Pulse: Cracking ValleyRAT: From Builder Secrets to Kernel Rootkits
Author: PetrP.73 (WHITE). Created: 2025-12-11. Modified: 2025-12-11.
124 IOCs
Check Point Research conducted a thorough technical analysis of the ValleyRAT malware, also referred to as Winos or Winos4.0. The research primarily focuses on ValleyRAT's sophisticated modular architecture and plugin system, revealing significant insights into its potentially broad deployment following the public release of its builder. This malware notably includes a kernel-mode rootkit within its “Driver Plugin,” which retains valid signatures that allow it to operate on updated Windows 11 systems, thereby circumventing native security features.
Indicators of Compromise (39 / 124 total)