valleyrat_s2 | 82f016b7f71f4eb3e5dc93f1dbc8d44f2fca707107e5e86b64de356ffc92ca6b

Resubmissions

31/03/2025, 15:25

250331-st3p2svps7 10

Sharing

Copy URL

Twitter E-mail

General

Target

QuarkPC.exe
Size

234.0MB
Sample

250331-st3p2svps7
MD5

2668f14280f019ff282536aab3269571
SHA1

177c5d0d1a90233514c10e8c2a91503fb4390b40
SHA256

82f016b7f71f4eb3e5dc93f1dbc8d44f2fca707107e5e86b64de356ffc92ca6b
SHA512

741d52eaa9c6077819c03ea2736751c2a2966089d82dc5e013d79f8f798510c2aa989c0004c95193e0151ecef906ca47d19523f4ee58efacc5cac17db1b0bfa4
SSDEEP

6291456:fuum0tMgaGIOvFH/nF6jxaUsDg9SxsaXnLLgBfNShzbFNsmOLXYfyX:2umADahSp/FIamQx93PglkzBNsmOTL

Score

10^/10

Malware Config

Extracted

Family

valleyrat_s2

Version

1.0

103.192.179.40:9091

103.192.179.40:9092

103.192.179.40:9093

Attributes

campaign_date
2025. 3.28

Targets

- Target
  
  QuarkPC.exe
- Size
  
  234.0MB
- MD5
  
  2668f14280f019ff282536aab3269571
- SHA1
  
  177c5d0d1a90233514c10e8c2a91503fb4390b40
- SHA256
  
  82f016b7f71f4eb3e5dc93f1dbc8d44f2fca707107e5e86b64de356ffc92ca6b
- SHA512
  
  741d52eaa9c6077819c03ea2736751c2a2966089d82dc5e013d79f8f798510c2aa989c0004c95193e0151ecef906ca47d19523f4ee58efacc5cac17db1b0bfa4
- SSDEEP
  
  6291456:fuum0tMgaGIOvFH/nF6jxaUsDg9SxsaXnLLgBfNShzbFNsmOLXYfyX:2umADahSp/FIamQx93PglkzBNsmOTL
Score

10^/10

valleyrat_s2 backdoor discovery execution
- ValleyRat
  ValleyRat stage2 is a backdoor written in C++.
  backdoor valleyrat_s2
- Valleyrat_s2 family
  valleyrat_s2
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Invoke Powershell command.
  execution
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Enumerates processes with tasklist
  discovery
behavioral1
- Target
  
  $APPDATA/Promotions/Logs.vbs
- Size
  
  298B
- MD5
  
  3a8b3e03abf3fe595d12574597ee61c7
- SHA1
  
  1b67b2d4bbd3287587b5ccab1970dfbdf1c8d7df
- SHA256
  
  9d3d7eb30d1e992076d4d481d769fa6df93f1cd355e0599dc51090518ae05ad5
- SHA512
  
  af068f7a21101b4900d0bf40cfc0b888101aa994078f43f629a8e2cfd2d74ca101cd87fbd6731a6ad0c546278c1caef5cecb7d2ca54fb2fe6b1d927990d9caaf
Score

3^/10

discovery execution
behavioral2
- Target
  
  $APPDATA/Promotions/Promotions.ps1
- Size
  
  1KB
- MD5
  
  b582c83dc8ef6202e1d0495aa152e4c2
- SHA1
  
  beca619e1c0e0e987395002a797f08dc3657d1fd
- SHA256
  
  e07d9c1dfa78fa62b7fe0e9aeaa5b6b41d97ca82aead6a92dbfae24e135075f1
- SHA512
  
  9ec4f95d47890802d9cb2ca889db7ad28dc65c5a710ffbc4fdb7ce63cd9fec308be6e86b2e31ee9e671df4c17afbe01fd329953b0d185e3d502ae462c97b6daf
Score

3^/10

execution
behavioral3
- Target
  
  $APPDATA/Promotions/Update.dll
- Size
  
  17.6MB
- MD5
  
  7f6fbf1250943e68f8bcabeb6cd755ed
- SHA1
  
  141fed89a60cdf8c63dd7f45ad5c76fd03fdf3bd
- SHA256
  
  979648b33f010940b58a6499b36708729c6cacda1a7861b228da843a2108fa27
- SHA512
  
  4176e3d9817c0e072906987ac2c6521c382c31d0b19901f329b7f23581d874c26aec1841d7233e222debe357e20a2731bdf78c737b30731f194d5b814b05cdf3
- SSDEEP
  
  393216:Lwyzn8P0jU0/3SnwrqJG4GKOPE+B8EAyMoPKySdkAjHtE23QnaR53y00D:LEk/iUMXbVEAgKyUHvIa/38D
Score

3^/10

discovery
behavioral4
- Target
  
  $LOCALAPPDATA/Protected_R.exe
- Size
  
  2.2MB
- MD5
  
  c2aa84ef33aed92c14425baa7569b01f
- SHA1
  
  39e8f13321d4dc528561d0be8f0c21de2166a812
- SHA256
  
  6a13d71314131a8b92c294b0a658b97de63bb8ab9fb058ae8f60914e9a4ed6f9
- SHA512
  
  fa806f12fb714ad391d4aa62339edbfbf7b2a765fb9e6091b0bc9f434662fc02cfd6fc99a8dfaee6a014c6412fbe0cf02c3b96bf5e5cf4efa9f0e2390b91e068
- SSDEEP
  
  24576:2f93zcv9ZhsSGSQoryOzozU63IqRNhB0kDKPTkkkkkkkNoIeAo:2f93zO9ZhBGlopzM3HRNr0so
Score

5^/10

discovery execution
- Command and Scripting Interpreter: PowerShell
  Invoke Powershell command.
  execution
behavioral5
- Target
  
  $LOCALAPPDATA/SGuardSvc32.exe
- Size
  
  725KB
- MD5
  
  923b08492146a6a3b8bd269eb25f6372
- SHA1
  
  e263b5265abeae655f0ef5000196dbb80c6eca9b
- SHA256
  
  2fdf2af92b069e06d9cb1d9713a6e34b7223a60214d17bf3f8ee0a4d6c9a4480
- SHA512
  
  6f51bfd0d5b195e218231470b4bc8d4700c804252d1af48dde13a2f298e15ff725bb0641fdc868dcaef381bd805b4a7a9433ed695198001c21eafd93c9d5867f
- SSDEEP
  
  12288:uPCmM17WubawsfQ53By01qaVeCCgfuiI85Qe+wKQZ6d3mzOI1Z8u3qyxH47LMUVX:usBsfQR5w643+VaN8uOjg7bQPTfM
Score

3^/10

discovery
behavioral6
- Target
  
  $PLUGINSDIR/InstallOptions.dll
- Size
  
  15KB
- MD5
  
  d095b082b7c5ba4665d40d9c5042af6d
- SHA1
  
  2220277304af105ca6c56219f56f04e894b28d27
- SHA256
  
  b2091205e225fc07daf1101218c64ce62a4690cacac9c3d0644d12e93e4c213c
- SHA512
  
  61fb5cf84028437d8a63d0fda53d9fe0f521d8fe04e96853a5b7a22050c4c4fb5528ff0cdbb3ae6bc74a5033563fc417fc7537e4778227c9fd6633ae844c47d9
- SSDEEP
  
  192:EyGQtZkTktEQUrJaZfuyCnSmUsv3sY7L7cW8Y6Q86QvoTr11929WtshLAzgSrX8:EyNt+4t7uJalUnGesY7Lt8nCr/Yosa
Score

3^/10

discovery
behavioral7
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  4add245d4ba34b04f213409bfe504c07
- SHA1
  
  ef756d6581d70e87d58cc4982e3f4d18e0ea5b09
- SHA256
  
  9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706
- SHA512
  
  1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d
- SSDEEP
  
  192:VjHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZv0QPi:B/Qlt7wiij/lMRv/9V4bvr
Score

3^/10

discovery
behavioral8
- Target
  
  $PLUGINSDIR/nsExec.dll
- Size
  
  7KB
- MD5
  
  b4579bc396ace8cafd9e825ff63fe244
- SHA1
  
  32a87ed28a510e3b3c06a451d1f3d0ba9faf8d9c
- SHA256
  
  01e72332362345c415a7edcb366d6a1b52be9ac6e946fb9da49785c140ba1a4b
- SHA512
  
  3a76e0e259a0ca12275fed922ce6e01bdfd9e33ba85973e80101b8025ef9243f5e32461a113bbcc6aa75e40894bb5d3a42d6b21045517b6b3cf12d76b4cfa36a
- SSDEEP
  
  96:JwzdzBzMDhOZZDbXf5GsWvSv1ckne94SDbYkvML1HT1fUNQaSGYuH0DQ:JTQHDb2vSuOc41ZfUNQZGdHM
Score

3^/10

discovery
behavioral9
- Target
  
  $WINDIR/Text
- Size
  
  3KB
- MD5
  
  d81a1c714c1e6c3ec4d4eb8c3649a336
- SHA1
  
  4a4e9167989b8d637f36a3201b18ca4767acb8fe
- SHA256
  
  d5da1e586d322da67f0c1136968ab5dab2acf387e145acc199027c343630bc2d
- SHA512
  
  94e6b437e05f8ded151f9303a25321307a246b7373908450b4272da1b9e7b6305bf7e2a7980d190fe73f261c92a9cc18e42e4bee94ce9e085b23dbc06b8314c5
Score

3^/10

execution
behavioral10
- Target
  
  QuarkPC.exe
- Size
  
  216.1MB
- MD5
  
  7816b1d8cbff825310f5e4f712f3696d
- SHA1
  
  131bf00914f03cd76a7bb01f55bb6d7e5f463ee0
- SHA256
  
  bd0b5d3f7310d3f23caa43e3a18886fa805f06b4865de1cf620a233c21956cf6
- SHA512
  
  c7da78b0590ca40471da9e280cbf708922c99190664bf92bbffc5c939241161f9697b41c353fbf45e4fe20a7e12c9b8447fdb835fffbac650a9d94a936062d72
- SSDEEP
  
  6291456:wgaGIOvFH/nF6jxaUsDg9SxsaXnLLgBfNShzbFNsmOLXYfyq:3ahSp/FIamQx93PglkzBNsmOT+
Score

4^/10

discovery
behavioral11

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

ValleyRat

Valleyrat_s2 family

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Enumerates processes with tasklist

Command and Scripting Interpreter: PowerShell

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11