
S0476 Valak

Valak is a multi-stage modular malware that can function as a standalone information stealer or downloader, first observed in 2019 targeting enterprises in the US and Germany.[2][1]

| Item | Value |
|---|---|
| ID | S0476 |
| Associated Names | |
| Version | 1.3 |
| Created | 19 June 2020 |
| Last Modified | 24 March 2023 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1087 | Account Discovery | |
| enterprise | T1087.001 | Local Account | Valak has the ability to enumerate local admin accounts.[2] |
| enterprise | T1087.002 | Domain Account | Valak has the ability to enumerate domain admin accounts.[2] |
| enterprise | T1071 | Application Layer Protocol | |
| enterprise | T1071.001 | Web Protocols | Valak has used HTTP in communications with C2.[2][1] |
| enterprise | T1119 | Automated Collection | Valak can download a module to search for and build a report of harvested credential data.[3] |
| enterprise | T1059 | Command and Scripting Interpreter | |
| enterprise | T1059.001 | PowerShell | Valak has used PowerShell to download additional modules.[2] |
| enterprise | T1059.007 | JavaScript | Valak can execute JavaScript containing configuration data for establishing persistence.[2] |
| enterprise | T1555 | Credentials from Password Stores | |
| enterprise | T1555.004 | Windows Credential Manager | Valak can use a .NET compiled module named exchgrabber to enumerate credentials from the Credential Manager.[3] |
| enterprise | T1132 | Data Encoding | |
| enterprise | T1132.001 | Standard Encoding | Valak has returned C2 data as encoded ASCII.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Valak has the ability to decode and decrypt downloaded files.[2][1] |
| enterprise | T1114 | Email Collection | |
| enterprise | T1114.002 | Remote Email Collection | Valak can collect sensitive mailing information from Exchange servers, including credentials and the domain certificate of an enterprise.[2] |
| enterprise | T1041 | Exfiltration Over C2 Channel | Valak has the ability to exfiltrate data over the C2 channel.[2][1][3] |
| enterprise | T1008 | Fallback Channels | Valak can communicate over multiple C2 hosts.[1] |
| enterprise | T1564 | Hide Artifacts | |
| enterprise | T1564.004 | NTFS File Attributes | Valak has the ability to save and execute files as alternate data streams (ADS).[2][1][3] |
| enterprise | T1105 | Ingress Tool Transfer | Valak has downloaded a variety of modules and payloads to the compromised host, including IcedID and NetSupport Manager RAT-based malware.[1][2] |
| enterprise | T1559 | Inter-Process Communication | |
| enterprise | T1559.002 | Dynamic Data Exchange | Valak can execute tasks via OLE.[3] |
| enterprise | T1112 | Modify Registry | Valak has the ability to modify the Registry key HKCU\Software\ApplicationContainer\Appsw64 to store information regarding the C2 server and downloads.[2][1][3] |
| enterprise | T1104 | Multi-Stage Channels | Valak can download additional modules and malware capable of using separate C2 channels.[1] |
| enterprise | T1027 | Obfuscated Files or Information | Valak has the ability to base64 encode and XOR encrypt strings.[2][1][3] |
| enterprise | T1027.002 | Software Packing | Valak has used packed DLL payloads.[3] |
| enterprise | T1027.011 | Fileless Storage | Valak has the ability to store information regarding the C2 server and downloads in the Registry key HKCU\Software\ApplicationContainer\Appsw64.[2][1][3] |
| enterprise | T1566 | Phishing | |
| enterprise | T1566.001 | Spearphishing Attachment | Valak has been delivered via spearphishing e-mails with password protected ZIP files.[1] |
| enterprise | T1566.002 | Spearphishing Link | Valak has been delivered via malicious links in e-mail.[3] |
| enterprise | T1057 | Process Discovery | Valak has the ability to enumerate running processes on a compromised host.[2] |
| enterprise | T1012 | Query Registry | Valak can use the Registry for code updates and to collect credentials.[1] |
| enterprise | T1053 | Scheduled Task/Job | |
| enterprise | T1053.005 | Scheduled Task | Valak has used scheduled tasks to execute additional payloads and to gain persistence on a compromised host.[2][1][3] |
| enterprise | T1113 | Screen Capture | Valak has the ability to take screenshots on a compromised host.[2] |
| enterprise | T1518 | Software Discovery | |
| enterprise | T1518.001 | Security Software Discovery | Valak can determine if a compromised host has security products installed.[2] |
| enterprise | T1218 | System Binary Proxy Execution | |
| enterprise | T1218.010 | Regsvr32 | Valak has used regsvr32.exe to launch malicious DLLs.[2][1] |
| enterprise | T1082 | System Information Discovery | Valak can determine the Windows version and computer name on a compromised host.[2][3] |
| enterprise | T1016 | System Network Configuration Discovery | Valak has the ability to identify the domain and the MAC and IP addresses of an infected machine.[2] |
| enterprise | T1033 | System Owner/User Discovery | Valak can gather information regarding the user.[2] |
| enterprise | T1552 | Unsecured Credentials | |
| enterprise | T1552.002 | Credentials in Registry | Valak can use the clientgrabber module to steal e-mail credentials from the Registry.[3] |
| enterprise | T1204 | User Execution | |
| enterprise | T1204.002 | Malicious File | Valak has been executed via Microsoft Word documents containing malicious macros.[2][1][3] |
| enterprise | T1047 | Windows Management Instrumentation | Valak can use wmic process call create in a scheduled task to launch plugins and for execution.[3] |
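As an added, defender-side example (not from the ATT&CK page or the reports it cites), the following PowerShell hunt checks a host for the artifacts the table above attributes to Valak: the Appsw64 Registry key, scheduled tasks whose actions invoke regsvr32.exe or wmic process call create, and alternate data streams on files. The profile folders scanned for ADS are an assumption; adjust them to your environment.

```powershell
# Added hunt script (not Valak code, not from the ATT&CK page). Run in an
# elevated Windows PowerShell 5.1 session on the host under investigation.
$findings = @()

# 1. Registry key the page lists for C2/download state (T1112, T1027.011)
$key = 'HKCU:\Software\ApplicationContainer\Appsw64'
if (Test-Path -LiteralPath $key) {
    $values = (Get-ItemProperty -LiteralPath $key | Out-String).Trim()
    $findings += [pscustomobject]@{ Source = 'Registry'; Item = $key; Detail = $values }
}

# 2. Scheduled tasks with actions using regsvr32.exe or "wmic process call create"
#    (T1053.005, T1218.010, T1047). Each action has Execute and Arguments.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match 'regsvr32(\.exe)?' -or $cmd -match 'wmic.*process\s+call\s+create') {
            $findings += [pscustomobject]@{
                Source = 'ScheduledTask'
                Item   = "$($task.TaskPath)$($task.TaskName)"
                Detail = $cmd.Trim()
            }
        }
    }
}

# 3. Alternate data streams on files under the user profile (T1564.004).
#    Roots are an assumption; ':$DATA' is the normal stream and Zone.Identifier
#    is the browser "mark of the web", so both are filtered out as noise.
$AdsRoots = @("$env:USERPROFILE\AppData\Local", "$env:USERPROFILE\AppData\Roaming")
foreach ($root in $AdsRoots) {
    Get-ChildItem -LiteralPath $root -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
            ForEach-Object {
                $findings += [pscustomobject]@{
                    Source = 'ADS'
                    Item   = $_.FileName
                    Detail = "stream '$($_.Stream)', $($_.Length) bytes"
                }
            }
    }
}

if ($findings.Count -eq 0) { 'No Valak-style artifacts found on this host.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

A hit on the Registry key or an ADS-backed scheduled task is a strong indicator; a regsvr32 or wmic task on its own needs review of the target DLL or command before any conclusion.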

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0127 | TA551 | [2][1][4][5] |