valleyrat_s2 | d6387be78d258a820e4cb35ec53c65d52a813b63147488629b56269f6648adc1 | Triage

Submit
Reports

Overview

overview

Static

static

3

d6387be78d...c1.dll

windows7-x64

d6387be78d...c1.dll

windows10-2004-x64

Sharing

General

Target

d6387be78d258a820e4cb35ec53c65d52a813b63147488629b56269f6648adc1
Size

107KB
Sample

250331-e2977swjy6
MD5

3198b729513bf5a65e39be989298079b
SHA1

a79a312a5c8884ec4b51aa4d776ba5793de09ffc
SHA256

d6387be78d258a820e4cb35ec53c65d52a813b63147488629b56269f6648adc1
SHA512

05c6431a07aad1f276431d99beb4f4dd8e247bde96084cbe5ae0bce01ca262827e96a9187aec4d3dd41c08afde594d1bb98217dfe09718bb4eb3907e0f2bde2e
SSDEEP

3072:bw0WMZYV7iTQbXAukRJtps7Fo/3e6Uege/EYpVPVZ:bw0xGVQGXAu2iQV9

Score

10^/10

valleyrat_s2 backdoor

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

d6387be78d258a820e4cb35ec53c65d52a813b63147488629b56269f6648adc1.dll

Resource

win7-20241023-en

valleyrat_s2 backdoor

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

d6387be78d258a820e4cb35ec53c65d52a813b63147488629b56269f6648adc1.dll

Resource

win10v2004-20250314-en

valleyrat_s2 backdoor

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

valleyrat_s2

Version

1.0

C2

43.225.58.178:6666

43.225.58.178:8888

43.225.58.178:7777

Attributes

campaign_date
2025. 3.30

Targets

- Target
  
  d6387be78d258a820e4cb35ec53c65d52a813b63147488629b56269f6648adc1
- Size
  
  107KB
- MD5
  
  3198b729513bf5a65e39be989298079b
- SHA1
  
  a79a312a5c8884ec4b51aa4d776ba5793de09ffc
- SHA256
  
  d6387be78d258a820e4cb35ec53c65d52a813b63147488629b56269f6648adc1
- SHA512
  
  05c6431a07aad1f276431d99beb4f4dd8e247bde96084cbe5ae0bce01ca262827e96a9187aec4d3dd41c08afde594d1bb98217dfe09718bb4eb3907e0f2bde2e
- SSDEEP
  
  3072:bw0WMZYV7iTQbXAukRJtps7Fo/3e6Uege/EYpVPVZ:bw0xGVQGXAu2iQV9
Score

10^/10

valleyrat_s2 backdoor
- ValleyRat
  ValleyRat stage2 is a backdoor written in C++.
  backdoor valleyrat_s2
- Valleyrat_s2 family
  valleyrat_s2
- Blocklisted process makes network request
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

valleyrat_s2backdoor

behavioral2

valleyrat_s2backdoor

© 2018-2025

Terms | Privacy