a54ba58df4b79b851075c714ec3e275805c47b891af8d5648db82081
ValleyRAT
error
ValleyRAT
+ 146 additional samples on MalwareBazaar
Result
Malware family:
donutloader
Create hunting rule
Score:
  10/10
Tags:
family:donutloader discovery loader persistence
Link:
https://tria.ge/reports/260106-jdzh1sdr5v/
Behaviour
Runs ping.exe
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Detects DonutLoader
DonutLoader
Donutloader family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1d6c7416-2a41-4f4a-8dc7-f370c572a4c1
Unpacked files
SH256 hash:
e07bffd9a54ba58df4b79b851075c714ec3e275805c47b891af8d5648db82081
MD5 hash:
a3e4bf11f2bddb38fb43d0c6f1e794cf
SHA1 hash:
96ba336824213a381332a7f79d88e74bd549fde9
Link:
https://www.unpac.me/results/21ea044b-2319-4da0-8cc4-75e27ee33e0a/
Malware family:
ValleyRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e07bffd9a54b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e07bffd9a54ba58df4b79b851075c714ec3e275805c47b891af8d5648db82081

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:Gh0stKCP
Create hunting rule
Author:Netresec
Description:Detects HP-Socket ARQ and KCP implementations, which are used in Gh0stKCP. Forked from @stvemillertime's KCP catchall rule.
Reference:https://netresec.com/?b=259a5af
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Generic_Threat_3055c14a
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Winos_464b8a2e
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

ValleyRAT

Executable exe dcc0e2606f2881c371ae80d41f558fded4fc7723c15f458d067e6fb790da6829

ValleyRAT

Executable exe e07bffd9a54ba58df4b79b851075c714ec3e275805c47b891af8d5648db82081

(this sample)

  
Dropped by
SHA256 dcc0e2606f2881c371ae80d41f558fded4fc7723c15f458d067e6fb790da6829
  
Dropped by
MD5 1818d962f04bdafba255f0a2bdbc5385
Cape
Cape
https://www.capesandbox.com/analysis/47636/

Comments