MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: ParallaxRAT
Vendor detections: 11

SHA256 hash: 9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3
SHA3-384 hash: b24b153ffeb81c4ddb95342893cef47c57291eb8a297c4252ba9c41af102666adcd6849751b8bca1a471bd291dc4c270
SHA1 hash: 6c644f1ca1226feaec45935e890504ac154d183c
MD5 hash: e7955b7487f9be142b49b64aa511bc7a
humanhash: william-uncle-romeo-washington
File name: 9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3
Signature: ParallaxRAT
File size: 6'990'336 bytes
First seen: 2021-03-01 18:40:02 UTC
Last seen: 2021-03-01 20:36:28 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 0b2975681d575219fd6cd38c387372a9 (1 x ParallaxRAT)
ssdeep: 49152:ZRRr7jJdy5g8NN+SHL2jFJ0MOXHwehHqy6L87dnwb2c8+9JKIEri72zCgTX7P:ZRRPv8N1BMO5xnwb2c8G1mCgH
Threatray: 231 similar samples on MalwareBazaar
TLSH: 7B66AE683D45E096C9B293F0642BD1CA903F8E274F0C18ABB25DF6D50FB5D46A267F24
Reporter: c3rb3ru5d3d53c
Tags: ParallaxRAT


c3rb3ru5d3d53c
@c3rb3ru5d3d53c Live Hunt
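To verify a downloaded copy of this sample against the digests listed above, or to sweep a directory for the sample by MD5, SHA1 or SHA256, the following Python script is an added example written for this page; it is not MalwareBazaar's own code. It streams each file once, computes the four digests the entry lists (MD5, SHA1, SHA256, SHA3-384), classifies the IOC strings by hex length, and reports which digests match. The hash values are copied from the entry; the directory path and the buffers used in the self-check are constructed for illustration.

```python
import hashlib
import io
from pathlib import Path

# IOC hashes copied from the MalwareBazaar entry above (SHA256, SHA1, MD5).
IOC_HASHES = {
    "9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3",
    "6c644f1ca1226feaec45935e890504ac154d183c",
    "e7955b7487f9be142b49b64aa511bc7a",
}

# Digest algorithm inferred from hex length; SHA3-384 is included because the
# entry lists it, even though it is rarely used as a sharing IOC.
ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256", 96: "sha3_384"}
HEXCHARS = set("0123456789abcdef")


def digest_stream(fobj, chunk_size=1 << 20):
    """Compute md5/sha1/sha256/sha3_384 of a binary stream in a single pass."""
    hashers = {name: hashlib.new(name) for name in ALGO_BY_HEXLEN.values()}
    while True:
        chunk = fobj.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data):
    """Convenience wrapper for in-memory buffers (used by the self-check)."""
    return digest_stream(io.BytesIO(data))


def normalize_iocs(iocs):
    """Map each IOC string to its algorithm; reject anything that is not a
    well-formed hex digest of a supported length (copy-paste errors, hashes of
    unknown type) instead of silently never matching it."""
    out = {}
    for raw in iocs:
        hx = raw.strip().lower()
        algo = ALGO_BY_HEXLEN.get(len(hx))
        if algo is None or not set(hx) <= HEXCHARS:
            raise ValueError(f"not a recognised hex digest: {raw!r}")
        out[hx] = algo
    return out


def match_digests(digests, iocs):
    """Return sorted (algo, hex) pairs from `digests` that appear in `iocs`."""
    wanted = normalize_iocs(iocs)
    return sorted((algo, hx) for hx, algo in wanted.items() if digests.get(algo) == hx)


def scan_directory(root, iocs=IOC_HASHES):
    """Walk `root` and return {path: [(algo, hex), ...]} for every file whose
    digests hit the IOC set. A file that matches on SHA256 as well as MD5/SHA1
    is reported with all matching algorithms."""
    hits = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        with path.open("rb") as f:
            matched = match_digests(digest_stream(f), iocs)
        if matched:
            hits[str(path)] = matched
    return hits


if __name__ == "__main__":
    import sys
    # Hypothetical usage: python ioc_check.py /path/to/quarantine
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for p, m in scan_directory(root).items():
        print(p, ", ".join(f"{algo}={hx}" for algo, hx in m))
```

Treat the SHA256 match as authoritative when confirming you have this exact sample; the MD5 and SHA1 values are listed for interoperability with older feeds and MD5 in particular offers no collision resistance, so a hit on MD5 alone should be followed by a SHA256 comparison before the file is labelled as this entry.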

Intelligence


File Origin
# of uploads: 2
# of downloads: 140
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: http://tmobile-register.com
Verdict: Malicious activity
Analysis date: 2021-03-01 16:04:05 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Verdict: MALICIOUS
Result
Threat name: Parallax RAT
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Found potential dummy code loops (likely to delay analysis)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has nameless sections
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected Parallax RAT
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2021-03-01 18:40:11 UTC
File Type: PE (Exe)
Extracted files: 11
AV detection: 14 of 48 (29.17%)
Threat level: 5/5
Result
Malware family: parallax
Score: 10/10
Tags: family:parallax rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops startup file
Blocklisted process makes network request
ParallaxRat
ParallaxRat payload
Unpacked files
SHA256 hash: 9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3
MD5 hash: e7955b7487f9be142b49b64aa511bc7a
SHA1 hash: 6c644f1ca1226feaec45935e890504ac154d183c
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: adonunix2
Author: Tim Brown @timb_machine
Description: AD on UNIX

Rule name: crime_win32_parralax_load_1
Author: @VK_Intel
Description: Detects Parallax loader sequence
Reference: https://twitter.com/VK_Intel/status/1240676463126380545

Rule name: MALWARE_Win_ParallaxRAT
Author: ditekSHen
Description: Detects ParallaxRAT

Rule name: Parallax
Author: @bartblaze
Description: Identifies Parallax RAT.

Rule name: parallax_rat_2020
Author: jeFF0Falltrades

Rule name: Ping_Del_method_bin_mem
Author: James_inthe_box
Description: cmd ping IP nul del

Rule name: win_parallax_w0
Author: jeFF0Falltrades

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments