Rewterz Threat Alert – Valak Malware

Severity

Medium

Analysis Summary

The Valak Malware is a sophisticated malware previously classified as a malware loader. Though it was first observed in late 2019, researchers have investigated a series of dramatic changes, an evolution of over 30 different versions in less than six months. This research shows that Valak is more than just a loader for other malware, and can also be used independently as an information stealer to target individuals and enterprises. More recent versions of Valak target Microsoft Exchange servers to steal enterprise mailing information and passwords along with the enterprise certificate. This has the potential to access critical enterprise accounts, causing damage to organizations, brand degradation, and ultimately a loss of consumer trust.

Impact

• Credential theft 
• Information theft
• Exposure of sensitive data 

Indicators of Compromise

MD5

• 85c8e02d944c693dc8395e9b726fe380
• b2558caa32fa209d99afac52d2930ca2
• 8170b1d3bb3364c0c92de81d9345c7c6
• 21e1a393f9ba44049c307b357875afde
• 7b31397bd5a2880823ca5272249eb4fe
• 4706cb0d87c35fa805f28091e529d682
• e7b579ba890af51b66d659e588db776b
• 099d36c2071d381ad775ac6ecf6fb0b9
• cee71ff0a2adf356b6ede758b1591f7b
• af4fd920e097695781424662e7c120a3
• 5498b94db695ad6656dfa02c3a4c4317
• 95d0edc1349faa8ecd1a26980072b46d
• f421d7ca0d6d4c6737af88868173e705
• d78232c9862f86712d41237c20f5ab80
• ff432ec7c351fb14af67d44eb4483c84
• 0c1ceab2d27259405602f7d2c22ecafe
• c0ef686b11f5422620db63927444580d
• 113b4a7fd32dea42f8efc6282110cd73
• 6db614240e162a0c72174b5a48693c93
• 30bd8f82026c68425df6b9d034611720
• cf41b835fb331b3ccd70a2fcb97427e8
• a2145dee7e0be6a56c9a4023f0174711
• e25e1cae62f221294651984e6615f7eb
• 34356355a617f271fbb8301cfbe86367
• 34256f3930f4b9d4a23abda8d46b32f7
• 0dcee360983fa2e073e9f07e06b6d695
• 4ff917822f2156c046a96ac78381e216
• 656668547b65c909c50225f25b726056
• 94a028c3032c634f5100201e02361f3e
• 70cb1f07a676f287792d78cfcfdb2aa3

SHA-256

• f3dc311a18bd3c048677bf5939156efd3180496e518f0160f26cc4d48cc66655
• be7c1fe502940405a9647aaedb888eccae68fb13bbd8f158a920b1555bf8ba1e
• fcd622c65e374f7d7212770a65f4474fa2a683bae869116ef52cc2a2566303d5
• 15bcff3285cb41339b5de38526aa37a06627b05c340cea5c52cdd94e088993a7
• c5d8a8a77399958936cef96f3c8c9d0d6c2ae89437e6d6471dfa36893180d689
• c7bc266367b277f1e9e4510a23a38fbf0bdf7a851b026a340eba3ad8c8e8a1c9
• 9b52277574e9b452d2bd77d3f1d6cc3084ec523057eb19ab26d34bf349e6d6b0
• 6c0e63de41e14f74191fbbea4a001af4b3ad744f6138848be92e2177517ef887
• 602bcef0404f128c0f8ee68d644a37bb4430ba8d70939dcea814dd8cf22a97a7
• c065f5e4493fd5493a012f0e05ba2aa3914745e97c2ed91fbfc3d5106bc4782b
• 6466ca90f8e03192bfb602d5db96804a1d1ea8cdfef1b74d02e1159a63077acc
• bd58160966981dd4b04af8530e3320edbddfc2b83a82b47a76f347d0fb4ca93a
• afc8fd02926a7dee0d71c8735b7f9cb5074ff7c3c4e2fa8c0cb5508b1e8170dd
• 96e29e78b5f8e9bd5a152bad67dc4637babf1bab73c45226b831473e9b75cf57
• 9a11e6ae98e4e26dcc240ec3ff0cc34d99e6d3414bd4caf340fb09649e94e4bd
• 8b721d87f4dec06597cc0ecb09ce47f10ddcf294e8b4b23bdf74246bce327e94
• 09448d9ba61f5c4d8ee1698cdadf398cbf97000a239c43c95972693b1a9311c8
• deb0b28e72150db07cc9c2f5efc8f26a3be022c81c7544317a5717566a4c0302
• 5624e6cb352c82b2c032a1018cea979f01f0cac2e552fe4d7016ced32f1cb581
• 112f8cefb5aedfb0c92e7c947214b8bd4c30be5879d5f3263a7d6eeb07004d09
• 4468edc18de42e61b64441c75aedcb15d553410d473e77fc8ae31b358acd506a
• eb14e6ed547411a4930034be80453841e9b474225ec3a32ddc32c01263781c67
• 5397b18ce5cf38f66bfd782c8d6ef331d90597fe0fe841c60f437acfd171d61f
• 363b7bfb0f4a329b67cff96d1a1d888f99da44cae2d6f7b24e8b45a76b39a5f2
• 1c3d130fd8473aea8b9286732db6ff2d3762ca1a70312bfbc9a4528d86b3b093
• 4f3ffaef0cf5a9a799d7026a547e2c9a777946709112dcbb2a0b588228016439

SHA1

• daaeaba45589187696bbc1aec7df7844e451cdcd
• 9a42f69a4a7d157b975ea8093d0eb397392608f4
• ec705dd7835614d21202c316ae25c2c95088af07
• ec257f1a01f20560a4e869027382058b4a087615
• e43490cb1f8dcac038b8814ff5c4ece8028ecb85
• 5f8c22c7041e5279785f66fdba8d1b0b414d917e
• bf480aa047342f106693ed696dc3162f0776db0e
• 505b96b31b19a1d85276d3a71e1d6398abe3bea5
• e22b404e1fec743f0795cdea8a95337660878860
• e397cdcaf65b54c89d92e0ef49d40f22c8ed5526
• 9441495ead24cdf62536075bb212a5cf88af5d91
• 3f37ceaf50af6a1afa62de9522e2e998ca9f6a66
• a9d57c0a838559156387b7f0b3af6ecabdf07e67
• 4e6953fe1580d4d178d053fc906f441d5c72f2fc
• 3a25af6c4214f70aa71b1253db048333b05f140f
• 865e19a4dd150b0a8b60f4dbb49173fe48d11980
• fcac8890f45140398f9595106477ba105fdeee0b
• b51f8d9870886d6fd331c19d28160196e76b8e4a
• 30fd553dedfadc81522adf37e11dfc4039d4ea31
• bd9c4f7631beb455525bf7dfb3b64c5cfd47f0c2
• 03810cd2c5cd29898f20cf33d8084926b685c879
• 1d19d630e0c311e6a102e3b34cccec6360553497
• b729bdd3a0fecb5ddc4eb0fea5ab32c08a29bee5
• 1d8de1bd76fc66fa8f367e4904aee92cb576deb4

Remediation

• Block all threat indicators at your respective controls.
• Always be suspicious about emails sent by unknown senders.
• Never click on the links/attachments sent by unknown senders
• Search  for IOCs in your existing environment.