MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 377ecfd2413aa044082c4f89e7c50baaeac0acbae8d7f5ada32ad915ad905557. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ParallaxRAT

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	377ecfd2413aa044082c4f89e7c50baaeac0acbae8d7f5ada32ad915ad905557
SHA3-384 hash:	4270aae44000f10f081c37da906eb97208a1bce87fca555c6785e3927f4316960a1b2b15bf4a4285f9f8ce0b06f08b4a
SHA1 hash:	3d59eb485c26c3afcb302559281478c9ae733b9b
MD5 hash:	e416cd8a227a835be660f5664ed80058
humanhash:	snake-idaho-hawaii-lion
File name:	377ecfd2413aa044082c4f89e7c50baaeac0acbae8d7f5ada32ad915ad905557
Download:	download sample
Signature	ParallaxRAT Create hunting rule
File size:	4'019'240 bytes
First seen:	2022-05-06 08:02:51 UTC
Last seen:	2022-05-06 08:39:10 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	64e6a9ff9e7228c21348997eb96a2b62 (3 x ParallaxRAT)
ssdeep	49152:+IjzyjnpUhMhukQNosSICGr8CLBb4O5k42LB0N8pq:+IjzyjnpUMONosSxGrhN8Scnpq
Threatray	11'115 similar samples on MalwareBazaar
TLSH	T131169E23B3F58064F5F32B306D3662649A79BD719938C6BE87903D0E6D71A40E935B23
TrID	75.5% (.CPL) Windows Control Panel Item (generic) (197083/11/60) 11.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 4.0% (.EXE) Win64 Executable (generic) (10523/12/4) 2.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 1.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	655a787dc5e5514d (2 x ParallaxRAT)
Reporter	JAMESWT_WT
Tags:	exe ParallaxRAT signed Toliz Info Tech Solutions INC.

Code Signing Certificate

Organisation:	Toliz Info Tech Solutions INC.
Issuer:	GlobalSign GCC R45 EV CodeSigning CA 2020
Algorithm:	sha256WithRSAEncryption
Valid from:	2022-02-03T12:53:30Z
Valid to:	2023-02-04T12:53:30Z
Serial number:	05d50a0e09bb9a836ffb90a3
Intelligence:	6 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:	This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:	SHA256
Thumbprint:	2d072e0e80885a82d5e35806b052ca416994e0fe06da1cfdcebd509d967a1aae
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

278

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

377ecfd2413aa044082c4f89e7c50baaeac0acbae8d7f5ada32ad915ad905557

Verdict:

Malicious activity

Analysis date:

2022-05-06 08:08:29 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/9dfb852f-a80f-4106-bd03-a7c124ee3f97

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/269016/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.50194768.24924.15965.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Searching for synchronization primitives

Creating a window

Sending a custom TCP request

Reading critical registry keys

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/16516/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

EvasionGetTickCount

CheckCmdLine

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

80%

Tags:

anti-debug control.exe datper exploit explorer.exe fingerprint greyware hacktool keylogger overlay packed reg.exe shell32.dll tracker.exe update.exe wacatac wscript.exe

Link:

https://www.filescan.io/uploads/6274d64eb119a5f609a7b655/reports/56d8b95c-ccd7-4489-b7c2-13fd07670897/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3614daf0-dc0b-4027-a71b-8202efd26d49

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

52 / 100

Link:

https://www.joesandbox.com/analysis/988947

Signature

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/377ecfd2413aa044082c4f89e7c50baaeac0acbae8d7f5ada32ad915ad905557/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2022-04-22 00:50:38 UTC

File Type:

PE (Exe)

Extracted files:

342

AV detection:

14 of 42 (33.33%)

Threat level:

5/5

Verdict:

malicious

ParallaxRAT

5190e1a71856cab812f3ae7fca561216355fb65740106f8467486ded57c5e30c

ParallaxRAT

525d3b180847b425e376157caabbf860b421078903228d919d1e5e0fcce5741c

ParallaxRAT

5c9106490619ef294e77900e55f81a756e68b5b117458b2c6df8eac742b6ebf8

ParallaxRAT

6f8fc539952555b057adf7810aca782a29f8f624e1d46a0f4732db3763130725

ParallaxRAT

83f44e82a91a47bd830546b2beb5dc6cae3df0dea74ba2873c1646fd3e3bb98a

ParallaxRAT

9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3

ParallaxRAT

d9ace2d97010316fdb0f416920232e8d4c59b01614633c4d5def79abb15d0175

ParallaxRAT

df3dabd031184b67bab7043baaae17061c21939d725e751c0a6f6b7867d0cf34

ParallaxRAT

+ 11'105 additional samples on MalwareBazaar

Result

Malware family:

parallax

Score:

10/10

Tags:

family:parallax rat

Link:

https://tria.ge/reports/220506-jxn7dshfa6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Drops startup file

ParallaxRat

ParallaxRat payload

Unpacked files

SH256 hash:

377ecfd2413aa044082c4f89e7c50baaeac0acbae8d7f5ada32ad915ad905557

MD5 hash:

e416cd8a227a835be660f5664ed80058

SHA1 hash:

3d59eb485c26c3afcb302559281478c9ae733b9b

Link:

https://www.unpac.me/results/5d3d5329-ab4f-484e-a45c-dba5470d3c08/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/377ecfd2413a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.48

Link:

https://yomi.yoroi.company/submissions/377ecfd2413aa044082c4f89e7c50baaeac0acbae8d7f5ada32ad915ad905557

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	with_urls Create hunting rule
Author:	Antonio Sanchez <asanchez@hispasec.com>
Description:	Rule to detect the presence of an or several urls
Reference:	http://laboratorio.blogs.hispasec.com/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/269016/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample