MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 abba8d0990bb52ecc9c282ca8e98e83076fbd5d86afe2efecdbc236a5c610de8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ParallaxRAT


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: abba8d0990bb52ecc9c282ca8e98e83076fbd5d86afe2efecdbc236a5c610de8
SHA3-384 hash: feafc1245fb716e4a0af8b66445fd17defc9fd3f8acf139787e07f47d721ae64c9974978fe53ae00e542b77ce77fc34e
SHA1 hash: 289e0615617087c425997f4da60c6ffb08d08e51
MD5 hash: a3d23470de672761f9ad85ce334f80d0
humanhash: ack-mississippi-shade-timing
File name:Trade Hunters s. r. o
Download: download sample
Signature ParallaxRAT
Create hunting rule
File size:2'374'640 bytes
First seen:2021-06-11 08:41:34 UTC
Last seen:2021-06-11 09:57:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 8107a2273696d2718d6def74d27d0c73 (1 x ParallaxRAT)
ssdeep 49152:eardP/fj3aBlgjeyXgEHQyTejqPqGs3FFZ3y1zzITXx9u193Z1oN08:Xtfj3sl+7XgEwyTejqShVFZ3y1HITXxX
Threatray 1'843 similar samples on MalwareBazaar
TLSH 5EB58C29367840BED0232331994CF339B1BDAD740A3A45DF7290BE18FA355929B195EF
Reporter JAMESWT_WT
Tags:5.2.68.82 exe ParallaxRAT parallspmcachire.nl signed Trade Hunters s. r. o.

Code Signing Certificate

Organisation:Trade Hunters, s. r. o.
Issuer:Sectigo RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:2021-05-03T00:00:00Z
Valid to:2022-05-03T23:59:59Z
Serial number: fbb1198bd8bddb0d693eb72a8613fe3f
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: 726c935cd0f81968ba8fbb7ab5548392bdbc4c9ea40e28f2ee44420a3b06d98a
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
207
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Trade Hunters s. r. o
Verdict:
No threats detected
Analysis date:
2021-06-11 08:42:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/020ac4d0-1d8b-4e34-835a-39e923198ec1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/166054/
Detection(s):
SecuriteInfo.com.LresultFromObject.3129.6384.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the %AppData% subdirectories
Forced shutdown of a system process
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Foxit Software Inc.
Create hunting rule
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/73d3a224-049f-454b-8f21-74b4191a89b4
Result
Threat name:
Parallax RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
69 / 100
Link:
https://www.joesandbox.com/analysis/800722
Signature
Allocates memory in foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Copying Sensitive Files with Credential Data
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Parallax RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 433118 Sample: Trade Hunters s. r. o Startdate: 11/06/2021 Architecture: WINDOWS Score: 69 48 parallspmcachire.nl 2->48 50 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Yara detected Parallax RAT 2->54 56 Sigma detected: Copying Sensitive Files with Credential Data 2->56 8 Trade Hunters s. r.exe 2->8         started        11 Trade Hunters s. r.exe 2->11         started        signatures3 process4 signatures5 58 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->58 60 Writes to foreign memory regions 8->60 62 Allocates memory in foreign processes 8->62 64 Maps a DLL or memory area into another process 8->64 13 cmd.exe 1 8->13         started        16 sxstrace.exe 8->16         started        19 cmd.exe 1 8->19         started        21 cmd.exe 1 11->21         started        23 cmd.exe 1 11->23         started        25 sxstrace.exe 11->25         started        process6 dnsIp7 66 Uses schtasks.exe or at.exe to add and modify task schedules 13->66 27 xcopy.exe 4 13->27         started        30 conhost.exe 13->30         started        46 parallspmcachire.nl 5.2.68.82, 49737, 49756, 5555 LITESERVERNL Netherlands 16->46 68 Tries to detect virtualization through RDTSC time measurements 16->68 32 conhost.exe 19->32         started        34 schtasks.exe 1 19->34         started        36 conhost.exe 21->36         started        38 xcopy.exe 1 21->38         started        40 conhost.exe 23->40         started        42 schtasks.exe 1 23->42         started        signatures8 process9 file10 44 C:\Users\user\...\Trade Hunters s. r.exe, PE32 27->44 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/abba8d0990bb52ecc9c282ca8e98e83076fbd5d86afe2efecdbc236a5c610de8/
Verdict:
unknown
Similar samples:
0444d0bab0ffad641edae84a28cdf4070dfeada30c51d8b204dec98c40154b5b
ParallaxRAT
222c327eef40050baf9e05f80d39f53bf7955bd84bf212887405a665060c369f
ParallaxRAT
385eb4274de2282360a7010b5739769fb6dd69a889626c0fddc6a3a6d4c1251f
ParallaxRAT
43fd77d5c17fe83426f69d80761716b61759744c2f23a5efeffac6c07e97372b
ParallaxRAT
6f522cc6adbe791575df40a518ba10c89cb54af0d849be0841b036b05d441fa9
ParallaxRAT
7764deac5e57af30b369e616b5904163147abbbd960c420b1f2b2eec055238fb
ParallaxRAT
83afabd3bf44ba07ad9b09ffc85db8ea7ff0a32d888bd829e8733dcd2cd2779e
ParallaxRAT
8f71fca5621ccb7ba3558cfebc17014d27923d1c73ad97ececb577fd5b937047
ParallaxRAT
a88998b7b275d866ea3aec24b45488299384a2d8e0f2db60447f26bd550856ce
ParallaxRAT
ccc04dc8264252deee19e690583b72d4c056b93bcdb492665877cc60973ac18a
ParallaxRAT
+ 1'833 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/210611-j26h6e4ftn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
abba8d0990bb52ecc9c282ca8e98e83076fbd5d86afe2efecdbc236a5c610de8
MD5 hash:
a3d23470de672761f9ad85ce334f80d0
SHA1 hash:
289e0615617087c425997f4da60c6ffb08d08e51
Link:
https://www.unpac.me/results/8a987dc5-05b7-4de9-a4d3-91f8638ac3eb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/abba8d0990bb52ecc9c282ca8e98e83076fbd5d86afe2efecdbc236a5c610de8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
X
https://twitter.com/JAMESWT_MHT/status/1403265651620421632?s=20
Cape
Cape
https://www.capesandbox.com/analysis/166054/

Comments