Malware

ValleyRAT (Win64/Valley.E) — Multi-Stage BYOVD RAT with Kernel Driver

PublishedMarch 13, 2026

RATc2exploitapt

Executive Summary

This sample is a ValleyRAT variant E (Win64/Valley.E) delivered as a 32-bit DLL loader masquerading as the SQLite3 library (SQL3.DLL). It implements a three-stage execution chain terminating in a sophisticated 64-bit RAT that:

Disables Windows Defender's Vulnerable Driver Blocklist (VulnerableDriverBlocklistEnable = 0) across both SYSTEM\ControlSet001 and SYSTEM\CurrentControlSet registry hives.
Drops and loads a kernel-mode driver (DiskDump Driver) via NtLoadDriver, granting kernel-level persistence and EDR evasion capabilities.
Establishes C2 to 103.210.238.29 (Hong Kong, HK Kwaifong Group Limited), with the C2 address double-base64 encoded in the binary to evade signature detection.
Performs geo-filtering via ip-api.com/json/ checking countryCode before activating.
Achieves UAC bypass via computerdefaults.exe and achieves persistence via Windows Task Scheduler.

ValleyRAT (also tracked as "Silver Fox" activity) is associated with Chinese-speaking threat actors targeting financial, manufacturing, and technology sectors. Compile timestamps and Chinese-language debug strings confirm the operator speaks Simplified Chinese. The fake company name "Golden Club Corpration." (deliberate typo) is a known ValleyRAT campaign branding.

Detection: 30/76 engines on VirusTotal. ESET labels it Win64/Valley.E, Rising Trojan.Valley!8.1D169, Kaspersky UDS:Backdoor.Win32.Xkcp.

Sample Metadata

Field	Value
SHA256	`1144433760a0683413a85da271bc37ff9f296ac287e722825f27577b529b9d27`
MD5	`8e8319ef77aa12f2335b339abf0ddadb`
SHA1	`7e0e21949852a56e1179302ecef5898086aef80a`
File Type	PE32 DLL (32-bit, Intel 80386)
File Size	1,015,296 bytes
First Seen	2026-03-13 15:25:17 UTC
Compile Timestamp	2026-03-13 00:01:27 UTC (same day as submission)
VT Detections	30/76
Suggested Label	`trojan.convagent/hack`
Tags	`dll`, `RAT`, `ValleyRAT`, `executes-dropped-file`, `detect-debug-environment`
Reporter	abuse_ch

Static Analysis

Stage 1 — DLL Loader (`SQL3.DLL`)

Architecture: 32-bit PE DLL, 6 sections.

Masquerading: Version resource declares SQL3.DLL / SQL3 product with Copyright (C) 2026, and the DLL exports 200+ fake sqlite3 API symbols — all pointing to the same function address (0x3de0). This causes any host application that calls sqlite3 functions to actually execute the RAT's entry point. Additional fake exports include CreatePlugin, GetHandleVerifier, GetPluginEffects, HostMainLoop, RunDLL, and yangeshi (Chinese: "style" — an accidental threat actor artifact).

Section Entropy:

Section	VA	Raw Size	Entropy
`.text`	0x1000	0x23800	6.58
`.rdata`	0x25000	0xEE00	5.30
`.data`	0x34000	0x1200	3.51
`.fptable`	0x36000	0x200	0.00
`.rsrc`	0x37000	0xC1E00	7.82
`.reloc`	0xF9000	0x2200	6.43

The .rsrc section (793,864 bytes, entropy 7.82) contains the entire encrypted payload chain.

Key Imports (Stage 1):

KERNEL32.dll: LoadResource, LockResource, CreateProcessW, GetTempPathW
ADVAPI32.dll: RegCreateKeyExW, RegSetValueExW
WS2_32.dll: WSAStartup, socket, connect, send, recv
ntdll.dll: NtQueryInformationProcess (anti-debug)
ole32.dll: CoCreateGuid, StringFromCLSID (bot UUID generation)
USER32.dll: ShowWindow

Embedded Payload: Resource type RDATA, ID 101, Language 1028 (Traditional Chinese locale), size 792,576 bytes, starts with MZ magic — this is Stage 2.

Fake Version Resource (resource 2, language 0):

CompanyName: Golden Club Corpration. (deliberate typo)
FileDescription: Installer
FileVersion: 12.8.17.13
InternalName: Setup.exe
OriginalFilename: Setup.exe
ProductName: Installer
Copyright: Copyright (C) 2025

Stage 2 — UPX-Packed Dropper (extracted from .rsrc)

Hashes:

SHA256: c9a152ce795cad9b667a64b66abe473ff89310486c00a0b83f420ddb3db2548a
MD5: 8fdfc384f8c423b2452adb819c989b97

Architecture: 64-bit PE (x86_64), compiled 2026-03-13 00:00:51 UTC. Packing: UPX 4.2.2 — UPX0/UPX1 sections. Unpacked to 1,032,704 bytes (from 792,576 compressed).

Post-Unpack Sections:

Section	VA	Entropy
`.text`	0x1000	6.45
`.rdata`	0x26000	5.12
`.data`	0x3E000	3.26
`.rsrc`	0x45000	7.61

The .rsrc section (625KB, entropy 7.61) contains Stage 3 and two AES-encrypted blobs.

Defender Binary Masquerade (double-base64 encoded):

The following strings are stored as double base64 (outer → inner → plaintext):

VFhCRVpXWmxibVJsY2tOdmNtVlRaWEoyYVdObExtVjRaUT09
  → TXBEZWZlbmRlckNvcmVTZXJ2aWNlLmV4ZQ==
  → MpDefenderCoreService.exe

VFhCRGJXUlNkVzR1WlhobA==
  → TXBDbWRSdW4uZXhl
  → MpCmdRun.exe

Stage 2 masquerades execution as legitimate Microsoft Defender binaries using this double-encoding, likely for DLL side-loading into Defender process space.

C2 IP (double-base64 encoded):

TVRBekxqSXhNQzR5TXpndU1qaz0=
  → MTAzLjIxMC4yMzguMjk=
  → 103.210.238.29

Key Stage 2 Capabilities:

IP geolocation via ip-api.com/json/ → extracts countryCode (geo-filtering)
Flushes DNS cache via DnsFlushResolverCache / 8.8.8.8
Routing table manipulation: GetIpForwardTable, CreateIpForwardEntry, DeleteIpForwardEntry, FlushIpNetTable — redirects victim traffic
UAC bypass: computerdefaults.exe (high-integrity COM elevation), winver.exe technique
Integrity level detection: checks Medium, High Integrity, System Integrity
Installation path: \Golden\ (matches "Golden Club Corpration." branding)
Registry: Software\Classes\CLSID\ + \Shell\Manage\command (shell handler hijacking)
Process creation: explorer.exe shell::: (spawns Explorer to break process chain)
Bot ID generation: CoCreateGuid → StringFromCLSID
RPC async communication: NdrAsyncClientCall, RpcAsyncInitializeHandle

Stage 2 Embedded Resources:

Resource	ID	Size	Notes
Encrypted blob A	2201	131,072 bytes	Entropy 8.00 — AES-encrypted
Encrypted blob B	2203	131,072 bytes	Entropy 8.00 — AES-encrypted
Stage 3 PE	2159	342,528 bytes	MZ header — another UPX binary

Stage 3 — ValleyRAT Core RAT (`conhost.exe` masquerade)

Hashes:

SHA256: 4a27b00d07c618eb0f58137ef3f01adc3d6963da2aae6cd23fe5e8b6aafe8e8e
MD5: 5e1b156ac3db0b0b056193ebf62d08d3

Architecture: 64-bit PE, compiled 2026-03-12 23:59:47 UTC. Packing: UPX 4.2.2 — unpacked from 342,528 to 1,018,880 bytes. Masquerade: Version info:

CompanyName: ReCommer
FileDescription: conhost.exe
InternalName: conhost.exe
OriginalFilename: conhost.exe
ProductName: ConHost
FileVersion: 23.2026.3.5
LegalCopyright: ReCommer Copyright © 2026

The RAT impersonates the Windows Console Host (conhost.exe), a trusted system binary.

Core Capabilities:

1. Vulnerable Driver Blocklist Bypass

Chinese debug string (GBK-encoded): 两个 Config 路径不存在，已创建并设置 VulnerableDriverBlocklistEnable 为 0。 Translation: "Both Config paths do not exist, have been created and set VulnerableDriverBlocklistEnable to 0."

Registry keys modified:

HKLM\SYSTEM\ControlSet001 → VulnerableDriverBlocklistEnable = 0
HKLM\SYSTEM\CurrentControlSet → VulnerableDriverBlocklistEnable = 0

This disables Windows Defender's driver blocklist, allowing installation of revoked or vulnerable kernel-mode drivers. The malware explicitly handles: "The driver's certificate has been revoked."

2. BYOVD Kernel Driver Installation

Driver name: DiskDump Driver
Debug strings: DiskDump Driver Installing..., LOAD DRIVER 权限已成功启用。 ("LOAD DRIVER privilege has been successfully enabled.")
Registry service path: \Registry\Machine\System\CurrentControlSet\services\
Driver attributes set: ImagePath, Type
Load sequence: RtlInitUnicodeString → RtlAdjustPrivilege (SeLoadDriverPrivilege) → NtLoadDriver
Error handling: [-] Driver Not Dropped, [-] Driver Not Loaded, Driver Load error..

3. Task Scheduler Persistence

Full task lifecycle implemented:

Create task → Register task → Set trigger → Run task → Check task state → Delete task
WMI query: SELECT * FROM Win32_ScheduledJob WHERE Name = '...'
Functions: Task Service connection, task definition manipulation, principal manipulation
Additional WMI: SELECT ExecutablePath FROM Win32_Process WHERE ProcessId = ...

4. UAC Bypass

~Start.exe + RunExternalUAC, RunUAC — drops a helper binary for elevation
Uses computerdefaults.exe technique (Sigma high rule: UAC Bypass Tools Using ComputerDefaults)
GUID-based COM object: 201ef99a-7fa0-444c-9399-19ba84f12a1a
Window station: WinSta0\Default
Named pipe RPC: ncalrpc protocol

5. Network Communication

C2 IP: 103.210.238.29 (double-base64 encoded in .rdata)
Protocol: Raw TCP sockets (WS2_32.dll: socket, connect, send, recv, recvfrom)
HTTP: Host: header, HTTP/1.1 (also makes HTTP requests for geolocation)
Fallback error handling: Could not connect. Error code = , Could not connect. Error:

6. Anti-Analysis

IsDebuggerPresent check
NtQueryInformationProcess (ProcessDebugPort)
Privilege check: [-] No SeDebugPriv. — attempts SeDebugPrivilege
Anti-debug string: obfuscated code around You Got [...] Stopped (evasion marker)

7. Service Control Manager Operations

OpenServiceW, CloseServiceHandle, DeleteService — service lifecycle management
SetSecurityDescriptorDacl — DACL manipulation for privilege escalation

Infection Chain / Kill Chain

[Stage 1: SQL3.DLL - 32-bit loader DLL]
    |
    | 1. All 200+ exports → 0x3DE0 (single entry point)
    | 2. LoadResource("RDATA", 101) → 792KB encrypted blob
    | 3. Decrypt → Stage 2 PE (MZ)
    |
    ↓
[Stage 2: UPX-packed 64-bit dropper]
    |
    | 1. Unpacks via UPX stub
    | 2. ip-api.com/json/ → countryCode check (geo-filtering)
    | 3. DnsFlushResolverCache (8.8.8.8)
    | 4. Routing table manipulation (IPHLPAPI)
    | 5. UAC bypass (computerdefaults.exe / winver.exe)
    | 6. Drops ~Start.exe for elevation
    | 7. Explorer.exe spawn (process chain break)
    | 8. Decodes C2: TVRBek... → MTAzL... → 103.210.238.29
    | 9. Drops Stage 3 from resource 2159
    |    Encrypted resources 2201+2203 → AES-encrypted payloads
    |
    ↓
[Stage 3: UPX-packed 64-bit RAT (conhost.exe masquerade)]
    |
    | 1. Unpacks via UPX stub
    | 2. Disables VulnerableDriverBlocklistEnable in registry
    | 3. Extracts + drops DiskDump kernel driver
    | 4. RtlAdjustPrivilege(SeLoadDriverPrivilege)
    | 5. NtLoadDriver(\Registry\Machine\SYSTEM\CurrentControlSet\services\DiskDump)
    | 6. Task Scheduler persistence (trigger-based)
    | 7. GUID generation (UuidCreate) for bot ID
    | 8. Connect to 103.210.238.29 for C2
    |
    ↓
[KERNEL MODE: DiskDump driver]
    | - Rootkit-level access
    | - EDR/AV evasion at kernel level
    ↓
[COMPROMISED HOST]

Behavioral Analysis (Inferred)

Behavior	Evidence
Geo-filtering	ip-api.com countryCode check (likely skips China, possibly CN/TW)
DLL Side-loading	SQL3.DLL loaded by legitimate app expecting sqlite3.dll
Process hollowing/injection	Explorer.exe spawn + process chain break
Credential harvesting	Likely via kernel driver (BYOVD)
Persistence	Task Scheduler + Registry `\Shell\Manage\command`
Defense evasion	VulnerableDriverBlocklistEnable=0, kernel driver, anti-debug
C2 beacon	Raw TCP to 103.210.238.29, HTTP/1.1 with Host header
Discovery	Process enumeration (CreateToolhelp32Snapshot), WMI queries
Privilege escalation	UAC bypass (computerdefaults.exe), driver privilege escalation

Network Indicators

C2 Infrastructure

Indicator	Type	Details
`103.210.238.29`	C2 IPv4	Primary C2 server

Hosting details for 103.210.238.29:

Network: HKKFGL-HK — HK Kwaifong Group Limited
Country: Hong Kong (HK)
Network Range: 103.210.236.0 – 103.210.239.255
Abuse contact: abuse@kfglobal.hk
APNIC Org: ORG-HKIS1-AP
Shodan/InternetDB: No results (C2 spun up recently, same day as sample)

Encoding: C2 IP stored as double-base64 in both Stage 2 and Stage 3:

Layer 1: TVRBekxqSXhNQzR5TXpndU1qaz0=
Layer 2: MTAzLjIxMC4yMzguMjk=
Plaintext: 103.210.238.29

Port: Not recovered from static analysis (not base64-encoded; possibly in AES-encrypted config blobs 2201/2203). Active port scan (2026-03-13): host responds to TCP but ports 80, 443, 6666, 7777, 8888, 8080, 9999, 12345 all filtered/closed. C2 likely uses non-standard high port or strict allowlist firewall. Common ValleyRAT C2 ports observed in other campaigns: 6666, 7777, 8888.

Geolocation Check

Indicator	Type	Notes
`ip-api.com`	FQDN	IP geolocation service
`http://ip-api.com/json/`	URL	Victim country discovery
`208.95.112.1`	IPv4	ip-api.com resolved IP (in sandbox)

MITRE ATT&CK TTPs

Technique	ID	Description
DLL Side-Loading	T1574.002	SQL3.DLL loaded by app expecting sqlite3.dll
Masquerading	T1036.005	Masquerades as SQL3.DLL, MpCmdRun.exe, MpDefenderCoreService.exe, conhost.exe
Obfuscated Files	T1027.013	Double base64 encoding of C2 IP and binary names
Resource Forking	T1564.009	Payload embedded in PE resource section (.rsrc)
Virtualization/Sandbox Evasion	T1497.001	IsDebuggerPresent, NtQueryInformationProcess
System Location Discovery	T1614.001	ip-api.com countryCode check
UAC Bypass: COM Object Elevation	T1548.002	computerdefaults.exe UAC bypass
Exploit Kernel Driver	T1543.003	Windows Service (DiskDump driver) via NtLoadDriver
BYOVD	T1014	Disable driver blocklist + load kernel rootkit
Impair Defenses	T1562.010	VulnerableDriverBlocklistEnable = 0
Scheduled Task Persistence	T1053.005	Task Scheduler full lifecycle
Registry Run Keys	T1547.001	Shell\Manage\command + CLSID registration
System Binary Proxy Execution	T1218.011	rundll32, regsvr32 execution chain
Process Injection	T1055	Explorer process tree break
Native API	T1106	NtLoadDriver, NtQueryInformationProcess, NtDuplicateObject
Process Discovery	T1057	CreateToolhelp32Snapshot, WMI Win32_Process
System Service Discovery	T1007	OpenServiceW, service enumeration
Network Configuration Discovery	T1016	GetAdaptersInfo, GetIpForwardTable
Exfiltration Over C2	T1041	Raw TCP + HTTP to C2 IP
Bot Unique ID	T1033	CoCreateGuid/UuidCreate for bot fingerprint

IOCs

File Hashes

Hash Type	Stage 1 DLL	Stage 2 Dropper	Stage 3 RAT
SHA256	`1144433760a0683413a85da271bc37ff9f296ac287e722825f27577b529b9d27`	`c9a152ce795cad9b667a64b66abe473ff89310486c00a0b83f420ddb3db2548a`	`4a27b00d07c618eb0f58137ef3f01adc3d6963da2aae6cd23fe5e8b6aafe8e8e`
MD5	`8e8319ef77aa12f2335b339abf0ddadb`	`8fdfc384f8c423b2452adb819c989b97`	`5e1b156ac3db0b0b056193ebf62d08d3`

Network IOCs

Indicator	Type	Context
`103.210.238.29`	IPv4	C2 server (HK Kwaifong Group Ltd, Hong Kong)
`ip-api.com`	FQDN	Geo-filtering check
`http://ip-api.com/json/`	URL	Victim IP/country lookup

Registry IOCs

Key	Value	Notes
`HKLM\SYSTEM\ControlSet001`	`VulnerableDriverBlocklistEnable = 0`	Disables WDAC driver blocklist
`HKLM\SYSTEM\CurrentControlSet`	`VulnerableDriverBlocklistEnable = 0`	Disables WDAC driver blocklist
`HKLM\SYSTEM\CurrentControlSet\services\DiskDump`	`ImagePath = <driver path>`	Kernel driver service
`HKLM\Software\Classes\CLSID\{...}`	—	COM object registration
`HKLM\Software\Classes\CLSID\{...}\Shell\Manage\command`	—	Shell command hijacking

File System IOCs

Path	Notes
`<TempPath>\SQL3.DLL`	Stage 1 loader DLL
`\Golden\`	Installation directory (linked to "Golden Club" campaign)
`~Start.exe`	UAC elevation helper
`conhost.exe` (malicious copy)	Stage 3 RAT masquerade
`Setup.exe` (malicious)	Dropper masquerade name

Process / Behavioral IOCs

Indicator	Notes
`explorer.exe` spawned by `rundll32.exe`	RunDLL32 spawning Explorer (Sigma HIGH)
`computerdefaults.exe` spawned	UAC bypass via ComputerDefaults (Sigma HIGH)
`powershell.exe` non-interactive	PowerShell spawning (Sigma MEDIUM)
`svchost.exe` unusual parameters	Uncommon Svchost (Sigma HIGH)
GUID `201ef99a-7fa0-444c-9399-19ba84f12a1a`	COM object used for UAC bypass

Mutex / Unique Identifiers

Value	Notes
`BtCpH9`	Possible mutex or key string found in encrypted region
`ru=IPH9=`	Possible encoded identifier
`yangeshi` (DLL export)	Chinese word "style" — threat actor artifact

Campaign Context

Operator name: Golden Club (based on fake company name "Golden Club Corpration." — note deliberate typo)
Campaign: ValleyRAT variant E — ongoing campaign with fresh compile timestamps (same-day compilation)
Hosting: C2 at HK Kwaifong Group Limited (Hong Kong) — a commonly abused Hong Kong VPS provider for Chinese-nexus actors

Compilation Artifacts

Stage 1 DLL compiled: 2026-03-13 00:01:27 UTC
Stage 2 dropper compiled: 2026-03-13 00:00:51 UTC
Stage 3 RAT compiled: 2026-03-12 23:59:47 UTC
All three stages compiled within ~2 minutes of each other, 15 hours before first submission — fresh build

Chinese Language Artifacts

All GBK-encoded debug strings are in Simplified Chinese, indicating a Chinese-speaking developer:

两个 Config 路径不存在，已创建并设置 VulnerableDriverBlocklistEnable 为 0。 — "Both Config paths do not exist; have been created and VulnerableDriverBlocklistEnable set to 0."
LOAD DRIVER 权限已成功启用。 — "LOAD DRIVER privilege has been successfully enabled."
分配磁盘 : — "Allocate disk :"

Attribution

Attribute	Assessment	Confidence
Malware Family	ValleyRAT (variant E)	HIGH — ESET, Rising, CTX confirmed
Language	Simplified Chinese	HIGH — GBK-encoded debug strings
Threat Actor	Silver Fox / "Golden Club" operator	MEDIUM — branding, infrastructure
Nexus	China (PRC)	MEDIUM — Chinese strings, HK C2 hosting
Target	Likely financial/tech (typical ValleyRAT targeting)	MEDIUM
Delivery	DLL side-loading via fake sqlite3	HIGH — confirmed by export table

OPSEC mistakes:

Deliberate typo "Corpration" (instead of "Corporation") — reused brand identifier
yangeshi export left in DLL — Chinese word leaking operator language
GBK-encoded debug strings not stripped — developer operating environment leaked
Compile times within 2 minutes of each other — same build system, same session

Infrastructure Map

[103.210.238.29] — C2 Server
    |
    ├── Network: 103.210.236.0/22 (HKKFGL-HK)
    ├── Provider: HK Kwaifong Group Limited
    ├── Country: Hong Kong
    ├── Abuse: abuse@kfglobal.hk
    └── Status: Fresh (no prior Shodan/InternetDB data — spun up same day)

[ip-api.com] — Geo-filtering
    |
    ├── IP: 208.95.112.1
    └── Protocol: HTTP/1.1 GET /json/