valleyrat_s2 | 0d3cc26534eee5d7d387f1e718299e30909cc192858f6a46646d2b0c85debe8b | Triage

Sharing

General

Target

0d3cc26534eee5d7d387f1e718299e30909cc192858f6a46646d2b0c85debe8b.exe
Size

2.7MB
Sample

250330-sj53estlw2
MD5

2c54a502a6e895067b44c10518cc526b
SHA1

be97549d3a00f0e33787998145d4498b1bb06860
SHA256

0d3cc26534eee5d7d387f1e718299e30909cc192858f6a46646d2b0c85debe8b
SHA512

720862858a1d9f428772e940ab9a15cf4b915afb15ae983a532bb27e1c59671cd28a7f1ffc7fffb3ce45b0c91697739d5c07338c3e9b15e566d8376aceee1025
SSDEEP

49152:m1dJHUNmnJgPa4g5X9IrE76Iech3cfxVfCzhJTzkaNogFZDqVnDnE:m1P0NAJgar5tIrOFech3cfvfCtJTzkIR

Score

10^/10

valleyrat_s2 backdoor discovery execution

Malware Config

Extracted

Family

valleyrat_s2

Version

1.0

C2

154.44.8.39:443

154.44.8.39:80

154.44.8.39:8011

Attributes

campaign_date
2025. 3. 7

Targets

- Target
  
  0d3cc26534eee5d7d387f1e718299e30909cc192858f6a46646d2b0c85debe8b.exe
- Size
  
  2.7MB
- MD5
  
  2c54a502a6e895067b44c10518cc526b
- SHA1
  
  be97549d3a00f0e33787998145d4498b1bb06860
- SHA256
  
  0d3cc26534eee5d7d387f1e718299e30909cc192858f6a46646d2b0c85debe8b
- SHA512
  
  720862858a1d9f428772e940ab9a15cf4b915afb15ae983a532bb27e1c59671cd28a7f1ffc7fffb3ce45b0c91697739d5c07338c3e9b15e566d8376aceee1025
- SSDEEP
  
  49152:m1dJHUNmnJgPa4g5X9IrE76Iech3cfxVfCzhJTzkaNogFZDqVnDnE:m1P0NAJgar5tIrOFech3cfvfCtJTzkIR
Score

10^/10

valleyrat_s2 backdoor discovery execution
- ValleyRat
  ValleyRat stage2 is a backdoor written in C++.
  backdoor valleyrat_s2
- Valleyrat_s2 family
  valleyrat_s2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Enumerates processes with tasklist
  discovery
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Process Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

valleyrat_s2backdoordiscoveryexecution

behavioral2

valleyrat_s2backdoordiscoveryexecution