MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 252ed32b4eaa2631fd004cb2124b6fd02a76f729a78ca51354cef21dd69f8cb5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ParallaxRAT


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 252ed32b4eaa2631fd004cb2124b6fd02a76f729a78ca51354cef21dd69f8cb5
SHA3-384 hash: 4c789cf4b0898fde5e6a92e13d44f8d68c75899526863054f65a108b20baacbf57c63be015dbd1bd0b46acabd2948e30
SHA1 hash: 236b7e6fc1c0b45a9510b4e94ca8161dc2151e3b
MD5 hash: 55fd96b39330b0f1b40757cb26cfb57d
humanhash: ack-uncle-carbon-angel
File name:252ed32b4eaa2631fd004cb2124b6fd02a76f729a78ca51354cef21dd69f8cb5
Download: download sample
Signature ParallaxRAT
Create hunting rule
File size:8'250'880 bytes
First seen:2020-10-27 08:24:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 332f7ce65ead0adfb3d35147033aabe9 (81 x XRed, 18 x SnakeKeylogger, 7 x DarkComet)
ssdeep 98304:Ensmtk2ab1DsQ8gSIyweHifuwjRuCr1TUMfpF35emtCWvrYi2huQbu0TlnqAeA/X:qLe6IyweHiGwjRuCrOMfLpxugDP+5
Threatray 30 similar samples on MalwareBazaar
TLSH 39869D52B2A18C73D46355388C1B97E9AA35BE202F344AC737B17E4D3F766D13928386
Reporter JAMESWT_WT
Tags:STA-R TOV

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.D1s1g-5
Create hunting rule

PUA.Win.Packer.D1s1g-2
Create hunting rule

PUA.Win.Packer.D1s1g-1
Create hunting rule

Win.Malware.Delf-6899401-0
Create hunting rule

PUA.Win.Trojan.Generic-6629274-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a file
Moving a recently created file
Searching for the window
Creating a file in the %temp% directory
Moving a file to the %temp% directory
Modifying an executable file
Deleting a recently created file
DNS request
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Infecting executable files
Unauthorized injection to a system process
Result
Threat name:
Parallax RAT
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/513031
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to detect sleep reduction / modifications
Contains functionality to detect virtual machines (IN, VMware)
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Drops PE files to the document folder of the user
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Injects files into Windows application
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses dynamic DNS services
Yara detected Parallax RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 305628 Sample: 4AXKXtaavC Startdate: 27/10/2020 Architecture: WINDOWS Score: 100 37 cropovick.ga 2->37 65 Malicious sample detected (through community Yara rule) 2->65 67 Antivirus detection for dropped file 2->67 69 Antivirus / Scanner detection for submitted sample 2->69 71 9 other signatures 2->71 8 4AXKXtaavC.exe 1 6 2->8         started        11 EXCEL.EXE 23 15 2->11         started        14 Synaptics.exe 2->14         started        signatures3 process4 file5 31 C:\Users\user\...\._cache_4AXKXtaavC.exe, PE32 8->31 dropped 33 C:\ProgramData\Synaptics\Synaptics.exe, PE32 8->33 dropped 35 C:\ProgramData\Synaptics\RCX7F1A.tmp, PE32 8->35 dropped 16 ._cache_4AXKXtaavC.exe 8->16         started        19 Synaptics.exe 27 8->19         started        77 Injects files into Windows application 11->77 signatures6 process7 dnsIp8 49 Multi AV Scanner detection for dropped file 16->49 51 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 16->51 53 Hijacks the control flow in another process 16->53 63 3 other signatures 16->63 23 rundll32.exe 16->23         started        39 googlehosted.l.googleusercontent.com 216.58.215.225, 443, 49719, 49720 GOOGLEUS United States 19->39 41 freedns.afraid.org 69.42.215.252, 49716, 80 AWKNET-LLCUS United States 19->41 43 5 other IPs or domains 19->43 29 C:\Users\user\Documents\~$cache1, PE32 19->29 dropped 55 Antivirus detection for dropped file 19->55 57 Drops PE files to the document folder of the user 19->57 59 Machine Learning detection for dropped file 19->59 61 Contains functionality to detect sleep reduction / modifications 19->61 27 WerFault.exe 23 9 19->27         started        file9 signatures10 process11 dnsIp12 45 graphicalcatty.com 195.140.215.120, 49732, 8585 BANDWIDTH-ASGB United Kingdom 23->45 47 cropovick.ga 195.140.215.79, 8585 BANDWIDTH-ASGB United Kingdom 23->47 73 System process connects to network (likely due to code injection or exploit) 23->73 75 Tries to detect virtualization through RDTSC time measurements 23->75 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/252ed32b4eaa2631fd004cb2124b6fd02a76f729a78ca51354cef21dd69f8cb5/
Threat name:
Win32.Backdoor.DarkComet
Create hunting rule
Status:
Malicious
First seen:
2020-10-27 06:25:04 UTC
File Type:
PE (Exe)
Extracted files:
947
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
6b4db883cf4c04eedb117c22ea5adf581c76a1ceff8ace962182866f91587120
ParallaxRAT
6ca93eb4511997137870cc14dc0b80859d47a1ed6e98a74e47558a931179d0b6
ParallaxRAT
bbe2a604c11442ee74adb7fa17910ca8e5665ab463e4a45b478707faa3a284e4
ParallaxRAT
bc2cea17da33c23edbb0c86ab00b3ec3b4a2f4da84fb075922e41b7bf6b654f0
ParallaxRAT
beb4b506d74d13c15ed9df5db430dbaed172f50056890e9eaccf176c45b0d633
ParallaxRAT
bf8e469a058f90d9ccbe081b0da470d3314aa4cd34f916865f0c0b4fa28eacd8
ParallaxRAT
bff48c0188b7943167243494c88f35cccc508fa1cd70db2116a5532dc403038b
ParallaxRAT
c62e5304821abc306872ea97c88a8d7dc800f7b63380b2cf89153c639de4704c
ParallaxRAT
d6db5bf67ccbc30492f2c23903eed093e14016b094aa0729567d250bf1dcf8ae
ParallaxRAT
eb7eed8c7501eb5cc824c4ecfa140b577faff4af728ab272ecff573a2ca06d2c
ParallaxRAT
+ 20 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/201027-fs78aqtdda/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies registry class
Adds Run key to start application
Loads dropped DLL
Checks computer location settings
Blacklisted process makes network request
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments