valleyrat_s2 | b929b4efc4af3e5e34b74e4ed2fda0e46c159742b2f0a9117b54516a25c75a4d

Analysis

max time kernel
299s
max time network
290s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
01/04/2025, 01:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AI自动化办公表格制作生成工具安装包/steam_api64.dll
Size

107KB
MD5

3198b729513bf5a65e39be989298079b
SHA1

a79a312a5c8884ec4b51aa4d776ba5793de09ffc
SHA256

d6387be78d258a820e4cb35ec53c65d52a813b63147488629b56269f6648adc1
SHA512

05c6431a07aad1f276431d99beb4f4dd8e247bde96084cbe5ae0bce01ca262827e96a9187aec4d3dd41c08afde594d1bb98217dfe09718bb4eb3907e0f2bde2e
SSDEEP

3072:bw0WMZYV7iTQbXAukRJtps7Fo/3e6Uege/EYpVPVZ:bw0xGVQGXAu2iQV9

Score

10^/10

valleyrat_s2 backdoor

Malware Config

Extracted

Family

valleyrat_s2

Version

1.0

43.225.58.178:6666

43.225.58.178:8888

43.225.58.178:7777

Attributes

campaign_date
2025. 3.30

Signatures

ValleyRat
ValleyRat stage2 is a backdoor written in C++.
backdoor valleyrat_s2
Valleyrat_s2 family
valleyrat_s2

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	3196	rundll32.exe
25	3196	rundll32.exe
26	3196	rundll32.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	rundll32.exe
File opened (read-only)	\??\Q:	rundll32.exe
File opened (read-only)	\??\R:	rundll32.exe
File opened (read-only)	\??\T:	rundll32.exe
File opened (read-only)	\??\U:	rundll32.exe
File opened (read-only)	\??\X:	rundll32.exe
File opened (read-only)	\??\B:	rundll32.exe
File opened (read-only)	\??\I:	rundll32.exe
File opened (read-only)	\??\J:	rundll32.exe
File opened (read-only)	\??\W:	rundll32.exe
File opened (read-only)	\??\Y:	rundll32.exe
File opened (read-only)	\??\K:	rundll32.exe
File opened (read-only)	\??\L:	rundll32.exe
File opened (read-only)	\??\O:	rundll32.exe
File opened (read-only)	\??\S:	rundll32.exe
File opened (read-only)	\??\V:	rundll32.exe
File opened (read-only)	\??\Z:	rundll32.exe
File opened (read-only)	\??\E:	rundll32.exe
File opened (read-only)	\??\G:	rundll32.exe
File opened (read-only)	\??\M:	rundll32.exe
File opened (read-only)	\??\N:	rundll32.exe
File opened (read-only)	\??\H:	rundll32.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2824 set thread context of 3196	2824	rundll32.exe	87

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe
3196	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3196	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 3196	2824	rundll32.exe	87
PID 2824 wrote to memory of 3196	2824	rundll32.exe	87
PID 2824 wrote to memory of 3196	2824	rundll32.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\AI自动化办公表格制作生成工具安装包\steam_api64.dll,#1
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\system32\rundll32.exe
  rundll32.exe
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3196-0-0x0000028AAFB40000-0x0000028AAFB41000-memory.dmp

Filesize
4KB

Download
memory/3196-1-0x0000028AAFDD0000-0x0000028AAFE51000-memory.dmp

Filesize
516KB

Download
memory/3196-3-0x0000028AAFE60000-0x0000028AAFE89000-memory.dmp

Filesize
164KB

Download
memory/3196-2-0x0000028AAFE60000-0x0000028AAFE89000-memory.dmp

Filesize
164KB

Download
memory/3196-5-0x0000028AAFE60000-0x0000028AAFE89000-memory.dmp

Filesize
164KB

Download
memory/3196-4-0x0000028AAFE60000-0x0000028AAFE89000-memory.dmp

Filesize
164KB

Download
memory/3196-9-0x0000028AB1C70000-0x0000028AB1CBE000-memory.dmp

Filesize
312KB

Download
memory/3196-8-0x0000028AB1C70000-0x0000028AB1CBE000-memory.dmp

Filesize
312KB

Download
memory/3196-7-0x0000028AB1C20000-0x0000028AB1C67000-memory.dmp

Filesize
284KB

Download
memory/3196-6-0x0000028AAFE60000-0x0000028AAFE89000-memory.dmp

Filesize
164KB

Download
memory/3196-10-0x0000028AB1C70000-0x0000028AB1CBE000-memory.dmp

Filesize
312KB

Download
memory/3196-11-0x0000028AB1C70000-0x0000028AB1CBE000-memory.dmp

Filesize
312KB

Download
memory/3196-12-0x0000028AB1C70000-0x0000028AB1CBE000-memory.dmp

Filesize
312KB

Download
memory/3196-13-0x0000028AAFE60000-0x0000028AAFE89000-memory.dmp

Filesize
164KB

Download
memory/3196-15-0x0000028AB1C70000-0x0000028AB1CBE000-memory.dmp

Filesize
312KB

Download