MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3361515c7847b7f3aa44b45da30581ad9e5af35fdc2489ff95d312a3f4a5e4a7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ParallaxRAT

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	3361515c7847b7f3aa44b45da30581ad9e5af35fdc2489ff95d312a3f4a5e4a7
SHA3-384 hash:	96b686b6555071b8cba9a6a21a72cc6550527b6bc15f758e7842ecf8d1a3612e1c12dfecfda03791dd7548577ca1299d
SHA1 hash:	c50b220f1193a75198f7dadaafa2d0f045f9449a
MD5 hash:	56116fa25cf66f595374b8ce3a1b4e2c
humanhash:	ceiling-mississippi-undress-uncle
File name:	3361515c7847b7f3aa44b45da30581ad9e5af35fdc2489ff95d312a3f4a5e4a7
Download:	download sample
Signature	ParallaxRAT Create hunting rule
File size:	2'060'760 bytes
First seen:	2021-02-04 11:30:27 UTC
Last seen:	2021-02-04 13:47:11 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	99d6c1d9ce4c50e43c847105f20cdecf (2 x ParallaxRAT)
ssdeep	24576:4udiLvkVtDNgOC6ifaaWrLpBOSkFmGOVyhXB2g+Mszh2T:ClhSoSdGOVyd+hq
Threatray	5 similar samples on MalwareBazaar
TLSH	DF958D13B2913437C427063A496797A46C3FBA102B9649A76FF09C4C3F3AA853C36797
Reporter	JAMESWT_WT
Tags:	Pushka LLC signed

Code Signing Certificate

Organisation:	AAA Certificate Services
Issuer:	AAA Certificate Services
Algorithm:	sha1WithRSAEncryption
Valid from:	Jan 1 00:00:00 2004 GMT
Valid to:	Dec 31 23:59:59 2028 GMT
Serial number:	01
Intelligence:	384 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Graveyard Blocklist:	This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:	SHA256
Thumbprint:	D7A7A0FB5D7E2731D771E9484EBCDEF71D5F0C3E0A2948782BC83EE0EA699EF4
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/115550/

Detection(s):

PUA.Win.Malware.Speedingupmypc-6718419-0

PUA.Win.Packer.Exe-6

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Launching cmd.exe command interpreter

Sending a UDP request

Unauthorized injection to a system process

Sending a TCP request to an infection source

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Parallax RAT

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/599325

Signature

Allocates memory in foreign processes

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Found potential dummy code loops (likely to delay analysis)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hijacks the control flow in another process

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file has nameless sections

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Yara detected Parallax RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3361515c7847b7f3aa44b45da30581ad9e5af35fdc2489ff95d312a3f4a5e4a7/

Threat name:

Win32.Trojan.GenCBL

Status:

Malicious

First seen:

2021-02-04 06:53:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Verdict:

malicious

ParallaxRAT

1f54c4b578cdcaf15c817f18ee715a8cf2b7944c44e268ae8fa8bc9427922bf2

ParallaxRAT

3e8962da569e1d2ab460b1713859a54d0f8f930a2b5113c95d109e94f231ecb0

ParallaxRAT

63222c4e479192d47d229876df69205e26452f0468fe0e9e522c2e6bba85f02c

ParallaxRAT

8f9d53981687f9cb6b3e49f03565cdda8e4ca9ccce56122f435f8851d7425f2b

ParallaxRAT

Result

Malware family:

parallax

Score:

10/10

Tags:

family:parallax ransomware rat

Link:

https://tria.ge/reports/210204-lp1aqrbrkn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops startup file

Blocklisted process makes network request

ParallaxRat

ParallaxRat payload

Unpacked files

SH256 hash:

3361515c7847b7f3aa44b45da30581ad9e5af35fdc2489ff95d312a3f4a5e4a7

MD5 hash:

56116fa25cf66f595374b8ce3a1b4e2c

SHA1 hash:

c50b220f1193a75198f7dadaafa2d0f045f9449a

Link:

https://www.unpac.me/results/2bc946d1-b7d7-49bf-b3cf-e0c5a3ecdb40/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.87

Link:

https://yomi.yoroi.company/submissions/3361515c7847b7f3aa44b45da30581ad9e5af35fdc2489ff95d312a3f4a5e4a7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/115550/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample