MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc2d39c8020a92de04d4a0749449595c2317d76dc607c56d2c26edf5fa3ef004. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ParallaxRAT

Vendor detections: 7

SHA256 hash: bc2d39c8020a92de04d4a0749449595c2317d76dc607c56d2c26edf5fa3ef004
SHA3-384 hash: af44ed4f0d5a4dd6f4c64a3cc928c628004ea61267793a0fa02fe23ef44e00d142743ab515c5d5c73a3b43a86e8e16e6
SHA1 hash: 4c07d69e84935842ac2ce9a8ded577f1fc17280c
MD5 hash: 2e309f6569ad98bc9dda1178dbcf6296
humanhash: ceiling-tennis-uniform-carpet
File name: FireFoxExtension.exe
Signature: ParallaxRAT
File size: 20'462'368 bytes
First seen: 2021-09-28 09:44:44 UTC
Last seen: 2021-10-21 09:36:31 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5a594319a0d69dbc452e748bcf05892e (21 x ParallaxRAT, 20 x Gh0stRAT, 15 x NetSupport)
ssdeep: 393216:2ttPibs2v6P70EPlVQ6+SKdHyEGDRZ4TU4KVbNaZ6efxHcr:2thgYQEPTQ6xEBTBRZHi
TLSH: T18327333BF218A03ED55A1B3215B39710997B7A51B50A8C1E47FC390DCF275211E3FAAA
dhash icon: 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter: JAMESWT_WT
Tags: 51.195.57.233 arostetelemacca exe ParallaxRAT SAN MARINO INVESTMENTS PTY LTD

Intelligence

File Origin
# of uploads: 3
# of downloads: 169
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: FireFoxExtension.exe
Verdict: Malicious activity
Analysis date: 2021-09-28 09:56:56 UTC
Tags: installer trojan parallax

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Threat name: Parallax RAT
Detection: malicious
Classification: troj.evad
Score: 78 / 100

Signature
Allocates memory in foreign processes
Hijacks the control flow in another process
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Copying Sensitive Files with Credential Data
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Uses bcdedit to modify the Windows boot settings
Writes to foreign memory regions
Yara detected Parallax RAT

Behaviour
Behavior Graph:
Behavior Graph ID: 492127 / Sample: FireFoxExtension.exe / Start date: 28/09/2021 / Architecture: WINDOWS / Score: 78

Start node (2)
  Network: trostryprllspmret.co; ipv4.imgur.map.fastly.net; 3 other IPs or domains
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 2 other signatures
  Started: FireFoxExtension.exe (10)
    Dropped: C:\Users\user\...\FireFoxExtension.tmp (PE32)
    Started: FireFoxExtension.tmp (13)
      Dropped: C:\Users\user\AppData\Roaming\opera.exe (PE32); C:\Users\user\AppData\Roaming\dui70.dll (PE32); C:\Users\user\AppData\...\googlesystem.exe (PE32); 2 other files (none is malicious)
      Signature: Uses bcdedit to modify the Windows boot settings
      Started: opera.exe (17); cmd.exe (20); cmd.exe (22); 5 other processes (24)
        opera.exe (17)
          Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Hijacks the control flow in another process; Writes to foreign memory regions; Allocates memory in foreign processes
          Started: cmd.exe (26)
            Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Hijacks the control flow in another process; Maps a DLL or memory area into another process
            Started: cmd.exe (45); conhost.exe (50)
              cmd.exe (45)
                Network: trostryprllspmret.co 51.195.57.233, ports 49769, 49771, 49774 (OVHFR, France); 192.168.2.1 (unknown)
                Dropped: C:\Users\user\AppData\Local\...\time.exe (PE32); C:\Users\user\AppData\Local\...\dui70.dll (PE32)
                Signature: Overwrites code with unconditional jumps - possibly settings hooks in foreign process
        cmd.exe (20)
          Signature: Tries to detect virtualization through RDTSC time measurements
          Started: conhost.exe (29); mountvol.exe (31)
        cmd.exe (22)
          Started: conhost.exe (33); setx.exe (35)
        5 other processes (24)
          Started: conhost.exe (37); conhost.exe (39); conhost.exe (41); 2 other processes (43)
Threat name: Win32.Downloader.Penguish
Status: Malicious
First seen: 2021-09-22 19:38:57 UTC
AV detection: 12 of 45 (26.67%)
Threat level: 3/5

Result
Malware family: parallax
Score: 10/10
Tags: family:parallax rat spyware stealer

Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Enumerates connected drives
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Executes dropped EXE
ParallaxRat
ParallaxRat payload
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: ParallaxRAT
File type: Executable exe
SHA256: bc2d39c8020a92de04d4a0749449595c2317d76dc607c56d2c26edf5fa3ef004 (this sample)

Delivery method
Distributed via web download

Comments