MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb481df33605bdb63257f7a2cb69e48643c0807247d22acb88608b405f292d8c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eb481df33605bdb63257f7a2cb69e48643c0807247d22acb88608b405f292d8c
SHA3-384 hash: f656a0c1cd7faeda7a2f55d984376f66f5809d0b2c1a54f34ecd1ea61aa3bbb84601c09783276725c17a537e66ffb1d1
SHA1 hash: fb3ad7645dc9a0820bc3a0feb6159bfe60c78628
MD5 hash: 8feb5972ad0c4f8e7e869041dc8d1a61
humanhash: lake-virginia-angel-white
File name:tsetupw11-64.msi
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:81'697'280 bytes
First seen:2026-05-30 16:11:00 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 1572864:Pb3OWlG7bfcOGLZd0qR0yFI4LLh9Egqa0LpzcAULQUD3KJ5vHFwW2D+9Z:Pb+Wl2zcDBRrOSLhB7QUDaJ5fF0De
Threatray 811 similar samples on MalwareBazaar
TLSH T1ED083331B26739A8D62FA37FA5645FC941307CE1731BEA9763783F6585B0A8710B2843
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter Ling
Tags:agent donutloader msi Shellcode ValleyRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
74
Origin country :
US US
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/c128d294-f6a4-42dc-ba96-0aa492cd0b8c/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a1b091ca22676d7bfe4263f
Tags:
rapid shell spawn sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug base64 CAB cmd crypto expand expired-cert expired-cert fingerprint installer large-file lolbin lolbin obfuscated overlay packed reconnaissance short-lived-cert wiper wix
Link:
https://www.filescan.io/uploads/6a1b0c3446e44aecc0c65efe/reports/a73644bf-3559-4887-ac1c-2860db514a9f/overview
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/eb481df33605bdb63257f7a2cb69e48643c0807247d22acb88608b405f292d8c
Verdict:
Malicious
File Type:
msi
First seen:
2026-05-30T13:14:00Z UTC
Last seen:
2026-06-01T00:21:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.Shellcode.sb Trojan.OLE2.Agent.sb Trojan.Multi.Agent.au HEUR:Trojan.Win64.Silverfox.gen Trojan.Win64.Agent.sb
Link:
https://opentip.kaspersky.com/eb481df33605bdb63257f7a2cb69e48643c0807247d22acb88608b405f292d8c/results?tab=lookup
Score:
10%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/eb481df33605bdb63257f7a2cb69e48643c0807247d22acb88608b405f292d8c
Gathering data
Threat name:
Win64.Exploit.DonutMarte
Create hunting rule
Status:
Malicious
First seen:
2026-05-30 15:58:45 UTC
File Type:
Binary (Archive)
Extracted files:
1592
AV detection:
8 of 36 (22.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5neb34zwaw63mmsx66rmw2peqzb4badsi7jcvs4imcfuaxzjfwga._file
Verdict:
malicious
Label(s):
donutloader
Create hunting rule
Similar samples:
289767b49dc8525bce262ea06fee4ef9fced2e131a55b25654ce871c1f0498b2
ValleyRAT
320a2103e7dba828db31a8ec2f42ae301ecf1a666e42ac1dfeb7c3ae81e3d6eb
ValleyRAT
6d9c91584132fe3f0eaea3d25aecef32f47331d0946d074cb5687f759c68750f
ValleyRAT
a05d04a270f68c8c6d6ea2d23bebf8cd1d5453b26b5442fa54965f90f1c62082
ValleyRAT
a7f02413b1cf40739a6b8cf528f4a18272564e3d916f75542a7a15da2beb0fc7
ValleyRAT
dd615f60bc6c364b15ffdf93880e3dcdef9e7a2eb5444cd913c6e3a58b0943d5
ValleyRAT
eb481df33605bdb63257f7a2cb69e48643c0807247d22acb88608b405f292d8c
ValleyRAT
error
ValleyRAT
+ 801 additional samples on MalwareBazaar
Result
Malware family:
donutloader
Create hunting rule
Score:
  10/10
Tags:
family:donutloader discovery execution installer loader persistence privilege_escalation ransomware
Link:
https://tria.ge/reports/260530-tm77maby8p/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Inno Setup is an open-source installation builder for Windows applications.
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Badlisted process makes network request
Enumerates connected drives
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Detects DonutLoader
Family: DonutLoader
Malware family:
DonutLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/eb481df33605/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ValleyRAT

Microsoft Software Installer (MSI) msi eb481df33605bdb63257f7a2cb69e48643c0807247d22acb88608b405f292d8c

(this sample)

  
Delivery method
Distributed via web download

Comments