MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2b58394b23c0116c5f2442da28309baee99b2b4ef870aa5381cdd03ce6480cd6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ParallaxRAT

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	2b58394b23c0116c5f2442da28309baee99b2b4ef870aa5381cdd03ce6480cd6
SHA3-384 hash:	9e0490fe55775e7c6d607a9c34d08776d46050fddd052ee5ed03f0dca2870f132395a95147abf5dda840f414585ea020
SHA1 hash:	597b11af8917523ae93d4855582101f9f452dc2c
MD5 hash:	f72d60aee446e6e8f41abdf05af864e2
humanhash:	november-solar-iowa-steak
File name:	2b58394b23c0116c5f2442da28309baee99b2b4ef870aa5381cdd03ce6480cd6
Download:	download sample
Signature	ParallaxRAT Create hunting rule
File size:	2'987'560 bytes
First seen:	2022-05-06 08:00:40 UTC
Last seen:	2022-05-06 08:38:59 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	2cf76a41316b193194b2b00cba882a63 (2 x ParallaxRAT)
ssdeep	24576:loaxr53vZ0lTCsHNKOgE+qXVqBxbsENaUuFMxQ3EdJjDB:vr53vZ0llAs+q8vsKaUz2Sjd
Threatray	11'115 similar samples on MalwareBazaar
TLSH	T1F4D58D22F3F544B1F5F32BB05D3A62504A3A3D65A934C5AF4E60390E1D72A40E9B5F2B
TrID	75.5% (.CPL) Windows Control Panel Item (generic) (197083/11/60) 11.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 4.0% (.EXE) Win64 Executable (generic) (10523/12/4) 2.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 1.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	009280b28eaa9600 (6 x CoinMiner, 1 x ParallaxRAT, 1 x Vidar)
Reporter	JAMESWT_WT
Tags:	exe ParallaxRAT signed Toliz Info Tech Solutions INC.

Code Signing Certificate

Organisation:	Toliz Info Tech Solutions INC.
Issuer:	GlobalSign GCC R45 EV CodeSigning CA 2020
Algorithm:	sha256WithRSAEncryption
Valid from:	2022-02-03T12:53:30Z
Valid to:	2023-02-04T12:53:30Z
Serial number:	05d50a0e09bb9a836ffb90a3
Intelligence:	6 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:	This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:	SHA256
Thumbprint:	2d072e0e80885a82d5e35806b052ca416994e0fe06da1cfdcebd509d967a1aae
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

250

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

2b58394b23c0116c5f2442da28309baee99b2b4ef870aa5381cdd03ce6480cd6

Verdict:

Malicious activity

Analysis date:

2022-05-06 08:03:20 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/89551afc-5268-41bd-a8bd-cb3ed9b05a83

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/269011/

Detection(s):

SecuriteInfo.com.BackDoor.Rat.391.5691.4394.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a window

Sending a custom TCP request

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/16528/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

CheckCmdLine

EvasionQueryPerformanceCounter

EvasionGetTickCount

Verdict:

Malicious

Threat level:

10/10

Confidence:

75%

Tags:

control.exe datper explorer.exe fingerprint greyware keylogger overlay packed reg.exe setupapi.dll shell32.dll stealer update.exe wscript.exe

Link:

https://www.filescan.io/uploads/6274d5c2d4bfd83491bf54b8/reports/9b51d099-b800-4598-b006-73cf410168c6/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e21c1714-e4c0-499e-8b62-bf0f0337d218

Result

Threat name:

Unknown

Detection:

malicious

Classification:

spyw.evad

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/988945

Signature

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to steal Mail credentials (via file registry)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2b58394b23c0116c5f2442da28309baee99b2b4ef870aa5381cdd03ce6480cd6/

Threat name:

Win32.Trojan.Fugrafa

Status:

Malicious

First seen:

2022-04-04 01:41:52 UTC

File Type:

PE (Exe)

Extracted files:

179

AV detection:

18 of 42 (42.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fnmdsszdyaiwyxzeilncqme3v3uzwk2o7bykuu4bzxidzzsibtla._file

Verdict:

malicious

ParallaxRAT

5b9eef2199515e5bf4cd00a176b35747f8bc9984183213fec864aca2c1918a70

ParallaxRAT

5c9106490619ef294e77900e55f81a756e68b5b117458b2c6df8eac742b6ebf8

ParallaxRAT

6f8fc539952555b057adf7810aca782a29f8f624e1d46a0f4732db3763130725

ParallaxRAT

9ccce653cb66833e9396151f5bc65f6c2744d955a9eaedad81eccd3da252803e

ParallaxRAT

9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3

ParallaxRAT

d8eb5792d969c21c364da69eca1322ab5f63e0a39b0e542bad4ee95be873c296

ParallaxRAT

df3dabd031184b67bab7043baaae17061c21939d725e751c0a6f6b7867d0cf34

ParallaxRAT

+ 11'105 additional samples on MalwareBazaar

Result

Malware family:

parallax

Score:

10/10

Tags:

family:parallax rat

Link:

https://tria.ge/reports/220506-jwjkhsccfq/

Behaviour

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Enumerates physical storage devices

Drops startup file

ParallaxRat

ParallaxRat payload

Unpacked files

SH256 hash:

2b58394b23c0116c5f2442da28309baee99b2b4ef870aa5381cdd03ce6480cd6

MD5 hash:

f72d60aee446e6e8f41abdf05af864e2

SHA1 hash:

597b11af8917523ae93d4855582101f9f452dc2c

Link:

https://www.unpac.me/results/8a0879bc-94d6-4180-8f43-56c4aad74038/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/2b58394b23c0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.48

Link:

https://yomi.yoroi.company/submissions/2b58394b23c0116c5f2442da28309baee99b2b4ef870aa5381cdd03ce6480cd6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	with_urls Create hunting rule
Author:	Antonio Sanchez <asanchez@hispasec.com>
Description:	Rule to detect the presence of an or several urls
Reference:	http://laboratorio.blogs.hispasec.com/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/269011/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample