Analysis by: Mariefher Grace Villanueva
ALIASES:

Trojan:Win32/Egairtigado!rfn (MICROSOFT)

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 SYSTEM IMPACT RATING:
 INFORMATION EXPOSURE:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any propagation routine.

  TECHNICAL DETAILS

File Size: 509,952 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 17 Apr 2026

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Backdoor adds the following processes:

  • `cmd.exe /c "{command}"` → command execution capability

Other System Modifications

This Backdoor modifies the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\Safer\
CodeIdentifiers
authenticodeenabled = 0

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\Safer\
CodeIdentifiers
DefaultLevel = 0x40000

(Note: The default value data of the said registry entry is 0 → Setting this to 0x40000 sets the execution level to Unrestricted, effectively disabling Software Restriction Policies.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\CI\Config
VulnerableDriverBlocklistEnable = 0

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\CI\Config
VulnerableDriverBlocklistEnable = 0

Propagation

This Backdoor does not have any propagation routine.

Backdoor Routine

This Backdoor connects to the following URL(s) to send and receive commands from a remote malicious user:

  • {BLOCKED}.{BLOCKED}.238.29:22022

Rootkit Capabilities

This Backdoor does not have rootkit capabilities.

Information Theft

This Backdoor gathers the following data:

  • User SID
  • Network adapter details (via WMI)
  • Process ID

Other Details

This Backdoor adds the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\Safer\
CodeIdentifiers

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\Safer\
CodeIdentifiers\262144\Paths

It does the following:

  • It accepts the following parameters:
    • `-start` → Primary initialization mode that creates scheduled task persistence and enters monitoring loop
    • `-bypass` → Continuous bypass mode with persistent monitoring that periodically recreates scheduled tasks for resilience
    • `-bypassonce` → Single-run bypass execution mode used as the default from the loader component
    • `-resurrection` → Self-healing mode that recreates scheduled tasks when process termination is detected
  • Checks for the presence of the following security products and creates Software Restriction Policy path rules to whitelist their installation directories, ensuring the malware's SRP modifications do not interfere with installed security products:
    • Qihoo 360 (360Safe, 360SD, 360Quarant, 360MobileMgr, 360Login, 360huabao, 360Game5, 360DesktopLite)
    • Tencent (QQPCMgr, Yuanbao)
    • Kingsoft
    • Huorong
    • 2345Soft
    • Microsoft Windows Defender (including Windows Defender Platform)
    • Avast Software
    • Bitdefender (including Bitdefender Agent, Common Files\Bitdefender)
    • ESET
    • McAfee
    • Kaspersky Lab
    • Trend Micro
    • Norton
    • Symantec
    • AVG
  • Communicates with the kernel driver device object `\.\EraseCode` for kernel-level operations
  • Creates staging paths `\dump.tmp` and `\dump\diskdumps` for kernel driver data
  • Adjusts its process token to enable the following privileges:
    • SeLoadDriverPrivilege
    • SeDebugPrivilege
    • SeShutdownPrivilege
  • Contains embedded PowerShell shellcode loader that allocates executable memory, decodes shellcode, and executes it via delegate invocation
  • It uses a custom pipe-delimited protocol with the following fields for command and control communication:
    • `|p1:|o1:|t1:|p2:|o2:|t2:|p3:|o3:|t3:|dd:|cl:|fz:|bb:|bz:|jp:|bh:|ll:|dl:|sh:|kl:|bd:`
  • Setting the value of the registry entry "DefaultLevel" of the key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers to 0x40000 (262144) whitelists the following 31 file extensions under the unrestricted execution policy:
    • ADE
    • ADP
    • BAS
    • BAT
    • CHM
    • CMD
    • COM
    • CPL
    • CRT
    • EXE
    • HLP
    • HTA
    • INF
    • INS
    • ISP
    • LNK
    • MDB
    • MDE
    • MSC
    • MSI
    • MSP
    • MST
    • OCX
    • PCD
    • PIF
    • REG
    • SCR
    • SHS
    • URL
    • VB
    • WS

It does not exploit any vulnerability.

It adds the following scheduled tasks:

  • Task Name: StartMonitor_{random 3 digits}
    Task Action: Executes the malware copy with `-start` argument at logon trigger → full initialization of the backdoor
  • Task Name: StartMonitor_RESU_{random 3 digits}
    Task Action: Monitors and resurrects the primary scheduled task
  • Task Name: RunUser
    Task Action: Executes the malware copy with `-bypass` argument for continuous resilience

  SOLUTION

Minimum Scan Engine: 9.800
FIRST VSAPI PATTERN FILE: 20.896.07
FIRST VSAPI PATTERN DATE: 14 Apr 2026
VSAPI OPR PATTERN File: 20.897.00
VSAPI OPR PATTERN Date: 15 Apr 2026

Step 1

Trend Micro Predictive Machine Learning detects and blocks malware at the first sign of its existence, before it executes on your system. When enabled, your Trend Micro product detects this malware under the following machine learning name:

     TROJ.Win32.TRX.XXPE50FFF104

Step 2

Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.

Step 3

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 4

Restart in Safe Mode

[ Learn More ]

Step 5

Deleting Scheduled Tasks while in Safe Mode

  1. Still in safe mode, the following {Task Name}-{Task to be run} listed should be used in the steps identified below:
    • Task Name: StartMonitor_{random 3 digits}
      Task to be run: `{Malware Path}\{Malware Filename} -start`
    • Task Name: StartMonitor_RESU_{random 3 digits}
      Task to be run: `{Malware Path}\{Malware Filename} -bypassonce`
    • Task Name: RunUser
      Task to be run: `{Malware Path}\{Malware Filename} -bypass`
  2. For Windows 7 and Server 2008 (R2) users, click Start>Computer.
    • For Windows 8, 8.1, 10, and Server 2012 users, right-click on the lower left corner of the screen, then click File Explorer.
  3. In the Search Computer/This PC input box, type:
    • %System%\Tasks\{Task Name}
  4. Once located, select the file then press SHIFT+DELETE to delete it.
  5. Open Registry Editor. To do this:
    • For Windows 7 and Server 2008 (R2) users, click the Start button, type regedit in the Search input field, and press Enter.
    • For Windows 8, 8.1, 10, and Server 2012 (R2) users, right-click on the lower left corner of the screen, click Run, type regedit in the text box
  6. In the left panel of the Registry Editor window, double-click the following:
    • HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>CurrentVersion>Schedule>TaskCache>Tree>{Task Name}
  7. Locate the created entry and take note of the registry value's data:
    • ID={Task Data}
  8. After taking note of the data, delete the registry key:
    • HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>CurrentVersion>Schedule>TaskCache>Tree>{Task Name}
  9. In the left panel of the Registry Editor window, double-click the following:
    • HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>CurrentVersion>Schedule>TaskCache>Tasks
  10. Still in the left panel, locate and delete the registry key with the same name as the located Task Data in step #6:
    • ={Task Data}
  11. Close Registry Editor.

Step 6

Delete this registry key

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144

Step 7

Restore this modified registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this only if you know how to or you can seek your system administrator’s help. You may also check out this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    • authenticodeenabled = 1
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Config
    • VulnerableDriverBlocklistEnable = 1
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CI\Config
    • VulnerableDriverBlocklistEnable = 1

Step 8

Restart in normal mode and scan your computer with your Trend Micro product for files detected as Backdoor.Win64.VALLEYRAT.GH. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.