Pulse Detail — Threat Intelligence

PULSE NAME

Cracking ValleyRAT: From Builder Secrets to Kernel Rootkits

WHITE PetrP.73 2025-12-11 Modified: 2025-12-11

124

IOCs

HIGH VOLUME

Check Point Research conducted a thorough technical analysis of the ValleyRAT malware, also referred to as Winos or Winos4.0. The research primarily focuses on ValleyRAT's sophisticated modular architecture and plugin system, revealing significant insights into its potentially broad deployment following the public release of its builder. This malware notably includes a kernel-mode rootkit within its “Driver Plugin,” which retains valid signatures that allow it to operate on updated Windows 11 systems, thereby circumventing native security features.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1114 T1055.004 T1056.001 T1106 T1112 T1547.006 T1562.001

Indicators of Compromise (124)

All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	062d3294506887a635d66f68e757f2c3	MD5 of 96c54665cda4f04e9ff60faebcd993d0cf98988258249d9e00fe563be7923899	2025-12-11
FileHash-MD5	0ac0a0a4839145c441ac0f143bad0b3a	MD5 of 9dd0e7dccc7105a30b3a71f10126be4ee5a8e770e743fc4f0bbea0e45cafb39f	2025-12-11
FileHash-MD5	106ac89e14ab5b6af1ea439459179fe5	MD5 of 860acd2b9aec21cf03e1c5ec8f79b1ef4e7b78eb9ba7a6c0a915586957356aea	2025-12-11
FileHash-MD5	13399ccf17d3e744f8d37a30b813294b	MD5 of e19ae27f03c252d4e7b44c462a4edaa1ae759888bcd25cb7863c3c08c35936f1	2025-12-11
FileHash-MD5	1db92863b5ad745acb13c102c4b1130b	MD5 of 2aa029088c04eb10b056c18fcc39395936e6f01ee9ebdeed2558e4899116ee86	2025-12-11
FileHash-MD5	224caf49c4474b41b57333d912e50690	MD5 of 054a22279de7a8c0fd75a72b39648dd2429bef07c268756087ed96792dde4a4c	2025-12-11
FileHash-MD5	29ccc6ef0a6b123c0649327b004f6c7f	MD5 of e60298307befa4b22eeedef02019a39c93729567fcd4a7745350fd27a92538bd	2025-12-11
FileHash-MD5	2a3c92899d1e8e495ccde926cf9dfe81	MD5 of 9e82fe6322585d613c8409fa445394e2e38f24ef85733b8dafcfa3ce8dc23517	2025-12-11
FileHash-MD5	2eba998601f71a2a49510a7d1da5b87c	MD5 of 7f5bad67cec7492b023ca08e8fa3ed5db9eb186fab0472b34993fe3cb96383be	2025-12-11
FileHash-MD5	2f2f8f86319c328a6ed0556f171b8933	MD5 of 74d70f53748125eb4439cb790817fb1d0e9159f75c7dd5148444f507ba6dee1d	2025-12-11
FileHash-MD5	31b0c0a3f72e3d231013d0e1c1ecaa5e	MD5 of 90f24d6175e1b5fac4e2844e77554ff03dec2174f18c07c008699af540fe2788	2025-12-11
FileHash-MD5	4f1c4979e421cfffa4af1805129b4051	MD5 of dca90d7d9e5770acbd991af69bafa80fe596430c29c78d5036a8fb08ff900e12	2025-12-11
FileHash-MD5	532940ce0f0344e351897dc2391eea05	MD5 of 0a6376107abdf30ea14f4bdaf785b2db7d18e0818bd332511dcce3824b8a42b6	2025-12-11
FileHash-MD5	565cd4c6a515d387f29e7bbb4ffcdc88	MD5 of a57dd44b7bc6233496657867cf053199213289f58c1c3c8d4eb565ed3707deb1	2025-12-11
FileHash-MD5	60c0d75e07934c82e64c8dee563e394e	MD5 of 4d0517229ef88f2410a2a1983eaf4036872911c8cf31c3ceb38c11210d02e91e	2025-12-11
FileHash-MD5	62446c702bd776f1864e6ba5e6c9a206	MD5 of 9ec3c31ca3bcdd4597d3e928e36fb0202a5111da7e5d169c58bd97b4ae61ee38	2025-12-11
FileHash-MD5	646e02ff05cee993a39400b5b9fed553	MD5 of 35fbedfafa9a2267d8eab711ce0e9db66dca304a4b4379d7a965ce3893b51fc1	2025-12-11
FileHash-MD5	64b999f0b77849d592b324852dc9014e	MD5 of d17bf1c3d50bf4acba18418b0cdcc524be268848b15542e4895a74dd0e4606fb	2025-12-11
FileHash-MD5	7c06c303328ef876266fa2152c97d58c	MD5 of 5dcde82f7a2db50dddf9b42dab3e3affabedfe237d7c956a1de660a702fa74b6	2025-12-11
FileHash-MD5	7d4e6913c98b3e19db47aa3fb8d3019e	MD5 of 93e75eada1b8f155bdb41c1af0f7d7ea390b280c6f49c8834c11af2e8f6c3a1c	2025-12-11
FileHash-MD5	84234295b59126236da37cb796104d1b	MD5 of 61598b986aeaeb24d7565a7bb3a113e61f88b4d4c6169d2bd7fd0b988d3e41c9	2025-12-11
FileHash-MD5	8baaab8fdd33e9b891ca04ee6d53a4cf	MD5 of e22fb0c295eefaeb4b25a0b9038a0c60cec9389b894fa22902a7122ddb8779a2	2025-12-11
FileHash-MD5	a0bccb2edc0e858362d15148a5a65dee	MD5 of 55c07dd40ffcf07d569b8b762513cdbfc51e7a4c77ce6613524794515b7d6682	2025-12-11
FileHash-MD5	a7a3582acaf1c6d3441add4c689ee8aa	MD5 of 746f2d5d727511c1bd1ad936f35ac0851a520aadcf201f0d5e23dc6cd728dd4a	2025-12-11
FileHash-MD5	a859513bc5e1bcb8702bdc9e3ea56793	MD5 of 2c34d8fc0881d3cd4fb693fc5fe2edf405b8424174d3dbb800385fd70969f39d	2025-12-11
FileHash-MD5	aab362452ee077bc136058ec78a0b095	MD5 of 05e578a967168b704d8bdcba95a8d69fdda25854263e037990add05ccb403115	2025-12-11
FileHash-MD5	b6b2ac95fd2dbf34d5f05d83fb89c8f1	MD5 of 9f456f3125d7f6ce907e13ec637b9b8c6e4a43b1c9f352d233cfebbc2d0fff32	2025-12-11
FileHash-MD5	b895bdefa25044c3f093101b36938208	MD5 of 13d7380344bf1f9e17e8970c01127a2fe2528d3e640b36ef478ccd4024033411	2025-12-11
FileHash-MD5	c04d731cd26a4a7f31404d9ccb16320e	MD5 of 14b85b07bfdd134e709ff973871d75d33ecca964457373b76b34a70183c2b1d0	2025-12-11
FileHash-MD5	c3b950e4a3906dee3ab6a0462cf5ff4e	MD5 of ed4a064ef099e0ea40faf4b1e3618f20c52833b148ae578f80f09eabd2d6acd2	2025-12-11
FileHash-MD5	ca0c1f306bed4c7f9e811afa7ebfa196	MD5 of 5e4085553f083d1fd31d673f0746670dfc1f9ebb9911f2fe754e59d9ca6176dc	2025-12-11
FileHash-MD5	d8a13696c9a56005f4223b123480aa71	MD5 of 7c9554c18a6b8fe87a570dd5cd5a0f041a782fc2424ab02ac675e474e2e0a9ce	2025-12-11
FileHash-MD5	e31b897e008fabdc8296a2d747661201	MD5 of 1bd71ea3b9409a6e86fac12039258f8ed8b59261ff2509673544e4a548987931	2025-12-11
FileHash-MD5	e4ba0b12f40063f45f2ee12cf056cb5b	MD5 of aaf8258585d086cce588a3e870eb485270ee135087eee9ef8766db9f86677ecd	2025-12-11
FileHash-MD5	e6ad6fd01427ef32af4f420103bb0a22	MD5 of 6f79ee17dbb75d1ed7e0535a7b498c2249d538c0836d6ecee16fec491b200ce9	2025-12-11
FileHash-MD5	e7c908d632225f6701eb44789024c4c6	MD5 of 85296ee0d867175da1b790f472824f6e702930676aa9b41c4f40f62f41e91652	2025-12-11
FileHash-MD5	e8017ca9ef422e5bfcaf96a63ee20796	MD5 of dee2b2da6b917d2dc7d3dcbbd3c505dd4f128c07059659f9e891000faef2512c	2025-12-11
FileHash-MD5	ecc181a922b99ad769aa77f9ab090aa5	MD5 of a38b91c061157011a00d29c5e3169fbf2b29c0b0cacc0153dc0cf9918e92c9b7	2025-12-11
FileHash-MD5	f212f481c6579d1b9cfc4eb3a9cee5f0	MD5 of 79daa001c67dc83bdd6189417ccf4bf83ea5da4c6211bbac91c1d7d55f76fa5f	2025-12-11
FileHash-SHA1	04d689e2d7283e4ec292a32e7c25b154d3cb5d3a	SHA1 of 74d70f53748125eb4439cb790817fb1d0e9159f75c7dd5148444f507ba6dee1d	2025-12-11
FileHash-SHA1	0cc2eefef326caf094f2d44969656fae36e43d5b	SHA1 of 9f456f3125d7f6ce907e13ec637b9b8c6e4a43b1c9f352d233cfebbc2d0fff32	2025-12-11
FileHash-SHA1	0ce8ac907c9c6dfac05debb8aa3322b361c18179	SHA1 of 55c07dd40ffcf07d569b8b762513cdbfc51e7a4c77ce6613524794515b7d6682	2025-12-11
FileHash-SHA1	20fdac864a021d3287a7a2b3c89dcde481111ba7	SHA1 of 85296ee0d867175da1b790f472824f6e702930676aa9b41c4f40f62f41e91652	2025-12-11
FileHash-SHA1	2440bfbb368114b93514609795b78e0619380ecf	SHA1 of 96c54665cda4f04e9ff60faebcd993d0cf98988258249d9e00fe563be7923899	2025-12-11
FileHash-SHA1	2680846007c2319266e349be27491ed5a05140c8	SHA1 of a57dd44b7bc6233496657867cf053199213289f58c1c3c8d4eb565ed3707deb1	2025-12-11
FileHash-SHA1	29d0e1dd2b95ba452e91ae0e606db9c33ceb7065	SHA1 of 5dcde82f7a2db50dddf9b42dab3e3affabedfe237d7c956a1de660a702fa74b6	2025-12-11
FileHash-SHA1	2c23f4cb5dbf64471a5fb8b0c1eefb6f84001460	SHA1 of 4d0517229ef88f2410a2a1983eaf4036872911c8cf31c3ceb38c11210d02e91e	2025-12-11
FileHash-SHA1	2ce43e9502d78bac18437f948a18fb54596fa9fc	SHA1 of 35fbedfafa9a2267d8eab711ce0e9db66dca304a4b4379d7a965ce3893b51fc1	2025-12-11
FileHash-SHA1	34d3ff69dffef8240d181f804daca68803df30b0	SHA1 of aaf8258585d086cce588a3e870eb485270ee135087eee9ef8766db9f86677ecd	2025-12-11
FileHash-SHA1	38d24f88c5f6b4ec323ae48902a053f5efd9159c	SHA1 of 746f2d5d727511c1bd1ad936f35ac0851a520aadcf201f0d5e23dc6cd728dd4a	2025-12-11
FileHash-SHA1	3c92981e2fc1c9b7f75cfae9d80b0d410a49ac06	SHA1 of 93e75eada1b8f155bdb41c1af0f7d7ea390b280c6f49c8834c11af2e8f6c3a1c	2025-12-11
FileHash-SHA1	44e76db27c9544b83676cb79be8430ae206e17fb	SHA1 of 14b85b07bfdd134e709ff973871d75d33ecca964457373b76b34a70183c2b1d0	2025-12-11
FileHash-SHA1	4b620980914ba3e3bd9f5e54bb1a005c71ac6a18	SHA1 of 6f79ee17dbb75d1ed7e0535a7b498c2249d538c0836d6ecee16fec491b200ce9	2025-12-11
FileHash-SHA1	4d7dc12dbdf48d30c495d1a5d0385146d77449f9	SHA1 of dca90d7d9e5770acbd991af69bafa80fe596430c29c78d5036a8fb08ff900e12	2025-12-11
FileHash-SHA1	656237d3f9e93bfd7c5fdbde66249903ba1f66a8	SHA1 of 7c9554c18a6b8fe87a570dd5cd5a0f041a782fc2424ab02ac675e474e2e0a9ce	2025-12-11
FileHash-SHA1	68a3f5be90046496e14a3769ce59523b8809962c	SHA1 of 9e82fe6322585d613c8409fa445394e2e38f24ef85733b8dafcfa3ce8dc23517	2025-12-11
FileHash-SHA1	6d06e15da128d46a7b09cbd63af5bb66b3f50820	SHA1 of 13d7380344bf1f9e17e8970c01127a2fe2528d3e640b36ef478ccd4024033411	2025-12-11
FileHash-SHA1	7332f9767223de2605ee24710df46ff227f579a6	SHA1 of 90f24d6175e1b5fac4e2844e77554ff03dec2174f18c07c008699af540fe2788	2025-12-11
FileHash-SHA1	803c4d07ac3b137d4ee811332a59d4fb83a33280	SHA1 of e22fb0c295eefaeb4b25a0b9038a0c60cec9389b894fa22902a7122ddb8779a2	2025-12-11
FileHash-SHA1	81c9010e3633a0006e43b063b10fcf1b30c0e60a	SHA1 of 2c34d8fc0881d3cd4fb693fc5fe2edf405b8424174d3dbb800385fd70969f39d	2025-12-11
FileHash-SHA1	8c05d4d3af8590df402d0c60658b33ec42bcf74e	SHA1 of ed4a064ef099e0ea40faf4b1e3618f20c52833b148ae578f80f09eabd2d6acd2	2025-12-11
FileHash-SHA1	8ceafb332982ddcb0e38f2e762f818ecec80deda	SHA1 of a38b91c061157011a00d29c5e3169fbf2b29c0b0cacc0153dc0cf9918e92c9b7	2025-12-11
FileHash-SHA1	97e1c4781b95918077fe48206011a39eabb79bca	SHA1 of 5e4085553f083d1fd31d673f0746670dfc1f9ebb9911f2fe754e59d9ca6176dc	2025-12-11
FileHash-SHA1	9ed6bf66d6d566a5648f5580d6c0664b4c9699b4	SHA1 of 79daa001c67dc83bdd6189417ccf4bf83ea5da4c6211bbac91c1d7d55f76fa5f	2025-12-11
FileHash-SHA1	a2271c1f932f8fa43829bbb45c12a2b203d42f7c	SHA1 of 0a6376107abdf30ea14f4bdaf785b2db7d18e0818bd332511dcce3824b8a42b6	2025-12-11
FileHash-SHA1	a7090a8655e06671831d2211ae7e635730b8566a	SHA1 of 61598b986aeaeb24d7565a7bb3a113e61f88b4d4c6169d2bd7fd0b988d3e41c9	2025-12-11
FileHash-SHA1	a82526d5a437536afca3a60960f84bf7ef43eb8f	SHA1 of 2aa029088c04eb10b056c18fcc39395936e6f01ee9ebdeed2558e4899116ee86	2025-12-11
FileHash-SHA1	a907b5dbdae54025541ff986aa61490bb75264dc	SHA1 of 05e578a967168b704d8bdcba95a8d69fdda25854263e037990add05ccb403115	2025-12-11
FileHash-SHA1	ae01fb75f40e7bec4af1ad01ebbda3815dc0e273	SHA1 of 1bd71ea3b9409a6e86fac12039258f8ed8b59261ff2509673544e4a548987931	2025-12-11
FileHash-SHA1	cd87f5b5c01f4f0e4d03c3f338beb4edf8ea19a8	SHA1 of 9dd0e7dccc7105a30b3a71f10126be4ee5a8e770e743fc4f0bbea0e45cafb39f	2025-12-11
FileHash-SHA1	cf5a331f16135fd55098b3e6676033b326f28609	SHA1 of dee2b2da6b917d2dc7d3dcbbd3c505dd4f128c07059659f9e891000faef2512c	2025-12-11
FileHash-SHA1	d5e9c608f4347e3d965707d68c2523e4deb9bb5c	SHA1 of 054a22279de7a8c0fd75a72b39648dd2429bef07c268756087ed96792dde4a4c	2025-12-11
FileHash-SHA1	d902b0d80422b264a403e747d25c2bd50a2c35c8	SHA1 of e60298307befa4b22eeedef02019a39c93729567fcd4a7745350fd27a92538bd	2025-12-11
FileHash-SHA1	e7349b599bf033cde62520d2c4cb242463a83720	SHA1 of 9ec3c31ca3bcdd4597d3e928e36fb0202a5111da7e5d169c58bd97b4ae61ee38	2025-12-11
FileHash-SHA1	ee6636e2eab1d5fb64f8c4df33a9c4a1aff22f4b	SHA1 of 7f5bad67cec7492b023ca08e8fa3ed5db9eb186fab0472b34993fe3cb96383be	2025-12-11
FileHash-SHA1	f775eccb937f4dc523a7b65a1c8226abddc87fa4	SHA1 of 860acd2b9aec21cf03e1c5ec8f79b1ef4e7b78eb9ba7a6c0a915586957356aea	2025-12-11
FileHash-SHA1	fc3c9803671f2471981f5bb8042fd442b25e585d	SHA1 of e19ae27f03c252d4e7b44c462a4edaa1ae759888bcd25cb7863c3c08c35936f1	2025-12-11
FileHash-SHA1	ffb8e7a6fd660faad8e7d137862f6d7f9cde499a	SHA1 of d17bf1c3d50bf4acba18418b0cdcc524be268848b15542e4895a74dd0e4606fb	2025-12-11
FileHash-SHA256	054a22279de7a8c0fd75a72b39648dd2429bef07c268756087ed96792dde4a4c	—	2025-12-11
FileHash-SHA256	05e578a967168b704d8bdcba95a8d69fdda25854263e037990add05ccb403115	—	2025-12-11
FileHash-SHA256	0a6376107abdf30ea14f4bdaf785b2db7d18e0818bd332511dcce3824b8a42b6	—	2025-12-11
FileHash-SHA256	13d7380344bf1f9e17e8970c01127a2fe2528d3e640b36ef478ccd4024033411	—	2025-12-11
FileHash-SHA256	14b85b07bfdd134e709ff973871d75d33ecca964457373b76b34a70183c2b1d0	—	2025-12-11
FileHash-SHA256	1bd71ea3b9409a6e86fac12039258f8ed8b59261ff2509673544e4a548987931	—	2025-12-11
FileHash-SHA256	2aa029088c04eb10b056c18fcc39395936e6f01ee9ebdeed2558e4899116ee86	—	2025-12-11
FileHash-SHA256	2c34d8fc0881d3cd4fb693fc5fe2edf405b8424174d3dbb800385fd70969f39d	—	2025-12-11
FileHash-SHA256	35fbedfafa9a2267d8eab711ce0e9db66dca304a4b4379d7a965ce3893b51fc1	—	2025-12-11
FileHash-SHA256	4d0517229ef88f2410a2a1983eaf4036872911c8cf31c3ceb38c11210d02e91e	—	2025-12-11
FileHash-SHA256	55c07dd40ffcf07d569b8b762513cdbfc51e7a4c77ce6613524794515b7d6682	—	2025-12-11
FileHash-SHA256	5dcde82f7a2db50dddf9b42dab3e3affabedfe237d7c956a1de660a702fa74b6	—	2025-12-11
FileHash-SHA256	5e4085553f083d1fd31d673f0746670dfc1f9ebb9911f2fe754e59d9ca6176dc	—	2025-12-11
FileHash-SHA256	61598b986aeaeb24d7565a7bb3a113e61f88b4d4c6169d2bd7fd0b988d3e41c9	—	2025-12-11
FileHash-SHA256	6f79ee17dbb75d1ed7e0535a7b498c2249d538c0836d6ecee16fec491b200ce9	—	2025-12-11
FileHash-SHA256	746f2d5d727511c1bd1ad936f35ac0851a520aadcf201f0d5e23dc6cd728dd4a	—	2025-12-11
FileHash-SHA256	74d70f53748125eb4439cb790817fb1d0e9159f75c7dd5148444f507ba6dee1d	—	2025-12-11
FileHash-SHA256	79daa001c67dc83bdd6189417ccf4bf83ea5da4c6211bbac91c1d7d55f76fa5f	—	2025-12-11
FileHash-SHA256	7c9554c18a6b8fe87a570dd5cd5a0f041a782fc2424ab02ac675e474e2e0a9ce	—	2025-12-11
FileHash-SHA256	7f5bad67cec7492b023ca08e8fa3ed5db9eb186fab0472b34993fe3cb96383be	—	2025-12-11
FileHash-SHA256	85296ee0d867175da1b790f472824f6e702930676aa9b41c4f40f62f41e91652	—	2025-12-11
FileHash-SHA256	860acd2b9aec21cf03e1c5ec8f79b1ef4e7b78eb9ba7a6c0a915586957356aea	—	2025-12-11
FileHash-SHA256	90f24d6175e1b5fac4e2844e77554ff03dec2174f18c07c008699af540fe2788	—	2025-12-11
FileHash-SHA256	93e75eada1b8f155bdb41c1af0f7d7ea390b280c6f49c8834c11af2e8f6c3a1c	—	2025-12-11
FileHash-SHA256	96c54665cda4f04e9ff60faebcd993d0cf98988258249d9e00fe563be7923899	—	2025-12-11
FileHash-SHA256	9dd0e7dccc7105a30b3a71f10126be4ee5a8e770e743fc4f0bbea0e45cafb39f	—	2025-12-11
FileHash-SHA256	9e82fe6322585d613c8409fa445394e2e38f24ef85733b8dafcfa3ce8dc23517	—	2025-12-11
FileHash-SHA256	9ec3c31ca3bcdd4597d3e928e36fb0202a5111da7e5d169c58bd97b4ae61ee38	—	2025-12-11
FileHash-SHA256	9f456f3125d7f6ce907e13ec637b9b8c6e4a43b1c9f352d233cfebbc2d0fff32	—	2025-12-11
FileHash-SHA256	a38b91c061157011a00d29c5e3169fbf2b29c0b0cacc0153dc0cf9918e92c9b7	—	2025-12-11
FileHash-SHA256	a57dd44b7bc6233496657867cf053199213289f58c1c3c8d4eb565ed3707deb1	—	2025-12-11
FileHash-SHA256	aaf8258585d086cce588a3e870eb485270ee135087eee9ef8766db9f86677ecd	—	2025-12-11
FileHash-SHA256	d17bf1c3d50bf4acba18418b0cdcc524be268848b15542e4895a74dd0e4606fb	—	2025-12-11
FileHash-SHA256	dca90d7d9e5770acbd991af69bafa80fe596430c29c78d5036a8fb08ff900e12	—	2025-12-11
FileHash-SHA256	dee2b2da6b917d2dc7d3dcbbd3c505dd4f128c07059659f9e891000faef2512c	—	2025-12-11
FileHash-SHA256	e19ae27f03c252d4e7b44c462a4edaa1ae759888bcd25cb7863c3c08c35936f1	—	2025-12-11
FileHash-SHA256	e22fb0c295eefaeb4b25a0b9038a0c60cec9389b894fa22902a7122ddb8779a2	—	2025-12-11
FileHash-SHA256	e60298307befa4b22eeedef02019a39c93729567fcd4a7745350fd27a92538bd	—	2025-12-11
FileHash-SHA256	ed4a064ef099e0ea40faf4b1e3618f20c52833b148ae578f80f09eabd2d6acd2	—	2025-12-11
URL	https://lief.re/	—	2025-12-11
URL	https://www.angusj.com/resourcehacker/	—	2025-12-11
URL	https://www.sun-rat.com/	—	2025-12-11
domain	args.directory	—	2025-12-11
domain	lief.re	—	2025-12-11
hostname	www.angusj.com	—	2025-12-11
hostname	www.sun-rat.com	—	2025-12-11

References (1)

↗ https://research.checkpoint.com/2025/cracking-valleyrat-from-builder-secrets-to-kernel-rootkits/