MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43fd77d5c17fe83426f69d80761716b61759744c2f23a5efeffac6c07e97372b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ParallaxRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 43fd77d5c17fe83426f69d80761716b61759744c2f23a5efeffac6c07e97372b
SHA3-384 hash: 84bacba66da66ee5939bdcaa0004b09553f814fefd7956542fb4c5842c19ab4c54ba3dbb140d46224ef340a85b3c45c5
SHA1 hash: ebd68be5f994e9a63b01b5a4c5565429d51b34ba
MD5 hash: 37df365d3717a7e0c5e1f5923096430d
humanhash: low-aspen-december-undress
File name:43fd77d5c17fe83426f69d80761716b61759744c2f23a5efeffac6c07e97372b
Download: download sample
Signature ParallaxRAT
Create hunting rule
File size:2'055'600 bytes
First seen:2021-05-12 10:36:39 UTC
Last seen:2021-05-12 11:59:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a7d65c09859bf3644a45cb38958d7206 (3 x ParallaxRAT, 1 x BitRAT)
ssdeep 49152:fF+TPAyuQUYZTntAd7shhk+SM2H2HMXN5qywXpFrztV:fFMAEUYZTtAJsDky2H2HMXN5qywXpFrT
Threatray 1'290 similar samples on MalwareBazaar
TLSH D3956B2231C14B77C1231E31B969F638F3ACAE352E3D41C753E4B61C29355829BADD6A
Reporter JAMESWT_WT
Tags:5.2.68.82 LAEN ApS ParallaxRAT signed

Code Signing Certificate

Organisation:LAEN ApS
Issuer:Sectigo RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:2021-04-23T00:00:00Z
Valid to:2022-04-23T23:59:59Z
Serial number: d0eda76c13d30c97015708790bb94214
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: 98e1f71ef64b0d91c443017631f550871096d66e60f72d90bb9503ba64c5d74d
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
134
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TradingScheduleTransaction.pif
Verdict:
Suspicious activity
Analysis date:
2021-05-11 12:52:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8406d709-5f91-450c-aecf-be63bfa447de

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.BackDoor.Rat.354.19666.362.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the %AppData% subdirectories
Forced shutdown of a system process
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Parallax RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/779748
Signature
Allocates memory in foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Copying Sensitive Files with Credential Data
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Parallax RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 412146 Sample: D2TpKZjN72 Startdate: 12/05/2021 Architecture: WINDOWS Score: 100 50 strattonprlxmaespm.com 2->50 52 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 Multi AV Scanner detection for submitted file 2->56 58 2 other signatures 2->58 8 D2TpKZjN72.exe 2->8         started        11 D2TpKZjN72.exe 2->11         started        signatures3 process4 signatures5 60 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->60 62 Writes to foreign memory regions 8->62 64 Allocates memory in foreign processes 8->64 13 cmd.exe 1 8->13         started        16 sxstrace.exe 8->16         started        19 cmd.exe 1 8->19         started        66 Multi AV Scanner detection for dropped file 11->66 68 Maps a DLL or memory area into another process 11->68 21 sxstrace.exe 11->21         started        23 cmd.exe 1 11->23         started        25 cmd.exe 1 11->25         started        process6 dnsIp7 70 Uses schtasks.exe or at.exe to add and modify task schedules 13->70 27 xcopy.exe 4 13->27         started        30 conhost.exe 13->30         started        48 strattonprlxmaespm.com 5.2.68.82, 49729, 49736, 49748 LITESERVERNL Netherlands 16->48 72 Tries to detect virtualization through RDTSC time measurements 16->72 32 conhost.exe 19->32         started        34 schtasks.exe 1 19->34         started        36 conhost.exe 23->36         started        38 xcopy.exe 1 23->38         started        40 conhost.exe 25->40         started        42 schtasks.exe 1 25->42         started        signatures8 process9 file10 44 C:\Users\user\AppData\...\D2TpKZjN72.exe, PE32 27->44 dropped 46 C:\Users\...\D2TpKZjN72.exe:Zone.Identifier, ASCII 27->46 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/43fd77d5c17fe83426f69d80761716b61759744c2f23a5efeffac6c07e97372b/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2021-05-11 15:51:33 UTC
File Type:
PE (Exe)
Extracted files:
44
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
0cfa9021ddabb0a9f3306397234f3f19ce70da1082b4291bfe9477c974aebbec
ParallaxRAT
222c327eef40050baf9e05f80d39f53bf7955bd84bf212887405a665060c369f
ParallaxRAT
645dbb6df97018fafb4285dc18ea374c721c86349cb75494c7d63d6a6afc27e6
ParallaxRAT
6a28f7fb457fb484c1fbcceb41b10637345b18950b62df89c0a7689dd4f20d68
ParallaxRAT
6f522cc6adbe791575df40a518ba10c89cb54af0d849be0841b036b05d441fa9
ParallaxRAT
83afabd3bf44ba07ad9b09ffc85db8ea7ff0a32d888bd829e8733dcd2cd2779e
ParallaxRAT
8f71fca5621ccb7ba3558cfebc17014d27923d1c73ad97ececb577fd5b937047
ParallaxRAT
9b8e02c9169932cb809300c4dff5afc240aba4d5a87264f0f7123314345c6248
ParallaxRAT
ccc04dc8264252deee19e690583b72d4c056b93bcdb492665877cc60973ac18a
ParallaxRAT
ebf0083ad227764b7963171f0c2d156f56ad5a5835ce1a74e3c85b4902b04695
ParallaxRAT
+ 1'280 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/210512-683jbatyaj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Program crash
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Glupteba
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/43fd77d5c17fe83426f69d80761716b61759744c2f23a5efeffac6c07e97372b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
X
https://twitter.com/malwrhunterteam/status/1392424512738709507?s=20

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-12 11:29:21 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
1) [B0009.012] Anti-Behavioral Analysis::Human User Check
2) [F0002.002] Collection::Polling
3) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
4) [C0028.002] Cryptography Micro-objective::RC4 KSA::Encryption Key
5) [C0026.002] Data Micro-objective::XOR::Encode Data
6) [C0030.005] Data Micro-objective::FNV::Non-Cryptographic Hash
8) [C0045] File System Micro-objective::Copy File
9) [C0047] File System Micro-objective::Delete File
10) [C0049] File System Micro-objective::Get File Attributes
11) [C0051] File System Micro-objective::Read File
12) [C0052] File System Micro-objective::Writes File
13) [C0007] Memory Micro-objective::Allocate Memory
14) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
15) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
16) [C0036.002] Operating System Micro-objective::Delete Registry Key::Registry
17) [C0036.007] Operating System Micro-objective::Delete Registry Value::Registry
18) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
19) [C0036.005] Operating System Micro-objective::Query Registry Key::Registry
20) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
21) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
22) [C0040] Process Micro-objective::Allocate Thread Local Storage
23) [C0017] Process Micro-objective::Create Process
24) [C0038] Process Micro-objective::Create Thread
25) [C0054] Process Micro-objective::Resume Thread
26) [C0041] Process Micro-objective::Set Thread Local Storage Value
27) [C0018] Process Micro-objective::Terminate Process