MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ParallaxRAT


Vendor detections: 11



SHA256 hash: 7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5
SHA3-384 hash: a60d9ed09fa0b8aa46d4337c8bac0ae2c5cad0f5ffcd4296aa091c225a53533f97e4ee4be326b6937f1ac41d05ac74bc
SHA1 hash: a8c2b3b618c51afa15425cdc6f9e5f7befa68e6a
MD5 hash: 0956923f0ae4416c739e14fc03e8c866
humanhash: zebra-lithium-grey-kitten
File name: 7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5
Signature: ParallaxRAT
File size: 7'458'128 bytes
First seen: 2021-10-21 09:50:32 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5a594319a0d69dbc452e748bcf05892e (21 x ParallaxRAT, 20 x Gh0stRAT, 15 x NetSupport)
ssdeep: 196608:9Nyz8XyEa/wMwEuTusb9LxBEcAV3wAS0kO+0:9NyzZwMCusb9AciAAxh+0
Threatray: 6'810 similar samples on MalwareBazaar
TLSH: T14276223FF228653FC46E173205B39260997B7A65B81A8C1B07FC785DCF361601E3A65A
dhash icon: 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter: JAMESWT_WT
Tags: 51.195.57.233 exe ParallaxRAT Rose Holm International ApS

Intelligence


File Origin
# of uploads: 1
# of downloads: 173
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5
Verdict: Malicious activity
Analysis date: 2021-10-21 09:50:53 UTC
Tags: installer trojan parallax

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: overlay packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Parallax RAT
Detection: malicious
Classification: troj.evad
Score: 78 / 100
Signature
Hijacks the control flow in another process
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected Parallax RAT
Behaviour
Behavior Graph (rendered graph flattened by extraction; node contents listed below):
Behavior Graph ID: 506887
Sample: Fi4QFmsB1v
Start date: 21/10/2021
Architecture: WINDOWS
Score: 78
Process chain: Fi4QFmsB1v.exe -> Fi4QFmsB1v.tmp -> winhlp.exe -> dllhost.exe -> cmd.exe
Dropped files: C:\Users\user\AppData\...\Fi4QFmsB1v.tmp (PE32, dropped by Fi4QFmsB1v.exe); C:\Users\user\AppData\Roaming\winhlp.exe (PE32), C:\Users\user\AppData\Roaming\MSIMG32.dll (PE32), C:\Users\user\AppData\Local\...\winhlp.exe (PE32) and 8 other files (1 malicious), all dropped by Fi4QFmsB1v.tmp
Contacted hosts: trostryprllspmret.co; imagizer.imageshack.com; h9i4k4c8.stackpathcdn.com (151.139.128.11, port 443, local ports 49697 and 49698, HIGHWINDS3US, United States, contacted by dllhost.exe); 192.168.2.1 (unknown, contacted by dllhost.exe)
Signatures on sample: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 2 other signatures
Signatures on winhlp.exe: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Hijacks the control flow in another process
Signatures on dllhost.exe: System process connects to network (likely due to code injection or exploit); Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Hijacks the control flow in another process; 2 other signatures
Threat name: Win32.Downloader.Penguish
Status: Malicious
First seen: 2021-09-01 18:09:41 UTC
AV detection: 17 of 28 (60.71%)
Threat level: 3/5
Result
Malware family: parallax
Score: 10/10
Tags: family:parallax rat upx
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
UPX packed file
ParallaxRat
ParallaxRat payload
Unpacked files
SHA256 hash: 4daf3a4d3d7a213e86e667f66ec57fd81d0a833ee161be5db63ce5af48e4a5b7
MD5 hash: 448a6f10fc2629c90d3004cdf9a66615
SHA1 hash: eec69ae3ddc6af27de19eebf1aca98ef5070dc62

SHA256 hash: ab209544ea6f87e294a705e8e370f015141b53cdf61d3f82779cb8ea3782018c
MD5 hash: 9fce40e0a36054ca80855baa1e57b8b7
SHA1 hash: fbbed301eb77b2bda312c528df46574ed2af9fb0

SHA256 hash: 5d27d088b0348b8d22dd1529659961348d6dcaba0297a7f36f9a94dd6e949e29
MD5 hash: 7580554c47f472677e1056bbdfab2340
SHA1 hash: e663fe5b6c0e478dd89c67b6d4a27267d0f7cee5

SHA256 hash: f9da1dd8f086e5baf900ae2d9f64a408c7a2e97ff18ff0c9ce2d367088663cae
MD5 hash: 96fad8da2c6f71cccebe8f1325e28609
SHA1 hash: 863de78fb4ab87ee87a3635229a6d8aee3b0d058
Detections: win_houdini_auto

SHA256 hash: 30098bbeac856f031f26c3fbcc43e579cde33bbde476b798f060987782cd21f3
MD5 hash: 7fc45182667dfce2ae187002f7f6cf90
SHA1 hash: 214e2672ae1082dd699244f68999761c07ed906c

SHA256 hash: 7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5
MD5 hash: 0956923f0ae4416c739e14fc03e8c866
SHA1 hash: a8c2b3b618c51afa15425cdc6f9e5f7befa68e6a
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments