MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e46af3ca215225eb82217aed0028cb46ac97fb5631fac9a96a1aa68cd9ce9d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ValkyrieStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 29 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1e46af3ca215225eb82217aed0028cb46ac97fb5631fac9a96a1aa68cd9ce9d1
SHA3-384 hash: 42bf905b39fb6c405110a44da2a4b7a2be08a7e408557547b2e1590bb6c3f06776b61a8937bb254f4ee7867e08179e86
SHA1 hash: 25a75e2a46178bb8c3b73630ff20922dcdbcb41b
MD5 hash: acd2186001937668e15cd37f6151affb
humanhash: ack-sixteen-cat-nineteen
File name:1e46af3ca215225eb82217aed0028cb46ac97fb5631fac9a96a1aa68cd9ce9d1.bin.exe
Download: download sample
Signature ValkyrieStealer
Create hunting rule
File size:6'131'200 bytes
First seen:2025-11-16 15:39:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 98304:hycfaLpIqoyR6EytdzO17Yqc6zbrHVc8xBi6IpkNx8cYw:NaLpboyQEytRO17Yqfz+N6IkPY
TLSH T15C56335D671F7476E6CA6EBF64DF00539B2981D7D8F206EB9B1D08CD416B2021EEA08C
TrID 45.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.3% (.EXE) OS/2 Executable (generic) (2029/13)
18.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.0% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe ValkyrieStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
109
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1e46af3ca215225eb82217aed0028cb46ac97fb5631fac9a96a1aa68cd9ce9d1.bin.exe
Verdict:
Malicious activity
Analysis date:
2025-10-31 10:08:29 UTC
Tags:
github evasion anti-evasion valkyrie stealer ip-check themida antivm arch-doc
Link:
https://app.any.run/tasks/9d71a09a-2ad9-46fa-bb50-5bb93d6566a1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/38350/
Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6919f074434cd67b17c21c98
Tags:
virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Connection attempt
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
expand lolbin masquerade microsoft_visual_cc obfuscated oreans_codevirtualizer packed packed themidawinlicense
Link:
https://www.filescan.io/uploads/6919f06f53bda2a5d9f6d080/reports/a120fcde-74d8-4925-91f1-4c5eb3bf172c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/1e46af3ca215225eb82217aed0028cb46ac97fb5631fac9a96a1aa68cd9ce9d1
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-10-31T07:21:00Z UTC
Last seen:
2025-11-17T23:28:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/1e46af3ca215225eb82217aed0028cb46ac97fb5631fac9a96a1aa68cd9ce9d1/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/bc0fbb96-78d6-4c3a-be00-9905e1d7444b
Result
Threat name:
Valkyrie Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1814899
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Leaks process information
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Unusual module load detection (module proxying)
Uses WMIC command to query system information (often done to detect virtual machines)
Writes to foreign memory regions
Yara detected Valkyrie Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1814899 Sample: yjcyBPLHgu.exe Startdate: 16/11/2025 Architecture: WINDOWS Score: 100 34 lylred.space 2->34 36 steamcommunity.com 2->36 38 3 other IPs or domains 2->38 46 Suricata IDS alerts for network traffic 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 Antivirus detection for URL or domain 2->50 52 10 other signatures 2->52 8 yjcyBPLHgu.exe 68 2->8         started        signatures3 process4 dnsIp5 40 lylred.space 172.67.147.27, 49753, 80 CLOUDFLARENETUS United States 8->40 42 ipwhois.app 15.204.213.5, 443, 49746 HP-INTERNET-ASUS United States 8->42 44 4 other IPs or domains 8->44 32 C:\Users\user\AppData\Local\...\Valkyrie.zip, Zip 8->32 dropped 54 Detected unpacking (changes PE section rights) 8->54 56 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->56 58 Found many strings related to Crypto-Wallets (likely being stolen) 8->58 60 10 other signatures 8->60 13 cmd.exe 1 8->13         started        16 powershell.exe 16 8->16         started        18 msedge.exe 8->18         started        20 chrome.exe 8->20         started        file6 signatures7 process8 signatures9 62 Uses WMIC command to query system information (often done to detect virtual machines) 13->62 22 WMIC.exe 1 13->22         started        24 conhost.exe 13->24         started        64 Found many strings related to Crypto-Wallets (likely being stolen) 16->64 26 conhost.exe 16->26         started        28 WerFault.exe 1 16 18->28         started        30 WerFault.exe 16 20->30         started        process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1e46af3ca215225eb82217aed0028cb46ac97fb5631fac9a96a1aa68cd9ce9d1
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/acd2186001937668e15cd37f6151affb
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1e46af3ca215225eb82217aed0028cb46ac97fb5631fac9a96a1aa68cd9ce9d1/
Verdict:
Malicious
Threat:
Trojan-GameThief.MSIL.Worgtop
Link:
https://tip.neiki.dev/file/1e46af3ca215225eb82217aed0028cb46ac97fb5631fac9a96a1aa68cd9ce9d1
Threat name:
Win64.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-10-31 10:08:31 UTC
File Type:
PE+ (Exe)
AV detection:
22 of 36 (61.11%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dzdk6pfccurf5obcc6xnaaumwrvms75vmmp2zguwugvgrtm45hiq._file
Verdict:
malicious
Label(s):
valkyriestealer
Create hunting rule
Similar samples:
error
ValkyrieStealer
Result
Malware family:
n/a
Score:
  9/10
Tags:
defense_evasion
Link:
https://tria.ge/reports/251116-s4fm9sfm8x/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Checks BIOS information in registry
Looks for VMWare Tools registry key
Enumerates VirtualBox registry keys
Looks for VirtualBox Guest Additions in registry
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d6f4af33-2192-4d43-84d1-952b9dd20141
Unpacked files
SH256 hash:
1e46af3ca215225eb82217aed0028cb46ac97fb5631fac9a96a1aa68cd9ce9d1
MD5 hash:
acd2186001937668e15cd37f6151affb
SHA1 hash:
25a75e2a46178bb8c3b73630ff20922dcdbcb41b
Link:
https://www.unpac.me/results/3d92c5f7-8e15-497e-88c1-cd7df477870d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.97
Link:
https://yomi.yoroi.company/submissions/1e46af3ca215225eb82217aed0028cb46ac97fb5631fac9a96a1aa68cd9ce9d1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:Check_Qemu_DeviceMap
Create hunting rule
Rule name:Check_VBox_DeviceMap
Create hunting rule
Rule name:Check_VBox_Guest_Additions
Create hunting rule
Rule name:Check_VmTools
Create hunting rule
Rule name:Check_VMWare_DeviceMap
Create hunting rule
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:HKTL_Meterpreter_inMemory
Create hunting rule
Author:netbiosX, Florian Roth
Description:Detects Meterpreter in-memory
Reference:https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:Macos_Infostealer_Wallets_8e469ea0
Create hunting rule
Author:Elastic Security
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:ReflectiveLoader
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:Internal Research
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:SUSP_ENV_Folder_Root_File_Jan23_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects suspicious file path pointing to the root of a folder easily accessible via environment variables
Reference:Internal Research
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:WHIRLPOOL_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for WhirlPool constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ValkyrieStealer

Executable exe 1e46af3ca215225eb82217aed0028cb46ac97fb5631fac9a96a1aa68cd9ce9d1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3704835/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/38350/

Comments