Malware Analysis – Malicious Macros

June 26, 2020

Rewterz Threat Alert – APT C-35 Targeting Pakistani Organizations

June 26, 2020

Rewterz Threat Alert – Valak Malware

June 26, 2020

Severity

Medium

Analysis Summary

The Valak Malware is a sophisticated malware previously classified as a malware loader. Though it was first observed in late 2019, researchers have investigated a series of dramatic changes, an evolution of over 30 different versions in less than six months. This research shows that Valak is more than just a loader for other malware, and can also be used independently as an information stealer to target individuals and enterprises. More recent versions of Valak target Microsoft Exchange servers to steal enterprise mailing information and passwords along with the enterprise certificate. This has the potential to access critical enterprise accounts, causing damage to organizations, brand degradation, and ultimately a loss of consumer trust.

Impact

Credential theft
Information theft
Exposure of sensitive data

Indicators of Compromise

MD5

85c8e02d944c693dc8395e9b726fe380
b2558caa32fa209d99afac52d2930ca2
8170b1d3bb3364c0c92de81d9345c7c6
21e1a393f9ba44049c307b357875afde
7b31397bd5a2880823ca5272249eb4fe
4706cb0d87c35fa805f28091e529d682
e7b579ba890af51b66d659e588db776b
099d36c2071d381ad775ac6ecf6fb0b9
cee71ff0a2adf356b6ede758b1591f7b
af4fd920e097695781424662e7c120a3
5498b94db695ad6656dfa02c3a4c4317
95d0edc1349faa8ecd1a26980072b46d
f421d7ca0d6d4c6737af88868173e705
d78232c9862f86712d41237c20f5ab80
ff432ec7c351fb14af67d44eb4483c84
0c1ceab2d27259405602f7d2c22ecafe
c0ef686b11f5422620db63927444580d
113b4a7fd32dea42f8efc6282110cd73
6db614240e162a0c72174b5a48693c93
30bd8f82026c68425df6b9d034611720
cf41b835fb331b3ccd70a2fcb97427e8
a2145dee7e0be6a56c9a4023f0174711
e25e1cae62f221294651984e6615f7eb
34356355a617f271fbb8301cfbe86367
34256f3930f4b9d4a23abda8d46b32f7
0dcee360983fa2e073e9f07e06b6d695
4ff917822f2156c046a96ac78381e216
656668547b65c909c50225f25b726056
94a028c3032c634f5100201e02361f3e
70cb1f07a676f287792d78cfcfdb2aa3

SHA-256

f3dc311a18bd3c048677bf5939156efd3180496e518f0160f26cc4d48cc66655
be7c1fe502940405a9647aaedb888eccae68fb13bbd8f158a920b1555bf8ba1e
fcd622c65e374f7d7212770a65f4474fa2a683bae869116ef52cc2a2566303d5
15bcff3285cb41339b5de38526aa37a06627b05c340cea5c52cdd94e088993a7
c5d8a8a77399958936cef96f3c8c9d0d6c2ae89437e6d6471dfa36893180d689
c7bc266367b277f1e9e4510a23a38fbf0bdf7a851b026a340eba3ad8c8e8a1c9
9b52277574e9b452d2bd77d3f1d6cc3084ec523057eb19ab26d34bf349e6d6b0
6c0e63de41e14f74191fbbea4a001af4b3ad744f6138848be92e2177517ef887
602bcef0404f128c0f8ee68d644a37bb4430ba8d70939dcea814dd8cf22a97a7
c065f5e4493fd5493a012f0e05ba2aa3914745e97c2ed91fbfc3d5106bc4782b
6466ca90f8e03192bfb602d5db96804a1d1ea8cdfef1b74d02e1159a63077acc
bd58160966981dd4b04af8530e3320edbddfc2b83a82b47a76f347d0fb4ca93a
afc8fd02926a7dee0d71c8735b7f9cb5074ff7c3c4e2fa8c0cb5508b1e8170dd
96e29e78b5f8e9bd5a152bad67dc4637babf1bab73c45226b831473e9b75cf57
9a11e6ae98e4e26dcc240ec3ff0cc34d99e6d3414bd4caf340fb09649e94e4bd
8b721d87f4dec06597cc0ecb09ce47f10ddcf294e8b4b23bdf74246bce327e94
09448d9ba61f5c4d8ee1698cdadf398cbf97000a239c43c95972693b1a9311c8
deb0b28e72150db07cc9c2f5efc8f26a3be022c81c7544317a5717566a4c0302
5624e6cb352c82b2c032a1018cea979f01f0cac2e552fe4d7016ced32f1cb581
112f8cefb5aedfb0c92e7c947214b8bd4c30be5879d5f3263a7d6eeb07004d09
4468edc18de42e61b64441c75aedcb15d553410d473e77fc8ae31b358acd506a
eb14e6ed547411a4930034be80453841e9b474225ec3a32ddc32c01263781c67
5397b18ce5cf38f66bfd782c8d6ef331d90597fe0fe841c60f437acfd171d61f
363b7bfb0f4a329b67cff96d1a1d888f99da44cae2d6f7b24e8b45a76b39a5f2
1c3d130fd8473aea8b9286732db6ff2d3762ca1a70312bfbc9a4528d86b3b093
4f3ffaef0cf5a9a799d7026a547e2c9a777946709112dcbb2a0b588228016439

SHA1

daaeaba45589187696bbc1aec7df7844e451cdcd
9a42f69a4a7d157b975ea8093d0eb397392608f4
ec705dd7835614d21202c316ae25c2c95088af07
ec257f1a01f20560a4e869027382058b4a087615
e43490cb1f8dcac038b8814ff5c4ece8028ecb85
5f8c22c7041e5279785f66fdba8d1b0b414d917e
bf480aa047342f106693ed696dc3162f0776db0e
505b96b31b19a1d85276d3a71e1d6398abe3bea5
e22b404e1fec743f0795cdea8a95337660878860
e397cdcaf65b54c89d92e0ef49d40f22c8ed5526
9441495ead24cdf62536075bb212a5cf88af5d91
3f37ceaf50af6a1afa62de9522e2e998ca9f6a66
a9d57c0a838559156387b7f0b3af6ecabdf07e67
4e6953fe1580d4d178d053fc906f441d5c72f2fc
3a25af6c4214f70aa71b1253db048333b05f140f
865e19a4dd150b0a8b60f4dbb49173fe48d11980
fcac8890f45140398f9595106477ba105fdeee0b
b51f8d9870886d6fd331c19d28160196e76b8e4a
30fd553dedfadc81522adf37e11dfc4039d4ea31
bd9c4f7631beb455525bf7dfb3b64c5cfd47f0c2
03810cd2c5cd29898f20cf33d8084926b685c879
1d19d630e0c311e6a102e3b34cccec6360553497
b729bdd3a0fecb5ddc4eb0fea5ab32c08a29bee5
1d8de1bd76fc66fa8f367e4904aee92cb576deb4

Remediation

Block all threat indicators at your respective controls.
Always be suspicious about emails sent by unknown senders.
Never click on the links/attachments sent by unknown senders
Search for IOCs in your existing environment.

Rewterz Annual Threat Intelligence Report 2024 - Download Now

Rewterz Annual Threat Intelligence Report 2024 - Download Now

Platform

Managed Security Services

Managed Penetration Testing

Assess

Transform

Train

Respond

Resources

Python RAT Uses Discord Interface to Execute Remote Attacks

Critical Alert: Jordanian Banks Under Siege by Everest Ransomware Group

The SocGholish-RansomHub Connection – Active IOCs

Threat Insights

About Us

Our Leadership

CSR

Connect with Us

Malware Analysis – Malicious Macros

Rewterz Threat Alert – APT C-35 Targeting Pakistani Organizations

The Wait Is Over!

The Rewterz Annual Threat Intelligence Report 2024 is finally here.