MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea37cf74d52ae3a829b32b3c91f940132a649ec854b2d2377ef82c523fff7fe4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ValleyRAT


Vendor detections: 18


Intelligence 18 IOCs 1 YARA 12 File information Comments

SHA256 hash: ea37cf74d52ae3a829b32b3c91f940132a649ec854b2d2377ef82c523fff7fe4
SHA3-384 hash: 9b37d6e2704dd2333c334f92ac360c5083fd7ea90d4d0204a5683306e664690031907425969306681c665464f23c5ee8
SHA1 hash: 0fda1bfcc63a8198882a0bbfcfdc1e40bc001df8
MD5 hash: 4f46075552500da5b19b711285a5152d
humanhash: spring-queen-bulldog-oklahoma
File name:4F46075552500DA5B19B711285A5152D.dll
Download: download sample
Signature ValleyRAT
File size:216'576 bytes
First seen:2026-06-30 04:30:12 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 2cf88258b418fcd7a89902f001ed24cf (2 x ValleyRAT)
ssdeep 6144:n3WOArZU5HEl9YKmfeHvkZWNEbgN4YYYYE:3fA1U5HEl8eHvkZWNEHYYYY
Threatray 962 similar samples on MalwareBazaar
TLSH T1C3246B217680C13BC19B1A3196BF9FB618BCAA35176581CBB7904EB91E707D1FE3470A
TrID 50.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
10.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.5% (.EXE) Win64 Executable (generic) (6522/11/2)
8.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter abuse_ch
Tags:dll RAT ValleyRAT


Avatar
abuse_ch
ValleyRAT C2:
118.107.9.185:1115

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
118.107.9.185:1115 https://threatfox.abuse.ch/ioc/1822796/

Intelligence


File Origin
# of uploads :
1
# of downloads :
157
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
99.1%
Tags:
emotet farfli
Result
Verdict:
Malware
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug crypto downloader evasive fingerprint ghostrat microsoft_visual_cc packed reconnaissance
Verdict:
Malicious
Labled as:
Capa_reference_analysis_tools_strings
Verdict:
Malicious
File Type:
dll x32
First seen:
2026-06-26T19:24:00Z UTC
Last seen:
2026-07-01T18:09:00Z UTC
Hits:
~10
Detections:
HEUR:Backdoor.Win32.Farfli.gen HEUR:Trojan.Win32.SilverFox.gen
Result
Threat name:
ValleyRAT
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected ValleyRAT
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1935353 Sample: RsAmirGhIO.dll Startdate: 30/06/2026 Architecture: WINDOWS Score: 88 18 Found malware configuration 2->18 20 Antivirus / Scanner detection for submitted sample 2->20 22 Multi AV Scanner detection for submitted file 2->22 24 2 other signatures 2->24 7 loaddll32.exe 1 2->7         started        process3 signatures4 26 Contains functionality to inject threads in other processes 7->26 28 Contains functionality to inject code into remote processes 7->28 30 Contains functionality to detect sleep reduction / modifications 7->30 10 cmd.exe 1 7->10         started        12 conhost.exe 7->12         started        14 rundll32.exe 7->14         started        process5 process6 16 rundll32.exe 10->16         started       
Verdict:
Vidar Stealer
YARA:
6 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Stealer Vidar Stealer Win 32 Exe x86
Malware Config
C2 Extraction:
CNC: https://ifconfig.me/iphttps://api.ipify.orgkernel32.dll%dGroupName client.groupClientConsolePublicWanIpLoginModule ????REMARKAppEvent
CNC: https://api.ipify.orgkernel32.dll%dGroupName client.groupClientConsolePublicWanIpLoginModule ????REMARKAppEventsNetworkx6
Threat name:
Win32.Trojan.FraudLoad
Status:
Malicious
First seen:
2026-06-27 00:21:08 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
30 of 36 (83.33%)
Threat level:
  5/5
Result
Malware family:
valleyrat_s2
Score:
  10/10
Tags:
family:valleyrat_s2 backdoor discovery
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Unpacked files
SH256 hash:
ea37cf74d52ae3a829b32b3c91f940132a649ec854b2d2377ef82c523fff7fe4
MD5 hash:
4f46075552500da5b19b711285a5152d
SHA1 hash:
0fda1bfcc63a8198882a0bbfcfdc1e40bc001df8
Detections:
win_winos_auto triage_winos_rat_plugin_manager
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:GenericGh0st
Author:Still
Rule name:Gh0stKCP
Author:Netresec
Description:Detects HP-Socket ARQ and KCP implementations, which are used in Gh0stKCP. Forked from @stvemillertime's KCP catchall rule.
Reference:https://netresec.com/?b=259a5af
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:telebot_framework
Author:vietdx.mb
Rule name:ThreadControl__Context
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/
Rule name:VECT_Ransomware
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.
Rule name:WinosStager
Author:YungBinary
Description:https://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign
Rule name:win_winos_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.winos.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments