MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 823cb4b92a1266c880d917c7d6f71da37d524166287b30c0c89b6bb03c2e4b64. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: ParallaxRAT
Vendor detections: 9

SHA256 hash: 823cb4b92a1266c880d917c7d6f71da37d524166287b30c0c89b6bb03c2e4b64
SHA3-384 hash: c7dff0c32067bb73064eff73b55ad074f95b73c6d37b1c82fdfd19dc923664857f9ff43e6ee3817f6e3117d8bb7a725c
SHA1 hash: 4f037fcc7ce0f5509ee451e4760e21b9ca3ff55f
MD5 hash: 7c4ac7601ff409585e404ce409744918
humanhash: charlie-black-papa-quebec
File name: 823cb4b92a1266c880d917c7d6f71da37d524166287b30c0c89b6bb03c2e4b64
Signature: ParallaxRAT
File size: 10'163'696 bytes
First seen: 2021-04-01 06:42:56 UTC
Last seen: 2021-04-01 08:28:43 UTC
File type: DLL dll
MIME type: application/x-dosexec
imphash: e1e1d85093a0cacbfab765cb75c85f36 (1 x ParallaxRAT)
ssdeep: 98304:LMaZJSvOsQRt7puZQbAkfK0/IoAAtTqNEwRV3Q+rML7I5d4mt2BtxjK8uo:jKOs+1puybAylwNEwRV3Q4t5x2Twi
Threatray: 89 similar samples on MalwareBazaar
TLSH: 54A6D0216250553ED4AB0B3A043BB6659A3FFF613A13C94B67F04C8C8F36691793E25B
Reporter: JAMESWT_WT
Tags: Al-Faris group d.o.o. ParallaxRAT signed

Code Signing Certificate

Organisation: Al-Faris group d.o.o.
Issuer: Sectigo RSA Code Signing CA
Algorithm: sha256WithRSAEncryption
Valid from: 2021-03-22T00:00:00Z
Valid to: 2022-03-22T23:59:59Z
Serial number: c79f817f082986bef3209f6723c8da97
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist: This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm: SHA256
Thumbprint: 4ff7654904aeccbb8d1feef345194cd318186728f28410795c8844d4fc4201e0
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads: 2
# of downloads: 109
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Sending a UDP request
Transferring files using the Background Intelligent Transfer Service (BITS)
DNS request
Sending a custom TCP request
Creating a file in the %temp% directory
Enabling the 'hidden' option for files in the %temp% directory
Moving a file to the %temp% directory
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 72 / 100
Signature
Allocates memory in foreign processes
Hijacks the control flow in another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Behaviour
Behavior Graph (rendered as an image on the original page; only the textual data survives): ID 379807, sample wfmRLjNwNr, start date 01/04/2021, architecture WINDOWS, score 72. Process chain: loaddll32.exe starts rundll32.exe, cmd.exe and 15 other processes; the rundll32.exe instances start notepad.exe processes, which are flagged for memory allocation in foreign processes, overwritten code with unconditional jumps, hijacked control flow and writes to foreign memory regions. Network contacts from the injected notepad.exe processes: 192.168.2.1 (unknown), 151.139.128.11 (HIGHWINDS3US, United States), 8.8.8.8 (GOOGLEUS, United States).
Threat name: Win32.Downloader.Penguish
Status: Malicious
First seen: 2021-03-29 18:41:53 UTC
File Type: PE (Dll)
Extracted files: 37
AV detection: 4 of 48 (8.33%)
Threat level: 3/5
Result
Malware family: parallax
Score: 10/10
Tags: family:parallax rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Blocklisted process makes network request
ParallaxRat
ParallaxRat payload
Unpacked files
SHA256 hash: c7fbdc61eb62c05e40295617e2db75877672931f751a770d2629e6eab6075f2c
MD5 hash: abf6c724b20844d5b0073988a58faf1e
SHA1 hash: 7a8269d5b2ae623f8148ce9863f48f7e12ce036b
SHA256 hash: 77e6ca82cf5ad04da5726132bd22a9ccb2d263d45cddd65eb95e10de82b553ba
MD5 hash: 502e14c51703992ae8463b79527c98ff
SHA1 hash: daf88503208d792f53cf59e0bc636b5c093fc22a
SHA256 hash: 823cb4b92a1266c880d917c7d6f71da37d524166287b30c0c89b6bb03c2e4b64
MD5 hash: 7c4ac7601ff409585e404ce409744918
SHA1 hash: 4f037fcc7ce0f5509ee451e4760e21b9ca3ff55f
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Adsterra_Adware_DOM
Author: IlluminatiFish
Description: Detects Adsterra adware script being loaded without the user's consent
Rule name: crime_win32_parallax_payload_1
Author: @VK_Intel
Description: Detects Parallax Injected Payload v1.01
Reference: https://twitter.com/VK_Intel/status/1227976106227224578
Rule name: crime_win32_parralax_load_1
Author: @VK_Intel
Description: Detects Parallax loader sequence
Reference: https://twitter.com/VK_Intel/status/1240676463126380545
Rule name: crime_win32_rat_parralax_shell_bin
Author: @VK_Intel
Description: Detects Parallax injected code
Reference: https://twitter.com/VK_Intel/status/1257714191902937088
Rule name: MALWARE_Win_ParallaxRAT
Author: ditekSHen
Description: Detects ParallaxRAT
Rule name: MAL_crime_win32_rat_parallax_shell_bin
Author: @VK_Intel
Description: Detects Parallax injected code
Reference: https://twitter.com/VK_Intel/status/1257714191902937088
Rule name: Parallax
Author: @bartblaze
Description: Identifies Parallax RAT.
Rule name: parallax_rat_2020
Author: jeFF0Falltrades
Rule name: win_parallax_w0
Author: jeFF0Falltrades

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments