MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 222c327eef40050baf9e05f80d39f53bf7955bd84bf212887405a665060c369f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ParallaxRAT


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 222c327eef40050baf9e05f80d39f53bf7955bd84bf212887405a665060c369f
SHA3-384 hash: d2cebb766ea67c87440261bae140fc2183f5e809df82fd2879fcc2c3ab4924403a117cf092b494083da17204288a40dc
SHA1 hash: aa2f67289004be38332ae651d80b6865ff1261e0
MD5 hash: ec40f3c3dccb6e762d5271aac454a133
humanhash: twenty-early-seven-bakerloo
File name:222c327eef40050baf9e05f80d39f53bf7955bd84bf212887405a665060c369f
Download: download sample
Signature ParallaxRAT
Create hunting rule
File size:3'434'944 bytes
First seen:2021-05-06 09:53:01 UTC
Last seen:2021-05-06 11:06:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0ab133939b1aac0018176dad636a9f16 (1 x ParallaxRAT)
ssdeep 98304:Bg8We8xMKAJElIoFB+6TuzU/hym48IQeAeME0J:BRo6JpeIQeAC0J
Threatray 1'169 similar samples on MalwareBazaar
TLSH A1F58EF0B941446ADA233331CA1AF278F2AD64738737F2C7AA5C561D2D7D1934A2816F
Reporter JAMESWT_WT
Tags:IQ Trade ApS ParallaxRAT signed

Code Signing Certificate

Organisation:IQ Trade ApS
Issuer:TrustOcean Organization Software Vendor CA
Algorithm:sha256WithRSAEncryption
Valid from:2021-03-25T00:00:00Z
Valid to:2022-03-25T23:59:59Z
Serial number: 066276af2f2c7e246d3b1cab1b4aa42e
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: 3b13378fcc6a31baa5eea98a73c7569778556ef19c873195f61348b45f04ec66
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
135
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
222c327eef40050baf9e05f80d39f53bf7955bd84bf212887405a665060c369f
Verdict:
No threats detected
Analysis date:
2021-05-06 09:50:27 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9064ce3c-8f27-44b7-b980-38ba0b503411

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/151485/
Detection(s):
SecuriteInfo.com.LresultFromObject.9205.13313.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Parallax RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/713670
Signature
Allocates memory in foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Copying Sensitive Files with Credential Data
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Parallax RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 405759 Sample: dV9gVH0J2w Startdate: 06/05/2021 Architecture: WINDOWS Score: 92 51 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Yara detected Parallax RAT 2->55 57 Sigma detected: Copying Sensitive Files with Credential Data 2->57 7 dV9gVH0J2w.exe 2->7         started        10 dV9gVH0J2w.exe 2->10         started        12 dV9gVH0J2w.exe 2->12         started        process3 signatures4 59 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 7->59 61 Writes to foreign memory regions 7->61 63 Allocates memory in foreign processes 7->63 14 cmd.exe 1 7->14         started        17 sxstrace.exe 7->17         started        20 cmd.exe 1 7->20         started        65 Maps a DLL or memory area into another process 10->65 22 sxstrace.exe 10->22         started        24 cmd.exe 1 10->24         started        26 cmd.exe 1 10->26         started        process5 dnsIp6 67 Uses schtasks.exe or at.exe to add and modify task schedules 14->67 28 xcopy.exe 4 14->28         started        31 conhost.exe 14->31         started        49 probablatesay.pw 38.146.57.37, 49766, 49770, 5555 BASS-TRADINGUS United States 17->49 69 Tries to detect virtualization through RDTSC time measurements 17->69 33 conhost.exe 20->33         started        35 schtasks.exe 1 20->35         started        37 conhost.exe 24->37         started        39 xcopy.exe 1 24->39         started        41 conhost.exe 26->41         started        43 schtasks.exe 1 26->43         started        signatures7 process8 file9 45 C:\Users\user\AppData\...\dV9gVH0J2w.exe, PE32 28->45 dropped 47 C:\Users\...\dV9gVH0J2w.exe:Zone.Identifier, ASCII 28->47 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/222c327eef40050baf9e05f80d39f53bf7955bd84bf212887405a665060c369f/
Verdict:
unknown
Similar samples:
2dc2cf646b7c31af83b7e91b3fabcb0c86cefea53aca57ce7e0d52aa943de13c
ParallaxRAT
414d612f1134c580046095e37ead026b1c2fbfa31432e1ee662276286983fa24
ParallaxRAT
49db3918a64a934e5fcfe8940f47af2927a9e67a79371fc7b5cc19d5ec5aeaf5
ParallaxRAT
5346d8a0c2bba4d4f5f5c336958bc5ca5c797649df51a815bafcdc619bc07a9e
ParallaxRAT
8f22d0bc0ecaabfea46715aafcaae5db27c74dc564a47c66fd7ffdb53e18e0bf
ParallaxRAT
8f71fca5621ccb7ba3558cfebc17014d27923d1c73ad97ececb577fd5b937047
ParallaxRAT
9b8e02c9169932cb809300c4dff5afc240aba4d5a87264f0f7123314345c6248
ParallaxRAT
c8a0556f803e6e456cfea037885f007dba3b69287459562324460829c57380b7
ParallaxRAT
ccc04dc8264252deee19e690583b72d4c056b93bcdb492665877cc60973ac18a
ParallaxRAT
ffec3bddbb7b0af2ea2ba4cef9756b43adb1fdac458fd14b122ef1aefa5aa15b
ParallaxRAT
+ 1'159 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/210506-nxy5fyjshs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
222c327eef40050baf9e05f80d39f53bf7955bd84bf212887405a665060c369f
MD5 hash:
ec40f3c3dccb6e762d5271aac454a133
SHA1 hash:
aa2f67289004be38332ae651d80b6865ff1261e0
Link:
https://www.unpac.me/results/f07b4ab3-544a-4bae-8a1d-066492c52720/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/222c327eef40050baf9e05f80d39f53bf7955bd84bf212887405a665060c369f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
X
https://twitter.com/malwrhunterteam/status/1390241821515829250?s=20
Cape
Cape
https://www.capesandbox.com/analysis/151485/

Comments