Pulse name: Cracking ValleyRAT: From Builder Secrets to Kernel Rootkits
WHITE | PetrP.73 | Created: 2025-12-11 | Modified: 2025-12-11
124 IOCs
Check Point Research published a detailed technical analysis of the ValleyRAT malware, also known as Winos or Winos4.0. The research focuses on ValleyRAT's modular architecture and plugin system, and on the likely broad deployment that follows the public release of its builder. Of particular note, the malware's “Driver Plugin” carries a kernel-mode rootkit whose driver still has valid signatures, which lets it load on up-to-date Windows 11 systems and bypass native security features.
Indicators of Compromise (39 / 124 total)