MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f8f2e7bfd2556f53b3828efa5aa6b54a75faa77d88b369ea314e8e9c8f65b261. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ValleyRAT


Vendor detections: 17



SHA256 hash: f8f2e7bfd2556f53b3828efa5aa6b54a75faa77d88b369ea314e8e9c8f65b261
SHA3-384 hash: 179b5ce2ffd43a0c7ee4146cc0c8c4b1bcee761483531a986e620c8e7db7abc8d6a0d1cf2b466cb3db2d413c18bd7a70
SHA1 hash: bf97fe56ccf16a222858a6b29968247af8710431
MD5 hash: 4eea5c2000d91f819c00dcecfc0aa0e7
humanhash: utah-fish-victor-glucose
File name: 4EEA5C2000D91F819C00DCECFC0AA0E7.exe
Signature: ValleyRAT
File size: 1'109'438 bytes
First seen: 2025-05-23 17:25:24 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c38362e0e37590c08f252fc98b1f0136 (11 x ValleyRAT, 1 x Blackmoon, 1 x AsyncRAT)
ssdeep: 24576:F+ulpVcg88E3rFpFNsyX2M6BAk+vqIFvjZKf4xPIsT:culB+LFBX2M64X9c4xPBT
Threatray: 305 similar samples on MalwareBazaar
TLSH: T1433533578D2C723CFA0927F6488A1CF4967DDEF40082CEA55D9A0D9C24BCF69DBA9407
TrID: 54.9% (.EXE) UPX compressed Win32 Executable (27066/9/6)
      13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
      9.1% (.EXE) Win32 Executable (generic) (4504/4/1)
      4.1% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
Reporter: abuse_ch
Tags: exe RAT ValleyRAT


abuse_ch
ValleyRAT C2:
23.249.29.68:2968

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 23.249.29.68:2968
ThreatFox Reference: https://threatfox.abuse.ch/ioc/1533021/

Intelligence


File Origin
# of uploads: 1
# of downloads: 627
Origin country: NL
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 4EEA5C2000D91F819C00DCECFC0AA0E7.exe
Verdict: Malicious activity
Analysis date: 2025-05-23 18:20:14 UTC
Tags: silverfox backdoor valleyrat winos rat auto-reg upx

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Verdict: Malicious
Score: 99.1%
Tags: emotet virus spawn sage
Result
Verdict: Malware
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Forced system process termination
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating synchronization primitives
Connection attempt
Sending a custom TCP request
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: adaptive-context babar crypt crypto fingerprint keylogger microsoft_visual_cc overlay overlay packed packed packed packed packer_detected upx xpack
Result
Threat name: GhostRat, ValleyRAT
Detection: malicious
Classification: rans.troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to capture and log keystrokes
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Contains functionality to register a low level keyboard hook
Contains functionality to change the wallpaper
Found malware configuration
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Searches for specific processes (likely to inject)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
Yara detected GhostRat
Yara detected ValleyRAT
Behaviour
Behavior Graph (ID 1698150; sample LzRizjcK7o.exe; start date 23/05/2025; architecture WINDOWS; score 100). Information recoverable from the graph image:
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus / Scanner detection for submitted sample; 7 other signatures
Process tree:
LzRizjcK7o.exe (started)
  dropped: C:\Users\user\AppData\Local\Temp\...\sg.tmp, PE32
  signatures: Contains functionality to change the wallpaper; Contains functionality to infect the boot sector; Contains functionality to register a low level keyboard hook; 2 other signatures
  started: try.exe
    network: 23.249.29.68, ports 2967, 2968, 49715 (ZNETUS, United States)
    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Contains functionality to inject threads in other processes; 2 other signatures
  started: sg.tmp
    dropped: C:\Users\user\AppData\Local\Temp\...\try.exe, PE32
    started: conhost.exe
  started: cmd.exe
    started: conhost.exe
try.exe (started)
try.exe (started)
Threat name: Win32.Trojan.FatalRAT
Status: Malicious
First seen: 2025-05-21 20:40:23 UTC
File Type: PE (Exe)
Extracted files: 3
AV detection: 28 of 38 (73.68%)
Threat level: 5/5
Result
Malware family: valleyrat_s2
Score: 10/10
Tags: family:valleyrat_s2 backdoor discovery persistence upx
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
UPX packed file
Adds Run key to start application
Enumerates connected drives
Executes dropped EXE
ValleyRat
Valleyrat_s2 family
Malware Config
C2 Extraction:
23.249.29.68:2968
23.249.29.68:2967
23.249.29.68:2966
Verdict: Malicious
Tags: Win.Malware.Fragtor-10028386-0
YARA: n/a
Unpacked files
SHA256 hash: f8f2e7bfd2556f53b3828efa5aa6b54a75faa77d88b369ea314e8e9c8f65b261
MD5 hash: 4eea5c2000d91f819c00dcecfc0aa0e7
SHA1 hash: bf97fe56ccf16a222858a6b29968247af8710431

SHA256 hash: efe17dff8fa885045053e1cd2e3f4bf76e086ba6639bc5501f3b253ec30b56ba
MD5 hash: 3a0ba6593b76ae4f1ee8c6f31622b55b
SHA1 hash: 9b8afc927dea9fbce60cbf1862073fc36b4071e5

SHA256 hash: 2275c2e889ea1658d3ee6765f6ea4c74ada88e864b3603d0b46e63fb6eb14444
MD5 hash: c47e12099079941d8bcb483520ed686b
SHA1 hash: 98484bc86fec5b58f94d7a502eaa081b889f92e2
Detections: win_valley_rat_auto

SHA256 hash: 6cc6a5a28754f3fd7573d8d3d4409b312a85555ab90fe2697ddd1138723ce6eb
MD5 hash: c53253cd5de71df7ab02d9934a4abfda
SHA1 hash: 4f802c021662082df534d27639ea29d68dab6095

Malware family: ValleyRAT
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: NET
Author: malware-lu
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)
Rule name: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu
Rule name: UPXv20MarkusLaszloReiser
Author: malware-lu
Rule name: upx_largefile
Author: k3nr9

File information


The table below shows additional information about this malware sample such as delivery method and external references.
