MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a88998b7b275d866ea3aec24b45488299384a2d8e0f2db60447f26bd550856ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ParallaxRAT


Vendor detections: 7


Intelligence 7 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a88998b7b275d866ea3aec24b45488299384a2d8e0f2db60447f26bd550856ce
SHA3-384 hash: b8107ac734684f250ba750b333929b71f00194236025384bd59442a2292c5263348d017811023e193be9c03a86dc543f
SHA1 hash: e5fb210fab9cceb1a3c674de2aaefbd951ba4e92
MD5 hash: a67f4fad7dd342600c8ff5e5ede970bb
humanhash: lemon-happy-shade-ink
File name:a67f4fad7dd342600c8ff5e5ede970bb.exe
Download: download sample
Signature ParallaxRAT
Create hunting rule
File size:2'106'298 bytes
First seen:2021-06-01 06:01:22 UTC
Last seen:2021-06-11 09:47:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1694a5ba33cf6c0c1112f62087671cf9 (4 x ParallaxRAT)
ssdeep 49152:KEWzRJhI9v5cQ52BEcZ17xatMGOG9pg4AFOkkO6xVzM:KprhInT52BRZ1xatWG9pg4AEkkO6xVzM
Threatray 1'656 similar samples on MalwareBazaar
TLSH 01A58E7136406876C1230F30B90DFB7AF16F69FC0FB661C75294AAB8293D142961DE7A
Reporter abuse_ch
Tags:5.2.68.82 exe ParallaxRAT


Avatar
abuse_ch
ParallaxRAT C2:
10.0.7.41:49757

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
10.0.7.41:49757 https://threatfox.abuse.ch/ioc/68302/

Intelligence

File Origin
# of uploads :
3
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a67f4fad7dd342600c8ff5e5ede970bb.exe
Verdict:
No threats detected
Analysis date:
2021-06-01 06:02:56 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f2e70347-2a85-45d8-95e7-cdd53e5b3f2d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/163633/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.36997983.26823.2657.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the %AppData% subdirectories
Creating a window
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Parallax RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/794986
Signature
Allocates memory in foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Copying Sensitive Files with Credential Data
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Parallax RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 427382 Sample: 2s90sdzgFd.exe Startdate: 01/06/2021 Architecture: WINDOWS Score: 100 50 strattonprlxmaespm.com 2->50 52 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 Multi AV Scanner detection for submitted file 2->56 58 3 other signatures 2->58 8 2s90sdzgFd.exe 2->8         started        11 2s90sdzgFd.exe 2->11         started        signatures3 process4 signatures5 60 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->60 62 Writes to foreign memory regions 8->62 64 Allocates memory in foreign processes 8->64 13 cmd.exe 1 8->13         started        16 sxstrace.exe 8->16         started        19 cmd.exe 1 8->19         started        66 Multi AV Scanner detection for dropped file 11->66 68 Machine Learning detection for dropped file 11->68 70 Maps a DLL or memory area into another process 11->70 21 sxstrace.exe 11->21         started        23 cmd.exe 1 11->23         started        25 cmd.exe 1 11->25         started        process6 dnsIp7 72 Uses schtasks.exe or at.exe to add and modify task schedules 13->72 27 xcopy.exe 4 13->27         started        30 conhost.exe 13->30         started        48 strattonprlxmaespm.com 5.2.68.82, 49729, 49736, 49750 LITESERVERNL Netherlands 16->48 74 Tries to detect virtualization through RDTSC time measurements 16->74 32 conhost.exe 19->32         started        34 schtasks.exe 1 19->34         started        36 conhost.exe 23->36         started        38 xcopy.exe 1 23->38         started        40 conhost.exe 25->40         started        42 schtasks.exe 1 25->42         started        signatures8 process9 file10 44 C:\Users\user\AppData\...\2s90sdzgFd.exe, PE32 27->44 dropped 46 C:\Users\...\2s90sdzgFd.exe:Zone.Identifier, ASCII 27->46 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a88998b7b275d866ea3aec24b45488299384a2d8e0f2db60447f26bd550856ce/
Threat name:
Win32.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-05-27 10:11:48 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vcezrn5soxmgn2r25qsliveifgjyjiwy4dznwycep4tl2viik3ha._file
Verdict:
unknown
Similar samples:
0444d0bab0ffad641edae84a28cdf4070dfeada30c51d8b204dec98c40154b5b
ParallaxRAT
0cfa9021ddabb0a9f3306397234f3f19ce70da1082b4291bfe9477c974aebbec
ParallaxRAT
222c327eef40050baf9e05f80d39f53bf7955bd84bf212887405a665060c369f
ParallaxRAT
385eb4274de2282360a7010b5739769fb6dd69a889626c0fddc6a3a6d4c1251f
ParallaxRAT
43fd77d5c17fe83426f69d80761716b61759744c2f23a5efeffac6c07e97372b
ParallaxRAT
6a28f7fb457fb484c1fbcceb41b10637345b18950b62df89c0a7689dd4f20d68
ParallaxRAT
6f522cc6adbe791575df40a518ba10c89cb54af0d849be0841b036b05d441fa9
ParallaxRAT
7764deac5e57af30b369e616b5904163147abbbd960c420b1f2b2eec055238fb
ParallaxRAT
83afabd3bf44ba07ad9b09ffc85db8ea7ff0a32d888bd829e8733dcd2cd2779e
ParallaxRAT
ccc04dc8264252deee19e690583b72d4c056b93bcdb492665877cc60973ac18a
ParallaxRAT
+ 1'646 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/210601-fcrs79qxqx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a88998b7b275d866ea3aec24b45488299384a2d8e0f2db60447f26bd550856ce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_win32_parralax_load_1
Create hunting rule
Author:@VK_Intel
Description:Detects Parallax loader sequence
Reference:https://twitter.com/VK_Intel/status/1240676463126380545
Rule name:MALWARE_Win_ParallaxRAT
Create hunting rule
Author:ditekSHen
Description:Detects ParallaxRAT
Rule name:Parallax
Create hunting rule
Author:@bartblaze
Description:Identifies Parallax RAT.
Rule name:parallax_rat_2020
Create hunting rule
Author:jeFF0Falltrades
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_parallax_w0
Create hunting rule
Author:jeFF0Falltrades

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/163633/

Comments