win.valley_rat

ValleyRAT

aka: Winos

There is no description at this point.

References
2026-05-20 | K7 Security | Srinivasan E
Fake Microsoft Teams download sites are being used to deliver ValleyRAT via DLL sideloading
Tags: ValleyRAT

2026-01-13 | Spamhaus | Spamhaus Malware Labs
Spamhaus Botnet Threat Update July to December 2025
Tags: Coper, FluBot, Joker, Aisuru, Mirai, AsyncRAT, BianLian, Cobalt Strike, DCRat, Havoc, Latrodectus, PureLogs Stealer, Quasar RAT, Remcos, Rhadamanthys, Sliver, ValleyRAT, Venom RAT, Vidar, XWorm

2026-01-11 | Medium APOPHIS | Michelle Khalil
ValleyRAT_S2 Chinese campaign
Tags: ValleyRAT

2025-12-24 | Cloudsek | Koushik Pal, somedieyoungZZ
Silver Fox Targeting India Using Tax Themed Phishing Lures
Tags: ValleyRAT, Winos

2025-12-10 | Check Point Research | Check Point Research, Jiří Vinopal
Cracking ValleyRAT: From Builder Secrets to Kernel Rootkits
Tags: ValleyRAT

2025-10-22 | Cyderes | Rahul Ramesh
Chrome Installer Impersonation Campaign Targets China-Based Victims with ValleyRAT Trojan
Tags: BlindEDR, ValleyRAT

2025-09-24 | Netresec | Erik Hjelmvik
Gh0stKCP Protocol
Tags: PseudoManuscrypt, ValleyRAT

2025-09-07 | Hexastrike Cybersecurity | Maurice Fielenbach
ValleyRAT Exploiting BYOVD to Kill Endpoint Security
Tags: ValleyRAT

2025-08-28 | Checkpoint | Checkpoint Research
Chasing the Silver Fox: Cat & Mouse in Kernel Shadows
Tags: ValleyRAT

2025-07-14 | Spamhaus | Spamhaus Malware Labs
Spamhaus Botnet Threat Update January to June 2025
Tags: Coper, FluBot, Hook, Joker, Mirai, AsyncRAT, BianLian, BumbleBee, Chaos, Cobalt Strike, DanaBot, DCRat, Havoc, Latrodectus, NjRAT, Quasar RAT, RedLine Stealer, Remcos, Rhadamanthys, Sliver, ValleyRAT, WarmCookie, XWorm

2025-04-07 | ANY.RUN | ANY.RUN
ValleyRAT
Tags: ValleyRAT

2025-02-27 | Fortinet | Pei Han Liao
Winos 4.0 Spreads via Impersonation of Official Email to Target Users in Taiwan
Tags: ValleyRAT, Winos

2025-02-20 | Silent Push | Silent Push
Tweet on Tracking ValleyRAT Domains with ICP Licenses
Tags: ValleyRAT

2025-01-29 | Palo Alto Networks Unit 42 | Lior Rochberger, Yoav Zemah
CL-STA-0048: An Espionage Operation Against High-Value Targets in South Asia
Tags: Cobalt Strike, MimiKatz, PlugX, ValleyRAT, Winos, CL-STA-0048

2024-12-18 | eSentire | eSentire Threat Response Unit (TRU)
Winos4.0 “Online Module” Staging Component Used in CleverSoar Campaign
Tags: ValleyRAT

2024-11-27 | Rapid7 | Natalie Zargarov
New “CleverSoar” Installer Targets Chinese and Vietnamese Users
Tags: ValleyRAT

2024-06-19 | Trend Micro | Ahmed Mohamed Ibrahim, Aliakbar Zahravi, Peter Girnus
Behind the Great Wall: Void Arachne Targets Chinese-Speaking Users With the Winos 4.0 C&C Framework
Tags: ValleyRAT, Void Arachne

2024-06-10 | Zscaler | Manisha Ramcharan Prajapati, Muhammed Irfan V A
Technical Analysis of the Latest Variant of ValleyRAT
Tags: ValleyRAT

2023-09-20 | Proofpoint | Proofpoint Threat Research Team
Chinese Malware Appears in Earnest Across Cybercrime Threat Landscape
Tags: FatalRat, PurpleFox, ValleyRAT

2023-02-18 | secrss | Qianxin Virus Response Center
Don’t follow in the footsteps of the 4 billion data leak incident! Early warning for attacks in the financial and securities industries
Tags: ValleyRAT
Yara Rules
[TLP:WHITE] win_valley_rat_auto (20260504 | Detects win.valley_rat.)
rule win_valley_rat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.valley_rat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.valley_rat"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 005c7e46 00847e46008a46 0323 d188470383ee }
            // n = 4, score = 100
            //   005c7e46             | add                 byte ptr [esi + edi*2 + 0x46], bl
            //   00847e46008a46       | add                 byte ptr [esi + edi*2 + 0x468a0046], al
            //   0323                 | add                 esp, dword ptr [ebx]
            //   d188470383ee         | ror                 dword ptr [eax - 0x117cfcb9], 1

        $sequence_1 = { c785a8feffffab9ba19b c785acfefffff79bf09b c785b0feffffe79bab9b c785b4feffffa19bf39b c785b8feffffe89be79b c785bcfeffffab9ba19b c785c0fefffff79bff9b }
            // n = 7, score = 100
            //   c785a8feffffab9ba19b     | mov    dword ptr [ebp - 0x158], 0x9ba19bab
            //   c785acfefffff79bf09b     | mov    dword ptr [ebp - 0x154], 0x9bf09bf7
            //   c785b0feffffe79bab9b     | mov    dword ptr [ebp - 0x150], 0x9bab9be7
            //   c785b4feffffa19bf39b     | mov    dword ptr [ebp - 0x14c], 0x9bf39ba1
            //   c785b8feffffe89be79b     | mov    dword ptr [ebp - 0x148], 0x9be79be8
            //   c785bcfeffffab9ba19b     | mov    dword ptr [ebp - 0x144], 0x9ba19bab
            //   c785c0fefffff79bff9b     | mov    dword ptr [ebp - 0x140], 0x9bff9bf7

        $sequence_2 = { 00bcaf4500c5af 45 00f8 af }
            // n = 4, score = 100
            //   00bcaf4500c5af       | add                 byte ptr [edi + ebp*4 - 0x503affbb], bh
            //   45                   | inc                 ebp
            //   00f8                 | add                 al, bh
            //   af                   | scasd               eax, dword ptr es:[edi]

        $sequence_3 = { 0101 0101 0201 0102 }
            // n = 4, score = 100
            //   0101                 | add                 dword ptr [ecx], eax
            //   0101                 | add                 dword ptr [ecx], eax
            //   0201                 | add                 al, byte ptr [ecx]
            //   0102                 | add                 dword ptr [edx], eax

        $sequence_4 = { 0101 33c0 8be5 5d }
            // n = 4, score = 100
            //   0101                 | add                 dword ptr [ecx], eax
            //   33c0                 | xor                 eax, eax
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp

        $sequence_5 = { c785a8faffff02246d9b c785acfaffff9b9b6c64 c785b0faffff10e8c398 c785b4faffffee6310de c785b8faffff63f1911b c785bcfaffff59d7ab8d c785c0faffff02c56c65 }
            // n = 7, score = 100
            //   c785a8faffff02246d9b     | mov    dword ptr [ebp - 0x558], 0x9b6d2402
            //   c785acfaffff9b9b6c64     | mov    dword ptr [ebp - 0x554], 0x646c9b9b
            //   c785b0faffff10e8c398     | mov    dword ptr [ebp - 0x550], 0x98c3e810
            //   c785b4faffffee6310de     | mov    dword ptr [ebp - 0x54c], 0xde1063ee
            //   c785b8faffff63f1911b     | mov    dword ptr [ebp - 0x548], 0x1b91f163
            //   c785bcfaffff59d7ab8d     | mov    dword ptr [ebp - 0x544], 0x8dabd759
            //   c785c0faffff02c56c65     | mov    dword ptr [ebp - 0x540], 0x656cc502

        $sequence_6 = { c78598f8ffffbffbf34c c7859cf8ffffe6c5e373 c785a0f8ffff7f9f9b9b c785a4f8ffff64efbfdb c785a8f8ffff12dfbff7 c785acf8fffff3531fa1 c785b0f8ffffaa73499f }
            // n = 7, score = 100
            //   c78598f8ffffbffbf34c     | mov    dword ptr [ebp - 0x768], 0x4cf3fbbf
            //   c7859cf8ffffe6c5e373     | mov    dword ptr [ebp - 0x764], 0x73e3c5e6
            //   c785a0f8ffff7f9f9b9b     | mov    dword ptr [ebp - 0x760], 0x9b9b9f7f
            //   c785a4f8ffff64efbfdb     | mov    dword ptr [ebp - 0x75c], 0xdbbfef64
            //   c785a8f8ffff12dfbff7     | mov    dword ptr [ebp - 0x758], 0xf7bfdf12
            //   c785acf8fffff3531fa1     | mov    dword ptr [ebp - 0x754], 0xa11f53f3
            //   c785b0f8ffffaa73499f     | mov    dword ptr [ebp - 0x750], 0x9f4973aa

        $sequence_7 = { c785e4f6ffff9d9b9b64 c785e8f6ffffefbfa312 c785ecf6ffffdfbfdff3 c785f0f6ffffe81bd39d c785f4f6ffff73149d9b }
            // n = 5, score = 100
            //   c785e4f6ffff9d9b9b64     | mov    dword ptr [ebp - 0x91c], 0x649b9b9d
            //   c785e8f6ffffefbfa312     | mov    dword ptr [ebp - 0x918], 0x12a3bfef
            //   c785ecf6ffffdfbfdff3     | mov    dword ptr [ebp - 0x914], 0xf3dfbfdf
            //   c785f0f6ffffe81bd39d     | mov    dword ptr [ebp - 0x910], 0x9dd31be8
            //   c785f4f6ffff73149d9b     | mov    dword ptr [ebp - 0x90c], 0x9b9d1473

        $sequence_8 = { 68a0120000 6a00 68???????? e8???????? }
            // n = 4, score = 100
            //   68a0120000           | push                0x12a0
            //   6a00                 | push                0
            //   68????????           |                     
            //   e8????????           |                     

        $sequence_9 = { 0101 33c0 5e 5b }
            // n = 4, score = 100
            //   0101                 | add                 dword ptr [ecx], eax
            //   33c0                 | xor                 eax, eax
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx

        $sequence_10 = { 0101 0505050505 0505050505 0505050505 0505050505 0505050505 }
            // n = 6, score = 100
            //   0101                 | add                 dword ptr [ecx], eax
            //   0505050505           | add                 eax, 0x5050505
            //   0505050505           | add                 eax, 0x5050505
            //   0505050505           | add                 eax, 0x5050505
            //   0505050505           | add                 eax, 0x5050505
            //   0505050505           | add                 eax, 0x5050505

        $sequence_11 = { 3c58 770f 0fbec2 0fbe80186e0110 }
            // n = 4, score = 100
            //   3c58                 | cmp                 al, 0x58
            //   770f                 | ja                  0x11
            //   0fbec2               | movsx               eax, dl
            //   0fbe80186e0110       | movsx               eax, byte ptr [eax + 0x10016e18]

        $sequence_12 = { 0001 0101 0102 0101 }
            // n = 4, score = 100
            //   0001                 | add                 byte ptr [ecx], al
            //   0101                 | add                 dword ptr [ecx], eax
            //   0102                 | add                 dword ptr [edx], eax
            //   0101                 | add                 dword ptr [ecx], eax

        $sequence_13 = { c7857cf6ffffa864a050 c78580f6ffffe584942c c78584f6ffffa9185999 c78588f6ffff1865fae9 c7858cf6ffff9d1a5d7b c78590f6ffff649b9bf2 c78594f6ffff64189b9b }
            // n = 7, score = 100
            //   c7857cf6ffffa864a050     | mov    dword ptr [ebp - 0x984], 0x50a064a8
            //   c78580f6ffffe584942c     | mov    dword ptr [ebp - 0x980], 0x2c9484e5
            //   c78584f6ffffa9185999     | mov    dword ptr [ebp - 0x97c], 0x995918a9
            //   c78588f6ffff1865fae9     | mov    dword ptr [ebp - 0x978], 0xe9fa6518
            //   c7858cf6ffff9d1a5d7b     | mov    dword ptr [ebp - 0x974], 0x7b5d1a9d
            //   c78590f6ffff649b9bf2     | mov    dword ptr [ebp - 0x970], 0xf29b9b64
            //   c78594f6ffff64189b9b     | mov    dword ptr [ebp - 0x96c], 0x9b9b1864

        $sequence_14 = { 0101 0101 0101 0101 0101 0505050505 }
            // n = 6, score = 100
            //   0101                 | add                 dword ptr [ecx], eax
            //   0101                 | add                 dword ptr [ecx], eax
            //   0101                 | add                 dword ptr [ecx], eax
            //   0101                 | add                 dword ptr [ecx], eax
            //   0101                 | add                 dword ptr [ecx], eax
            //   0505050505           | add                 eax, 0x5050505

        $sequence_15 = { 8d4dcc c74508???????? e8???????? 68???????? 8d45cc 50 c745ccf0860110 }
            // n = 7, score = 100
            //   8d4dcc               | lea                 ecx, [ebp - 0x34]
            //   c74508????????       |                     
            //   e8????????           |                     
            //   68????????           |                     
            //   8d45cc               | lea                 eax, [ebp - 0x34]
            //   50                   | push                eax
            //   c745ccf0860110       | mov                 dword ptr [ebp - 0x34], 0x100186f0

    condition:
        7 of them and filesize < 2256896
}
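The rule above is Malpedia's auto-generated signature; what follows is an added example, not code from Malpedia or from yara-signator. It embeds the rule's sixteen hex strings (copied verbatim), re-implements only the hex-string subset this rule uses (fixed byte pairs and "??" wildcards) together with the condition "7 of them and filesize < 2256896", and exercises that threshold on constructed buffers: seven sequences in a small buffer match, six do not, and seven in an oversized buffer do not. It also ranks the sequences by how many distinct byte values they contain: four of them ($sequence_3, $sequence_10, $sequence_12, $sequence_14) are short runs of 0x00/0x01/0x02/0x05 bytes rather than recognisable instructions, which is worth knowing when you assign the rule a confidence level as its disclaimer asks. The sample buffers, the 0xCC filler, the 0x90 wildcard fill and all helper names are this example's own constructions.

```python
"""Offline evaluator for the win_valley_rat_auto hex strings (added example).

Covers only what this rule needs: byte pairs, '??' wildcards, and the
condition "7 of them and filesize < 2256896". Not a YARA replacement.
"""
import re
from typing import Dict, List

# The 16 hex strings, copied verbatim from the rule's strings section.
RULE_STRINGS = """
$sequence_0 = { 005c7e46 00847e46008a46 0323 d188470383ee }
$sequence_1 = { c785a8feffffab9ba19b c785acfefffff79bf09b c785b0feffffe79bab9b c785b4feffffa19bf39b c785b8feffffe89be79b c785bcfeffffab9ba19b c785c0fefffff79bff9b }
$sequence_2 = { 00bcaf4500c5af 45 00f8 af }
$sequence_3 = { 0101 0101 0201 0102 }
$sequence_4 = { 0101 33c0 8be5 5d }
$sequence_5 = { c785a8faffff02246d9b c785acfaffff9b9b6c64 c785b0faffff10e8c398 c785b4faffffee6310de c785b8faffff63f1911b c785bcfaffff59d7ab8d c785c0faffff02c56c65 }
$sequence_6 = { c78598f8ffffbffbf34c c7859cf8ffffe6c5e373 c785a0f8ffff7f9f9b9b c785a4f8ffff64efbfdb c785a8f8ffff12dfbff7 c785acf8fffff3531fa1 c785b0f8ffffaa73499f }
$sequence_7 = { c785e4f6ffff9d9b9b64 c785e8f6ffffefbfa312 c785ecf6ffffdfbfdff3 c785f0f6ffffe81bd39d c785f4f6ffff73149d9b }
$sequence_8 = { 68a0120000 6a00 68???????? e8???????? }
$sequence_9 = { 0101 33c0 5e 5b }
$sequence_10 = { 0101 0505050505 0505050505 0505050505 0505050505 0505050505 }
$sequence_11 = { 3c58 770f 0fbec2 0fbe80186e0110 }
$sequence_12 = { 0001 0101 0102 0101 }
$sequence_13 = { c7857cf6ffffa864a050 c78580f6ffffe584942c c78584f6ffffa9185999 c78588f6ffff1865fae9 c7858cf6ffff9d1a5d7b c78590f6ffff649b9bf2 c78594f6ffff64189b9b }
$sequence_14 = { 0101 0101 0101 0101 0101 0505050505 }
$sequence_15 = { 8d4dcc c74508???????? e8???????? 68???????? 8d45cc 50 c745ccf0860110 }
"""
MIN_MATCHES = 7          # condition: "7 of them"
MAX_FILESIZE = 2256896   # condition: "filesize < 2256896"

_DEF_RE = re.compile(r"(\$\w+)\s*=\s*\{([^}]*)\}")


def _hex_body(body: str) -> str:
    """Collapse a hex-string body ('0101 33c0 ...') into one run of byte pairs."""
    hexstr = "".join(body.split())
    if len(hexstr) % 2:
        raise ValueError("odd-length hex string")
    return hexstr


def parse_hex_strings(text: str) -> Dict[str, "re.Pattern"]:
    """Map each '$name = { ... }' to a compiled bytes regex; '??' matches any byte."""
    patterns = {}
    for name, body in _DEF_RE.findall(text):
        hexstr = _hex_body(body)
        parts = []
        for i in range(0, len(hexstr), 2):
            pair = hexstr[i:i + 2]
            parts.append(b"." if pair == "??" else re.escape(bytes.fromhex(pair)))
        patterns[name] = re.compile(b"".join(parts), re.DOTALL)
    return patterns


def matching_strings(patterns: Dict[str, "re.Pattern"], data: bytes) -> List[str]:
    """Names of the hex strings found anywhere in data."""
    return [name for name, pat in patterns.items() if pat.search(data)]


def rule_matches(patterns: Dict[str, "re.Pattern"], data: bytes) -> bool:
    """Evaluate '7 of them and filesize < 2256896' for an in-memory buffer."""
    return len(matching_strings(patterns, data)) >= MIN_MATCHES and len(data) < MAX_FILESIZE


def low_diversity(text: str, max_distinct: int = 4) -> List[str]:
    """Sequences built from at most max_distinct distinct byte values (wildcards
    ignored). Runs such as 01 01 01 01 02 01 01 02 look like data, not code, so a
    hit carried mostly by them deserves a lower confidence weight."""
    flagged = []
    for name, body in _DEF_RE.findall(text):
        hexstr = _hex_body(body)
        pairs = {hexstr[i:i + 2] for i in range(0, len(hexstr), 2)} - {"??"}
        if len(pairs) <= max_distinct:
            flagged.append(name)
    return flagged


def build_sample(text: str, names: List[str], pad: int = 0) -> bytes:
    """Constructed test buffer: the named sequences' bytes (wildcards filled with
    0x90) joined by 0xCC filler, followed by pad zero bytes."""
    defs = dict(_DEF_RE.findall(text))
    chunks = [bytes.fromhex(_hex_body(defs[n]).replace("??", "90")) for n in names]
    return (b"\xcc" * 8).join(chunks) + b"\x00" * pad


PATTERNS = parse_hex_strings(RULE_STRINGS)
# Seven of the high-diversity sequences, enough to satisfy "7 of them".
SEVEN = ["$sequence_0", "$sequence_1", "$sequence_2", "$sequence_5",
         "$sequence_6", "$sequence_7", "$sequence_13"]

if __name__ == "__main__":
    print("7 sequences, small buffer:", rule_matches(PATTERNS, build_sample(RULE_STRINGS, SEVEN)))        # True
    print("6 sequences, small buffer:", rule_matches(PATTERNS, build_sample(RULE_STRINGS, SEVEN[:6])))    # False
    print("7 sequences, oversized   :", rule_matches(PATTERNS, build_sample(RULE_STRINGS, SEVEN, pad=MAX_FILESIZE)))  # False
    print("low-diversity sequences  :", low_diversity(RULE_STRINGS))
```

For real samples use the YARA engine itself (yara -s on the rule file prints which strings matched and where); this evaluator handles only the syntax present in this rule and ignores YARA features such as jumps, alternatives and nocase, so treat it as a way to reason about the threshold and the weak sequences, not as a detector.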