MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 525d3b180847b425e376157caabbf860b421078903228d919d1e5e0fcce5741c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ParallaxRAT

Vendor detections: 9

SHA256 hash: 525d3b180847b425e376157caabbf860b421078903228d919d1e5e0fcce5741c
SHA3-384 hash: 9fe717cae915a51f69a039884e1929ec227b8ea57b936c968ebfa871e2b061712e145cfe79f05a8e7abc8df5b8b18795
SHA1 hash: a9cdf9ea04391ad06fdf686fba432dc093593f67
MD5 hash: e5dca24997147b550e3b4bcaa9ce804b
humanhash: west-lake-chicken-moon
File name: fix.exe
Signature: ParallaxRAT
File size: 2'169'856 bytes
First seen: 2021-02-22 11:31:26 UTC
Last seen: 2021-02-22 14:18:45 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: d56cf2043ca9d6dbcea4a702f58216df (1 x ParallaxRAT)
ssdeep: 24576:Y27VAFQVwzhF5qWSmJkb0YH99B0SvrAmanQgSyj9b4mJTVGkn9MUBl856IS4g+Mv:Y6wzrSFmSEmzCNJTVGApvPv
Threatray: 104 similar samples on MalwareBazaar
TLSH: 9EA56B13A281343BD436273949A797E4EC3BBD102AE65D5F6FF4AE4C0E356412C3A64B
Reporter: JAMESWT_WT
Tags: OOO Fudl, ParallaxRAT, RAT, signed

Code Signing Certificate

Organisation: OOO Fudl
Issuer: Sectigo RSA Code Signing CA
Algorithm: sha256WithRSAEncryption
Valid from: 2021-02-09T00:00:00Z
Valid to: 2022-02-09T23:59:59Z
Serial number: d609b6c95428954a999a8a99d4f198af
MalwareBazaar Blocklist: This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm: SHA256
Thumbprint: 26cc728b34c4804df53fa73e78ba196f00a5fb771a30f10c1ae1667590f94aa1
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 2
# of downloads: 159
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: fix.exe
Verdict: Malicious activity
Analysis date: 2021-02-22 11:28:05 UTC
Tags: installer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict: SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Parallax RAT
Detection: malicious
Classification: troj.evad
Score: 92 / 100
Signature
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
PE file has nameless sections
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected Parallax RAT
Threat name: Win32.Trojan.GenCBL
Status: Malicious
First seen: 2021-02-22 11:32:09 UTC
File Type: PE (Exe)
Extracted files: 143
AV detection: 12 of 28 (42.86%)
Threat level: 5/5

Result
Malware family: parallax
Score: 10/10
Tags: family:parallax rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops startup file
Blocklisted process makes network request
ParallaxRat
ParallaxRat payload
Unpacked files
SHA256 hash: 525d3b180847b425e376157caabbf860b421078903228d919d1e5e0fcce5741c
MD5 hash: e5dca24997147b550e3b4bcaa9ce804b
SHA1 hash: a9cdf9ea04391ad06fdf686fba432dc093593f67
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments