valak | 2c75e5005993fff65b5b8310c3c50c2e0ac219ba7014f5c480736636e7c5dcd5

Analysis

Target

2c75e5005993fff65b5b8310c3c50c2e0ac219ba7014f5c480736636e7c5dcd5.dll
Size

304KB
MD5

fc3ee202834c5bfd785b2b93c1608a08
SHA1

ac7fdde56e486989d88290d6fc71f61c86958079
SHA256

2c75e5005993fff65b5b8310c3c50c2e0ac219ba7014f5c480736636e7c5dcd5
SHA512

fada49bc8ecc55c864ec4efdcd7e46240e583b5ece71f28a94badf8d528cf6aed8bcd200885c4ab7375835403505c9131447fd49bb9f49800668f1dd5cd56b2d

Score

10^/10

valak Loader

Valak
Valak is a JavaScript loader, a link in a chain of distribution of other malware families.
Loader valak

Valak JavaScript Loader 2 IoCs

Processes:

resource	yara_rule
C:\Users\Public\iVIwVADQD.eLxan	valak
C:\Users\Public\iVIwVADQD.eLxan	valak_js

Blocklisted process makes network request 2 IoCs

Processes:

wscript.exe

flow pid process

5 1252 wscript.exe
8 1252 wscript.exe

flow	pid	process
5	1252	wscript.exe
8	1252	wscript.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 604 wrote to memory of 820	604	rundll32.exe	rundll32.exe
PID 604 wrote to memory of 820	604	rundll32.exe	rundll32.exe
PID 604 wrote to memory of 820	604	rundll32.exe	rundll32.exe
PID 604 wrote to memory of 820	604	rundll32.exe	rundll32.exe
PID 604 wrote to memory of 820	604	rundll32.exe	rundll32.exe
PID 604 wrote to memory of 820	604	rundll32.exe	rundll32.exe
PID 604 wrote to memory of 820	604	rundll32.exe	rundll32.exe
PID 820 wrote to memory of 1252	820	rundll32.exe	wscript.exe
PID 820 wrote to memory of 1252	820	rundll32.exe	wscript.exe
PID 820 wrote to memory of 1252	820	rundll32.exe	wscript.exe
PID 820 wrote to memory of 1252	820	rundll32.exe	wscript.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2c75e5005993fff65b5b8310c3c50c2e0ac219ba7014f5c480736636e7c5dcd5.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:604

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2c75e5005993fff65b5b8310c3c50c2e0ac219ba7014f5c480736636e7c5dcd5.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:820

C:\Windows\SysWOW64\wscript.exe
wscript.exe //E:jscript "C:\Users\Public\iVIwVADQD.eLxan
3⤵
- Blocklisted process makes network request
PID:1252

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1204

C:\Users\Public\iVIwVADQD.eLxan

MD5
bc9ac467126926bfd2782428da6f1a09

SHA1
f9d6fbc917446025fb63cc622a117a11544ce34b

SHA256
0eab2d2538e95419e764bd23408ad7e0cb830b3df3e3e1a77c71af75e6184dd9

SHA512
f82193aa1551794f5fbaeb2f958cf00a2b43ea2f135be338425e677ad99b523bb6f3787348e3e714f23f9c037ad21a4925db9c40b432a5c4da460f46fed8a62c

Download Submit
memory/820-54-0x0000000075191000-0x0000000075193000-memory.dmp

Filesize
8KB

Download
memory/820-56-0x0000000010000000-0x0000000010151000-memory.dmp

Filesize
1.3MB

Download
memory/820-55-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/820-58-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download