MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e774704b4e45fafcd0f8344f61dfd67177ef14de664d5610e7047d8e42621845. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e774704b4e45fafcd0f8344f61dfd67177ef14de664d5610e7047d8e42621845
SHA3-384 hash: acf17709b615d9c90ba8226477bb0c3145c6feee0ef834e9df7f742d8433071e171d90780c3fb296776bebb2e27b0ccf
SHA1 hash: 0a2867db19252e2af3f4aa1926a83d978687d847
MD5 hash: 781c2bbafc8f7082d25144285571272e
humanhash: orange-florida-enemy-july
File name:781c2bbafc8f7082d25144285571272e.exe
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:49'020'756 bytes
First seen:2025-09-01 05:05:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash eb5bc6ff6263b364dfbfb78bdb48ed59 (55 x Adware.Generic, 18 x RaccoonStealer, 8 x Adware.ExtenBro)
ssdeep 786432:0lQ5gvcPDfGREmVB3ZRRdn5l0lsCDoCOnv9fsdgOr7C7fl3MYAU0Enpw+Km+Nran:0lUb+NV5RF5l0l0COvT427d3MYACspwn
TLSH T182B7332B7148A43FC4BA23304173B16069FBBB6DE516AE156BD0CD4CCF314816E7AEA5
TrID 62.3% (.EXE) Inno Setup installer (107240/4/30)
24.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
6.1% (.EXE) Win64 Executable (generic) (10522/11/4)
2.6% (.EXE) Win32 Executable (generic) (4504/4/1)
1.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
dhash icon e9b2c9cdcdc88261 (4 x ValleyRAT)
Reporter abuse_ch
Tags:exe RAT ValleyRAT


Avatar
abuse_ch
ValleyRAT C2:
137.220.154.46:9000

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
137.220.154.46:9000 https://threatfox.abuse.ch/ioc/1578968/

Intelligence

File Origin
# of uploads :
1
# of downloads :
87
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
781c2bbafc8f7082d25144285571272e.exe
Verdict:
Malicious activity
Analysis date:
2025-09-01 05:08:02 UTC
Tags:
inno installer delphi silverfox backdoor valley winos rat valleyrat
Link:
https://app.any.run/tasks/5e8bb20b-0a51-482a-808f-de9bc43db54c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68b529ba3e988eb6ab836a6d
Tags:
emotet spoof
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Moving a recently created file
Using the Windows Management Instrumentation requests
Creating a process with a hidden window
Delayed reading of the file
Creating a file in the Program Files subdirectories
Deleting a recently created file
Sending a custom TCP request
Creating a service
Launching a service
Loading a system driver
Launching a process
Moving a file to the Program Files subdirectory
DNS request
Connection attempt
Running batch commands
Enabling autorun for a service
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug embarcadero_delphi fakeapp fingerprint installer invalid-signature overlay overlay packed signed threat zero
Link:
https://www.filescan.io/uploads/68b529b21c81c34281da0b11/reports/c990ae4d-2d26-4e49-9318-8e5cd51dc0a1/overview
Verdict:
Malicious
Labled as:
Trojan_Win32_Yomal_rfn
Link:
https://www.hybrid-analysis.com/sample/e774704b4e45fafcd0f8344f61dfd67177ef14de664d5610e7047d8e42621845
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-08-28T00:38:00Z UTC
Last seen:
2025-08-28T00:38:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/e774704b4e45fafcd0f8344f61dfd67177ef14de664d5610e7047d8e42621845/results?tab=lookup
Result
Threat name:
ValleyRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1768657
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Changes security center settings (notifications, updates, antivirus, firewall)
Creates a thread in another existing process (thread injection)
Drops password protected ZIP file
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Opens network shares
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sigma detected: Execution from Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected ValleyRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1768657 Sample: HWt7RW1gC4.exe Startdate: 01/09/2025 Architecture: WINDOWS Score: 100 123 zbj22.zbj888uul.com 2->123 125 support.google.com 2->125 127 8 other IPs or domains 2->127 143 Suricata IDS alerts for network traffic 2->143 145 Malicious sample detected (through community Yara rule) 2->145 147 Antivirus detection for dropped file 2->147 149 12 other signatures 2->149 11 HWt7RW1gC4.exe 2 2->11         started        14 svchost.exe 2->14         started        17 chrome.exe 2->17         started        20 18 other processes 2->20 signatures3 process4 dnsIp5 109 C:\Users\user\AppData\...\HWt7RW1gC4.tmp, PE32 11->109 dropped 22 HWt7RW1gC4.tmp 3 17 11->22         started        181 Changes security center settings (notifications, updates, antivirus, firewall) 14->181 25 MpCmdRun.exe 14->25         started        119 192.168.2.4, 443, 49708, 49709 unknown unknown 17->119 27 chrome.exe 17->27         started        121 127.0.0.1 unknown unknown 20->121 30 conhost.exe 20->30         started        file6 signatures7 process8 dnsIp9 105 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 22->105 dropped 107 C:\ProgramData\WindowsData\funzip.exe, PE32 22->107 dropped 32 men.exe 12 22->32         started        36 setup.exe 7 22->36         started        38 funzip.exe 3 22->38         started        40 conhost.exe 25->40         started        131 feedback-pa.clients6.google.com 142.250.176.202, 443, 49776 GOOGLEUS United States 27->131 133 googlehosted.l.googleusercontent.com 142.250.64.65, 443, 49743 GOOGLEUS United States 27->133 135 17 other IPs or domains 27->135 file10 process11 file12 91 C:\Users\Public\Documents\...\rwdriver.sys, PE32+ 32->91 dropped 93 C:\Users\Public\Documents\...\main.exe, PE32+ 32->93 dropped 95 C:\Users\Public\Documents\...\log.dll, PE32 32->95 dropped 103 5 other malicious files 32->103 dropped 137 Multi AV Scanner detection for dropped file 32->137 139 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 32->139 141 Sample is not signed and drops a device driver 32->141 42 NtHandleCallback.exe 32->42         started        47 cmd.exe 32->47         started        49 main.exe 32->49         started        55 7 other processes 32->55 97 C:\Users\user\AppData\Local\...\updater.exe, PE32 36->97 dropped 51 updater.exe 24 11 36->51         started        99 C:\ProgramData\WindowsData\setup.exe, PE32 38->99 dropped 101 C:\ProgramData\WindowsData\men.exe, PE32+ 38->101 dropped 53 conhost.exe 38->53         started        signatures13 process14 dnsIp15 129 zbj22.zbj888uul.com 137.220.154.46, 49722, 49747, 49789 BCPL-SGBGPNETGlobalASNSG Singapore 42->129 111 C:\XiaoH.sys, PE32+ 42->111 dropped 113 C:\Cndom6.sys, PE32+ 42->113 dropped 161 Suspicious powershell command line found 42->161 163 Bypasses PowerShell execution policy 42->163 165 Writes to foreign memory regions 42->165 179 3 other signatures 42->179 57 tracerpt.exe 42->57         started        60 NVIDIA.exe 42->60         started        63 powershell.exe 42->63         started        71 30 other processes 42->71 167 Uses ping.exe to sleep 47->167 169 Uses ping.exe to check the status of other devices and networks 47->169 73 6 other processes 47->73 171 Antivirus detection for dropped file 49->171 173 Multi AV Scanner detection for dropped file 49->173 65 conhost.exe 49->65         started        115 C:\Program Files (x86)behaviorgraphoogle\...\updater.exe, PE32 51->115 dropped 67 updater.exe 4 51->67         started        175 Opens network shares 55->175 177 Loading BitLocker PowerShell Module 55->177 69 conhost.exe 55->69         started        75 6 other processes 55->75 file16 signatures17 process18 file19 151 Writes to foreign memory regions 57->151 153 Allocates memory in foreign processes 57->153 155 Creates a thread in another existing process (thread injection) 57->155 77 conhost.exe 57->77         started        79 svchost.exe 57->79         started        117 C:\Users\user\...\JZyugdWLINNKiNAWbVmMrMMMQSJ, PE32+ 60->117 dropped 157 Multi AV Scanner detection for dropped file 60->157 159 Loading BitLocker PowerShell Module 63->159 81 conhost.exe 63->81         started        83 conhost.exe 71->83         started        85 conhost.exe 71->85         started        87 conhost.exe 71->87         started        89 26 other processes 71->89 signatures20 process21
Score:
19%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/e774704b4e45fafcd0f8344f61dfd67177ef14de664d5610e7047d8e42621845
Gathering data
Threat name:
Win32.Trojan.Yomal
Create hunting rule
Status:
Malicious
First seen:
2025-08-28 05:26:03 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
11 of 36 (30.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=452has2oix5pzuhygrhwdx6wof366fg6mzgvmehhar6y4qtcdbcq._file
Verdict:
malicious
Label(s):
winos
Create hunting rule
Similar samples:
error
ValleyRAT
Result
Malware family:
valleyrat_s2
Create hunting rule
Score:
  10/10
Tags:
family:valleyrat_s2 backdoor defense_evasion discovery execution exploit persistence privilege_escalation trojan
Link:
https://tria.ge/reports/250901-fq9yqsar8y/
Behaviour
Modifies data under HKEY_USERS
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
System Time Discovery
Drops file in Program Files directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Indicator Removal: File Deletion
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Boot or Logon Autostart Execution: Active Setup
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Possible privilege escalation attempt
Sets service image path in registry
Stops running service(s)
ValleyRat
Valleyrat_s2 family
Malware Config
C2 Extraction:
zbj22.zbj888uul.com:9000
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/05e632d3-9d2e-4a77-b7dd-e2803ba8c72e
Malware family:
Mimikatz
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e774704b4e45/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e774704b4e45fafcd0f8344f61dfd67177ef14de664d5610e7047d8e42621845

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments