ValleyRAT / SilverFox — WinRAR SFX Dropper with WeChat Disguise (Chinese Fraud-Lure Campaign)

Executive Summary

This sample is a ValleyRAT v3 Remote Access Trojan dropper attributed to the SilverFox threat group, a Chinese-speaking threat actor known for targeting mainland Chinese users through social engineering lures. The dropper is a modified WinRAR SFX (self-extracting archive) that masquerades as a legitimate document by using a Chinese-language filename referencing Southeast Asian fraud compounds — a topic of high public interest in China. Upon execution, it silently extracts a multi-stage payload into C:\WeChat\, leverages a legitimate WeChat application as a decoy, and deploys a shellcode runner (WechatLog.exe) alongside a malicious DLL (xweb_elf.dll) that loads an AES-encrypted second-stage payload (ra.log). The malware performs locale-based geofencing to avoid running on non-Chinese systems and uses hardware AES-NI instructions for payload decryption.

Primary C2: 156.254.21.227 (Hong Kong, Fastmos Co Limited) — a dedicated command-and-control server with WinRM exposed, linked to a dozen+ related campaign samples. Secondary payload host: 45.151.135.211 (Spartan Host, Seattle) serving live encrypted payloads (sys.log) over HTTP on port 8889.

The campaign is active as of 2026-03-13, with samples first seen on VirusTotal at 14:46 UTC the same day.

---

Sample Metadata

Field	Value
SHA256	43b3eb69729a82c9babd44da03348659ba8c8f55afd6e8cb23ccae78eb09c890
MD5	cccb3fc5f563efa516289b98590ffcd1
SHA1	e20abf6021fa99f41da19b5b1507bd8c0d39ab72
File Type	PE32+ executable (GUI) x86-64, Windows
File Size	2,331,712 bytes (2.22 MB)
Compile Timestamp	2024-02-26 09:01:47 UTC
First Seen (VT)	2026-03-13 14:46:59 UTC
VT Detections	20/76 malicious
Suggested Label	trojan.shellcode/valleyrat
Reporter	CNGaoLing
MIME	application/x-dosexec
PDB Path	D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb

VT Detection Highlights:

Vendor	Detection
TrendMicro	Backdoor.Win64.VALLEYRAT.YXGCMZ
TrendMicro-HouseCall	Backdoor.Win64.VALLEYRAT.YXGCMZ
Sangfor	Trojan.Win32.Silverfox.Cont
ESET-NOD32	Win64/ShellcodeRunner.CBF trojan
Kaspersky	UDS:Exploit.Win32.Shellcode.cfjj
ClamAV	Win.Exploit.Rozena-10037100-0
Rising	Exploit.Shellcode!8.2A
Microsoft	Trojan:Win64/Malgent!MSR
CrowdStrike	win/malicious_confidence_100%
Elastic	malicious (high confidence)

---

Lure Analysis

The filename 黑园区及死者身份信息详情.exe translates as "Black (fraud) zone area and deceased identity information details.exe". This is a deliberate social engineering lure exploiting intense Chinese public interest in Southeast Asian fraud compounds (particularly Cambodia and Myanmar), where mainland Chinese victims have been trafficked into forced cybercrime operations. Sibling samples in the same campaign use related lures:

• 柬埔寨西港园区女狗推盗刷公司8万U躲在酒店被抓到脱衣殴打.exe — Sihanoukville compound lure
• 2026最新一批非法滞留境外网逃人员名单.exe — "2026 latest online wanted list for persons illegally abroad"
• 中国女孩失足园区遭多人小黑屋开火车视频曝光.exe — viral abuse video lure
• 2026警方发布缉拿在柬涉案人员名单.exe — "2026 police arrest list Cambodia"
• 园区长期诱骗多名女性囚禁沦为性奴.exe — trafficking lure

This lure strategy targets emotionally charged topics to maximize click-through on Chinese social media platforms.

---

Static Analysis

PE Header

Field	Value
Architecture	x86-64 (AMD64)
Image Base	0x140000000
Entry Point	0x32E60
Subsystem	Windows GUI (2)
Number of Sections	8
Characteristics	0x22 (executable, large address aware)

Section Table

Section	VirtAddr	VirtSize	RawSize	Entropy
.text	0x1000	0x466EE	0x46800	6.47
.rdata	0x48000	0x128C4	0x12A00	5.27
.data	0x5B000	0xE75C	0x1A00	3.26
.pdata	0x6A000	0x306C	0x3200	5.50
.didat	0x6E000	0x360	0x400	3.03
_RDATA	0x6F000	0x15C	0x200	3.31
.rsrc	0x70000	0x6C854	0x6CA00	3.81
.reloc	0xDD000	0x970	0xA00	5.34

PE Overlay: The PE image (SizeOfImage: 0xDE000 = 909 KB) is followed by a 1,497,152-byte overlay (1.43 MB) starting at file offset 0x0CB800. The overlay begins with magic bytes 52 61 72 21 1A 07 01 00 — the RAR5 archive signature.

Packer/Dropper Identification

The sample is a WinRAR SFX (Self-Extracting Archive) built with the legitimate WinRAR SFX module (sfxrar64.dll). The PDB path D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb confirms use of the authentic WinRAR SFX build chain. The dialog resources (ASKNEXTVOL, GETPASSWORD1, LICENSEDLG, RENAMEDLG, etc.) are standard WinRAR SFX UI components. The SFX uses RAR5 compression with a silent install configuration.

Embedded RAR Archive Contents

The embedded RAR5 archive contains a SFX comment/script:

;下面的注释包含自解压脚本命令
; (The following comment contains SFX script commands)

Path=C:\WeChat
Setup=WechatLog.exe
Setup=WeChatAppEx.exe
Silent=1
Overwrite=2

Archived files:

Filename	Size (decompressed)	Size (compressed)	Timestamp
ra.log	287,073 bytes	287,073 (uncompressed)	2026-03-12 13:17:22
WeChatAppEx.exe	3,534,432 bytes	1,086,556 bytes	2025-01-13 11:21:58
WechatLog.exe	126,464 bytes	58,569 bytes	2026-03-13 05:16:18
xweb_elf.dll	140,800 bytes	64,328 bytes	2026-03-12 13:42:50

Note: WechatLog.exe was compiled only hours before the sample was first uploaded to VirusTotal (05:16 UTC vs 14:46 UTC), suggesting a fresh build for this campaign.

Encrypted Payload: ra.log

ra.log is stored uncompressed inside the RAR and has near-perfect entropy (7.9994/8.0), indicating strong encryption (AES-256 or ChaCha20). Byte frequency analysis shows uniform distribution across all 256 byte values, ruling out simple XOR. CAPA analysis confirms AES-NI hardware acceleration (aesdec/aesdeclast mnemonics) and SHA256 for key derivation.

• SHA256: c7cf10d353e7c0d9f5f62354b0bfe0b20037e3c0c00831402ab213f8ccae2a2d
• MD5: e5da2578bf9f780193b9110e64e8237e
• Size: 287,073 bytes
• Entropy: 7.9994

Important Imports

DLL	Notable Imports
KERNEL32.dll	CreateThread, VirtualQuery, GlobalMemoryStatusEx, CreateFileMappingW, OpenFileMappingW, MoveFileExW, DeleteFileW, GetVersionExW
ADVAPI32.dll	AdjustTokenPrivileges, OpenProcessToken, CryptProtectMemory, CryptUnprotectMemory, RegCreateKeyExW, RegOpenKeyExW
OLEAUT32.dll	SysAllocString, VariantClear
gdiplus.dll	GdipCreateBitmapFromStream, GdipCreateHBITMAPFromBitmap (PNG resources for decoy UI)
SHLWAPI.dll	Path manipulation

The presence of CryptProtectMemory/CryptUnprotectMemory (DPAPI) alongside AES-NI instructions suggests a layered key protection scheme.

Anti-Analysis Features (from CAPA/CAPE)

1. Geofencing — Queries keyboard layout, checks system locale, reads registry keys:

   • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
   • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US Exits if system is not configured for Chinese locale (avoids sandbox/Western analyst machines).

2. Anti-VM — Checks available physical memory (GlobalMemoryStatusEx), queries display device information to detect virtual environments.

3. Anti-debug — SetUnhandledExceptionFilter call for anti-debug.

4. Time-based evasion — Possible date-expiry check ("exits too soon after checking local time" per CAPE signature stealth_timeout).

5. Window hiding — ShowWindow(SW_HIDE) to suppress any UI.

6. Process injection — Creates processes in suspended state for shellcode injection.

7. Self-reading — Reads own binary image (for overlay extraction).

---

Infection Chain

[1] User receives/opens lure
     黑园区及死者身份信息详情.exe
     (Chinese fraud-zone lure filename)
            │
            ▼
[2] WinRAR SFX executes silently
     Extracts to C:\WeChat\:
     ├── WechatLog.exe    (shellcode loader, 126 KB)
     ├── WeChatAppEx.exe  (legit WeChat client, decoy)
     ├── xweb_elf.dll     (malicious DLL, 140 KB)
     └── ra.log           (AES-encrypted shellcode, 287 KB)
            │
            ▼
[3] WechatLog.exe executes
     - Reads ra.log from disk
     - Derives AES key via SHA256
     - Decrypts ra.log using AES-NI (aesdec/aesdeclast)
     - Loads xweb_elf.dll (DLL side-loading)
     - Injects decrypted shellcode into suspended process
            │
            ▼
[4] WeChatAppEx.exe executes (decoy)
     - Legitimate WeChat binary launches visible to user
     - User believes they opened a real document/app
            │
            ▼
[5] Injected shellcode runs in memory
     - System fingerprint via WMI:
       SELECT * FROM Win32_OperatingSystem
     - Geofence check (locale, keyboard layout)
     - Phone home to C2: 156.254.21.227:5985
            │
            ▼
[6] C2 communication (ValleyRAT protocol)
     - Downloads additional payload: sys.log
       from 45.151.135.211:8889/sys.log
     - sys.log: 206,811 bytes, entropy 7.9991
       (encrypted second-stage implant)
            │
            ▼
[7] Full ValleyRAT implant active
     - Remote shell / command execution
     - File upload/download
     - Screen capture / keylogging
     - Credential harvesting
     - Persistence establishment

---

Behavioral Analysis (Static + OSINT Inferred)

Based on static analysis, CAPA signatures, sandbox reports, and known ValleyRAT behavior:

Execution flow:

• SFX runs silently (Silent=1) and overwrites existing files (Overwrite=2)
• WechatLog.exe is the first process created; it reads ra.log, decrypts it with AES-256 using hardware AES-NI, and injects the resulting shellcode into a suspended child process
• WeChatAppEx.exe (legitimate WeChat) launches as a user-visible decoy to prevent suspicion
• xweb_elf.dll is side-loaded by WechatLog.exe using LoadLibraryW (DLL hijacking pattern)

System reconnaissance:

• WMI query: SELECT * FROM Win32_OperatingSystem (OS version, hostname, domain)
• GetLocaleInfoW and keyboard layout checks for geofencing
• GetVersionExW, GlobalMemoryStatusEx (anti-VM)
• GetCurrentProcessId, FindFirstFile/FindNextFile (process/file enumeration)

Persistence (likely):

• Registry autorun or scheduled task (typical ValleyRAT behavior; not observed in available sandboxes)
• Use of MoveFileExW for cleanup on reboot

Network activity:

• TCP connection to 156.254.21.227:5985 (WinRM port — possible custom C2 protocol over HTTP/WinRM)
• HTTP GET to 45.151.135.211:8889/sys.log (additional encrypted payload stage)
• The sys.log served from 45.151.135.211 (SHA256: 89808d9cc38579ec8346a621510ceaacd78d947d003d01981c02ad9c39223a0a, 206,811 bytes, entropy 7.9991) is a currently live C2-delivered encrypted payload

---

Network Indicators

Primary C2: 156.254.21.227

Field	Value
IP	156.254.21.227
Country	Hong Kong
City	Hong Kong
ASN	AS400619
ISP/Org	AROSSCLOUD INC. / Fastmos Co Limited
Netblock	156.254.20.0/23 (AFRINIC allocated, HK-hosted)
VT Malicious	10/76
VT Reputation	-11
SSL Cert	Default self-signed: O=Internet Widgits Pty Ltd (AU)
Shodan Ports	5985/tcp (WinRM), 47001/tcp (HTTP)
Role	Primary C2 — ValleyRAT C2 server

Port 5985 (WinRM / HTTP): ValleyRAT uses port 5985 for its C2 protocol, which mimics WinRM traffic to blend with legitimate Windows Remote Management traffic.

Port 47001 (HTTP): Secondary WinRM endpoint.

The self-signed SSL certificate with the default placeholder organization (Internet Widgits Pty Ltd) is a classic OPSEC failure — the operator did not replace the default OpenSSL certificate.

Attribution note: Fastmos Co Limited appears in multiple Chinese bulletproof hosting investigations. AROSSCLOUD INC. is a shell entity. No valid RDAP/abuse contact.

Secondary Payload Server: 45.151.135.211

Field	Value
IP	45.151.135.211
Country	United States (Seattle, WA)
ASN	AS201106
ISP/Org	Spartan Host Ltd
Netblock	45.151.132.0/22
Abuse contact	abuse@spartanhost.net
Port 22/tcp	OpenSSH 9.6p1 Ubuntu-3ubuntu13.14
Port 8889/tcp	Python SimpleHTTP/0.6 — ACTIVE PAYLOAD HOSTING
Live payload	http://45.151.135.211:8889/sys.log

Critical finding: Port 8889 is running a Python SimpleHTTPServer serving sys.log — a 206,811-byte encrypted payload retrieved live during analysis. The use of Python's built-in HTTP server is an OPSEC failure that reveals the operator's ad hoc infrastructure management style.

SSH fingerprint (port 22):

Key type: ssh-rsa
Key: AAAAB3NzaC1yc2EAAAADAQABAAABAQDH8H9Ly8OylW5JCZmNLZE7xxVfjQU41vrHTXBiGZMfQlMI...

---

MITRE ATT&CK TTPs

ID	Tactic	Technique	Evidence
T1027	Defense Evasion	Obfuscated Files or Information	AES-256 encrypted payloads (ra.log, sys.log), XOR encoding
T1027.002	Defense Evasion	Software Packing	WinRAR SFX dropper with RAR5 archive
T1036	Defense Evasion	Masquerading	Disguised as WeChat application (C:\WeChat), filename mimics document
T1055	Defense Evasion	Process Injection	Creates suspended process for shellcode injection
T1047	Execution	Windows Management Instrumentation	SELECT * FROM Win32_OperatingSystem WMI query
T1059	Execution	Command and Scripting Interpreter	Remote shell via ValleyRAT C2 protocol
T1082	Discovery	System Information Discovery	WMI, GetVersionExW, GlobalMemoryStatusEx
T1083	Discovery	File and Directory Discovery	FindFirstFile/FindNextFile enumeration
T1057	Discovery	Process Discovery	Enumerates running processes (CAPE: enumerates_running_processes)
T1614	Discovery	System Location Discovery	Locale, keyboard layout, registry language checks (geofencing)
T1134	Privilege Escalation	Access Token Manipulation	AdjustTokenPrivileges, OpenProcessToken
T1140	Defense Evasion	Deobfuscate/Decode Files or Information	AES-NI decryption of ra.log, sys.log
T1222	Defense Evasion	File and Directory Permissions Modification	SetFileAttributesW
T1129	Execution	Shared Modules	PE parsing and DLL loading (xweb_elf.dll side-loading)
T1071	Command and Control	Application Layer Protocol	C2 over HTTP/WinRM port 5985
T1105	Command and Control	Ingress Tool Transfer	sys.log downloaded from 45.151.135.211:8889
T1564.003	Defense Evasion	Hide Artifacts: Hidden Window	ShowWindow(SW_HIDE)
T1497	Defense Evasion	Virtualization/Sandbox Evasion	Memory checks, display device queries, locale-based geofencing, time-expiry

---

Campaign Context

Infrastructure Clustering

All confirmed samples share 156.254.21.227 as their primary C2:

SHA256	Classification	Filename / Lure
43b3eb69...	trojan.shellcode/valleyrat	黑园区及死者身份信息详情.exe
5387e0f7...	trojan.shellcode/cfiw	柬埔寨西港园区...脱衣殴打.exe
6600e79d...	trojan.shellcode/malgent	中国女孩失足园区...视频曝光.exe
5981f5bb...	trojan.dllhijack	dieheart.exe
12fa1a98...	trojan.farfli/trickbot	(no name)
23522f5d...	trojan.farfli/egairtigado	(no name)
2eea84e1...	trojan.farfli/fragtor	6ydbaypio.exe
3464dd56...	trojan.farfli/fragtor	an9rr.exe

Additional samples communicating with 45.151.135.211:

SHA256	Classification	Filename / Lure
6600e79d...	trojan.shellcode/malgent	中国女孩失足园区...视频曝光.exe
8a2886df...	trojan.shellcode/silverfox	失足缅北女猪仔被男友骗到园区后遭到主管暴力殴打强奸.7z
90c4400a...	trojan.fragtor/shellcode	2026警方发布缉拿在柬涉案人员名单.exe
1a4fcc27...	trojan.shellcode/misc	(no name)
4ff5dd9d...	trojan.shellcode	(no name)

Timeline

Date	Event
2024-02-26	WinRAR SFX loader compiled (PE timestamp)
2025-01-13	WeChatAppEx.exe (decoy) compiled
2026-03-12 13:17	ra.log (encrypted payload) last modified
2026-03-12 13:42	xweb_elf.dll compiled
2026-03-13 05:16	WechatLog.exe compiled (fresh build)
2026-03-13 14:46	Sample first submitted to VirusTotal

The WechatLog.exe was rebuilt only ~9 hours before submission, suggesting an active operation with fresh tooling.

---

Attribution

Threat Actor: SilverFox (Chinese-nexus, financially motivated) Malware Family: ValleyRAT v3 Confidence: HIGH

Supporting evidence:

• Vendor attribution: Sangfor Silverfox.Cont, TrendMicro VALLEYRAT.YXGCMZ
• Chinese-language lures targeting mainland Chinese users exclusively
• Geofencing to Chinese locale — operator does not want to infect non-Chinese targets
• Southeast Asian fraud compound lure themes consistent with SilverFox historical campaigns
• Infrastructure hosted on Hong Kong bulletproof providers (Fastmos Co Limited)
• WeChat impersonation tactic is a signature SilverFox delivery mechanism

OPSEC Failures:

1. Default self-signed TLS certificate on C2 (O=Internet Widgits Pty Ltd) — trivially fingerprinted
2. Python SimpleHTTPServer on port 8889 reveals operator's infrastructure management style
3. Consistent reuse of single C2 IP (156.254.21.227) across 8+ samples
4. WechatLog.exe compiled hours before campaign launch — visible in PE timestamp
5. ra.log stored uncompressed in the RAR (reveals true encrypted payload size)
6. Fastmos Co Limited / AROSSCLOUD hosting entity with no abuse contact — registrant is known bulletproof hoster

---

Infrastructure Map

┌─────────────────────────────────────────────────────┐
│              SilverFox Campaign Infrastructure       │
└─────────────────────────────────────────────────────┘

Lure Distribution (Chinese Social Media / Messaging)
        │
        ▼
   [SFX Dropper]
   43b3eb69... + sibling samples
   (8+ variants, all Chinese-lure filenames)
        │
        ├──────────────────────────────────┐
        ▼                                  ▼
  PRIMARY C2                        PAYLOAD HOST
  156.254.21.227:5985               45.151.135.211:8889
  ──────────────────                ──────────────────
  HK / Fastmos Co Ltd               US / Spartan Host
  AS400619                          AS201106
  WinRM (ValleyRAT C2)              Python SimpleHTTP
  Also: 47001/tcp                   Serving: sys.log
                                    (encrypted implant)
  ◄─── 8+ campaign samples ───►
  ◄─── shared C2 (all link here) ►

---

IOCs

File Hashes

Type	Hash	Description
SHA256	43b3eb69729a82c9babd44da03348659ba8c8f55afd6e8cb23ccae78eb09c890	Main dropper
MD5	cccb3fc5f563efa516289b98590ffcd1	Main dropper
SHA1	e20abf6021fa99f41da19b5b1507bd8c0d39ab72	Main dropper
SHA256	c7cf10d353e7c0d9f5f62354b0bfe0b20037e3c0c00831402ab213f8ccae2a2d	ra.log (embedded payload)
MD5	e5da2578bf9f780193b9110e64e8237e	ra.log
SHA256	89808d9cc38579ec8346a621510ceaacd78d947d003d01981c02ad9c39223a0a	sys.log (C2-delivered payload)
MD5	ae61f20584adfce7894c473653e8bd94	sys.log

Campaign Sibling Hashes

SHA256	Lure / Name
5387e0f73f88297997097fc526369a317e62abc1daf3c044eaa55a947cb8a4c9	Cambodia fraud compound lure
6600e79da01251789f8cfd6599d9f22edf1a6c4e3e8fb8a4123757bdcc26de57	Chinese girl abuse lure
5981f5bb23790380033b1eb9f6030ecd81b1280d885525e58b1b49939f98dcc5	dieheart.exe
12fa1a98ce60a647dbf440c685506d6a08eeeb4975809afc6651f996ac0c6ca3	Campaign sibling
23522f5dced89d4f874455de0a6b6a88fbd71e5811f4818630ea9d44924f410c	Campaign sibling
2eea84e111539b285a1600c69c25e1dee94dcbbf990c77faa91dfb2bf0eb31de	6ydbaypio.exe
3464dd56eea41e30b1bc9750f71b251931419435e1d1bd28f6de85ee6ad51e7e	an9rr.exe
8a2886df5539a8eb5ffc3b0d146143e7ef8415a5df4c10908fea8262abc7e500	Myanmar fraud compound lure (.7z)
90c4400a8cd15cce19df2d54b35537beabcdf40b6189db611df1a9c01405cc0a	Cambodia police list lure
1a4fcc27c0c5565c8dc8604fb1487900b8db8d1aa9505d879865995640930daf	Campaign sibling
4ff5dd9db077c725a2fab921f71fb153fed5f8c78b103b3dca0ad43e5b7765ea	Campaign sibling

Network Indicators

Type	Value	Description
IP	156.254.21.227	PRIMARY C2 (HK, AS400619, Fastmos)
IP	45.151.135.211	Payload host (US, AS201106, Spartan Host)
URL	http://45.151.135.211:8889/sys.log	Live encrypted payload download
Port	5985/tcp on 156.254.21.227	ValleyRAT C2 channel (WinRM masquerade)
Port	47001/tcp on 156.254.21.227	Secondary C2 HTTP channel
Port	8889/tcp on 45.151.135.211	Payload hosting (Python SimpleHTTP)

File System Indicators

Path	Description
C:\WeChat\WechatLog.exe	ValleyRAT shellcode loader
C:\WeChat\WeChatAppEx.exe	Legitimate WeChat decoy
C:\WeChat\xweb_elf.dll	Malicious side-loaded DLL
C:\WeChat\ra.log	AES-encrypted shellcode stage 1
C:\WeChat\__tmp_rar_sfx_access_check_*	Temporary SFX access check files

Registry Indicators

Key	Purpose
HKLM\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US	Geofencing locale check
HKLM\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US	Geofencing locale check

Behavioral Indicators

• Process creates C:\WeChat\WechatLog.exe and C:\WeChat\WeChatAppEx.exe
• Child process created in suspended state from non-WeChat parent
• WMI query: SELECT * FROM Win32_OperatingSystem
• TCP connection to 156.254.21.227:5985
• HTTP GET http://45.151.135.211:8889/sys.log
• File dropped with .log extension containing high-entropy (encrypted) data

---

Detection Recommendations

1. Block C2 IPs: 156.254.21.227 and 45.151.135.211 at perimeter firewall
2. Monitor: Outbound connections to port 5985 (WinRM) to non-AD infrastructure
3. Alert: Any process writing high-entropy .log files to C:\WeChat\
4. Alert: WechatLog.exe execution from C:\WeChat\
5. Alert: xweb_elf.dll loaded by any process
6. YARA: Use provided rules to scan endpoint memory and disk
7. Suricata: Deploy provided rules for network detection