MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf8e469a058f90d9ccbe081b0da470d3314aa4cd34f916865f0c0b4fa28eacd8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ParallaxRAT


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bf8e469a058f90d9ccbe081b0da470d3314aa4cd34f916865f0c0b4fa28eacd8
SHA3-384 hash: 6c6a3ed6ac2a9254bb9114e0ade24ab3fd0fcb2ce73eadd465695772d9f5ad765c009b330d2aaa77eb194bc250c4cbfb
SHA1 hash: 5f7c6637088b8e1a64c5f0e1ff0695c3e050616d
MD5 hash: 9f4649ff692011615d5cf3c5d410b95e
humanhash: cup-johnny-freddie-freddie
File name:Information Civilized System Oy
Download: download sample
Signature ParallaxRAT
Create hunting rule
File size:3'306'464 bytes
First seen:2020-10-14 08:02:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3c98c11017e670673be70ad841ea9c37 (5 x HawkEye, 5 x NanoCore, 4 x Plugx)
ssdeep 49152:TdriCUQHoN4zzTEsqWvjrKELEjriLFGP6s8fnZORiVqWA2fXuHbPQPvFE:TpjbHo0z4sqWrvuPP3GMRoBAvH2vq
Threatray 87 similar samples on MalwareBazaar
TLSH B6E5330ABF95457AF3281130FFEBAF59A25474340E3CD48AE7525A023E86513D63B72B
Reporter JAMESWT_WT
Tags:Information Civilized System Oy ParallaxRAT

Code Signing Certificate

Organisation:Information Civilized System Oy
Issuer:Sectigo RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:Jan 13 00:00:00 2020 GMT
Valid to:Jan 12 23:59:59 2021 GMT
Serial number: 97DF46ACB26B7C81A13CC467B47688C8
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: 54C4929195FAFDDFD333871471A015FA68092F44E2F262F2BBF4EE980B41B809
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/70694/
Detection(s):
SecuriteInfo.com.FakeAV.AOMC.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Searching for the window
Creating a file in the %temp% directory
Delayed reading of the file
Creating a process from a recently created file
Launching a process
Creating a process with a hidden window
Running batch commands
Enabling autorun by creating a file
Result
Threat name:
Parallax RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
46 / 100
Link:
https://www.joesandbox.com/analysis/490699
Signature
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Parallax RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 297800 Sample: Information Civilized System Oy Startdate: 14/10/2020 Architecture: WINDOWS Score: 46 82 asianmedics.today 2->82 88 Malicious sample detected (through community Yara rule) 2->88 90 Multi AV Scanner detection for submitted file 2->90 92 Yara detected Parallax RAT 2->92 94 Uses schtasks.exe or at.exe to add and modify task schedules 2->94 12 Pollard.exe 2 2->12         started        16 Beltran.exe 2->16         started        18 Information Civilized System Oy.exe 16 2->18         started        20 2 other processes 2->20 signatures3 process4 file5 66 C:\Users\user\AppData\Local\Temp\hlVrJ.exe, PE32 12->66 dropped 96 Multi AV Scanner detection for dropped file 12->96 98 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 12->98 100 Hijacks the control flow in another process 12->100 68 C:\Users\user\AppData\Local\Temp\HjxbR.exe, PE32 16->68 dropped 102 Tries to detect virtualization through RDTSC time measurements 16->102 104 Injects a PE file into a foreign processes 16->104 70 C:\Users\user\AppData\Local\Temp\Wilcox.exe, PE32 18->70 dropped 72 C:\Users\user\AppData\Local\Temp\Sexton.exe, PE32 18->72 dropped 74 C:\Users\user\AppData\Local\...\Pollard.exe, PE32 18->74 dropped 80 2 other files (1 malicious) 18->80 dropped 22 Nevaeh.exe 18->22         started        76 C:\Users\user\AppData\Local\Temp\UWQai.exe, PE32 20->76 dropped 78 C:\Users\user\AppData\Local\Temp\TXJjL.exe, PE32 20->78 dropped signatures6 process7 process8 24 cscript.exe 2 22->24         started        process9 26 cmd.exe 3 2 24->26         started        28 cmd.exe 1 24->28         started        30 cmd.exe 1 24->30         started        32 6 other processes 24->32 process10 34 AcroRd32.exe 39 26->34         started        37 conhost.exe 26->37         started        39 conhost.exe 28->39         started        41 schtasks.exe 1 28->41         started        43 conhost.exe 30->43         started        45 schtasks.exe 1 30->45         started        47 conhost.exe 32->47         started        49 conhost.exe 32->49         started        51 8 other processes 32->51 dnsIp11 84 192.168.2.1 unknown unknown 34->84 53 RdrCEF.exe 34->53         started        55 AcroRd32.exe 34->55         started        process12 process13 57 RdrCEF.exe 53->57         started        60 RdrCEF.exe 53->60         started        62 RdrCEF.exe 53->62         started        64 2 other processes 53->64 dnsIp14 86 80.0.0.0 NTLGB United Kingdom 57->86
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bf8e469a058f90d9ccbe081b0da470d3314aa4cd34f916865f0c0b4fa28eacd8/
Threat name:
Win32.Trojan.Predator
Create hunting rule
Status:
Malicious
First seen:
2020-10-14 00:55:16 UTC
File Type:
PE (Exe)
Extracted files:
219
AV detection:
20 of 48 (41.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=x6hengqfr6inttf6banq3jdq2myuvjgngt4rnbs7bqfu7iuovtma._file
Verdict:
malicious
Label(s):
netwirerc
Create hunting rule
Similar samples:
17a9fa26f553c56d5b03921045d684a49177b8620eb3313dfcf13d269789c4ae
ParallaxRAT
5ee970db11a1dbfeff58b1f1206045d141022d6d396d50ba571910522a2c106d
ParallaxRAT
5ff6476c5eb3587ac1d7b02a7e04ec40ec0c0696b8bd7c3a34b0d5f89d2caa67
ParallaxRAT
6960d585698d0353194d53afa7c6db5a68386fa8855cefefe9a2f4ce1292b5da
ParallaxRAT
702221e0753dc7bdae96ab782721c0e3a58d5d51d15f74af56c662f92f120125
ParallaxRAT
87881f84676ff10ab3f51519748d1799468def9f10dab79588b1d655d0eddb71
ParallaxRAT
a3c44389aac31e62cd3267525d4cfebbd65c32fbaec918500b606d67b0ea62d8
ParallaxRAT
a6bf564665f281e7226d137f8da8692436c44edb6ab7881cab31282ffd6649ad
ParallaxRAT
c015de0626ba91b194a47d0c8d76594e1bddadae9d9a6891b26ff7c2bc0fade3
ParallaxRAT
e3afb8be8f04e148a4214c375eff4817f2afcfcaff0f6a0bf2f5e324d9649b1b
ParallaxRAT
+ 77 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence
Link:
https://tria.ge/reports/201014-rw9p7mrtjj/
Behaviour
Creates scheduled task(s)
Modifies registry class
Modifies registry key
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
JavaScript code in executable
Loads dropped DLL
Executes dropped EXE
Modifies system executable filetype association
Unpacked files
SH256 hash:
bf8e469a058f90d9ccbe081b0da470d3314aa4cd34f916865f0c0b4fa28eacd8
MD5 hash:
9f4649ff692011615d5cf3c5d410b95e
SHA1 hash:
5f7c6637088b8e1a64c5f0e1ff0695c3e050616d
Link:
https://www.unpac.me/results/d18262a3-bdba-4181-aeda-4ea6ae3e0653/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Upatre
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bf8e469a058f90d9ccbe081b0da470d3314aa4cd34f916865f0c0b4fa28eacd8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/70694/

Comments