MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe53fccdb00110dae17b5831b4ba1e3f384ea44bfbf9306120b67db6278f0cad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValleyRAT


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fe53fccdb00110dae17b5831b4ba1e3f384ea44bfbf9306120b67db6278f0cad
SHA3-384 hash: 1afd8ed4223a259fd23eb5d2b71249c33578ae5fd18e9635bb0464e3cf1951473068cf15a15ad5f7a8eee2646c366d6d
SHA1 hash: a131f615f9691f17858cd6b5a66d56c6e91b7f5e
MD5 hash: 1235ec6b2b8ee3368a1edd646f83eef1
humanhash: uniform-tennis-skylark-glucose
File name:1235EC6B2B8EE3368A1EDD646F83EEF1.exe
Download: download sample
Signature ValleyRAT
Create hunting rule
File size:1'052'997 bytes
First seen:2025-07-14 12:55:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'447 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 24576:xnahIwNNYOuzd8mw8IfWPUHmcdNS8SJG923Yw5YZf:xahIwNNYOEnw8IfWPUH/dg8SJGZd
TLSH T1AC25D0C17960C4AFEE7759F2BD1FE53028EA7E9D6894810CAAE63F0D94B3251101FB16
TrID 80.0% (.EXE) Inno Setup installer (107240/4/30)
10.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
3.3% (.EXE) Win32 Executable (generic) (4504/4/1)
1.5% (.EXE) Win16/32 Executable Delphi generic (2072/23)
1.5% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon d4c09118383921a6 (1 x ValleyRAT)
Reporter abuse_ch
Tags:exe RAT ValleyRAT


Avatar
abuse_ch
ValleyRAT C2:
192.252.181.4:8088

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
192.252.181.4:8088 https://threatfox.abuse.ch/ioc/1556654/

Intelligence

File Origin
# of uploads :
1
# of downloads :
33
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1235EC6B2B8EE3368A1EDD646F83EEF1.exe
Verdict:
Malicious activity
Analysis date:
2025-07-14 13:00:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/317a870a-fd32-41fb-8a28-266f79a1c4ed

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/14234/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6874fe3d900df8e7f86a91d5
Tags:
extens virus spawn
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Restart of the analyzed sample
Creating a process with a hidden window
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Launching a process
Loading a suspicious library
Using the Windows Management Instrumentation requests
Enabling the 'hidden' option for recently created files
Creating a file
Connection attempt
Sending a custom TCP request
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context borland_delphi fingerprint installer overlay overlay packed
Link:
https://www.filescan.io/uploads/6874fe45a15b22faa8b12a0c/reports/7d99e6d0-6f98-4ce8-87a9-ebc23f591882/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/fe53fccdb00110dae17b5831b4ba1e3f384ea44bfbf9306120b67db6278f0cad
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/75ba7910-f7a6-4a9e-ab89-1a7f495fbdfe
Result
Threat name:
ValleyRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1736050
Signature
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Found malware configuration
Found stalling execution ending in API Sleep call
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sets debug register (to hijack the execution of another thread)
Sigma detected: Potentially Suspicious Child Process Of Regsvr32
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (QueryWinSAT)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected ValleyRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1736050 Sample: hb90j7GzOd.exe Startdate: 14/07/2025 Architecture: WINDOWS Score: 100 65 Suricata IDS alerts for network traffic 2->65 67 Found malware configuration 2->67 69 Malicious sample detected (through community Yara rule) 2->69 71 5 other signatures 2->71 12 hb90j7GzOd.exe 2 2->12         started        15 regsvr32.exe 2->15         started        process3 file4 57 C:\Users\user\AppData\...\hb90j7GzOd.tmp, PE32 12->57 dropped 17 hb90j7GzOd.tmp 6 12->17         started        process5 file6 41 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 17->41 dropped 43 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 17->43 dropped 45 C:\Users\user\AppData\Local\...\_RegDLL.tmp, PE32 17->45 dropped 20 hb90j7GzOd.exe 2 17->20         started        process7 file8 47 C:\Users\user\AppData\...\hb90j7GzOd.tmp, PE32 20->47 dropped 23 hb90j7GzOd.tmp 6 20->23         started        process9 file10 49 C:\Users\user\AppData\...\is-JNEBO.tmp, PE32+ 23->49 dropped 51 Windows_Patch_Dist..._Cert_v1.crt (copy), PE32+ 23->51 dropped 53 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 23->53 dropped 55 2 other files (none is malicious) 23->55 dropped 26 regsvr32.exe 23->26         started        process11 process12 28 regsvr32.exe 10 2 26->28         started        dnsIp13 59 192.252.181.4, 49721, 49722, 49766 BCPL-SGBGPNETGlobalASNSG United States 28->59 61 127.0.0.1 unknown unknown 28->61 73 System process connects to network (likely due to code injection or exploit) 28->73 75 Found stalling execution ending in API Sleep call 28->75 77 Contains functionality to inject threads in other processes 28->77 79 5 other signatures 28->79 32 powershell.exe 37 28->32         started        35 powershell.exe 37 28->35         started        signatures14 process15 signatures16 63 Loading BitLocker PowerShell Module 32->63 37 conhost.exe 32->37         started        39 conhost.exe 35->39         started        process17
Score:
44%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/fe53fccdb00110dae17b5831b4ba1e3f384ea44bfbf9306120b67db6278f0cad
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) Win 32 Exe x86
Link:
https://app.malva.re/file/1235ec6b2b8ee3368a1edd646f83eef1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fe53fccdb00110dae17b5831b4ba1e3f384ea44bfbf9306120b67db6278f0cad/
Threat name:
Win32.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-07-12 18:25:56 UTC
AV detection:
11 of 37 (29.73%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7zj7ztnqaeinvyl3lay3joq6h44e5jcl7p4tayjawz63mj4pbswq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
defense_evasion discovery
Link:
https://tria.ge/reports/250714-p6g3bsstew/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/9278fded-4692-429f-a2c4-887ff0838d64
Unpacked files
SH256 hash:
add1397b27214977ddf04e22eaf54d4b63d8ae184e462f83d347f784b5095d02
MD5 hash:
02d1a0b2c765916a7e4e24151437dcba
SHA1 hash:
0919c01dcd5100441f413cc2a89ea7b85ebb45e5
Link:
https://www.unpac.me/results/ada83af7-1d8c-4087-9949-d05c482de5d6/
SH256 hash:
a4c86fc4836ac728d7bd96e7915090fd59521a9e74f1d06ef8e5a47c8695fd81
MD5 hash:
4ff75f505fddcc6a9ae62216446205d9
SHA1 hash:
efe32d504ce72f32e92dcf01aa2752b04d81a342
Link:
https://www.unpac.me/results/ada83af7-1d8c-4087-9949-d05c482de5d6/
SH256 hash:
4dc09bac0613590f1fac8771d18af5be25a1e1cb8fdbf4031aa364f3057e74a2
MD5 hash:
0ee914c6f0bb93996c75941e1ad629c6
SHA1 hash:
12e2cb05506ee3e82046c41510f39a258a5e5549
Link:
https://www.unpac.me/results/ada83af7-1d8c-4087-9949-d05c482de5d6/
SH256 hash:
44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash:
9c8886759e736d3f27674e0fff63d40a
SHA1 hash:
ceff6a7b106c3262d9e8496d2ab319821b100541
Link:
https://www.unpac.me/results/ada83af7-1d8c-4087-9949-d05c482de5d6/
SH256 hash:
fe53fccdb00110dae17b5831b4ba1e3f384ea44bfbf9306120b67db6278f0cad
MD5 hash:
1235ec6b2b8ee3368a1edd646f83eef1
SHA1 hash:
a131f615f9691f17858cd6b5a66d56c6e91b7f5e
Link:
https://www.unpac.me/results/ada83af7-1d8c-4087-9949-d05c482de5d6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fe53fccdb00110dae17b5831b4ba1e3f384ea44bfbf9306120b67db6278f0cad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Indicator_MiniDumpWriteDump
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:ScanStringsInsocks5systemz
Create hunting rule
Author:Byambaa@pubcert.mn
Description:Scans presence of the found strings using the in-house brute force method
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:ValleyRAT
Create hunting rule
Author:NDA0E
Description:Detects ValleyRAT
Rule name:Windows_Generic_Threat_3055c14a
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Donutloader_f40e3759
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Winos_464b8a2e
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/14234/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
SECURITY_BASE_APIUses Security Base APIadvapi32.dll::AdjustTokenPrivileges
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CreateProcessA
advapi32.dll::OpenProcessToken
kernel32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryA
kernel32.dll::GetSystemInfo
kernel32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateDirectoryA
kernel32.dll::CreateFileA
kernel32.dll::DeleteFileA
kernel32.dll::GetWindowsDirectoryA
kernel32.dll::GetFileAttributesA
kernel32.dll::RemoveDirectoryA
WIN_BASE_USER_APIRetrieves Account Informationadvapi32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::PeekMessageA
user32.dll::CreateWindowExA

Comments