MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4c45b94663e791fbb7d84b6eabec26f7bdef921f7bafe72934f00f2bc0259a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f4c45b94663e791fbb7d84b6eabec26f7bdef921f7bafe72934f00f2bc0259a8
SHA3-384 hash: 71dfc667f6425d3d983e7a79d402f068c57cce8fec3507625c6f14d843dd266dd547f44fb5c5d39fef9785de32a3e2aa
SHA1 hash: 6c56483e8333e58f3ceb208a7de9ec158a0ab56c
MD5 hash: 3bfe9cbc18aa1687a59f761efe236ea7
humanhash: september-august-romeo-idaho
File name:DeepLSetup (7).msi
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:57'355'776 bytes
First seen:2025-08-13 05:26:33 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 1572864:6t/OuBGxFHS5n9ClPXYj2wC8rigxJFL3bxg4j:+OegFC9CqCti/tg
TLSH T1A0C73324B17269D4E62FA7BFE0A95FC44430BCE1731BE66773783FA589B064611B2903
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter GDHJDSYDH1
Tags:backdoor dropper Gh0stRAT msi SilverFox ValleyRAT


Avatar
GDHJDSYDH1
C2:
103.235.46.115:443
27.124.21.207:5178
Reference:
https://hunting.abuse.ch/hunt/103.235.46.115/#sandnet

Intelligence

File Origin
# of uploads :
1
# of downloads :
229
Origin country :
US US
Vendor Threat Intelligence
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=689c2245642b4839d1b5acaa
Tags:
virus spawn
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
cmd lolbin obfuscated remote wix
Link:
https://www.filescan.io/uploads/689c223f2fbe0788fb1ec495/reports/78280199-8c2c-4cc3-a537-343c5cdeb949/overview
Verdict:
Suspicious
Link:
https://www.hybrid-analysis.com/sample/f4c45b94663e791fbb7d84b6eabec26f7bdef921f7bafe72934f00f2bc0259a8
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/f4c45b94663e791fbb7d84b6eabec26f7bdef921f7bafe72934f00f2bc0259a8
Score:
5%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/f4c45b94663e791fbb7d84b6eabec26f7bdef921f7bafe72934f00f2bc0259a8
Gathering data
Verdict:
Malicious
Threat:
Trojan.Win64.Agent
Link:
https://tip.neiki.dev/file/f4c45b94663e791fbb7d84b6eabec26f7bdef921f7bafe72934f00f2bc0259a8
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-08-13 05:14:31 UTC
File Type:
Binary (Archive)
Extracted files:
634
AV detection:
7 of 24 (29.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6tcfxfdghz4r7o35qs3ovpwcn55556jb665p44utj4apfpaclgua._file
Result
Malware family:
n/a
Score:
  6/10
Tags:
discovery
Link:
https://tria.ge/reports/250813-f5mrrafl6y/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Loads dropped DLL
Enumerates connected drives
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a9e4531c-ec59-46f4-b226-13e5aa81290f
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_MSI_LATAM_Banker_From_LatAm
Create hunting rule
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

ValleyRAT

Microsoft Software Installer (MSI) msi f4c45b94663e791fbb7d84b6eabec26f7bdef921f7bafe72934f00f2bc0259a8

(this sample)

ValleyRAT

zip 114b5c2ba2905d6333a8f9146df1c528a507ffc88a3da8c2344dff42ad8a8f97

anyrun
any.run
https://app.any.run/tasks/868be8f3-0819-4ec3-90fe-2e6eab62955e
  
Link
https://tria.ge/250813-f1h8rswtbv/behavioral2
  
Dropping
SHA256 114b5c2ba2905d6333a8f9146df1c528a507ffc88a3da8c2344dff42ad8a8f97
  
Dropping
MD5 9fd8063b0485c11146e5534d7f3a2662
  
Dropping
SHA256 7688c08ee19cd46ad76d0a27bcd4b5f596a9732eac66afb7f877f197c1886343
  
Dropping
MD5 b61f6547de40e0df3707757c35f54e74
  
Dropping
SHA256 2052aaf8fbc964dc9c4d78da7023d1bbe01eb873f44d5d40fb4b59b95c420c2e
  
Dropping
MD5 ca69691102b38ea5a46a0c00d17ede40

Comments