MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e113b7591dd047b7c32a9fd1204d38f1d37952729d7b08a0bb038ea534cf4590. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ValleyRAT

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	e113b7591dd047b7c32a9fd1204d38f1d37952729d7b08a0bb038ea534cf4590
SHA3-384 hash:	6b7a3b70b2121072a8979c768bb5bcbfd5b4e84bf3b319c0bc2c1799df2678b25b6dedcab20eee49140238df5e0d2730
SHA1 hash:	a00ce367a7bac1c540729e0ac9d3eaefadea16fc
MD5 hash:	a1326237e1e562927b3d49dfaf12db09
humanhash:	carolina-alaska-shade-rugby
File name:	Documento-IRPF.exe
Download:	download sample
Signature	ValleyRAT Create hunting rule
File size:	6'995'456 bytes
First seen:	2026-03-16 12:26:14 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	35a8ca8f9e23c606269cf36f04ccf126 (1 x ValleyRAT)
ssdeep	196608:t+cMLu9QSWrBaLtKc7QTK4Waymj/0tteKr7aEe:+y9QlBab7Tgymj/0ttlaEe
Threatray	1 similar samples on MalwareBazaar
TLSH	T1076633D4AAD308C4C9A983781653BAFE39B33EC592704C5EB54C7DC5BAF32509436A93
TrID	42.7% (.EXE) Win32 Executable (generic) (4504/4/1) 19.2% (.EXE) OS/2 Executable (generic) (2029/13) 19.0% (.EXE) Generic Win/DOS Executable (2002/3) 18.9% (.EXE) DOS Executable (generic) (2000/1)
Magika	pebin
Reporter	zhuzhu0009
Tags:	exe SilverFox ValleyRAT

Intelligence

File Origin

# of uploads :

# of downloads :

143

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

Documento-IRPF.exe

Verdict:

No threats detected

Analysis date:

2026-03-16 12:28:28 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/ffc84fd5-7f78-4a85-82be-096d6589f9b6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/57632/

Verdict:

Malicious

Score:

91.7%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69b7f72193b644ca466a9149

Tags:

virus

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a process with a hidden window

DNS request

Connecting to a non-recommended domain

Connection attempt

Sending a custom TCP request

Creating a file in the %temp% directory

Creating a file

Enabling the 'hidden' option for files in the %temp% directory

Creating a process from a recently created file

Creating a window

Adding an exclusion to Microsoft Defender

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

crypto installer-heuristic packed

Link:

https://www.filescan.io/uploads/69b7f71e493cb7d62dffe740/reports/8ad8e80c-a49a-4009-b026-aa3a46131906/overview

Verdict:

Malicious

Labled as:

Suspicious:Packer.Agdetc.a.aurb

Link:

https://www.hybrid-analysis.com/sample/e113b7591dd047b7c32a9fd1204d38f1d37952729d7b08a0bb038ea534cf4590

Verdict:

Clean

File Type:

exe x32

Link:

https://opentip.kaspersky.com/e113b7591dd047b7c32a9fd1204d38f1d37952729d7b08a0bb038ea534cf4590/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/94a1a351-b444-4d74-aa0d-a99a9ce776d3

Result

Threat name:

n/a

Detection:

malicious

Classification:

rans.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1884228

Signature

Adds a directory exclusion to Windows Defender

Found direct / indirect Syscall (likely to bypass EDR)

Hides threads from debuggers

Initial sample is a PE file and has a suspicious name

Installs new ROOT certificates

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Suspicious Script Execution From Temp Folder

Suspicious powershell command line found

Switches to a custom stack to bypass stack traces

Tries to evade analysis by execution special instruction (VM detection)

Writes many files with high entropy

Behaviour

Behavior Graph:

Download SVG

Score:

97%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/e113b7591dd047b7c32a9fd1204d38f1d37952729d7b08a0bb038ea534cf4590

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/a1326237e1e562927b3d49dfaf12db09

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e113b7591dd047b7c32a9fd1204d38f1d37952729d7b08a0bb038ea534cf4590/

Verdict:

Clean

Link:

https://tip.neiki.dev/file/e113b7591dd047b7c32a9fd1204d38f1d37952729d7b08a0bb038ea534cf4590

Threat name:

Win32.Trojan.Etset

Status:

Malicious

First seen:

2026-03-14 05:40:37 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

9 of 24 (37.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4ej3owi52bd3pqzkt7isatjy6hjxsutstv5qrif3aohkkngpiwia._file

Verdict:

malicious

Label(s):

shellcode_loader_008

ValleyRAT

error

ValleyRAT

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/260316-pmtxsaat4r/

Behaviour

Suspicious use of NtSetInformationThreadHideFromDebugger

Unpacked files

SH256 hash:

e113b7591dd047b7c32a9fd1204d38f1d37952729d7b08a0bb038ea534cf4590

MD5 hash:

a1326237e1e562927b3d49dfaf12db09

SHA1 hash:

a00ce367a7bac1c540729e0ac9d3eaefadea16fc

Link:

https://www.unpac.me/results/9770f21e-ef35-4192-a5f0-ae41bccdb685/

SH256 hash:

4eada34842e91dd47f4dcb39029a452399129e9348a02e3347497c018d058fcd

MD5 hash:

e990fd618c4e76e4d45063a43f6c055e

SHA1 hash:

0defb6e339e41bd6f70eceaafe2b8a1145624805

Link:

https://www.unpac.me/results/9770f21e-ef35-4192-a5f0-ae41bccdb685/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e113b7591dd047b7c32a9fd1204d38f1d37952729d7b08a0bb038ea534cf4590

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_detect_tls_callbacks Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/57632/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample