MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b9eef2199515e5bf4cd00a176b35747f8bc9984183213fec864aca2c1918a70. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ParallaxRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5b9eef2199515e5bf4cd00a176b35747f8bc9984183213fec864aca2c1918a70
SHA3-384 hash: a06a4fd048f6639f0ffe58469556002919c64b5660ccccf41199edcd017d7716159bcedd6d7f6e07379eb76978d5f4fe
SHA1 hash: e9d7952470032a19cdd79e01cdcf6e6762c8ffa7
MD5 hash: c8fef9f26f288684e1dd99e495dbf775
humanhash: single-fourteen-north-arizona
File name:5b9eef2199515e5bf4cd00a176b35747f8bc9984183213fec864aca2c1918a70.bin
Download: download sample
Signature ParallaxRAT
Create hunting rule
File size:6'852'072 bytes
First seen:2021-07-27 09:13:33 UTC
Last seen:2021-10-21 10:19:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ef55257d8e5414c1ada866422d7543c5 (2 x ParallaxRAT)
ssdeep 98304:pO5VI/yA/FFrWw//NtM/SmfGnp3b0o5O:eI/D/M/SmenP5O
Threatray 2'972 similar samples on MalwareBazaar
TLSH T10F667C22F244963ED49F0A39442BA664993F7B313923CD5B97F4588C8F365817E3A387
dhash icon e9d5f0d5ddd5dde9 (3 x ParallaxRAT, 3 x Rhadamanthys, 1 x CoinMiner)
Reporter JAMESWT_WT
Tags:51.195.57.229 exe Key 4 Solutions s. r. o. ParallaxRAT signed

Code Signing Certificate

Organisation:Key 4 Solutions, s. r. o.
Issuer:Sectigo RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:2021-05-19T00:00:00Z
Valid to:2022-05-19T23:59:59Z
Serial number: f112993ca9f2b1956adbb0c86fb42292
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: 764f2b9e4c7f92cc3b3a9fbfd289946cfdb7df501d21f57846517828ad08a8f1
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
3
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5b9eef2199515e5bf4cd00a176b35747f8bc9984183213fec864aca2c1918a70.bin
Verdict:
Suspicious activity
Analysis date:
2021-07-27 09:16:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/77cd4007-8cfe-4c25-85ed-b4a665789b9b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/174305/
Detection(s):
PUA.Win.Packer.BorlandCpp-9
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7c9d8198-6bde-4ced-b3b2-fb4c5e64a47b
Result
Threat name:
Parallax RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/822252
Signature
Allocates memory in foreign processes
Hijacks the control flow in another process
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Parallax RAT
Behaviour
Behavior Graph:
Download SVG
Gathering data
Threat name:
Win32.Downloader.Penguish
Create hunting rule
Status:
Malicious
First seen:
2021-07-06 00:37:36 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
24 of 46 (52.17%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lopo6imzkfpfx5gnacqxnm2xi74lzgmedazbh7wimswkfqmrrjya._file
Verdict:
malicious
Similar samples:
525d3b180847b425e376157caabbf860b421078903228d919d1e5e0fcce5741c
ParallaxRAT
6f8fc539952555b057adf7810aca782a29f8f624e1d46a0f4732db3763130725
ParallaxRAT
93f79e179e242b4b2cb0edfc4499597b0ba9ba7f0f8c7126100ff82fc58175d2
ParallaxRAT
9ccce653cb66833e9396151f5bc65f6c2744d955a9eaedad81eccd3da252803e
ParallaxRAT
9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3
ParallaxRAT
c5f1d96b75d6ed0846fac4d2ddfada97927dbcebc6fbd015cc08ac78387b28fd
ParallaxRAT
d8eb5792d969c21c364da69eca1322ab5f63e0a39b0e542bad4ee95be873c296
ParallaxRAT
df3dabd031184b67bab7043baaae17061c21939d725e751c0a6f6b7867d0cf34
ParallaxRAT
+ 2'962 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210727-xxkyzjyyy2/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
c9d350e4955d025410cd8dfb426060794c426cc732bcb26c1730ef7b564d7dfd
MD5 hash:
53b1e783cffdb0683b4d52a49f963685
SHA1 hash:
8250dbe4dabfd29e40d3851a6a5f3dfc0ceda10f
Link:
https://www.unpac.me/results/551b5ea2-40e0-4e4f-b6d5-da070fa3fa69/
SH256 hash:
5b9eef2199515e5bf4cd00a176b35747f8bc9984183213fec864aca2c1918a70
MD5 hash:
c8fef9f26f288684e1dd99e495dbf775
SHA1 hash:
e9d7952470032a19cdd79e01cdcf6e6762c8ffa7
Link:
https://www.unpac.me/results/551b5ea2-40e0-4e4f-b6d5-da070fa3fa69/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Parallax RAT
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5b9eef2199515e5bf4cd00a176b35747f8bc9984183213fec864aca2c1918a70

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Adsterra_Adware_DOM
Create hunting rule
Author:IlluminatiFish
Description:Detects Adsterra adware script being loaded without the user's consent
Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/174305/

Comments