MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ffc89638df4301aedb7a018f2bec7f929abe03de04ebfe040d5a53272582e618. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ValleyRAT


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 14 File information Comments

SHA256 hash: ffc89638df4301aedb7a018f2bec7f929abe03de04ebfe040d5a53272582e618
SHA3-384 hash: ceff6975a8b8f26895decb4faeba42c4f44d9b97bc12bba50fbe3a268d469e0b45af515866a81013987fd8a1b5b753b5
SHA1 hash: 94217788f1a01dd34c5303f64b905cd47a674679
MD5 hash: 9e7092a1e450096e19d0fa75f6de2e2e
humanhash: oxygen-angel-vermont-lion
File name:kernel32.exe
Download: download sample
Signature ValleyRAT
File size:65'610 bytes
First seen:2026-01-14 13:50:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 05482834eabaa8536ebbfac6b783f546 (1 x ValleyRAT)
ssdeep 384:0apO4cEYOy2NdCI30I4WISfngEAQboGi0+SE1AoN5FqNfzZJ4CeHFH5mZgalQz6e:ZispNdbb4WOG3+H5FQf/elURQzh55qti
Threatray 889 similar samples on MalwareBazaar
TLSH T155535C2B39D14233C492C1B594B0CB139A3F9522032199E7EB805BDEAD71AE6D53E30F
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10522/11/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
Reporter abuse_ch
Tags:exe RAT ValleyRAT


Avatar
abuse_ch
ValleyRAT C2:
103.121.93.78:8668

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
103.121.93.78:8668 https://threatfox.abuse.ch/ioc/1732225/

Intelligence


File Origin
# of uploads :
1
# of downloads :
142
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
_ffc89638df4301aedb7a018f2bec7f929abe03de04ebfe040d5a53272582e618.exe
Verdict:
No threats detected
Analysis date:
2026-01-14 13:51:09 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
94.9%
Tags:
autorun emotet zbot
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug lolbin microsoft_visual_cc overlay schtasks
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-01-14T10:55:00Z UTC
Last seen:
2026-01-14T12:41:00Z UTC
Hits:
~10
Detections:
Backdoor.Agent.TCP.C&C HEUR:Trojan.Multi.Shellcode.gen Trojan-Spy.Win32.KeyLogger.sba PDM:Trojan.Win32.Generic HEUR:Backdoor.Win32.Xkcp.gen Backdoor.Xkcp.TCP.ServerRequest Trojan-Spy.Win32.Stealer.sb Backdoor.Win32.Xkcp.a
Result
Threat name:
ValleyRAT
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Sigma detected: Potential WinAPI Calls Via CommandLine
Suricata IDS alerts for network traffic
Unusual module load detection (module proxying)
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected ValleyRAT
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1850564 Sample: kernel32.exe Startdate: 14/01/2026 Architecture: WINDOWS Score: 100 23 Suricata IDS alerts for network traffic 2->23 25 Found malware configuration 2->25 27 Antivirus detection for URL or domain 2->27 29 6 other signatures 2->29 7 kernel32.exe 10 7 2->7         started        11 kernel32.exe 1 6 2->11         started        process3 dnsIp4 21 103.121.93.78, 2323, 49718, 49723 BSYNTCL-AS-APBeijingShijihulianYuntongNetworkTechnology China 7->21 31 Detected unpacking (creates a PE file in dynamic memory) 7->31 33 Contains functionality to inject threads in other processes 7->33 35 Contains functionality to capture and log keystrokes 7->35 37 3 other signatures 7->37 13 schtasks.exe 1 7->13         started        15 schtasks.exe 1 11->15         started        signatures5 process6 process7 17 conhost.exe 13->17         started        19 conhost.exe 15->19         started       
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86
Threat name:
Win32.Backdoor.ValleyRAT
Status:
Malicious
First seen:
2026-01-14 13:50:42 UTC
File Type:
PE (Exe)
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Result
Malware family:
valleyrat_s2
Score:
  10/10
Tags:
family:valleyrat_s2 backdoor discovery execution persistence
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Enumerates connected drives
Detects ValleyRAT payload
ValleyRat
Valleyrat_s2 family
Unpacked files
SH256 hash:
ffc89638df4301aedb7a018f2bec7f929abe03de04ebfe040d5a53272582e618
MD5 hash:
9e7092a1e450096e19d0fa75f6de2e2e
SHA1 hash:
94217788f1a01dd34c5303f64b905cd47a674679
Malware family:
ValleyRAT
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:GenericGh0st
Author:Still
Rule name:Gh0stKCP
Author:Netresec
Description:Detects HP-Socket ARQ and KCP implementations, which are used in Gh0stKCP. Forked from @stvemillertime's KCP catchall rule.
Reference:https://netresec.com/?b=259a5af
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:malware_shellcode_hash
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_peb_parsing
Author:Willi Ballenthin
Rule name:pe_no_import_table
Description:Detect pe file that no import table
Rule name:ThreadControl__Context
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Generic_Threat_4b0b73ce
Author:Elastic Security
Rule name:Windows_Trojan_Winos_464b8a2e
Author:Elastic Security
Rule name:win_valley_rat_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.valley_rat.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ValleyRAT

Executable exe ffc89638df4301aedb7a018f2bec7f929abe03de04ebfe040d5a53272582e618

(this sample)

  
Delivery method
Distributed via web download

Comments