MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5190e1a71856cab812f3ae7fca561216355fb65740106f8467486ded57c5e30c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ParallaxRAT

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	5190e1a71856cab812f3ae7fca561216355fb65740106f8467486ded57c5e30c
SHA3-384 hash:	ced3379e9e9db60840a71840a8c6efc600872d0761bbefe1df8827e180120e967d352d473eb3d90c46651125215fadf2
SHA1 hash:	040e6bcc3332eb297878cf5eb5f6f71436958d11
MD5 hash:	c20752230ee0772a5ceba41aad6130e5
humanhash:	robin-oscar-december-spring
File name:	5190e1a71856cab812f3ae7fca561216355fb65740106f8467486ded57c5e30c
Download:	download sample
Signature	ParallaxRAT Create hunting rule
File size:	2'331'176 bytes
First seen:	2022-05-06 08:01:06 UTC
Last seen:	2022-05-06 08:39:01 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	bd513421cff7901e6a4ab2d1d1f165ce (1 x ParallaxRAT)
ssdeep	24576:6EZJQN4qiQf6W4RtiqctlKaLLuntdIdbcDWfRsIA0FxnfT:6EZJhte/lboIdbhHfT
Threatray	11'117 similar samples on MalwareBazaar
TLSH	T178B58C52B3E68060F5F31FB0693A5260997A7C756838C58F9B903E1EA971B40ED35F23
TrID	37.9% (.EXE) InstallShield setup (43053/19/16) 27.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 4.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	79697171f584cd75 (1 x ParallaxRAT)
Reporter	JAMESWT_WT
Tags:	exe ParallaxRAT signed Toliz Info Tech Solutions INC.

Code Signing Certificate

Organisation:	Toliz Info Tech Solutions INC.
Issuer:	GlobalSign GCC R45 EV CodeSigning CA 2020
Algorithm:	sha256WithRSAEncryption
Valid from:	2022-02-03T12:53:30Z
Valid to:	2023-02-04T12:53:30Z
Serial number:	05d50a0e09bb9a836ffb90a3
Intelligence:	6 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:	This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:	SHA256
Thumbprint:	2d072e0e80885a82d5e35806b052ca416994e0fe06da1cfdcebd509d967a1aae
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

259

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

5190e1a71856cab812f3ae7fca561216355fb65740106f8467486ded57c5e30c

Verdict:

Malicious activity

Analysis date:

2022-05-06 08:12:39 UTC

Tags:

installer

Link:

https://app.any.run/tasks/55a8ea2c-8870-4ca6-b78e-1ce21b491b1b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/269014/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.30560.2732.14981.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a window

Sending a custom TCP request

Reading critical registry keys

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/16499/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

EvasionGetTickCount

EvasionQueryPerformanceCounter

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm anti-vm datper exploit explorer.exe fingerprint greyware keylogger overlay packed remote.exe shell32.dll wacatac

Link:

https://www.filescan.io/uploads/6274d60a40f9dd937ee8cd55/reports/4266da3a-05e0-439c-8de8-2757b957c50a/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fcfb03bf-2347-4eb3-8135-1ecc84d457b9

Result

Threat name:

Parallax RAT

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/988942

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Creates a thread in another existing process (thread injection)

Detected unpacking (changes PE section rights)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects code into the Windows Explorer (explorer.exe)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Yara detected Parallax RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5190e1a71856cab812f3ae7fca561216355fb65740106f8467486ded57c5e30c/

Threat name:

Win32.Adware.RedCap

Status:

Malicious

First seen:

2022-04-15 00:44:37 UTC

File Type:

PE (Exe)

Extracted files:

180

AV detection:

16 of 42 (38.10%)

Threat level:

1/5

Verdict:

malicious

ParallaxRAT

525d3b180847b425e376157caabbf860b421078903228d919d1e5e0fcce5741c

ParallaxRAT

5c9106490619ef294e77900e55f81a756e68b5b117458b2c6df8eac742b6ebf8

ParallaxRAT

6f8fc539952555b057adf7810aca782a29f8f624e1d46a0f4732db3763130725

ParallaxRAT

83f44e82a91a47bd830546b2beb5dc6cae3df0dea74ba2873c1646fd3e3bb98a

ParallaxRAT

9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3

ParallaxRAT

c565ce12f63b1cb897156e0234907a49517439247747cc7df5b69952c1e7ce43

ParallaxRAT

d8eb5792d969c21c364da69eca1322ab5f63e0a39b0e542bad4ee95be873c296

ParallaxRAT

df3dabd031184b67bab7043baaae17061c21939d725e751c0a6f6b7867d0cf34

ParallaxRAT

+ 11'107 additional samples on MalwareBazaar

Result

Malware family:

parallax

Score:

10/10

Tags:

family:parallax rat

Link:

https://tria.ge/reports/220506-jw4wfshfa3/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops startup file

ParallaxRat

ParallaxRat payload

Unpacked files

SH256 hash:

5190e1a71856cab812f3ae7fca561216355fb65740106f8467486ded57c5e30c

MD5 hash:

c20752230ee0772a5ceba41aad6130e5

SHA1 hash:

040e6bcc3332eb297878cf5eb5f6f71436958d11

Link:

https://www.unpac.me/results/24306e8d-545e-475a-aa70-3ee76018b434/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5190e1a71856/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5190e1a71856cab812f3ae7fca561216355fb65740106f8467486ded57c5e30c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	with_urls Create hunting rule
Author:	Antonio Sanchez <asanchez@hispasec.com>
Description:	Rule to detect the presence of an or several urls
Reference:	http://laboratorio.blogs.hispasec.com/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/269014/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample