Overview

overview

10

Static

static

3

d6387be78d...c1.dll

windows7-x64

10

d6387be78d...c1.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/03/2025, 04:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d6387be78d258a820e4cb35ec53c65d52a813b63147488629b56269f6648adc1.dll

  • Size

    107KB

  • MD5

    3198b729513bf5a65e39be989298079b

  • SHA1

    a79a312a5c8884ec4b51aa4d776ba5793de09ffc

  • SHA256

    d6387be78d258a820e4cb35ec53c65d52a813b63147488629b56269f6648adc1

  • SHA512

    05c6431a07aad1f276431d99beb4f4dd8e247bde96084cbe5ae0bce01ca262827e96a9187aec4d3dd41c08afde594d1bb98217dfe09718bb4eb3907e0f2bde2e

  • SSDEEP

    3072:bw0WMZYV7iTQbXAukRJtps7Fo/3e6Uege/EYpVPVZ:bw0xGVQGXAu2iQV9

Score
10/10
valleyrat_s2backdoor

Malware Config

Extracted

Family

valleyrat_s2

Version

1.0

C2

43.225.58.178:6666

43.225.58.178:8888

43.225.58.178:7777
Attributes
  • campaign_date

    2025. 3.30

Signatures

  • ValleyRat

    ValleyRat stage2 is a backdoor written in C++.

    backdoorvalleyrat_s2
  • Valleyrat_s2 family
    valleyrat_s2
  • Blocklisted process makes network request 3 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\d6387be78d258a820e4cb35ec53c65d52a813b63147488629b56269f6648adc1.dll,#1
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3200
    • C:\Windows\system32\rundll32.exe
      rundll32.exe
      2⤵
      • Blocklisted process makes network request
      • Enumerates connected drives
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3676

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3676-0-0x000001F34C1D0000-0x000001F34C1D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3676-2-0x000001F34C470000-0x000001F34C4F1000-memory.dmp

    Filesize

    516KB

    Download

  • memory/3676-3-0x000001F34C500000-0x000001F34C529000-memory.dmp

    Filesize

    164KB

    Download

  • memory/3676-1-0x000001F34C500000-0x000001F34C529000-memory.dmp

    Filesize

    164KB

    Download

  • memory/3676-5-0x000001F34C500000-0x000001F34C529000-memory.dmp

    Filesize

    164KB

    Download

  • memory/3676-4-0x000001F34C500000-0x000001F34C529000-memory.dmp

    Filesize

    164KB

    Download

  • memory/3676-9-0x000001F34E2A0000-0x000001F34E2EE000-memory.dmp

    Filesize

    312KB

    Download

  • memory/3676-8-0x000001F34E2A0000-0x000001F34E2EE000-memory.dmp

    Filesize

    312KB

    Download

  • memory/3676-7-0x000001F34E250000-0x000001F34E297000-memory.dmp

    Filesize

    284KB

    Download

  • memory/3676-6-0x000001F34C500000-0x000001F34C529000-memory.dmp

    Filesize

    164KB

    Download

  • memory/3676-10-0x000001F34E2A0000-0x000001F34E2EE000-memory.dmp

    Filesize

    312KB

    Download

  • memory/3676-12-0x000001F34E2A0000-0x000001F34E2EE000-memory.dmp

    Filesize

    312KB

    Download

  • memory/3676-11-0x000001F34E2A0000-0x000001F34E2EE000-memory.dmp

    Filesize

    312KB

    Download

  • memory/3676-13-0x000001F34C500000-0x000001F34C529000-memory.dmp

    Filesize

    164KB

    Download

  • memory/3676-14-0x000001F34C500000-0x000001F34C529000-memory.dmp

    Filesize

    164KB

    Download

  • memory/3676-15-0x000001F34E2A0000-0x000001F34E2EE000-memory.dmp

    Filesize

    312KB

    Download