MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb0058218cb3c937666be4dd76f9b00c514a485f7ea24f49741891b9900b08fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eb0058218cb3c937666be4dd76f9b00c514a485f7ea24f49741891b9900b08fd
SHA3-384 hash: fe5b8383924c9e0c501d3881fdd9e73bb0b7176fed71131c59b1f9854506ef1cf57b4f280072876eb9884beea9c87722
SHA1 hash: ad1bc615328ffefa7e654c0d81eaa157f874f5c1
MD5 hash: e0a0a44f39297f1307545734f92a7abd
humanhash: georgia-april-summer-colorado
File name:AmyDask.exe
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:88'334'732 bytes
First seen:2025-06-18 16:09:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 31eb9b3068898b69608e63f7441dc924 (10 x ValleyRAT)
ssdeep 1572864:e5Ucq2nglxh11KMBtY3EgnaBkFYvEkLInyKgF3r94cYouj8Ff5:TVLvH2EgnQ1sne3r945BQ5
TLSH T1D21833F299A85158FDD7C07331A29B3B18D89CCA54CF40DD01C2FF887993691DAAA16F
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 69ccd4d49696cc71 (22 x ValleyRAT, 13 x Adware.Adload, 8 x CoinMiner)
Reporter GDHJDSYDH1
Tags:backdoor dropper exe SilverFox ValleyRAT


Avatar
GDHJDSYDH1
Downloaded from: https://amydoskyc.top/
C2:
43.248.173.17
159.75.57.69

Intelligence

File Origin
# of uploads :
1
# of downloads :
895
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
AmyDask.exe
Verdict:
No threats detected
Analysis date:
2025-06-18 16:07:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/421ea15d-4bb7-4a23-9aad-bf482208d6d4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6852e4daf89e43b2145639e3
Tags:
n/a
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug anti-vm blackhole installer microsoft_visual_cc overlay overlay packed packed packed packer_detected
Link:
https://www.filescan.io/uploads/6852e4bf3faf8fcd7d344cd6/reports/de4cef1b-c17a-4631-8464-0e22b8dff213/overview
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/eb0058218cb3c937666be4dd76f9b00c514a485f7ea24f49741891b9900b08fd
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1717773
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Sample is not signed and drops a device driver
Sigma detected: Potentially Suspicious Child Process Of Regsvr32
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspect Svchost Activity
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1717773 Sample: AmyDask.exe Startdate: 18/06/2025 Architecture: WINDOWS Score: 100 64 legram-1359435016.cos.ap-guangzhou.myqcloud.com 2->64 66 alipay-1325772578.cos.ap-guangzhou.myqcloud.com 2->66 68 3 other IPs or domains 2->68 82 Suricata IDS alerts for network traffic 2->82 84 Malicious sample detected (through community Yara rule) 2->84 86 Connects to many ports of the same IP (likely port scanning) 2->86 88 4 other signatures 2->88 10 AmyDask.exe 35 2->10         started        13 regsvr32.exe 2->13         started        signatures3 process4 file5 56 C:\Users\user\AppData\Roaming\...\intel.dll, PE32 10->56 dropped 58 C:\Users\user\AppData\Local\chrmstp.exe, PE32 10->58 dropped 60 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 10->60 dropped 62 3 other files (none is malicious) 10->62 dropped 15 cmd.exe 1 10->15         started        18 chrmstp.exe 1 10->18         started        20 regsvr32.exe 1 17 13->20         started        process6 signatures7 108 Adds a directory exclusion to Windows Defender 15->108 22 regsvr32.exe 7 19 15->22         started        26 conhost.exe 15->26         started        110 System process connects to network (likely due to code injection or exploit) 20->110 112 Injects code into the Windows Explorer (explorer.exe) 20->112 114 Writes to foreign memory regions 20->114 116 Allocates memory in foreign processes 20->116 28 cmd.exe 20->28         started        30 svchost.exe 20->30         started        32 svchost.exe 20->32         started        process8 dnsIp9 74 159.75.57.69, 443, 49701, 49708 TELE2EU China 22->74 76 43.248.173.17, 10451, 18852, 49695 JIC-AS-APJSLINKINTERNATIONALCORPORATIONHK Hong Kong 22->76 78 gz.file.myqcloud.com 159.75.57.35, 443, 49700, 49709 TELE2EU China 22->78 96 Injects code into the Windows Explorer (explorer.exe) 22->96 98 Contains functionality to inject code into remote processes 22->98 100 Writes to foreign memory regions 22->100 102 Allocates memory in foreign processes 22->102 34 svchost.exe 22->34         started        39 cmd.exe 1 22->39         started        41 svchost.exe 22->41         started        43 explorer.exe 26 1 22->43 injected 104 Adds a directory exclusion to Windows Defender 28->104 45 powershell.exe 28->45         started        47 conhost.exe 28->47         started        106 System process connects to network (likely due to code injection or exploit) 30->106 signatures10 process11 dnsIp12 70 143.92.49.209, 443, 49706, 49711 BCPL-SGBGPNETGlobalASNSG Singapore 34->70 54 C:\ProgramData\kernelquick.sys, data 34->54 dropped 90 Sample is not signed and drops a device driver 34->90 92 Adds a directory exclusion to Windows Defender 39->92 49 powershell.exe 22 39->49         started        52 conhost.exe 39->52         started        72 27.124.4.102, 10080, 10081, 49707 BCPL-SGBGPNETGlobalASNSG Singapore 41->72 94 Loading BitLocker PowerShell Module 45->94 file13 signatures14 process15 signatures16 80 Loading BitLocker PowerShell Module 49->80
Score:
64%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/eb0058218cb3c937666be4dd76f9b00c514a485f7ea24f49741891b9900b08fd
Gathering data
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/eb0058218cb3c937666be4dd76f9b00c514a485f7ea24f49741891b9900b08fd
Threat name:
Win32.Dropper.Malgent
Create hunting rule
Status:
Malicious
First seen:
2025-06-18 13:21:24 UTC
File Type:
PE (Exe)
AV detection:
3 of 24 (12.50%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5mafqimmwpetoztl4toxn6nqbriuusc7p2re6sludci3tealbd6q._file
Verdict:
malicious
Label(s):
winos
Create hunting rule
donut_injector
Create hunting rule
Similar samples:
error
ValleyRAT
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/250618-tl4g2svkv6/
Behaviour
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Loads dropped DLL
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2898ea6b-0511-40c2-8481-f082c3ff6ffe
Malware family:
ValleyRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/eb0058218cb3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eb0058218cb3c937666be4dd76f9b00c514a485f7ea24f49741891b9900b08fd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ValleyRAT

Executable exe eb0058218cb3c937666be4dd76f9b00c514a485f7ea24f49741891b9900b08fd

(this sample)

  
Link
https://tria.ge/250618-tfwj9avjy4
  
Delivery method
Distributed via web download

Comments