MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 389c556e30252966f34f1bc23348e182af2c0883771f9c8abe299a8ba54b1f6a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ParallaxRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 389c556e30252966f34f1bc23348e182af2c0883771f9c8abe299a8ba54b1f6a
SHA3-384 hash: 885421162dba26bf50941901d423299586bf8ef6fd9b290e9cd73248ceae921d357639ad6a7c76400f0f31033ee16e81
SHA1 hash: 796231aacfe6bf73ac73e95f1f061307f6c3ae68
MD5 hash: 415c3aa31822921311e2f080b3814924
humanhash: sierra-louisiana-lamp-butter
File name:389c556e30252966f34f1bc23348e182af2c0883771f9c8abe299a8ba54b1f6a
Download: download sample
Signature ParallaxRAT
Create hunting rule
File size:14'279'368 bytes
First seen:2021-08-25 12:10:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5a594319a0d69dbc452e748bcf05892e (21 x ParallaxRAT, 20 x Gh0stRAT, 15 x NetSupport)
ssdeep 393216:TeA/ly6FTl79SxeT1/SV2VvI9CmowsGaW8oc0a:M6h3SwT5f1zXk8o8
Threatray 148 similar samples on MalwareBazaar
TLSH T124E6333BF294A13EC5AF1B3205B39360557BBA65A90A8C1B03FC350CDF765611E3EA46
dhash icon 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter JAMESWT_WT
Tags:exe ParallaxRAT signed Special Floors ApS

Code Signing Certificate

Organisation:Special Floors ApS
Issuer:Sectigo Public Code Signing CA R36
Algorithm:sha384WithRSAEncryption
Valid from:2021-07-27T00:00:00Z
Valid to:2022-07-27T23:59:59Z
Serial number: bfcea72a7a44662e74e77163bd89c2aa
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: 93cfd60f705bc0d37993fb0a96cdebae1e1fe2c64edd5f2e1069f308eea4a70b
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
210
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
322530679
Verdict:
Suspicious activity
Analysis date:
2021-08-25 11:12:09 UTC
Tags:
installer
Link:
https://app.any.run/tasks/842dd01d-aecc-411c-be99-aad1de74b335

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Packer.Exe-6
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating a file in the %AppData% directory
Deleting a recently created file
Sending a UDP request
Launching a process
Transferring files using the Background Intelligent Transfer Service (BITS)
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Enabling the 'hidden' option for files in the %temp% directory
Moving a recently created file
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Parallax RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/21c32a86-45d7-46f8-a004-8b181a5f722f
Result
Threat name:
Parallax RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/839020
Signature
Hijacks the control flow in another process
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Writes to foreign memory regions
Yara detected Parallax RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 471450 Sample: hUA54RdKOo Startdate: 25/08/2021 Architecture: WINDOWS Score: 60 38 Malicious sample detected (through community Yara rule) 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 Yara detected Parallax RAT 2->42 9 hUA54RdKOo.exe 2 2->9         started        process3 file4 28 C:\Users\user\AppData\...\hUA54RdKOo.tmp, PE32 9->28 dropped 12 hUA54RdKOo.tmp 3 39 9->12         started        process5 file6 30 C:\Users\user\AppData\...\UtorrentV4.exe, PE32 12->30 dropped 32 C:\Users\user\AppData\Roaming\rtl220.bpl, PE32 12->32 dropped 34 C:\Users\user\AppData\Roaming\cc32220mt.dll, PE32 12->34 dropped 36 22 other files (none is malicious) 12->36 dropped 15 UtorrentV4.exe 12->15         started        18 MpCmdRun.exe 1 12->18         started        process7 signatures8 54 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 15->54 56 Hijacks the control flow in another process 15->56 20 notepad.exe 15->20         started        23 conhost.exe 18->23         started        process9 signatures10 44 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 20->44 46 Hijacks the control flow in another process 20->46 48 Writes to foreign memory regions 20->48 50 Maps a DLL or memory area into another process 20->50 25 cmd.exe 1 20->25         started        process11 signatures12 52 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 25->52
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/389c556e30252966f34f1bc23348e182af2c0883771f9c8abe299a8ba54b1f6a/
Verdict:
malicious
Similar samples:
2ab38fdbe562dd5a6be9651562e1523dbf7f3fd7d720d57bc9a25b0e2b665640
ParallaxRAT
458a03ecc28d7f704b5059263cfcad7cb94e51d5f5f2e0ad85e4e5b25da1e253
ParallaxRAT
66dfb7c408d734edc2967d50244babae27e4268ea93aa0daa5e6bbace607024c
ParallaxRAT
7ce31f51f539761f9922bec50d38c6b9c0d6cc3a912517d947bc0a49dd507026
ParallaxRAT
dd2b6e5b02de97b7888bb22135c2c9771c6a2477a59e96463141c36d30e80fbb
ParallaxRAT
df3dabd031184b67bab7043baaae17061c21939d725e751c0a6f6b7867d0cf34
ParallaxRAT
f5a558eba4843612e1b2e7bbfb431932a94bdc86f9411c0529f4216bcfe0ef02
ParallaxRAT
+ 138 additional samples on MalwareBazaar
Result
Malware family:
parallax
Create hunting rule
Score:
  10/10
Tags:
family:parallax rat upx
Link:
https://tria.ge/reports/210825-55z4q96vl2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
UPX packed file
ParallaxRat
ParallaxRat payload
Unpacked files
SH256 hash:
3f6e45c4072a09e985d764f72b3fed05d4e284f3a0d53b05b691c7de6e02e8eb
MD5 hash:
e7772da490bec982d110aea689c1b927
SHA1 hash:
d6fe58391cfd78d76c793963ab3265138fda7d21
Link:
https://www.unpac.me/results/04615882-9ee1-4a0b-9873-759e3ccaf8dc/
SH256 hash:
cf6e0c19f399e9435b71e514c200b524c572600854f707e8ff1b630a7fbc508c
MD5 hash:
13111dd97fc93175e97196f51f47e964
SHA1 hash:
8f97470e213377a46aad4380dc40b7f82fdf5066
Link:
https://www.unpac.me/results/04615882-9ee1-4a0b-9873-759e3ccaf8dc/
SH256 hash:
ee6ba1a2075a374fbfa2e5953ea91145030510cb52d21cc09822697acfd8e02a
MD5 hash:
9c2b718a18a4b41fdc16c0cc5678acbe
SHA1 hash:
bda226401314c6de92ddf00559e3be5acdd18b9d
Link:
https://www.unpac.me/results/04615882-9ee1-4a0b-9873-759e3ccaf8dc/
SH256 hash:
ae472a6b3edd11cb07080d4f84a614181f8a2af0ddba3c31b0f490b3dfbb504d
MD5 hash:
4bdb42e1c3d0fe1a3aa5c13d04bbaa50
SHA1 hash:
7c49fea8ff423abe4d5d0d611e91b7a5c7845c6d
Detections:
win_houdini_auto
Create hunting rule
Link:
https://www.unpac.me/results/04615882-9ee1-4a0b-9873-759e3ccaf8dc/
SH256 hash:
4d8560e8c6372d6ae427ac918b43bd87e52a9f1577b028f1d9bd20aa673b7485
MD5 hash:
00d4663e420c061c00844173eb92f308
SHA1 hash:
62431e57d6561173c36514deb458f7832cd1607d
Link:
https://www.unpac.me/results/04615882-9ee1-4a0b-9873-759e3ccaf8dc/
SH256 hash:
389c556e30252966f34f1bc23348e182af2c0883771f9c8abe299a8ba54b1f6a
MD5 hash:
415c3aa31822921311e2f080b3814924
SHA1 hash:
796231aacfe6bf73ac73e95f1f061307f6c3ae68
Link:
https://www.unpac.me/results/04615882-9ee1-4a0b-9873-759e3ccaf8dc/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/389c556e3025/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.79
Link:
https://yomi.yoroi.company/submissions/389c556e30252966f34f1bc23348e182af2c0883771f9c8abe299a8ba54b1f6a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
X
https://twitter.com/malwrhunterteam/status/1430471918499635206?s=20

Comments