MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1fdb98c8cd8be48bed316bc6740c09922b24fe54134a21f9c6935798800e0ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d1fdb98c8cd8be48bed316bc6740c09922b24fe54134a21f9c6935798800e0ce
SHA3-384 hash: 84f3be971c0ecc4dcdf17c4ee5c3016aa635acc8a80f32d2731191fa2c17fbdc11506419915594dea343305f02ea224a
SHA1 hash: f5f4fefddd90193c2b96dea705f107d8a37d02ee
MD5 hash: aea38634fa0980e770ab7a6ef6f20761
humanhash: robin-river-west-carbon
File name:ValhallaDSP bundle 2025.5 CE.exe
Download: download sample
File size:12'850'487 bytes
First seen:2025-06-11 11:02:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 18d60425fd93eccbd964ff66b826efa1
ssdeep 196608:Z7M2I/K1sOYcRnUAGI542m7pxl6Zg31Pk5dKR1YD26WRX2kH/wDc6dIO4lMBx+Ne:FywsODnUg4dHcZYP4C1ZXX/wgUvIM9
TLSH T1E5D6232AF29E903DC85A173C4573EA205937BBF6B0314E1E62F83A08EB675055D3B167
TrID 62.3% (.EXE) Inno Setup installer (107240/4/30)
24.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
6.1% (.EXE) Win64 Executable (generic) (10522/11/4)
2.6% (.EXE) Win32 Executable (generic) (4504/4/1)
1.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
dhash icon 0f1796b2e0dc5d8e
Reporter Tester
Tags:exe malware

Intelligence

File Origin
# of uploads :
1
# of downloads :
529
Origin country :
PT PT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ValhallaDSP bundle 2025.5 CE.exe
Verdict:
No threats detected
Analysis date:
2025-06-11 11:04:14 UTC
Tags:
delphi inno installer
Link:
https://app.any.run/tasks/3789ba60-268d-4d59-bf9e-b93e921a893a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/8943/
Verdict:
Malicious
Score:
94.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=684962828bd5d68a12e7b0c5
Tags:
ransomware vmdetect dropper spawn
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context borland_delphi fingerprint installer masquerade overlay overlay packed packed packer_detected
Link:
https://www.filescan.io/uploads/68496285171e01f9593ce72a/reports/9eda62f7-7671-447f-8a0e-754daacf59cb/overview
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/d1fdb98c8cd8be48bed316bc6740c09922b24fe54134a21f9c6935798800e0ce
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/9e96f883-f459-4e2b-8e9c-169b799010e6
Result
Threat name:
n/a
Detection:
clean
Classification:
n/a
Score:
5 / 100
Link:
https://www.joesandbox.com/analysis/1712118
Behaviour
Behavior Graph:
n/a
Score:
75%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d1fdb98c8cd8be48bed316bc6740c09922b24fe54134a21f9c6935798800e0ce
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d1fdb98c8cd8be48bed316bc6740c09922b24fe54134a21f9c6935798800e0ce/
Verdict:
Susipicious
Link:
https://tip.neiki.dev/file/d1fdb98c8cd8be48bed316bc6740c09922b24fe54134a21f9c6935798800e0ce
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2h63tdem3c7erpwtc26goqgaterlet7fie2keh44ne2xtcaa4dha._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/250611-m5wg8azpw2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Checks installed software on the system
Drops desktop.ini file(s)
Executes dropped EXE
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b6056fd2-7835-4c39-b3f0-775cc2a3d2f9
Unpacked files
SH256 hash:
d1fdb98c8cd8be48bed316bc6740c09922b24fe54134a21f9c6935798800e0ce
MD5 hash:
aea38634fa0980e770ab7a6ef6f20761
SHA1 hash:
f5f4fefddd90193c2b96dea705f107d8a37d02ee
Link:
https://www.unpac.me/results/d8fff019-1824-4e5e-800c-20760155476b/
SH256 hash:
fa087ca751b29e9f71095729b6293338a54c63197f9cb61e5eb1d74b90f4353a
MD5 hash:
3ae5a6aad8185d9869d21f86d51b0970
SHA1 hash:
2e7e9970ee98ce6c043a855007b690934821bfcd
Link:
https://www.unpac.me/results/d8fff019-1824-4e5e-800c-20760155476b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d1fdb98c8cd8be48bed316bc6740c09922b24fe54134a21f9c6935798800e0ce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:HUNTING_SUSP_TLS_SECTION
Create hunting rule
Author:chaosphere
Description:Detect PE files with .tls section that can be used for anti-debugging
Reference:Practical Malware Analysis - Chapter 16
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/8943/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User Authorizationadvapi32.dll::AllocateAndInitializeSid
advapi32.dll::ConvertSidToStringSidW
advapi32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
advapi32.dll::EqualSid
advapi32.dll::FreeSid
SECURITY_BASE_APIUses Security Base APIadvapi32.dll::AdjustTokenPrivileges
advapi32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CreateProcessW
advapi32.dll::OpenProcessToken
advapi32.dll::OpenThreadToken
kernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryA
kernel32.dll::LoadLibraryExW
kernel32.dll::LoadLibraryW
kernel32.dll::GetDriveTypeW
kernel32.dll::GetVolumeInformationW
kernel32.dll::GetSystemInfo
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateDirectoryW
kernel32.dll::CreateFileW
kernel32.dll::DeleteFileW
kernel32.dll::GetWindowsDirectoryW
kernel32.dll::GetSystemDirectoryW
kernel32.dll::GetFileAttributesW
WIN_BASE_USER_APIRetrieves Account Informationadvapi32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExW
advapi32.dll::RegQueryValueExW
WIN_USER_APIPerforms GUI Actionsuser32.dll::PeekMessageW
user32.dll::CreateWindowExW

Comments


Avatar
commented on 2025-06-11 12:20:16 UTC

It has embed a virus/malware in itself. Beware