MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e71f4fa46e5fbab202f42041c3630de34b0e11667e6ff3e6832fb344b30986cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ValleyRAT


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 10 File information Comments

SHA256 hash: e71f4fa46e5fbab202f42041c3630de34b0e11667e6ff3e6832fb344b30986cb
SHA3-384 hash: 0be23c3d4048084d11f220bad65036155461c4535cfd98a5dd456d12c3dba832255c75f78701e42871ed25aecb8b6ba4
SHA1 hash: cb7e5cb60eff4ccdd529f349041f363ff9d6bfb7
MD5 hash: 9ea745cd27b60e0613748f32e6a311ef
humanhash: colorado-tango-early-paris
File name:9EA745CD27B60E0613748F32E6A311EF.exe
Download: download sample
Signature ValleyRAT
File size:368'640 bytes
First seen:2025-09-16 01:30:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b8dd188a560685bdc49addb37fcd457d (1 x ValleyRAT)
ssdeep 6144:zOoMegW0m/4vociFC9UkhpsvvBdbmjhEVsyaLUoyByx75MzRijp0r2M8U6:6oMzW0m/qLiFC95psXOjaVsyroyB076L
TLSH T1B374BE163AE0C977D67B40704DE1DB7CB2B9B9540E32DE9363A08B3E9D32A914637316
TrID 38.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
13.0% (.EXE) Win64 Executable (generic) (10522/11/4)
8.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
dhash icon 71b119dcce576333 (3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT)
Reporter abuse_ch
Tags:exe RAT ValleyRAT


Avatar
abuse_ch
ValleyRAT C2:
27.124.6.169:5539

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
27.124.6.169:5539 https://threatfox.abuse.ch/ioc/1590978/

Intelligence


File Origin
# of uploads :
1
# of downloads :
120
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9EA745CD27B60E0613748F32E6A311EF.exe
Verdict:
Malicious activity
Analysis date:
2025-09-16 01:31:15 UTC
Tags:
xor-url generic

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
95.7%
Tags:
emotet spoof madi
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Connection attempt
Sending an HTTP GET request
Creating a file
Delayed reading of the file
Creating a process from a recently created file
Creating a process with a hidden window
Сreating synchronization primitives
Creating a service
Moving a recently created file
Sending a custom TCP request
Enabling autorun for a service
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context babar iceid keylogger microsoft_visual_cc obfuscated xor-pe
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-11T16:21:00Z UTC
Last seen:
2025-09-11T16:21:00Z UTC
Hits:
~10
Result
Threat name:
ValleyRAT
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Drops password protected ZIP file
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Found stalling execution ending in API Sleep call
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Uses known network protocols on non-standard ports
Yara detected ValleyRAT
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1778160 Sample: jo7prug0MA.exe Startdate: 16/09/2025 Architecture: WINDOWS Score: 100 49 Suricata IDS alerts for network traffic 2->49 51 Found malware configuration 2->51 53 Multi AV Scanner detection for dropped file 2->53 55 5 other signatures 2->55 7 jo7prug0MA.exe 198 2->7         started        11 svchost.exe 2->11         started        14 svchost.exe 1 2->14         started        16 3 other processes 2->16 process3 dnsIp4 45 45.192.243.11, 1533, 49720 DXTL-HKDXTLTseungKwanOServiceHK Seychelles 7->45 47 38.47.97.210, 1978, 49721 COGENT-174US United States 7->47 35 C:\ProgramData\zlib.dll, PE32 7->35 dropped 37 C:\ProgramData\rIzVLJotu.exe, PE32 7->37 dropped 39 C:\ProgramData\mzlib.dll, PE32 7->39 dropped 41 3 other files (1 malicious) 7->41 dropped 18 rIzVLJotu.exe 10 6 7->18         started        65 Changes security center settings (notifications, updates, antivirus, firewall) 11->65 23 MpCmdRun.exe 1 11->23         started        file5 signatures6 process7 dnsIp8 43 27.124.6.169, 49722, 49724, 5539 BCPL-SGBGPNETGlobalASNSG Singapore 18->43 27 C:\ProgramData\WVZKMwTSy@12\zlib.dll (copy), PE32 18->27 dropped 29 C:\ProgramData\WVZKMwTSy@12\lspexDVfq.exe, PE32 18->29 dropped 31 C:\ProgramData\WVZKMwTSy@12\cnima.xml, COM 18->31 dropped 33 C:\ProgramData\WVZKMwTSy@12\DuiLib-1.dll, PE32 18->33 dropped 57 Found evasive API chain (may stop execution after checking mutex) 18->57 59 Found stalling execution ending in API Sleep call 18->59 61 Contains functionality to inject code into remote processes 18->61 63 2 other signatures 18->63 25 conhost.exe 23->25         started        file9 signatures10 process11
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Threat name:
Win32.Infostealer.Babar
Status:
Malicious
First seen:
2025-09-11 17:18:24 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Behaviour
Suspicious use of SetWindowsHookEx
Program crash
System Location Discovery: System Language Discovery
Unpacked files
SH256 hash:
e71f4fa46e5fbab202f42041c3630de34b0e11667e6ff3e6832fb344b30986cb
MD5 hash:
9ea745cd27b60e0613748f32e6a311ef
SHA1 hash:
cb7e5cb60eff4ccdd529f349041f363ff9d6bfb7
SH256 hash:
1874fea387dc708243eb6519ec20460e1cfd9ae4192839309c587c0d578d4719
MD5 hash:
dfe08715d9422fb34066c0123f594460
SHA1 hash:
49edf08214934c353e4c722e97fe81fde5f6d845
Malware family:
ValleyRAT
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:SUSP_XORed_MSDOS_Stub_Message
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:ThreadControl__Context
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Trojan_Winos_464b8a2e
Author:Elastic Security
Rule name:win_valley_rat_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.valley_rat.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments