valak | 4216955b348944c3b5801607dd14f27433273f2f2e20b133a61c62b353f692a1

Analysis

Target

4216955b348944c3b5801607dd14f27433273f2f2e20b133a61c62b353f692a1.dll
Size

191KB
MD5

3c333422b46165447cc4ba0b720bbd44
SHA1

557cdb8345666fe7095a91f26c4f0c8dc99e637f
SHA256

4216955b348944c3b5801607dd14f27433273f2f2e20b133a61c62b353f692a1
SHA512

401191df089503c2ca15708ff7cee83f132296dce585330572833390f29e79a567fd5501510f68ff894a549d2f741d4b24035391999632a08a537d0563ef69e9

Score

10^/10

valak Loader

Valak
Valak is a JavaScript loader, a link in a chain of distribution of other malware families.
Loader valak

Valak JavaScript Loader 1 IoCs

Processes:

resource	yara_rule
C:\Users\Public\mZAMEJmgn.sJBjU	valak_js

Blocklisted process makes network request 2 IoCs

Processes:

wscript.exe

flow pid process

35 4896 wscript.exe
50 4896 wscript.exe

flow	pid	process
35	4896	wscript.exe
50	4896	wscript.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 1412 wrote to memory of 2740	1412	regsvr32.exe	regsvr32.exe
PID 1412 wrote to memory of 2740	1412	regsvr32.exe	regsvr32.exe
PID 1412 wrote to memory of 2740	1412	regsvr32.exe	regsvr32.exe
PID 2740 wrote to memory of 4896	2740	regsvr32.exe	wscript.exe
PID 2740 wrote to memory of 4896	2740	regsvr32.exe	wscript.exe
PID 2740 wrote to memory of 4896	2740	regsvr32.exe	wscript.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4216955b348944c3b5801607dd14f27433273f2f2e20b133a61c62b353f692a1.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1412

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\4216955b348944c3b5801607dd14f27433273f2f2e20b133a61c62b353f692a1.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\SysWOW64\wscript.exe
wscript.exe //E:jscript "C:\Users\Public\mZAMEJmgn.sJBjU
3⤵
- Blocklisted process makes network request
PID:4896

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4268

C:\Users\Public\mZAMEJmgn.sJBjU

Filesize
98KB

MD5
6d49c20a8624eadb095a88642bd4b415

SHA1
60656c1474221b72f914ca5575c96f1144d11894

SHA256
58d3c3d8eac234361e5bc866d0c144b04f134381eb409d594ba98fd6f588dcac

SHA512
47b9b9695a5c8b95df12f2ed0c5d8895835a4b0807e82f0c3495e9166febfce19b3cb375ffa750cafce5b087509dc9e43b4a3278b080211f45f76041b8f2a654

Download Submit
memory/2740-130-0x0000000000000000-mapping.dmp

Download
memory/4896-131-0x0000000000000000-mapping.dmp

Download