MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e2c72920b15258deaaef003cca1defdce6f6db00ad2f6c5e396a112815bea9eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e2c72920b15258deaaef003cca1defdce6f6db00ad2f6c5e396a112815bea9eb
SHA3-384 hash: c8efd454800a7ea4ae318549ca2aa034103d3bcfd45e9f55eab32c68cac108b9a7406fd99764fe6d5ba9836cc026c1a0
SHA1 hash: 91f7c0c45235b2c1ec465b16905560e31a5298c9
MD5 hash: c10d06f698e3cbc67cf16178a28337ad
humanhash: floor-nitrogen-lithium-march
File name:点击安装简体中文语言包.exe
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:2'609'624 bytes
First seen:2026-04-13 15:27:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c127b5c3dca6719be48578d9541b6a59 (1 x ValleyRAT)
ssdeep 49152:GRItqar3Gb2P9QTdE2UY+FGV7cwS7FHW+:CIH6QQTgYV7bs2+
TLSH T1F6C5B013665408B5E46FC135A8D69E3BEBB474420BA0C7CB13A8C6694F637C12F7E3A5
TrID 29.5% (.EXE) Win64 Executable (generic) (6522/11/2)
22.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter Ling
Tags:exe ValleyRAT


Avatar
CNGaoLing
ValleyRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
115
Origin country :
US US
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
点击安装简体中文语言包.exe
Verdict:
Malicious activity
Analysis date:
2026-04-13 15:15:11 UTC
Tags:
valleyrat silverfox rat winos
Link:
https://app.any.run/tasks/bfed074d-8eb8-4f70-8eac-0afc0df4f8bf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/61410/
Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69dd0abff68adfe100396da4
Tags:
shellcode injection obfusc
Result
Verdict:
Clean
Maliciousness:
Gathering data
Verdict:
Malicious
Labled as:
Win64/ShellCode.Agent
Link:
https://www.hybrid-analysis.com/sample/e2c72920b15258deaaef003cca1defdce6f6db00ad2f6c5e396a112815bea9eb
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-04-13T23:35:00Z UTC
Last seen:
2026-04-15T09:52:00Z UTC
Hits:
~10
Detections:
UDS:DangerousObject.Multi.Generic BSS:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/e2c72920b15258deaaef003cca1defdce6f6db00ad2f6c5e396a112815bea9eb/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/a98ab997-d365-4070-9fef-a703676a3e0c
Score:
6%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/e2c72920b15258deaaef003cca1defdce6f6db00ad2f6c5e396a112815bea9eb
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e2c72920b15258deaaef003cca1defdce6f6db00ad2f6c5e396a112815bea9eb/
Verdict:
Susipicious
Link:
https://tip.neiki.dev/file/e2c72920b15258deaaef003cca1defdce6f6db00ad2f6c5e396a112815bea9eb
Threat name:
Win64.Trojan.Malgent
Create hunting rule
Status:
Malicious
First seen:
2026-04-13 15:24:51 UTC
File Type:
PE+ (Exe)
Extracted files:
5
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4ldssifrkjmn5kxpaa6muhpp3ttpnwyavuxwyxrzniisqfn6vhvq._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/260413-sv3fnsev5s/
Unpacked files
SH256 hash:
e2c72920b15258deaaef003cca1defdce6f6db00ad2f6c5e396a112815bea9eb
MD5 hash:
c10d06f698e3cbc67cf16178a28337ad
SHA1 hash:
91f7c0c45235b2c1ec465b16905560e31a5298c9
Link:
https://www.unpac.me/results/65a42edc-4424-4a8d-aaf7-4e6bae6a0771/
SH256 hash:
194c3e2481623da35b1eed3df1ce8b55d537bc6fcd20bfc715d028adfcf27a73
MD5 hash:
846b27be747d6bab1dad29f694003a42
SHA1 hash:
07df2b47199dd2895e4b953214066cd0025bc36d
Link:
https://www.unpac.me/results/65a42edc-4424-4a8d-aaf7-4e6bae6a0771/
SH256 hash:
31416ac62f64c9505075f5302e73feb93f2e6bf3dc0ae6863d23a29773cefd87
MD5 hash:
28749213448bea0eb811a203f2c2c953
SHA1 hash:
528170b5a64086200e1e91ce5ee319102d7d7afd
Link:
https://www.unpac.me/results/65a42edc-4424-4a8d-aaf7-4e6bae6a0771/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e2c72920b152/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.27
Link:
https://yomi.yoroi.company/submissions/e2c72920b15258deaaef003cca1defdce6f6db00ad2f6c5e396a112815bea9eb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Create hunting rule
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ValleyRAT

Executable exe e2c72920b15258deaaef003cca1defdce6f6db00ad2f6c5e396a112815bea9eb

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/61410/

Comments