valak | 304b63a4364fd1a92dce9fe0fd15a299ff5fd01ab4a2185dab446486ffe22694

Analysis

Target

304b63a4364fd1a92dce9fe0fd15a299ff5fd01ab4a2185dab446486ffe22694.dll
Size

242KB
MD5

69937b0f8c5f19070132f1a63427414a
SHA1

61bb61cce8bc6e7789bbf5021b4326b41fc8d0e5
SHA256

304b63a4364fd1a92dce9fe0fd15a299ff5fd01ab4a2185dab446486ffe22694
SHA512

9a71a0838321d4b9aadb28823a4d255e2d9959f0bab29abdd382982a0e3ec068a31ad73754f62decbc30b89c53755ed438249428a086541899b51b214969d519

Score

10^/10

valak Loader

Valak
Valak is a JavaScript loader, a link in a chain of distribution of other malware families.
Loader valak

Valak JavaScript Loader 2 IoCs

Processes:

resource	yara_rule
C:\Users\Public\anFJjtYxH.eB_c_	valak
C:\Users\Public\anFJjtYxH.eB_c_	valak_js

Blocklisted process makes network request 4 IoCs

Processes:

wscript.exe

flow pid process

5 1036 wscript.exe
8 1036 wscript.exe
11 1036 wscript.exe
13 1036 wscript.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1588 wrote to memory of 1688	1588	rundll32.exe	rundll32.exe
PID 1588 wrote to memory of 1688	1588	rundll32.exe	rundll32.exe
PID 1588 wrote to memory of 1688	1588	rundll32.exe	rundll32.exe
PID 1588 wrote to memory of 1688	1588	rundll32.exe	rundll32.exe
PID 1588 wrote to memory of 1688	1588	rundll32.exe	rundll32.exe
PID 1588 wrote to memory of 1688	1588	rundll32.exe	rundll32.exe
PID 1588 wrote to memory of 1688	1588	rundll32.exe	rundll32.exe
PID 1688 wrote to memory of 1036	1688	rundll32.exe	wscript.exe
PID 1688 wrote to memory of 1036	1688	rundll32.exe	wscript.exe
PID 1688 wrote to memory of 1036	1688	rundll32.exe	wscript.exe
PID 1688 wrote to memory of 1036	1688	rundll32.exe	wscript.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\304b63a4364fd1a92dce9fe0fd15a299ff5fd01ab4a2185dab446486ffe22694.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\304b63a4364fd1a92dce9fe0fd15a299ff5fd01ab4a2185dab446486ffe22694.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\wscript.exe
wscript.exe //E:jscript "C:\Users\Public\anFJjtYxH.eB_c_
3⤵
- Blocklisted process makes network request
PID:1036

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1868

C:\Users\Public\anFJjtYxH.eB_c_

MD5
bf9cfe46e69997b0d8ac4ffb528ab0df

SHA1
399337ad73221675067a85f3251e31042886d536

SHA256
395df3a563bc865221738b938998e6a45094f5c396302e4f151631e78aeb9d2d

SHA512
f432a42d355d5ac058dd68660b9d0a7bd901eaf3b55fd184b3fb2c7b075523eca7e1262bc757fc2600934112fde781823d721a32754f87f6501f487b36b10fa9

Download Submit
memory/1688-54-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download
memory/1688-63-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download