MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88c109e8bca8a35c02efa6ce6f27bb714d16623382cd8181011e8776c5f017a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ParallaxRAT


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 88c109e8bca8a35c02efa6ce6f27bb714d16623382cd8181011e8776c5f017a5
SHA3-384 hash: 19de59867cddb9c6434e4e001184ffe730e48fd0f27c1ab11db0ec726c4b17df8bbad16436295c57869b5364d554cadb
SHA1 hash: 6988b2e332875d33524fdb2b7c63001f8a064fe7
MD5 hash: 5869105d4b319a612a5e25fa265fd85d
humanhash: fifteen-april-finch-jersey
File name:88c109e8bca8a35c02efa6ce6f27bb714d16623382cd8181011e8776c5f017a5.bin
Download: download sample
Signature ParallaxRAT
Create hunting rule
File size:10'552'384 bytes
First seen:2021-09-06 09:46:21 UTC
Last seen:2021-10-21 09:39:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5a594319a0d69dbc452e748bcf05892e (21 x ParallaxRAT, 20 x Gh0stRAT, 15 x NetSupport)
ssdeep 196608:0U2iUnlrh80qwSzzlmxSMTy4HFia21iLbC6Rd4AebYVp/Xe1l+V:q5nlrhcQxSMT5il1iLf4Aeb4Xi+V
TLSH T182B6233FF268A53FD46E1B3245739260887B7A61781A8C2B47FC794CCF365600E3A656
dhash icon 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter JAMESWT_WT
Tags:51.195.57.233 exe ParallaxRAT signed WATER s.r.o.

Code Signing Certificate

Organisation:WATER, s.r.o.
Issuer:Sectigo Public Code Signing CA R36
Algorithm:sha384WithRSAEncryption
Valid from:2021-06-03T00:00:00Z
Valid to:2022-06-03T23:59:59Z
Serial number: 28c57df09ce7cc3fde2243beb4d00101
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: 52aff2b104a0adea835d0f4765ea4cf5f20c794bf859e4c9c1481122365ac20b
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
173
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
hhhuu.pif
Verdict:
Suspicious activity
Analysis date:
2021-09-04 12:51:49 UTC
Tags:
installer
Link:
https://app.any.run/tasks/2229c524-3ccd-49c9-85d0-b5ccf5b635ef

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/185627/
Detection(s):
PUA.Win.Packer.Exe-6
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating a file in the %AppData% directory
Deleting a recently created file
Launching a process
Transferring files using the Background Intelligent Transfer Service (BITS)
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Sending a UDP request
Enabling the 'hidden' option for files in the %temp% directory
Moving a recently created file
Unauthorized injection to a system process
Forced shutdown of a system process
Malware family:
Parallax RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e8e2c43b-a0f7-4bec-8f0c-c52432cb067f
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
57 / 100
Link:
https://www.joesandbox.com/analysis/845909
Signature
Hijacks the control flow in another process
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 478337 Sample: awpIrFBvM7.bin Startdate: 06/09/2021 Architecture: WINDOWS Score: 57 41 ipv4.imgur.map.fastly.net 2->41 43 imagizer.imageshack.com 2->43 45 2 other IPs or domains 2->45 53 Multi AV Scanner detection for dropped file 2->53 55 Multi AV Scanner detection for submitted file 2->55 10 awpIrFBvM7.exe 2 2->10         started        signatures3 process4 file5 31 C:\Users\user\AppData\...\awpIrFBvM7.tmp, PE32 10->31 dropped 13 awpIrFBvM7.tmp 3 22 10->13         started        process6 file7 33 C:\Users\user\AppData\Roaming\winhlp.exe, PE32 13->33 dropped 35 C:\Users\user\AppData\Local\...\twain_32.dll, PE32 13->35 dropped 37 C:\Users\user\AppData\Roaming\rtl220.bpl, PE32 13->37 dropped 39 8 other files (none is malicious) 13->39 dropped 16 winhlp.exe 13->16         started        process8 signatures9 49 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 16->49 51 Hijacks the control flow in another process 16->51 19 dllhost.exe 16->19         started        process10 signatures11 57 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 19->57 59 Hijacks the control flow in another process 19->59 61 Writes to foreign memory regions 19->61 63 Maps a DLL or memory area into another process 19->63 22 cmd.exe 5 19->22         started        process12 dnsIp13 47 matricianebpk2mas.pw 5.2.68.81, 20190 LITESERVERNL Netherlands 22->47 27 C:\Users\user\AppData\Local\Adobe\...\slc.dll, PE32 22->27 dropped 29 C:\Users\user\AppData\...\DisplaySwitch.exe, PE32 22->29 dropped 65 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 22->65 67 Tries to detect virtualization through RDTSC time measurements 22->67 file14 signatures15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/88c109e8bca8a35c02efa6ce6f27bb714d16623382cd8181011e8776c5f017a5/
Threat name:
Win32.Downloader.Penguish
Create hunting rule
Status:
Malicious
First seen:
2021-09-04 03:37:15 UTC
File Type:
PE (Exe)
AV detection:
14 of 43 (32.56%)
Threat level:
  3/5
Result
Malware family:
parallax
Create hunting rule
Score:
  10/10
Tags:
family:parallax rat upx
Link:
https://tria.ge/reports/210906-lr7snaeafp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
UPX packed file
ParallaxRat
ParallaxRat payload
Unpacked files
SH256 hash:
4daf3a4d3d7a213e86e667f66ec57fd81d0a833ee161be5db63ce5af48e4a5b7
MD5 hash:
448a6f10fc2629c90d3004cdf9a66615
SHA1 hash:
eec69ae3ddc6af27de19eebf1aca98ef5070dc62
Link:
https://www.unpac.me/results/326783ca-a9cc-436d-b499-a05421c9afa7/
SH256 hash:
ab209544ea6f87e294a705e8e370f015141b53cdf61d3f82779cb8ea3782018c
MD5 hash:
9fce40e0a36054ca80855baa1e57b8b7
SHA1 hash:
fbbed301eb77b2bda312c528df46574ed2af9fb0
Link:
https://www.unpac.me/results/326783ca-a9cc-436d-b499-a05421c9afa7/
SH256 hash:
c234a9221bfffc0e117ebbf8c440ac7ba389750167e694a5517921f8641935a9
MD5 hash:
f93ecaa44932c55338dd5282106c1df3
SHA1 hash:
9f444fea5dfd0ca3814121ac59958dd7ec68e677
Link:
https://www.unpac.me/results/326783ca-a9cc-436d-b499-a05421c9afa7/
SH256 hash:
b8949083e13c347c7c8b3385bcd9cd9bd23ad836ad4fa45ac5f176ff2477f101
MD5 hash:
ddfcdae7448eb73c69e88f1627018119
SHA1 hash:
92e93e81900a57eb2412914e720b12ecc53f88f0
Link:
https://www.unpac.me/results/326783ca-a9cc-436d-b499-a05421c9afa7/
SH256 hash:
f9da1dd8f086e5baf900ae2d9f64a408c7a2e97ff18ff0c9ce2d367088663cae
MD5 hash:
96fad8da2c6f71cccebe8f1325e28609
SHA1 hash:
863de78fb4ab87ee87a3635229a6d8aee3b0d058
Detections:
win_houdini_auto
Create hunting rule
Link:
https://www.unpac.me/results/326783ca-a9cc-436d-b499-a05421c9afa7/
Parent samples :
88c109e8bca8a35c02efa6ce6f27bb714d16623382cd8181011e8776c5f017a5
3dc57b8c1b003726285ee72400d7d0f841d42d0457febe98eb67215fbc9e2654
7cac5beac0a313ef0a69af7c694c87692deb59d7d90839f79c4a20213d7f03e5
efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1
SH256 hash:
e39190ad1cec84c22a38b1119c95ce33cf3adf0d4672de6fd50646aa8a0110b1
MD5 hash:
4c90d39082b3f71687f8a49f0d0b6fdd
SHA1 hash:
441167cfe9d5e1f098dc739d62ae50d595b17f27
Link:
https://www.unpac.me/results/326783ca-a9cc-436d-b499-a05421c9afa7/
SH256 hash:
d4eb8f8f03146518a7d6c008f9c761270fb4b2e232bc339919a4b8c933873131
MD5 hash:
dd0edfde096c5acb72a52588d55a5617
SHA1 hash:
56ccbba8010cdbea9c5d195c5c5ad232a18f840b
Link:
https://www.unpac.me/results/326783ca-a9cc-436d-b499-a05421c9afa7/
SH256 hash:
88c109e8bca8a35c02efa6ce6f27bb714d16623382cd8181011e8776c5f017a5
MD5 hash:
5869105d4b319a612a5e25fa265fd85d
SHA1 hash:
6988b2e332875d33524fdb2b7c63001f8a064fe7
Link:
https://www.unpac.me/results/326783ca-a9cc-436d-b499-a05421c9afa7/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/88c109e8bca8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.09
Link:
https://yomi.yoroi.company/submissions/88c109e8bca8a35c02efa6ce6f27bb714d16623382cd8181011e8776c5f017a5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/185627/

Comments