valleyrat_s2 | 3d20d079d777d5c179d709428935d51605d82a8668ac716eb89f8249c46adb8d | Triage

Sharing

General

Target

2025-04-01_f1795a8e111b967491cefe7438f38267_black-basta_icedid_luca-stealer
Size

21.8MB
Sample

250401-csmz7stry2
MD5

f1795a8e111b967491cefe7438f38267
SHA1

ec6783287f8fba0a53534b88ad027799f054e023
SHA256

3d20d079d777d5c179d709428935d51605d82a8668ac716eb89f8249c46adb8d
SHA512

a70a16730a858bf59f0c18274b2251206ab0136a34237447a3b1fa624c1c19a7ff8c431b7352534d739770d5b9674bd043199d1461584bc9366feaeb2e7014b9
SSDEEP

49152:XciUvXVc5YlG4V5EXHwCC5hDOng6kpicavOafd4+9mNneuEBELEMjFRwV:sislc5YlG4fnzDOnREoQBe

Score

10^/10

valleyrat_s2 backdoor defense_evasion discovery privilege_escalation trojan

Malware Config

Extracted

Family

valleyrat_s2

Version

1.0

C2

154.39.239.95:1445

Attributes

campaign_date
2025. 3. 5

Targets

- Target
  
  2025-04-01_f1795a8e111b967491cefe7438f38267_black-basta_icedid_luca-stealer
- Size
  
  21.8MB
- MD5
  
  f1795a8e111b967491cefe7438f38267
- SHA1
  
  ec6783287f8fba0a53534b88ad027799f054e023
- SHA256
  
  3d20d079d777d5c179d709428935d51605d82a8668ac716eb89f8249c46adb8d
- SHA512
  
  a70a16730a858bf59f0c18274b2251206ab0136a34237447a3b1fa624c1c19a7ff8c431b7352534d739770d5b9674bd043199d1461584bc9366feaeb2e7014b9
- SSDEEP
  
  49152:XciUvXVc5YlG4V5EXHwCC5hDOng6kpicavOafd4+9mNneuEBELEMjFRwV:sislc5YlG4fnzDOnREoQBe
Score

10^/10

valleyrat_s2 backdoor defense_evasion discovery privilege_escalation trojan
- UAC bypass
  defense_evasion trojan
- ValleyRat
  ValleyRat stage2 is a backdoor written in C++.
  backdoor valleyrat_s2
- Valleyrat_s2 family
  valleyrat_s2
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Checks whether UAC is enabled
  defense_evasion trojan
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Access Token Manipulation

Create Process with Token

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Access Token Manipulation

Create Process with Token

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

valleyrat_s2backdoordefense_evasiondiscoveryprivilege_escalationtrojan