MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f857819e6e755ebae3f2d4907df767d16c7cdd9c3d4083dca308e1e7ad075295. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ValleyRAT


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 22 File information Comments

SHA256 hash: f857819e6e755ebae3f2d4907df767d16c7cdd9c3d4083dca308e1e7ad075295
SHA3-384 hash: f7c048a5dcb40ef7d833fee6b7e609412d8ad00bf81d97b0ac3ca556cfc36ecb197e9ab36d0ffdb20b1f7eae200bf8eb
SHA1 hash: 310ae7a31719f78c1279027ecb049ae0395444df
MD5 hash: 09662d5c52d41c17b06f7a3e0e64d466
humanhash: freddie-jersey-kitten-saturn
File name:f857819e6e755ebae3f2d4907df767d16c7cdd9c3d408.dll
Download: download sample
Signature ValleyRAT
File size:594'944 bytes
First seen:2026-01-14 02:40:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1777cd715eb912cff192a24f21ba3859 (1 x ValleyRAT)
ssdeep 6144:U9jfkiNc8LuAT/9MXtzR28CB1HMa69VZ4APMq1gjcOrEFQb04xGLcTRpC6D:qr3/4k5HD6VZ4AdOrkIt
TLSH T1A4C47D56E6E048FCC467C278CE975252EBF6B8190360BAEB07D199665F27BE1833D310
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:dll exe RAT ValleyRAT


Avatar
abuse_ch
ValleyRAT C2:
8.210.255.100:8443

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
8.210.255.100:8443 https://threatfox.abuse.ch/ioc/1732051/

Intelligence


File Origin
# of uploads :
1
# of downloads :
158
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
f857819e6e755ebae3f2d4907df767d16c7cdd9c3d4083dca308e1e7ad075295.dll
Verdict:
Malicious activity
Analysis date:
2026-01-13 20:44:07 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
92.5%
Tags:
obfusc overt crypt
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
crypto dllhost lolbin masquerade microsoft_visual_cc
Verdict:
Malicious
File Type:
dll x64
First seen:
2026-01-13T16:08:00Z UTC
Last seen:
2026-01-14T23:08:00Z UTC
Hits:
~100
Detections:
Backdoor.Win32.Xkcp.bzq Backdoor.Agent.TCP.C&C Backdoor.Agent.HTTP.C&C Backdoor.Xkcp.TCP.ServerRequest
Result
Threat name:
ValleyRAT
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Found malware configuration
Joe Sandbox ML detected suspicious sample
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected ValleyRAT
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1850356 Sample: f857819e6e755ebae3f2d4907df... Startdate: 14/01/2026 Architecture: WINDOWS Score: 100 46 Suricata IDS alerts for network traffic 2->46 48 Found malware configuration 2->48 50 Yara detected ValleyRAT 2->50 52 2 other signatures 2->52 8 loaddll64.exe 1 2->8         started        process3 signatures4 66 Writes to foreign memory regions 8->66 68 Allocates memory in foreign processes 8->68 11 cmd.exe 1 8->11         started        13 rundll32.exe 8->13         started        16 rundll32.exe 8->16         started        18 14 other processes 8->18 process5 signatures6 20 rundll32.exe 11->20         started        70 System process connects to network (likely due to code injection or exploit) 13->70 72 Writes to foreign memory regions 13->72 74 Allocates memory in foreign processes 13->74 24 dllhost.exe 13->24         started        26 dllhost.exe 16->26         started        28 dllhost.exe 16->28 injected 30 dllhost.exe 18->30         started        32 dllhost.exe 18->32         started        34 dllhost.exe 18->34         started        36 9 other processes 18->36 process7 dnsIp8 42 47.243.236.74, 443, 49714, 49715 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC United States 20->42 54 Writes to foreign memory regions 20->54 56 Allocates memory in foreign processes 20->56 38 dllhost.exe 3 20->38         started        signatures9 process10 dnsIp11 44 8.210.255.100, 443, 49716, 49720 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC Singapore 38->44 58 Contains functionality to inject threads in other processes 38->58 60 Contains functionality to capture and log keystrokes 38->60 62 Contains functionality to inject code into remote processes 38->62 64 Unusual module load detection (module proxying) 38->64 signatures12
Gathering data
Result
Malware family:
valleyrat_s2
Score:
  10/10
Tags:
family:valleyrat_s2 backdoor discovery
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Enumerates connected drives
Badlisted process makes network request
Detects ValleyRAT payload
ValleyRat
Valleyrat_s2 family
Malware Config
C2 Extraction:
8.210.255.100:8443
8.210.255.100:443
127.0.0.1:80
Unpacked files
SH256 hash:
f857819e6e755ebae3f2d4907df767d16c7cdd9c3d4083dca308e1e7ad075295
MD5 hash:
09662d5c52d41c17b06f7a3e0e64d466
SHA1 hash:
310ae7a31719f78c1279027ecb049ae0395444df
Malware family:
ValleyRAT
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:CAS_Malware_Hunting
Author:Michael Reinprecht
Description:DEMO CAS YARA Rules for sample2.exe
Rule name:cobalt_strike_tmp01925d3f
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:GenericGh0st
Author:Still
Rule name:Gh0stKCP
Author:Netresec
Description:Detects HP-Socket ARQ and KCP implementations, which are used in Gh0stKCP. Forked from @stvemillertime's KCP catchall rule.
Reference:https://netresec.com/?b=259a5af
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:malware_shellcode_hash
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_peb_parsing
Author:Willi Ballenthin
Rule name:pe_no_import_table
Description:Detect pe file that no import table
Rule name:RANSOMWARE
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:ThreadControl__Context
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Generic_Threat_4b0b73ce
Author:Elastic Security
Rule name:Windows_Trojan_Winos_464b8a2e
Author:Elastic Security
Rule name:win_valley_rat_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.valley_rat.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments