MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7764deac5e57af30b369e616b5904163147abbbd960c420b1f2b2eec055238fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ParallaxRAT


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7764deac5e57af30b369e616b5904163147abbbd960c420b1f2b2eec055238fb
SHA3-384 hash: 9fb9c034456746aeb1708ef84c75beb30f4a1a3b727d490b0843dbd7f6b4cf8c5c2bde8a679a97f89bd1bbcc2a4fcf18
SHA1 hash: 9f6dee05370cef6fbc668d07fb20d10c1b04b664
MD5 hash: f4d05a53240ba7e2bbe5cc842d2b814c
humanhash: winter-crazy-robin-illinois
File name:7764deac5e57af30b369e616b5904163147abbbd960c420b1f2b2eec055238fb
Download: download sample
Signature ParallaxRAT
Create hunting rule
File size:2'016'698 bytes
First seen:2021-05-17 17:10:33 UTC
Last seen:2021-06-11 09:43:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1694a5ba33cf6c0c1112f62087671cf9 (4 x ParallaxRAT)
ssdeep 49152:3EWzRJhI9v5cQ52BEcZ17xatMGOG9pg4AFOkkO6xVzd:3prhInT52BRZ1xatWG9pg4AEkkO6xVzd
Threatray 1'348 similar samples on MalwareBazaar
TLSH E8957E7136446877C1230F30B90CFB7AF16F66FC0FA661C75294AAB8293D142961DE7A
Reporter JAMESWT_WT
Tags:5.2.68.82 MPO STORITVE d.o.o. ParallaxRAT signed

Code Signing Certificate

Organisation:MPO STORITVE d.o.o.
Issuer:Sectigo RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:2021-04-30T00:00:00Z
Valid to:2022-04-30T23:59:59Z
Serial number: df45b36c9d0bd248c3f9494e7ca822
Thumbprint Algorithm:SHA256
Thumbprint: 781818b4f702f43108fe085b9440d2c13c3af41627340b98fcd77d627e2617ec
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
200
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7764deac5e57af30b369e616b5904163147abbbd960c420b1f2b2eec055238fb
Verdict:
No threats detected
Analysis date:
2021-05-17 17:16:20 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4e17e070-487d-4b81-9dd0-00e6ebad7afd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/157930/
Detection(s):
SecuriteInfo.com.BackDoor.Rat.355.28196.11397.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the %AppData% subdirectories
Forced shutdown of a system process
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Parallax RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/783671
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Copying Sensitive Files with Credential Data
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Parallax RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 416067 Sample: nc5lyh9TTf Startdate: 17/05/2021 Architecture: WINDOWS Score: 100 52 strattonprlxmaespm.com 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 Antivirus / Scanner detection for submitted sample 2->56 58 Multi AV Scanner detection for submitted file 2->58 60 3 other signatures 2->60 8 nc5lyh9TTf.exe 2->8         started        11 nc5lyh9TTf.exe 2->11         started        signatures3 process4 signatures5 62 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->62 64 Writes to foreign memory regions 8->64 66 Allocates memory in foreign processes 8->66 68 Maps a DLL or memory area into another process 8->68 13 cmd.exe 1 8->13         started        16 sxstrace.exe 8->16         started        19 cmd.exe 1 8->19         started        70 Antivirus detection for dropped file 11->70 72 Multi AV Scanner detection for dropped file 11->72 74 Machine Learning detection for dropped file 11->74 21 sxstrace.exe 11->21         started        23 cmd.exe 1 11->23         started        25 cmd.exe 1 11->25         started        process6 dnsIp7 76 Uses schtasks.exe or at.exe to add and modify task schedules 13->76 27 xcopy.exe 4 13->27         started        30 conhost.exe 13->30         started        48 strattonprlxmaespm.com 5.2.68.82, 49733, 49744, 8090 LITESERVERNL Netherlands 16->48 78 Tries to detect virtualization through RDTSC time measurements 16->78 32 conhost.exe 19->32         started        34 schtasks.exe 1 19->34         started        50 192.168.2.1 unknown unknown 21->50 36 conhost.exe 23->36         started        38 xcopy.exe 1 23->38         started        40 conhost.exe 25->40         started        42 schtasks.exe 1 25->42         started        signatures8 process9 file10 44 C:\Users\user\AppData\...\nc5lyh9TTf.exe, PE32 27->44 dropped 46 C:\Users\...\nc5lyh9TTf.exe:Zone.Identifier, ASCII 27->46 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7764deac5e57af30b369e616b5904163147abbbd960c420b1f2b2eec055238fb/
Threat name:
Win32.Backdoor.ParallaxRat
Create hunting rule
Status:
Malicious
First seen:
2021-05-17 06:01:51 UTC
File Type:
PE (Exe)
Extracted files:
60
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o5sn5lc6k6xtbm3j4ylllecbmmkhvo55sygeecy7fmxoybkshd5q._file
Verdict:
unknown
Similar samples:
0444d0bab0ffad641edae84a28cdf4070dfeada30c51d8b204dec98c40154b5b
ParallaxRAT
0cfa9021ddabb0a9f3306397234f3f19ce70da1082b4291bfe9477c974aebbec
ParallaxRAT
222c327eef40050baf9e05f80d39f53bf7955bd84bf212887405a665060c369f
ParallaxRAT
385eb4274de2282360a7010b5739769fb6dd69a889626c0fddc6a3a6d4c1251f
ParallaxRAT
43fd77d5c17fe83426f69d80761716b61759744c2f23a5efeffac6c07e97372b
ParallaxRAT
6a28f7fb457fb484c1fbcceb41b10637345b18950b62df89c0a7689dd4f20d68
ParallaxRAT
6f522cc6adbe791575df40a518ba10c89cb54af0d849be0841b036b05d441fa9
ParallaxRAT
83afabd3bf44ba07ad9b09ffc85db8ea7ff0a32d888bd829e8733dcd2cd2779e
ParallaxRAT
ccc04dc8264252deee19e690583b72d4c056b93bcdb492665877cc60973ac18a
ParallaxRAT
ebf0083ad227764b7963171f0c2d156f56ad5a5835ce1a74e3c85b4902b04695
ParallaxRAT
+ 1'338 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/210517-81w3evfhw2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/157930/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-17 18:25:07 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
1) [B0009.012] Anti-Behavioral Analysis::Human User Check
2) [F0002.002] Collection::Polling
3) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
4) [C0028.002] Cryptography Micro-objective::RC4 KSA::Encryption Key
5) [C0026.002] Data Micro-objective::XOR::Encode Data
6) [C0030.005] Data Micro-objective::FNV::Non-Cryptographic Hash
8) [C0045] File System Micro-objective::Copy File
9) [C0047] File System Micro-objective::Delete File
10) [C0049] File System Micro-objective::Get File Attributes
11) [C0051] File System Micro-objective::Read File
12) [C0052] File System Micro-objective::Writes File
13) [C0007] Memory Micro-objective::Allocate Memory
14) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
15) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
16) [C0036.002] Operating System Micro-objective::Delete Registry Key::Registry
17) [C0036.007] Operating System Micro-objective::Delete Registry Value::Registry
18) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
19) [C0036.005] Operating System Micro-objective::Query Registry Key::Registry
20) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
21) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
22) [C0040] Process Micro-objective::Allocate Thread Local Storage
23) [C0017] Process Micro-objective::Create Process
24) [C0038] Process Micro-objective::Create Thread
25) [C0054] Process Micro-objective::Resume Thread
26) [C0041] Process Micro-objective::Set Thread Local Storage Value
27) [C0018] Process Micro-objective::Terminate Process