MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 398e1697d64f6d55c480dd9056fd079203936600fd2679760644914cf13df8ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 398e1697d64f6d55c480dd9056fd079203936600fd2679760644914cf13df8ec
SHA3-384 hash: 081bc9f6a741f3ab118e0177445a70be3aa9a34a5997a4f33e3840c7e79c4469577ef3d5a7d61bdfd128d1ac75959357
SHA1 hash: 1049d29f71c01b4ed3b3b6be01da55f51d0008f5
MD5 hash: f503e84d77257e02e618494ed3711f7a
humanhash: nebraska-earth-carpet-five
File name:Clash.Verge_2.4.4_x64-setup.exe
Download: download sample
File size:47'553'772 bytes
First seen:2026-01-27 07:44:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 573bb7b41bc641bd95c0f5eec13c233b (28 x GuLoader, 16 x VIPKeylogger, 13 x RemcosRAT)
ssdeep 786432:becmGlm4w+tzAgIAysmqCrne5LDuFvyoG5ziPRchYVsjqkW73Y3vB/f1ZzyphL:b3Hw+tzAqysmdre566oQGpaqkWrY5/76
Threatray 4 similar samples on MalwareBazaar
TLSH T188A733A54A745189C27481BD1AF31E24B9B0C4F1F525ABF84E6EE21AB13CF534C82E7D
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter zhuzhu0009
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
106
Origin country :
SC SC
Vendor Threat Intelligence
Gathering data
Malware family:
n/a
ID:
1
File name:
Clash.Verge_2.4.4_x64-setup.exe
Verdict:
No threats detected
Analysis date:
2026-01-27 07:49:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0ef4dbe1-fa39-4236-9746-63582fd24daa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69786cf76fa3eed1652f6b2a
Tags:
n/a
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug base64 blackhole crypt golang installer installer installer-heuristic microsoft_visual_cc nemesis nsis packed soft-404
Link:
https://www.filescan.io/uploads/69786ce9c943f4f722170de4/reports/9c3cd68c-3ec6-4cf6-8ca3-46ff900cc43b/overview
Verdict:
Malicious
Labled as:
Trojan.Wacatac
Link:
https://www.hybrid-analysis.com/sample/398e1697d64f6d55c480dd9056fd079203936600fd2679760644914cf13df8ec
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-01-22T23:32:00Z UTC
Last seen:
2026-01-29T04:02:00Z UTC
Hits:
~10
Detections:
Trojan.Win64.Agentb.sb Trojan.Win32.Shellcode.sb Trojan.Win32.Agent.sb Backdoor.Win32.Agentb.sb Backdoor.Agent.TCP.C&C Trojan.Win32.Shellcode.lcx
Link:
https://opentip.kaspersky.com/398e1697d64f6d55c480dd9056fd079203936600fd2679760644914cf13df8ec/results?tab=lookup
Score:
90%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/398e1697d64f6d55c480dd9056fd079203936600fd2679760644914cf13df8ec
Gathering data
Verdict:
Malicious
Threat:
Trojan.Win32.Shellcode
Link:
https://tip.neiki.dev/file/398e1697d64f6d55c480dd9056fd079203936600fd2679760644914cf13df8ec
Threat name:
Win32.Trojan.Kepavll
Create hunting rule
Status:
Malicious
First seen:
2026-01-27 00:04:24 UTC
File Type:
PE (Exe)
Extracted files:
184
AV detection:
17 of 38 (44.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hghbnf6wj5wvlrea3wifn7ihsibzgzqa7uths5qgisiuz4j57dwa._file
Verdict:
malicious
Label(s):
valleyrat
Create hunting rule
Similar samples:
06fbe6ea88df54d1d4e2e50cac0c44874c8a4e2e2e7dab623938f38fea70dcf4
error
fc4e73426643c89b7047cb0a427e068960a9f432da8dd231282e30dd29fdc9a4
Result
Malware family:
n/a
Score:
  10/10
Tags:
defense_evasion discovery persistence privilege_escalation trojan
Link:
https://tria.ge/reports/260127-jk6kxaf19h/
Behaviour
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Loads dropped DLL
Malware family:
ValleyRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/398e1697d64f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments