Analysis

  • max time kernel
    300s
  • max time network
    290s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/04/2025, 01:21

General

  • Target

    AI自动化办公表格制作生成工具安装包/双击安装.exe

  • Size

    253KB

  • MD5

    c20383afabfbd60298b6b2385237a008

  • SHA1

    902438f6bcc919f98b195f4de2560a311ff5dcd0

  • SHA256

    a8a42814c253ca5e93e81be5bd69149ff71b9ac3024420614fba37fb0834b3c0

  • SHA512

    e844938501c7fe3da490e5d5b0172077829715d137ee1f9b770bbaf1ae1700ed0cb532da819beeba04ce7df926b9c81bc194bf7d5c3eb8c57625dc4aa8dc2bd2

  • SSDEEP

    3072:oehT3vurb+DJte4ytrYwFK8zk9J7TL6WxBEC7AVUAQ/J5foY46pjQ02WO9Fc43Lx:Xz4qDJte4yZjQ8zknFnkX+zohQs9BZ2u

Score
10/10

Malware Config

Extracted

Family

valleyrat_s2

Version

1.0

C2

43.225.58.178:6666

43.225.58.178:8888

43.225.58.178:7777

Attributes
  • campaign_date

    2025. 3.30

Signatures

  • ValleyRat

    ValleyRat stage2 is a backdoor written in C++.

  • Valleyrat_s2 family
  • Blocklisted process makes network request (3 IoCs)
  • Enumerates connected drives (3 TTPs, 22 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (3 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\AI自动化办公表格制作生成工具安装包\双击安装.exe
    "C:\Users\Admin\AppData\Local\Temp\AI自动化办公表格制作生成工具安装包\双击安装.exe"
    (depth 1)
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1312
    • C:\Windows\SYSTEM32\rundll32.exe
      rundll32.exe
      (depth 2, child of PID 1312)
      • Blocklisted process makes network request
      • Enumerates connected drives
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3104

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/3104-0-0x000002DE35C40000-0x000002DE35C41000-memory.dmp

    Filesize

    4KB

  • memory/3104-1-0x000002DE35ED0000-0x000002DE35F51000-memory.dmp

    Filesize

    516KB

  • memory/3104-3-0x000002DE35F60000-0x000002DE35F89000-memory.dmp

    Filesize

    164KB

  • memory/3104-2-0x000002DE35F60000-0x000002DE35F89000-memory.dmp

    Filesize

    164KB

  • memory/3104-5-0x000002DE35F60000-0x000002DE35F89000-memory.dmp

    Filesize

    164KB

  • memory/3104-4-0x000002DE35F60000-0x000002DE35F89000-memory.dmp

    Filesize

    164KB

  • memory/3104-9-0x000002DE37D20000-0x000002DE37D6E000-memory.dmp

    Filesize

    312KB

  • memory/3104-8-0x000002DE37D20000-0x000002DE37D6E000-memory.dmp

    Filesize

    312KB

  • memory/3104-7-0x000002DE37CD0000-0x000002DE37D17000-memory.dmp

    Filesize

    284KB

  • memory/3104-6-0x000002DE35F60000-0x000002DE35F89000-memory.dmp

    Filesize

    164KB

  • memory/3104-10-0x000002DE37D20000-0x000002DE37D6E000-memory.dmp

    Filesize

    312KB

  • memory/3104-12-0x000002DE37D20000-0x000002DE37D6E000-memory.dmp

    Filesize

    312KB

  • memory/3104-11-0x000002DE37D20000-0x000002DE37D6E000-memory.dmp

    Filesize

    312KB

  • memory/3104-14-0x000002DE35F60000-0x000002DE35F89000-memory.dmp

    Filesize

    164KB

  • memory/3104-15-0x000002DE37D20000-0x000002DE37D6E000-memory.dmp

    Filesize

    312KB