MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1bde45ac4a34b8ec885fb5fb07f5e47f89f97b257cc38a1eb37fc0c308c4a04. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f1bde45ac4a34b8ec885fb5fb07f5e47f89f97b257cc38a1eb37fc0c308c4a04
SHA3-384 hash: e31f67e21544e582d589d547a8a199fa445e80b8898460fe35daf88f848a544421963e36c6474863f64119732a9111e1
SHA1 hash: b3398c70a2fc85fc80158c27ab30ac645e3bf4bf
MD5 hash: 86cb5f74af900c505a558dd1c9018bc4
humanhash: friend-enemy-equal-thirteen
File name:86CB5F74AF900C505A558DD1C9018BC4.exe
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:50'534'402 bytes
First seen:2025-07-26 00:32:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash efd455830ba918de67076b7c65d86586 (57 x Gh0stRAT, 19 x ValleyRAT, 6 x OffLoader)
ssdeep 1572864:LP07ip8CHZ5R55jfitFrSNGgm0jRubbjO:L87/adi3rkmY4bC
TLSH T139B73323B2CB653FE13D59354AB3D6125A3F6B6072124C5397E8449CCF2A6C40D3EAA7
TrID 62.3% (.EXE) Inno Setup installer (107240/4/30)
24.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
6.1% (.EXE) Win64 Executable (generic) (10522/11/4)
2.6% (.EXE) Win32 Executable (generic) (4504/4/1)
1.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
dhash icon e9b2c9cdcdc88261 (2 x ValleyRAT)
Reporter abuse_ch
Tags:exe RAT ValleyRAT


Avatar
abuse_ch
ValleyRAT C2:
154.82.84.217:8880

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
154.82.84.217:8880 https://threatfox.abuse.ch/ioc/1560769/

Intelligence

File Origin
# of uploads :
1
# of downloads :
29
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
86CB5F74AF900C505A558DD1C9018BC4.exe
Verdict:
Malicious activity
Analysis date:
2025-07-26 00:50:00 UTC
Tags:
backdoor silverfox valleyrat winos rat qrcode vmprotect
Link:
https://app.any.run/tasks/1554a9bb-b2fe-40e1-96dc-edba0a76a25c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
94.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=688422390b4775fb213138ea
Tags:
vmprotect shellcode dropper blic
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Moving a recently created file
Using the Windows Management Instrumentation requests
Creating a file in the Program Files subdirectories
Deleting a recently created file
Creating a process with a hidden window
Creating a service
Moving a file to the Program Files subdirectory
Launching a service
Delayed reading of the file
Loading a system driver
Launching a process
Connection attempt
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Running batch commands
Enabling autorun for a service
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Labled as:
Trojan_Win32_Wacatac_B_ml
Link:
https://www.hybrid-analysis.com/sample/f1bde45ac4a34b8ec885fb5fb07f5e47f89f97b257cc38a1eb37fc0c308c4a04
Result
Threat name:
ValleyRAT
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1744460
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Changes security center settings (notifications, updates, antivirus, firewall)
Creates a thread in another existing process (thread injection)
Detected VMProtect packer
Drops password protected ZIP file
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sigma detected: Execution from Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious New Service Creation
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Writes to foreign memory regions
Yara detected ValleyRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1744460 Sample: DeN1Eysg5z.exe Startdate: 26/07/2025 Architecture: WINDOWS Score: 100 119 support.google.com 2->119 121 play.google.com 2->121 123 7 other IPs or domains 2->123 137 Suricata IDS alerts for network traffic 2->137 139 Antivirus detection for dropped file 2->139 141 Multi AV Scanner detection for dropped file 2->141 143 14 other signatures 2->143 11 DeN1Eysg5z.exe 2 2->11         started        14 chrome.exe 2->14         started        18 chrome.exe 2->18         started        20 25 other processes 2->20 signatures3 process4 dnsIp5 105 C:\Users\user\AppData\...\DeN1Eysg5z.tmp, PE32 11->105 dropped 22 DeN1Eysg5z.tmp 5 9 11->22         started        133 192.168.2.10, 138, 443, 49321 unknown unknown 14->133 171 Suspicious powershell command line found 14->171 173 Suspicious execution chain found 14->173 175 Adds a directory exclusion to Windows Defender 14->175 25 chrome.exe 14->25         started        135 127.0.0.1 unknown unknown 20->135 177 Changes security center settings (notifications, updates, antivirus, firewall) 20->177 28 MpCmdRun.exe 20->28         started        file6 signatures7 process8 dnsIp9 89 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 22->89 dropped 91 C:\Users\Public\Documents\unzip.exe (copy), PE32 22->91 dropped 93 C:\Users\Public\Documents\setup.exe (copy), PE32 22->93 dropped 95 2 other malicious files 22->95 dropped 30 men.exe 12 22->30         started        34 setup.exe 7 22->34         started        36 unzip.exe 2 22->36         started        127 142.250.64.74, 443, 49758, 49775 GOOGLEUS United States 25->127 129 googlehosted.l.googleusercontent.com 142.250.65.161, 443, 49717 GOOGLEUS United States 25->129 131 19 other IPs or domains 25->131 38 conhost.exe 28->38         started        file10 process11 file12 107 C:\Users\Public\Documents\...\rwdriver.sys, PE32+ 30->107 dropped 109 C:\Users\Public\Documents\...\main.exe, PE32+ 30->109 dropped 111 C:\Users\Public\Documents\...\log.dll, PE32 30->111 dropped 117 5 other malicious files 30->117 dropped 179 Antivirus detection for dropped file 30->179 181 Multi AV Scanner detection for dropped file 30->181 183 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 30->183 185 3 other signatures 30->185 40 NtHandleCallback.exe 2 2 30->40         started        45 main.exe 30->45         started        47 powershell.exe 30->47         started        53 7 other processes 30->53 113 C:\Users\user\AppData\Local\...\updater.exe, PE32 34->113 dropped 49 updater.exe 22 11 34->49         started        115 C:\Users\Public\Documents\men.exe, PE32+ 36->115 dropped 51 conhost.exe 36->51         started        signatures13 process14 dnsIp15 125 154.82.84.217, 49690, 49699, 49756 ROOTNETWORKSUS Seychelles 40->125 97 C:\XiaoH.sys, PE32+ 40->97 dropped 99 C:\Cndom6.sys, PE32+ 40->99 dropped 157 Suspicious powershell command line found 40->157 159 Bypasses PowerShell execution policy 40->159 161 Writes to foreign memory regions 40->161 169 3 other signatures 40->169 55 tracerpt.exe 40->55         started        58 NVIDIA.exe 40->58         started        61 powershell.exe 23 40->61         started        71 23 other processes 40->71 163 Antivirus detection for dropped file 45->163 165 Multi AV Scanner detection for dropped file 45->165 63 conhost.exe 45->63         started        167 Loading BitLocker PowerShell Module 47->167 65 conhost.exe 47->65         started        101 C:\Program Files (x86)behaviorgraphoogle\...\updater.exe, PE32 49->101 dropped 67 updater.exe 4 49->67         started        69 conhost.exe 53->69         started        73 11 other processes 53->73 file16 signatures17 process18 file19 145 Writes to foreign memory regions 55->145 147 Allocates memory in foreign processes 55->147 149 Creates a thread in another existing process (thread injection) 55->149 75 conhost.exe 55->75         started        77 svchost.exe 55->77         started        103 C:\Users\user\AppData\...103JLKQNHBGUkBnMvgEg, PE32+ 58->103 dropped 151 Antivirus detection for dropped file 58->151 153 Multi AV Scanner detection for dropped file 58->153 155 Loading BitLocker PowerShell Module 61->155 79 conhost.exe 61->79         started        81 conhost.exe 71->81         started        83 conhost.exe 71->83         started        85 conhost.exe 71->85         started        87 20 other processes 71->87 signatures20 process21
Score:
21%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/f1bde45ac4a34b8ec885fb5fb07f5e47f89f97b257cc38a1eb37fc0c308c4a04
Gathering data
Threat name:
Win32.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-07-24 02:21:19 UTC
File Type:
PE (Exe)
AV detection:
6 of 35 (17.14%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6g66iwweunfy5sef7np3a726i74j7f5sk7gdriplg76aymemjica._file
Result
Malware family:
valleyrat_s2
Create hunting rule
Score:
  10/10
Tags:
family:valleyrat_s2 backdoor defense_evasion discovery execution exploit persistence privilege_escalation trojan
Link:
https://tria.ge/reports/250726-avwzsabp7s/
Behaviour
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
System Time Discovery
Drops file in Program Files directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Indicator Removal: File Deletion
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Boot or Logon Autostart Execution: Active Setup
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Possible privilege escalation attempt
Sets service image path in registry
Stops running service(s)
Valleyrat_s2 family
ValleyRat
Malware Config
C2 Extraction:
154.82.84.217:8880
127.0.0.1:80
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/9997f4c9-d158-4374-ada4-3a432542a1ce
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f1bde45ac4a34b8ec885fb5fb07f5e47f89f97b257cc38a1eb37fc0c308c4a04

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User Authorizationadvapi32.dll::AllocateAndInitializeSid
advapi32.dll::ConvertSidToStringSidW
advapi32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
advapi32.dll::EqualSid
advapi32.dll::FreeSid
SECURITY_BASE_APIUses Security Base APIadvapi32.dll::AdjustTokenPrivileges
advapi32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CreateProcessW
advapi32.dll::OpenProcessToken
advapi32.dll::OpenThreadToken
kernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryA
kernel32.dll::LoadLibraryExW
kernel32.dll::LoadLibraryW
kernel32.dll::GetDriveTypeW
kernel32.dll::GetVolumeInformationW
kernel32.dll::GetSystemInfo
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateDirectoryW
kernel32.dll::CreateFileW
kernel32.dll::DeleteFileW
kernel32.dll::GetWindowsDirectoryW
kernel32.dll::GetSystemDirectoryW
kernel32.dll::GetFileAttributesW
WIN_BASE_USER_APIRetrieves Account Informationadvapi32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExW
advapi32.dll::RegQueryValueExW
WIN_USER_APIPerforms GUI Actionsuser32.dll::PeekMessageW
user32.dll::CreateWindowExW

Comments