ValleyRAT Insights: Tactics, Techniques, and Detection Methods

    Date: 10/25/2024

    Severity: Critical

    Summary

    ValleyRAT is a remote access Trojan (RAT) first detected in early 2023, mainly aimed at Chinese-speaking users through targeted phishing campaigns. Its primary function is to monitor and control infected systems, letting attackers install additional malicious plugins to extend the damage. As a multi-stage, multi-component malware, ValleyRAT evades detection by loading its components sequentially, which lets it stay hidden and maintain persistence on the target system throughout the attack.

    Indicators of Compromise (IOC) List

    IP Addresses:

    158.74.222.152

    154.39.255.141

    Hashes (SHA-256):

    60c7bf466af1b547da818d9ac01e10a0d208b80a6608c72c3c590f86d93b074
    
    d208b80a6608c72c3c590f86d93b074533c0c4ef8a46b6d36ed52cc2b4c179d5
    
    14bf52de60e60a526141ffe61ef5afc2a3bc7d60d4086e644ec80e67513d2684

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    IP Addresses:

    dstipaddress IN ("158.74.222.152","154.39.255.141") or ipaddress IN ("158.74.222.152","154.39.255.141") or publicipaddress IN ("158.74.222.152","154.39.255.141") or srcipaddress IN ("158.74.222.152","154.39.255.141")

    Hashes (SHA-256):

    sha256hash IN ("60c7bf466af1b547da818d9ac01e10a0d208b80a6608c72c3c590f86d93b074","d208b80a6608c72c3c590f86d93b074533c0c4ef8a46b6d36ed52cc2b4c179d5","14bf52de60e60a526141ffe61ef5afc2a3bc7d60d4086e644ec80e67513d2684")

    Reference:

    https://www.splunk.com/en_us/blog/security/valleyrat-insights-tactics-techniques-and-detection-methods.html


    Tags

    Malware, ValleyRAT, RAT

