General
-
Target
https://wormhole.app/qze7O8#5-gsdAz4xUtoP7luIiChpQ
-
Sample
250603-kxn23ahp61
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://wormhole.app/qze7O8#5-gsdAz4xUtoP7luIiChpQ
Resource
win10ltsc2021-20250425-en
Malware Config
Extracted
valleyrat_s2
1.0
hu0.fun:10701
hu0.fun:10702
hu0.fun:10703
154.91.84.54:9865
154.91.84.54:3657
127.0.0.1:80
-
campaign_date
2025. 4.10
Targets
-
-
Target
https://wormhole.app/qze7O8#5-gsdAz4xUtoP7luIiChpQ
-
Valleyrat_s2 family
-
Zloader family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Modifies Windows Firewall
-
Stops running service(s)
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
MITRE ATT&CK Enterprise v16
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
1Service Execution
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Component Object Model Hijacking
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Component Object Model Hijacking
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
1Modify Registry
2Pre-OS Boot
1Bootkit
1