MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a7fab8c1fc7ffc5002452f5a783f7a43b263ad302fab8d9fdd412610122f77ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ParallaxRAT


Vendor detections: 7


Intelligence 7 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a7fab8c1fc7ffc5002452f5a783f7a43b263ad302fab8d9fdd412610122f77ce
SHA3-384 hash: e76960650ac847dc7b3403604fcc17660b0ef2cc0058c10f5c3282f1b601e11f0a01e6326568222dde641dbeb24657cb
SHA1 hash: 96c339a1d4f63b4440563f398e5d49f935a9e8e8
MD5 hash: e92ac2a61e4bf3c3da68dfc9ac3fd984
humanhash: asparagus-four-ten-cup
File name:a7fab8c1fc7ffc5002452f5a783f7a43b263ad302fab8d9fdd412610122f77ce
Download: download sample
Signature ParallaxRAT
Create hunting rule
File size:2'164'672 bytes
First seen:2021-06-11 09:44:11 UTC
Last seen:2021-06-11 10:53:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5abfdc8b79e40a46a6a568a331f4e162 (1 x ParallaxRAT)
ssdeep 49152:c8sCjX/UftsomEnDASTcGKwmghyBtTNVvfr/SAQXRKb7luc2nvK9OMy0:cijssoJnsSTSwThyBtTNRfr/SAQXRKbx
Threatray 26 similar samples on MalwareBazaar
TLSH E1A56B23F69058F2C1530E33B958F378F2AFE5B02A2D43C752949E1D2935592962DE2F
Reporter JAMESWT_WT
Tags:5.2.68.82 ART BOOK PHOTO s.r.o. exe ParallaxRAT signed

Code Signing Certificate

Organisation:ART BOOK PHOTO s.r.o.
Issuer:Sectigo RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:2021-04-30T00:00:00Z
Valid to:2022-04-30T23:59:59Z
Serial number: 5b37ac3479283b6f9d75ddf0f8742d06
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: 474242b6dd818a43ed5a19ce7c83271497137c8b5b6e9489b7cd808cac15db9d
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
10.0.7.16:50161 https://threatfox.abuse.ch/ioc/90387/

Intelligence

File Origin
# of uploads :
2
# of downloads :
196
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a7fab8c1fc7ffc5002452f5a783f7a43b263ad302fab8d9fdd412610122f77ce
Verdict:
No threats detected
Analysis date:
2021-06-11 09:45:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c82663a9-e60e-4d83-a614-0eb390597f6d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/166071/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.11938.23566.23055.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the %AppData% subdirectories
Creating a window
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c82dfc51-3de9-4a97-b43b-9731ef771ad7
Result
Threat name:
Parallax RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/800751
Signature
Allocates memory in foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Copying Sensitive Files with Credential Data
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Parallax RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 433147 Sample: 8762vHYyR4 Startdate: 11/06/2021 Architecture: WINDOWS Score: 100 50 pigghiamlnwwe.nl 2->50 52 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 Multi AV Scanner detection for submitted file 2->56 58 2 other signatures 2->58 8 8762vHYyR4.exe 2->8         started        11 8762vHYyR4.exe 2->11         started        signatures3 process4 signatures5 60 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->60 62 Writes to foreign memory regions 8->62 64 Allocates memory in foreign processes 8->64 13 cmd.exe 1 8->13         started        16 sxstrace.exe 8->16         started        19 cmd.exe 1 8->19         started        66 Multi AV Scanner detection for dropped file 11->66 68 Maps a DLL or memory area into another process 11->68 21 sxstrace.exe 11->21         started        23 cmd.exe 1 11->23         started        25 cmd.exe 1 11->25         started        process6 dnsIp7 70 Uses schtasks.exe or at.exe to add and modify task schedules 13->70 27 xcopy.exe 4 13->27         started        30 conhost.exe 13->30         started        48 pigghiamlnwwe.nl 5.2.68.82, 49725, 49733, 49746 LITESERVERNL Netherlands 16->48 72 Tries to detect virtualization through RDTSC time measurements 16->72 32 conhost.exe 19->32         started        34 schtasks.exe 1 19->34         started        36 conhost.exe 23->36         started        38 xcopy.exe 1 23->38         started        40 conhost.exe 25->40         started        42 schtasks.exe 1 25->42         started        signatures8 process9 file10 44 C:\Users\user\AppData\...\8762vHYyR4.exe, PE32 27->44 dropped 46 C:\Users\...\8762vHYyR4.exe:Zone.Identifier, ASCII 27->46 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a7fab8c1fc7ffc5002452f5a783f7a43b263ad302fab8d9fdd412610122f77ce/
Threat name:
Win32.Backdoor.ParallaxRat
Create hunting rule
Status:
Malicious
First seen:
2021-05-17 15:58:35 UTC
File Type:
PE (Exe)
Extracted files:
60
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u75lrqp4p76faasff5nhqp32iozghljqf6vy3h65ietbaerpo7ha._file
Verdict:
unknown
Similar samples:
0444d0bab0ffad641edae84a28cdf4070dfeada30c51d8b204dec98c40154b5b
ParallaxRAT
0cfa9021ddabb0a9f3306397234f3f19ce70da1082b4291bfe9477c974aebbec
ParallaxRAT
385eb4274de2282360a7010b5739769fb6dd69a889626c0fddc6a3a6d4c1251f
ParallaxRAT
43fd77d5c17fe83426f69d80761716b61759744c2f23a5efeffac6c07e97372b
ParallaxRAT
6f522cc6adbe791575df40a518ba10c89cb54af0d849be0841b036b05d441fa9
ParallaxRAT
7764deac5e57af30b369e616b5904163147abbbd960c420b1f2b2eec055238fb
ParallaxRAT
83afabd3bf44ba07ad9b09ffc85db8ea7ff0a32d888bd829e8733dcd2cd2779e
ParallaxRAT
a88998b7b275d866ea3aec24b45488299384a2d8e0f2db60447f26bd550856ce
ParallaxRAT
abba8d0990bb52ecc9c282ca8e98e83076fbd5d86afe2efecdbc236a5c610de8
ParallaxRAT
ccc04dc8264252deee19e690583b72d4c056b93bcdb492665877cc60973ac18a
ParallaxRAT
+ 16 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/210611-epns6tw59s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
a7fab8c1fc7ffc5002452f5a783f7a43b263ad302fab8d9fdd412610122f77ce
MD5 hash:
e92ac2a61e4bf3c3da68dfc9ac3fd984
SHA1 hash:
96c339a1d4f63b4440563f398e5d49f935a9e8e8
Link:
https://www.unpac.me/results/7bfe4df7-b504-432b-821b-915cf58fa32d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a7fab8c1fc7ffc5002452f5a783f7a43b263ad302fab8d9fdd412610122f77ce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/166071/

Comments