MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 019e0ded6cc8e5524f78fed06f17c3ac00222b5c0204a6ce2691a2775699846e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 15

Intelligence 15 IOCs YARA 5 File information Comments

SHA256 hash:	019e0ded6cc8e5524f78fed06f17c3ac00222b5c0204a6ce2691a2775699846e
SHA3-384 hash:	88f6e838705b1cf2fa170b45e757a06aeb70cdcac8eeac63b368db16d0dd83b81d53de4c677884dd28d5e51098e9b6fe
SHA1 hash:	460f1eac16e2300d234b4d9d997bc99df1cefa61
MD5 hash:	57b56d40e53d65137bce9db182b0efe2
humanhash:	juliet-autumn-eight-five
File name:	64位安装包_特別版_233_S.exe
Download:	download sample
File size:	1'210'880 bytes
First seen:	2026-01-19 01:21:33 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fc1511793129e48f3058bf759a59eb3a (1 x ValleyRAT)
ssdeep	12288:TH+Ec/7YYrbfCohS1MV5yODD8EHEiSXAVzZiB1HbDUMluC00izdCZNaKhqT+:MYWVk8dEgYvDhldNaKI
TLSH	T127458E16BBAC00F9E1E7923CC962C616E27ABC465361E7DF02941A5B2F339D14E7D720
TrID	48.7% (.EXE) Win64 Executable (generic) (10522/11/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	Ling
Tags:	exe Malgent Trojan:Win32/Malgent!MSR

CNGaoLing

This sample has been reviewed by Microsoft researchers and determined to be malware. (Trojan:Win32/Malgent!MSR)

Intelligence

File Origin

# of uploads :

# of downloads :

141

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

ValleyFall

Details

Link:

https://research.acce.ciphertechsolutions.com/results/9212e8f3-6a9d-401b-8ad2-f3663b6fa74d/

Malware family:

n/a

ID:

File name:

64位安装包_特別版_233_S.exe

Verdict:

Malicious activity

Analysis date:

2026-01-18 21:45:55 UTC

Tags:

uac

Link:

https://app.any.run/tasks/04c5b00e-50f2-4bf1-9d74-c397b9c490ca

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

WinosStager

Link:

https://www.capesandbox.com/analysis/49285/

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=696d8750bcad3327ec063a1f

Tags:

malware

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug anti-vm base64 cmd evasive evasive exploit explorer fingerprint installer-heuristic lolbin microsoft_visual_cc uacme unsafe

Link:

https://www.filescan.io/uploads/696d874d3dd9d209505942e7/reports/819715eb-43a8-4fc9-8421-91dfaa69bcd5/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/019e0ded6cc8e5524f78fed06f17c3ac00222b5c0204a6ce2691a2775699846e

Verdict:

Malicious

File Type:

exe x64

First seen:

2026-01-18T18:47:00Z UTC

Last seen:

2026-01-18T19:07:00Z UTC

Hits:

~10

Detections:

Trojan-Dropper.Win32.Agent.sb HEUR:HackTool.Win64.UACme.gen

Link:

https://opentip.kaspersky.com/019e0ded6cc8e5524f78fed06f17c3ac00222b5c0204a6ce2691a2775699846e/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/f0c52fec-cd0f-4861-badc-0d8229d1d188

Score:

84%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/019e0ded6cc8e5524f78fed06f17c3ac00222b5c0204a6ce2691a2775699846e

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/57b56d40e53d65137bce9db182b0efe2

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/019e0ded6cc8e5524f78fed06f17c3ac00222b5c0204a6ce2691a2775699846e/

Verdict:

Malicious

Threat:

HackTool.Win64.UACme

Link:

https://tip.neiki.dev/file/019e0ded6cc8e5524f78fed06f17c3ac00222b5c0204a6ce2691a2775699846e

Threat name:

Win64.Backdoor.Valleyrat

Status:

Suspicious

First seen:

2026-01-18 22:48:53 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

11 of 24 (45.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=agpa33lmzdsvet3y73ig6f6dvqacek24aickntrgsgrhovuzqrxa._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/260119-bref1act5b/

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/e2c2a4d2-22e4-4479-818c-ed7a84115645

Unpacked files

SH256 hash:

019e0ded6cc8e5524f78fed06f17c3ac00222b5c0204a6ce2691a2775699846e

MD5 hash:

57b56d40e53d65137bce9db182b0efe2

SHA1 hash:

460f1eac16e2300d234b4d9d997bc99df1cefa61

Link:

https://www.unpac.me/results/615e5fb1-8909-461a-a15a-913f8120c08c/

SH256 hash:

9489347497ef832c730ac555150894f9f5137f086df82b9c47da2d83f8d7f603

MD5 hash:

1e8c40caf0338a165b11260a812b044b

SHA1 hash:

3d4603a23ffe5e424376072540b896664e8abdfa

Link:

https://www.unpac.me/results/615e5fb1-8909-461a-a15a-913f8120c08c/

Malware family:

ValleyRAT

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/019e0ded6cc8/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/019e0ded6cc8e5524f78fed06f17c3ac00222b5c0204a6ce2691a2775699846e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	WinosStager Create hunting rule
Author:	YungBinary
Description:	https://www.esentire.com/blog/winos4-0-online-module-staging-component-used-in-cleversoar-campaign

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 019e0ded6cc8e5524f78fed06f17c3ac00222b5c0204a6ce2691a2775699846e

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/49285/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample