MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6e26a376faaf347aafaef5768efba40297eb60b23a38e1cf02f944d21dda4c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e6e26a376faaf347aafaef5768efba40297eb60b23a38e1cf02f944d21dda4c4
SHA3-384 hash: 0264a31a6d40cb36a56731b45366b0b35154723e2f7d5bf9e3837648612264d54c81de23aad2ca3ab1a1a6e9523dfa9f
SHA1 hash: f196dd8ea2db343b01dfefc65f50081cc35a73c6
MD5 hash: f497f8ed67dd4053336d109f4d3b518a
humanhash: cola-muppet-wisconsin-nevada
File name:letsVPN.msi
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:47'616'000 bytes
First seen:2025-08-11 15:16:50 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 786432:YpsLWt5iKQtcq6BmHKxVLTAnFxlC/u8vMQy8jLRlr9SogFPCvBhvW1Gu/:Yp5BQy5KgLUnFxo/5YMbICvBhvoGu
Threatray 379 similar samples on MalwareBazaar
TLSH T19BA73332B287C532E55C543AED69FF1D0175BEB3073401D7A7E93DAA88F48C296B0A46
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter aachum
Tags:43-248-172-5 CHN msi SilverFox ValleyRAT VoidArachne winos


Avatar
iamaachum
https://aqmetcip.com/Barrie-4.7.zip

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
43.248.172.5:42284 https://threatfox.abuse.ch/ioc/1567286/

Intelligence

File Origin
# of uploads :
1
# of downloads :
32
Origin country :
ES ES
Vendor Threat Intelligence
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=689a09a1c633abe3908de4ff
Tags:
virus
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug base64 cmd expired-cert fingerprint lolbin msiexec short-lived-cert wix
Link:
https://www.filescan.io/uploads/689a09989ef4d2ff7cf66d38/reports/521e56c3-8810-44c9-9ebd-dfb81d1551bc/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/e6e26a376faaf347aafaef5768efba40297eb60b23a38e1cf02f944d21dda4c4
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/e6e26a376faaf347aafaef5768efba40297eb60b23a38e1cf02f944d21dda4c4
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
ValleyRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad.mine
Score:
94 / 100
Link:
https://www.joesandbox.com/analysis/1754701
Signature
Accesses sensitive object manager directories (likely to detect virtual machines)
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to inject code into remote processes
Contains functionality to modify Windows User Account Control (UAC) settings
Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)
Detected unpacking (creates a PE file in dynamic memory)
Disable UAC(promptonsecuredesktop)
Disables UAC (registry)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies the DNS server
Modifies the windows firewall
Multi AV Scanner detection for submitted file
Potential malicious VBS script found (suspicious strings)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sample is not signed and drops a device driver
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Uses netsh to modify the Windows network and firewall settings
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected ValleyRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1754701 Sample: letsVPN.msi Startdate: 11/08/2025 Architecture: WINDOWS Score: 94 150 yandex.com 2->150 152 www.yandex.com 2->152 154 8 other IPs or domains 2->154 178 Suricata IDS alerts for network traffic 2->178 180 Found malware configuration 2->180 182 Multi AV Scanner detection for submitted file 2->182 184 8 other signatures 2->184 14 msiexec.exe 106 67 2->14         started        17 WinCache.exe 2->17         started        20 msiexec.exe 15 2->20         started        22 11 other processes 2->22 signatures3 process4 file5 134 C:\ProgramData\...\MicrosoftCacha.exe, PE32 14->134 dropped 136 C:\ProgramData\WindowsCache\Latest.exe, PE32 14->136 dropped 138 C:\ProgramData\WindowsCache\...\WinCache.exe, PE32 14->138 dropped 146 23 other files (4 malicious) 14->146 dropped 24 msiexec.exe 2 14->24         started        27 msiexec.exe 14->27         started        164 Adds a directory exclusion to Windows Defender 17->164 166 Contains functionality to modify Windows User Account Control (UAC) settings 17->166 168 Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners) 17->168 29 WinCache.exe 17->29         started        32 conhost.exe 17->32         started        140 C:\Users\user\AppData\Local\...\MSIE082.tmp, PE32 20->140 dropped 142 C:\Users\user\AppData\Local\...\MSIDFF4.tmp, PE32 20->142 dropped 144 C:\Users\user\AppData\Local\...\MSIDF28.tmp, PE32 20->144 dropped 148 7 other files (none is malicious) 20->148 dropped 170 Potential malicious VBS script found (suspicious strings) 20->170 172 Detected unpacking (creates a PE file in dynamic memory) 22->172 174 Changes security center settings (notifications, updates, antivirus, firewall) 22->174 176 Modifies the DNS server 22->176 34 drvinst.exe 22->34         started        36 drvinst.exe 22->36         started        38 MpCmdRun.exe 22->38         started        40 conhost.exe 22->40         started        signatures6 process7 file8 124 C:\Users\user\AppData\Local\Temp\viewer.exe, PE32 24->124 dropped 42 cmd.exe 1 24->42         started        220 Adds a directory exclusion to Windows Defender 29->220 45 powershell.exe 29->45         started        47 WinCache.exe 29->47         started        126 C:\Windows\System32\...\tap0901.sys (copy), PE32+ 34->126 dropped 128 C:\Windows\System32\drivers\SETD9EE.tmp, PE32+ 34->128 dropped 222 Accesses sensitive object manager directories (likely to detect virtual machines) 34->222 130 C:\Windows\System32\...\tap0901.sys (copy), PE32+ 36->130 dropped 132 C:\Windows\System32\...\SETD4B0.tmp, PE32+ 36->132 dropped 49 conhost.exe 38->49         started        signatures9 process10 signatures11 216 Uses netsh to modify the Windows network and firewall settings 42->216 51 cmd.exe 1 42->51         started        53 conhost.exe 42->53         started        218 Loading BitLocker PowerShell Module 45->218 process12 process13 55 Latest.exe 10 301 51->55         started        59 MicrosoftCacha.exe 2 51->59         started        61 cmd.exe 1 51->61         started        63 2 other processes 51->63 file14 116 C:\Program Files (x86)\...\tap0901.sys, PE32+ 55->116 dropped 118 C:\Program Files (x86)\...\LetsPRO.exe, PE32 55->118 dropped 120 C:\Program Files (x86)\...\LetsPRO.exe.config, XML 55->120 dropped 122 220 other files (none is malicious) 55->122 dropped 204 Modifies the windows firewall 55->204 206 Sample is not signed and drops a device driver 55->206 65 LetsPRO.exe 55->65         started        67 powershell.exe 55->67         started        70 tapinstall.exe 55->70         started        80 8 other processes 55->80 208 Found evasive API chain (may stop execution after checking mutex) 59->208 210 Contains functionality to inject code into remote processes 59->210 212 Adds a directory exclusion to Windows Defender 59->212 214 Contains functionality to modify Windows User Account Control (UAC) settings 59->214 73 MicrosoftCacha.exe 59->73         started        76 wscript.exe 1 61->76         started        78 wscript.exe 1 63->78         started        signatures15 process16 dnsIp17 82 LetsPRO.exe 65->82         started        186 Loading BitLocker PowerShell Module 67->186 86 conhost.exe 67->86         started        112 C:\Users\user\AppData\...\tap0901.sys (copy), PE32+ 70->112 dropped 114 C:\Users\user\AppData\Local\...\SETD32A.tmp, PE32+ 70->114 dropped 88 conhost.exe 70->88         started        162 43.248.172.5, 42284, 49723 ANCHGLOBAL-AS-APAnchnetAsiaLimitedHK Hong Kong 73->162 188 Adds a directory exclusion to Windows Defender 73->188 190 Disables UAC (registry) 73->190 192 Disable UAC(promptonsecuredesktop) 73->192 90 powershell.exe 73->90         started        92 MicrosoftCacha.exe 73->92         started        194 Suspicious powershell command line found 76->194 196 Wscript starts Powershell (via cmd or directly) 76->196 198 Bypasses PowerShell execution policy 76->198 200 2 other signatures 76->200 94 powershell.exe 76->94         started        96 powershell.exe 78->96         started        98 conhost.exe 80->98         started        100 12 other processes 80->100 file18 signatures19 process20 dnsIp21 156 yandex.com 77.88.44.55, 443, 49730 YANDEXRU Russian Federation 82->156 158 119.29.29.29, 49727, 53 TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN China 82->158 160 13 other IPs or domains 82->160 202 Loading BitLocker PowerShell Module 82->202 102 cmd.exe 82->102         started        104 conhost.exe 90->104         started        106 conhost.exe 94->106         started        108 conhost.exe 96->108         started        signatures22 process23 process24 110 conhost.exe 102->110         started       
Score:
99%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/e6e26a376faaf347aafaef5768efba40297eb60b23a38e1cf02f944d21dda4c4
Gathering data
Verdict:
Malicious
Threat:
Win32.Infostealer.Heuristic
Link:
https://tip.neiki.dev/file/e6e26a376faaf347aafaef5768efba40297eb60b23a38e1cf02f944d21dda4c4
Threat name:
Win32.Trojan.Suschil
Create hunting rule
Status:
Malicious
First seen:
2025-08-11 15:17:53 UTC
File Type:
Binary (Archive)
Extracted files:
3066
AV detection:
14 of 38 (36.84%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=43rgun3pvlzupkx255lwr352iaux5nqleory4hhqf6ke2io5utca._file
Verdict:
malicious
Label(s):
winos
Create hunting rule
Similar samples:
18332eb2631bdc0d2f1c3636da1458c7bcb3b56cdff4b19b13c772983bc90bd8
ValleyRAT
3fd538d2138789d2c6298e22543452777ca1390fd6ab26a596af55f477e1eb5d
ValleyRAT
4197da71fd45adddd77c5510107c7b0cb8a038a06cc3a849bdd4960fc5a4dcb3
ValleyRAT
573c08ded0eba1b7c02c9bb565cc3936761563da670bec986c29474532d2d43e
ValleyRAT
ab76c282f96150d60d7bca24836e47664cb414de70f49e3c41154a1d1b7369eb
ValleyRAT
b4a1c8e6d660a31aaca3053973c553c62354be47688f7d474998f0d5caf8f0ce
ValleyRAT
error
ValleyRAT
f7bf161078c546fc6dd5a2927020c80f6d27cfdf7416f445882d729cfcec6b83
ValleyRAT
+ 369 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
discovery persistence privilege_escalation
Link:
https://tria.ge/reports/250811-spcm3awnt5/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Loads dropped DLL
Enumerates connected drives
Verdict:
Malicious
Tags:
Win.Virus.Parite-9874427-0
YARA:
n/a
Link:
https://app.threat.zone/submission/81e64e2d-6476-4771-a250-927be3d91064
Malware family:
ValleyRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e6e26a376faa/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e6e26a376faaf347aafaef5768efba40297eb60b23a38e1cf02f944d21dda4c4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_MSI_LATAM_Banker_From_LatAm
Create hunting rule
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ValleyRAT

Microsoft Software Installer (MSI) msi e6e26a376faaf347aafaef5768efba40297eb60b23a38e1cf02f944d21dda4c4

(this sample)

  
Link
https://tria.ge/250811-shrhmsywat/behavioral2
  
Delivery method
Distributed via web download

Comments