MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 464b01b713a4c97b736dae0ea19855e97a172e7c11e9f7fe9ac0e054326c340c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ParallaxRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 464b01b713a4c97b736dae0ea19855e97a172e7c11e9f7fe9ac0e054326c340c
SHA3-384 hash: ec3422ca8587d428c0e9100a6eece2dde062b6fd490eb7203e0ab9a8d46bedc41cc638fffa84e58c84f1d9097eeed291
SHA1 hash: ff8159da86f6a43d07831c31b3b702375e71edf5
MD5 hash: 4d0a93f479c185879347cff75337de5f
humanhash: sad-eight-solar-mexico
File name:packing list.xlsx.scr
Download: download sample
Signature ParallaxRAT
Create hunting rule
File size:1'332'736 bytes
First seen:2020-10-16 10:22:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:BYHFkzF6mxsCeyyANaNvGkOqWRT6lJUIYAqv1rKfCXA7Y:hxCGWZnqJ
Threatray 34 similar samples on MalwareBazaar
TLSH 7D551B3DADC8223795B7D6B6C9E65587BA127D433122AC0E60D733420A33B973DC691E
Reporter abuse_ch
Tags:ParallaxRAT RAT scr


Avatar
abuse_ch
Malspam distributing ParallaxRAT:

HELO: vps61348.inmotionhosting.com
Sending IP: 104.152.110.49
From: Angela Benett <Angela.Benett@aircharter.co.uk>
Reply-To: Angela Benett <kimjoy001@gmail.com>
Subject: urgent charter request
Attachment: packing list.xlsx.zip (contains "packing list.xlsx.scr")

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/71890/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Unauthorized injection to a recently created process
Launching a process
Creating a file
Creating a window
DNS request
Connection attempt to an infection source
Enabling autorun by creating a file
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/493361
Signature
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Creates an undocumented autostart registry key
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/464b01b713a4c97b736dae0ea19855e97a172e7c11e9f7fe9ac0e054326c340c/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-10-15 15:29:31 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=izfqdnytutexw43nvyhkdgcv5f5bolt4chu7p7u2ydqfimtmgqga._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
002b81b464fe41cfe17a2a59fdcea647ea5af9e8bfcbfc78ae4fc4c076765629
ParallaxRAT
0cb94dd180548e55a02a5a8c75e601816746105eb6c8e62cb53b7fa2cddfa9c6
ParallaxRAT
52610d8b6b7199cca5c5bb423edc65f316e8ab960774aa7348490899c125bcaf
ParallaxRAT
6ca93eb4511997137870cc14dc0b80859d47a1ed6e98a74e47558a931179d0b6
ParallaxRAT
7fd613b9b27239f8bd2aaaa338d6aef3649893befba81e7075a9ff72df8e2eae
ParallaxRAT
95e512f980e10547b613b0ee9fde0e49716e338cdf16e9b50956e0b3a807ad20
ParallaxRAT
bbe2a604c11442ee74adb7fa17910ca8e5665ab463e4a45b478707faa3a284e4
ParallaxRAT
bc2cea17da33c23edbb0c86ab00b3ec3b4a2f4da84fb075922e41b7bf6b654f0
ParallaxRAT
c2e30f7fb4bd1be4de7a4322f2a1d1b489259c1a54cc372a55148eca640d5a9e
ParallaxRAT
c62e5304821abc306872ea97c88a8d7dc800f7b63380b2cf89153c639de4704c
ParallaxRAT
+ 24 additional samples on MalwareBazaar
Result
Malware family:
parallax
Create hunting rule
Score:
  10/10
Tags:
rat family:parallax
Link:
https://tria.ge/reports/201016-n963mq3w6x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
ParallaxRat
ParallaxRat payload
Unpacked files
SH256 hash:
165b6353a27653c087637f372f70713e4e0af658e87f03ba0703d8b975525243
MD5 hash:
112730ad698bcb62cfb8c64c4862640a
SHA1 hash:
6b42b1f3f372785c40b4f80c35d6aa2e0d012429
Link:
https://www.unpac.me/results/4a1649ea-2055-48d3-bef4-c844dd615741/
SH256 hash:
eb74eff29c645b713f6710a68244b0d54fd394c310ea52bcc8e15272865460fe
MD5 hash:
c4c27d36f733d6af2123603a1dbaff26
SHA1 hash:
9dfe4ce46c36c201dd9da689affa33b096824c32
Link:
https://www.unpac.me/results/4a1649ea-2055-48d3-bef4-c844dd615741/
SH256 hash:
464b01b713a4c97b736dae0ea19855e97a172e7c11e9f7fe9ac0e054326c340c
MD5 hash:
4d0a93f479c185879347cff75337de5f
SHA1 hash:
ff8159da86f6a43d07831c31b3b702375e71edf5
Link:
https://www.unpac.me/results/4a1649ea-2055-48d3-bef4-c844dd615741/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/464b01b713a4c97b736dae0ea19855e97a172e7c11e9f7fe9ac0e054326c340c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_win32_parralax_load_1
Create hunting rule
Author:@VK_Intel
Description:Detects Parallax loader sequence
Reference:https://twitter.com/VK_Intel/status/1240676463126380545
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:win_parallax_w0
Create hunting rule
Author:jeFF0Falltrades

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ParallaxRAT

zip 8d6e17c9b63c736c6380bc367b09572c9adc95e916c275296d0692a81191f242

ParallaxRAT

Executable exe 464b01b713a4c97b736dae0ea19855e97a172e7c11e9f7fe9ac0e054326c340c

(this sample)

  
Dropped by
MD5 5fcb322ff0ed7eabe10145fa4cf78768
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/71890/
  
Dropped by
SHA256 8d6e17c9b63c736c6380bc367b09572c9adc95e916c275296d0692a81191f242

Comments