MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f8fc539952555b057adf7810aca782a29f8f624e1d46a0f4732db3763130725. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ParallaxRAT

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	6f8fc539952555b057adf7810aca782a29f8f624e1d46a0f4732db3763130725
SHA3-384 hash:	dad7275be22f15f63865c36a6dbe7e46a36606d30e09138112510bbe46d69fd18b03a58dcd704500637a77cac7c9ba0e
SHA1 hash:	021341b0025363363982cd57afe27451eb9774e3
MD5 hash:	e1104876ebb32f85d47d8b477eea655b
humanhash:	floor-california-georgia-snake
File name:	6f8fc539952555b057adf7810aca782a29f8f624e1d46a0f4732db3763130725
Download:	download sample
Signature	ParallaxRAT Create hunting rule
File size:	5'503'976 bytes
First seen:	2021-02-22 11:30:16 UTC
Last seen:	2021-02-22 14:18:43 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	37f91e7c54284580851455235c88af6f (1 x ParallaxRAT)
ssdeep	49152:EMCjldY2S7LVEl0myvU9WrPC+X8zybKjS5fyu9KkmqEj/wf779WkXHqXWXP:AjqSV7WrPC08uPKkSwf7DHqXWf
Threatray	111 similar samples on MalwareBazaar
TLSH	CC467D12B285653BD1730E3B092B9788693BF9202F198D573BB81E4C0F79781AD3975B
Reporter	JAMESWT_WT
Tags:	OOO Apladis ParallaxRAT RAT signed

Code Signing Certificate

Organisation:	OOO Apladis
Issuer:	Sectigo RSA Code Signing CA
Algorithm:	sha256WithRSAEncryption
Valid from:	2021-02-11T00:00:00Z
Valid to:	2022-02-11T23:59:59Z
Serial number:	6a568f85de2061f67ded98707d4988df
MalwareBazaar Blocklist:	This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:	SHA256
Thumbprint:	75f76c3664efc10058a602a2cdb1f35c9ee09d0b96d2f690fe0e26cfdd875922
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

141

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Parallax

Link:

https://www.capesandbox.com/analysis/118303/

Detection(s):

PUA.Win.Malware.Speedingupmypc-6718419-0

PUA.Win.Packer.Exe-6

PUA.Win.Malware.Dealply-6622837-0

PUA.Win.Malware.Gamemodding-6726308-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Forced shutdown of a system process

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Parallax RAT

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/614007

Signature

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hijacks the control flow in another process

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file has nameless sections

System process connects to network (likely due to code injection or exploit)

Tries to detect virtualization through RDTSC time measurements

Yara detected Parallax RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6f8fc539952555b057adf7810aca782a29f8f624e1d46a0f4732db3763130725/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2021-02-18 23:09:54 UTC

File Type:

PE (Exe)

Extracted files:

168

AV detection:

19 of 48 (39.58%)

Threat level:

5/5

Verdict:

malicious

ParallaxRAT

1ec5aeccf89c5d7a378e443e742e37f05a2aa7cb71150ee0ca4876c6b37d7b4d

ParallaxRAT

36dabaa854dac855255b08b096a1fb6cee39f910dfbd2101812a0c5d33b1a983

ParallaxRAT

525d3b180847b425e376157caabbf860b421078903228d919d1e5e0fcce5741c

ParallaxRAT

5bd30da7b2957d66a10056315368bcdc5dbc2e2b2245d8487011a173024ab84d

ParallaxRAT

6f0f5ac2a08c4746186a79f3afe48a614b1ed180ce830058805354bfa8cb1e8e

ParallaxRAT

878780dd4a45cd2ac3266e865c987933f7f6539fe93f6bc6b314188b2e5d2a45

ParallaxRAT

bbfe5eaa0138f51710292488a384e4f6dcb65a6cba2a4c63387c714cec753d6e

ParallaxRAT

d98fd8189273e4f4fcbb8b1d5b32459b5d7adcd6eaff9efef0c32ace0fdfab0e

ParallaxRAT

f564f410274ccf48d4513984d1da95edefa874a555f5e7d95fae7f9cc1f46b6b

ParallaxRAT

+ 101 additional samples on MalwareBazaar

Result

Malware family:

parallax

Score:

10/10

Tags:

family:parallax rat

Link:

https://tria.ge/reports/210222-wd89qse42e/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops startup file

Blocklisted process makes network request

ParallaxRat

ParallaxRat payload

Unpacked files

SH256 hash:

6f8fc539952555b057adf7810aca782a29f8f624e1d46a0f4732db3763130725

MD5 hash:

e1104876ebb32f85d47d8b477eea655b

SHA1 hash:

021341b0025363363982cd57afe27451eb9774e3

Link:

https://www.unpac.me/results/d9be8933-aa8a-4217-a01f-4e2cbcc72cd2/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Backdoor

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6f8fc539952555b057adf7810aca782a29f8f624e1d46a0f4732db3763130725

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/118303/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample