General
Target: 2025-04-02_0ca9e4cb5777ad028ec438cc21182b4e_hijackloader_icedid
Size: 22.2MB
Sample: 250402-bpdfxs1n14
MD5: 0ca9e4cb5777ad028ec438cc21182b4e
SHA1: c17c086b6864e7194247a8f7ec79927a09e18f5b
SHA256: 6a8e70f36c2b5dea66a76245d23b079899b958c584358093516f602f237da7f6
SHA512: 777fe56da072eb2089889835d0d406b767a254d8b76faf2bd4e65e41357e12760f141c641f1b7dc5e6386dc748936d77acc565b458aff27655b9ccd49b0de605
SSDEEP: 49152:LQ6/BNDUplG4eVdEZma5bVI5rUNkPAhb/BNlz/gYCQLF0v1QNneuEBELEMjFRe:86JNDUplG4DbBsKB0
Static task: static1
Behavioral task: behavioral1
Sample: 2025-04-02_0ca9e4cb5777ad028ec438cc21182b4e_hijackloader_icedid.exe
Resource: win10v2004-20250314-en
Malware Config
Extracted: valleyrat_s2 1.0
43.248.173.35:6666
43.248.173.35:8888
campaign_date: 2025. 3.15
Targets
Target: 2025-04-02_0ca9e4cb5777ad028ec438cc21182b4e_hijackloader_icedid
UAC bypass
Valleyrat_s2 family
Blocklisted process makes network request
Checks computer location settings: looks up country code configured in the registry, likely geofence.
Drops startup file
Executes dropped EXE
Checks whether UAC is enabled
Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism (1)
Bypass User Account Control (1)
Access Token Manipulation (1)
Create Process with Token (1)
Defense Evasion
Abuse Elevation Control Mechanism (1)
Bypass User Account Control (1)
Access Token Manipulation (1)
Create Process with Token (1)
Impair Defenses (1)
Disable or Modify Tools (1)
Modify Registry (3)