MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f9d53981687f9cb6b3e49f03565cdda8e4ca9ccce56122f435f8851d7425f2b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ParallaxRAT

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	8f9d53981687f9cb6b3e49f03565cdda8e4ca9ccce56122f435f8851d7425f2b
SHA3-384 hash:	6c75afa6b7d8721aa3b301d32b59bb6b30c78d4eb061b689dbd7ddcde7915baa8fc618c55d87c13341ff1297f75dc778
SHA1 hash:	ac7107d3dcf366fa39107dd71a1809a4989fa9c6
MD5 hash:	045f5240d8c78f8b71a4c8adb12de6b3
humanhash:	lion-papa-alanine-ceiling
File name:	8f9d53981687f9cb6b3e49f03565cdda8e4ca9ccce56122f435f8851d7425f2b.bin
Download:	download sample
Signature	ParallaxRAT Create hunting rule
File size:	3'394'880 bytes
First seen:	2020-12-23 12:48:23 UTC
Last seen:	2020-12-23 14:41:13 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	cba4d2b52b38640afd02a60070bee181 (1 x ParallaxRAT)
ssdeep	98304:g9iNy9O4C+LCvNU0LZCH97PVBIM2jPv1/Tp:g9iNzd67PVBIM0t
Threatray	6 similar samples on MalwareBazaar
TLSH	CAF58DB17A81407EC2331332CD5BFF78B1EDE1610A36F287EA5C97AD2E31582591856B
Reporter	JAMESWT_WT
Tags:	Cifromatika LLC ParallaxRAT signed

Code Signing Certificate

Organisation:	GlobalSign Timestamping CA - SHA256 - G2
Issuer:	GlobalSign
Algorithm:	sha256WithRSAEncryption
Valid from:	Aug 2 10:00:00 2011 GMT
Valid to:	Mar 29 10:00:00 2029 GMT
Serial number:	0400000000013189C65004
Intelligence:	8 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	9BF9496777D14425ED0086C1BB2C0707B62A61C194C5162E4F07637AFF166B76
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

639

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

8f9d53981687f9cb6b3e49f03565cdda8e4ca9ccce56122f435f8851d7425f2b.bin

Verdict:

Malicious activity

Analysis date:

2020-12-23 12:52:15 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/8f0f661e-b0d8-430a-a35c-e475f5b2af98

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Parallax

Link:

https://www.capesandbox.com/analysis/109171/

Detection(s):

SecuriteInfo.com.BackDoor.Rat.312.29474.29684.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Transferring files using the Background Intelligent Transfer Service (BITS)

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Moving a file to the %AppData% directory

Deleting a recently created file

Creating a file in the %temp% directory

Launching a process

Creating a window

DNS request

Forced shutdown of a system process

Unauthorized injection to a system process

Sending a TCP request to an infection source

Enabling autorun by creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/569170

Signature

Allocates memory in foreign processes

Antivirus detection for dropped file

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Sigma detected: Suspicious Svchost Process

System process connects to network (likely due to code injection or exploit)

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8f9d53981687f9cb6b3e49f03565cdda8e4ca9ccce56122f435f8851d7425f2b/

Threat name:

Win32.Trojan.Ymacco

Status:

Malicious

First seen:

2020-12-22 09:58:28 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

14 of 28 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=r6ovhgawq744w2z6jhydkzon3khezkomzzlbel2dl6efdv2cl4vq._file

Verdict:

suspicious

ParallaxRAT

6cf91b93dd7a3a6aca9878a5cf252af90000628486161243a086d6477d5d1f04

ParallaxRAT

766ae308afb49c217831d41fed49685601ceea7ac7a16ccfd23fb33c0fae7cc2

ParallaxRAT

812ffdf59994608aafb5feabac1aa96c81a9af8de5f197d57c06b8f28b83aadc

ParallaxRAT

d71ea69b5e2fa547ef05778e28b35398077e08f5a65aa2c38b46f1eddc78b373

ParallaxRAT

f7bab5e7e4487b86dd052dc4e9b9fd27f53d1a33852f6e5ce9ae91c302c33bcf

ParallaxRAT

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/201223-vehmhf226j/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Unpacked files

SH256 hash:

8f9d53981687f9cb6b3e49f03565cdda8e4ca9ccce56122f435f8851d7425f2b

MD5 hash:

045f5240d8c78f8b71a4c8adb12de6b3

SHA1 hash:

ac7107d3dcf366fa39107dd71a1809a4989fa9c6

Link:

https://www.unpac.me/results/ee35a7b7-11b9-4cd4-ba54-023c8ebeeede/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Backdoor

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8f9d53981687f9cb6b3e49f03565cdda8e4ca9ccce56122f435f8851d7425f2b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/109171/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample