MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c2382986d2bacaacd5399abca6ba33ee39fec2e9f331b8493a7511bc23578adc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ParallaxRAT


Vendor detections: 6


SHA256 hash: c2382986d2bacaacd5399abca6ba33ee39fec2e9f331b8493a7511bc23578adc
SHA3-384 hash: c54e2e3f8910d3ec639ba9ea2a07e2330708e60b7a9e86394276d214c4d4568889d0b2eb7a173db0aa27c0e2afbfaf34
SHA1 hash: d8cfcee78f6cebf896f57f1791166bb5247fbdf8
MD5 hash: 84db618ff4b489fe09429ee18becb8e5
humanhash: hawaii-asparagus-three-saturn
File name: c2382986d2bacaacd5399abca6ba33ee39fec2e9f331b8493a7511bc23578adc
Signature: ParallaxRAT
File size: 3'422'496 bytes
First seen: 2020-09-14 06:39:28 UTC
Last seen: 2020-09-14 07:38:35 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 47b157537f98fb2416875b8f2144215b (1 x ParallaxRAT)
ssdeep: 49152:akNIBqkYw/fllpR/VKSSx2akv0Ob7URti:ZNiqEfRm2YObIRo
Threatray: 407 similar samples on MalwareBazaar
TLSH: 31F57D63B281583ED85B0B39053FB6A4963FBB713512C99F57F04C8C8F76181693A29B
Reporter: JAMESWT_WT
Tags: MEHANIKUM OOO Parallax RAT signed

Code Signing Certificate

Organisation: GlobalSign Timestamping CA - SHA256 - G2
Issuer: GlobalSign
Algorithm: sha256WithRSAEncryption
Valid from: Aug 2 10:00:00 2011 GMT
Valid to: Mar 29 10:00:00 2029 GMT
Serial number: 0400000000013189C65004
Intelligence: 8 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: 9BF9496777D14425ED0086C1BB2C0707B62A61C194C5162E4F07637AFF166B76
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 2
# of downloads: 112
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Sending a UDP request
Transferring files using the Background Intelligent Transfer Service (BITS)
DNS request
Sending a custom TCP request
Creating a file in the %temp% directory
Deleting a recently created file
Launching cmd.exe command interpreter
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Moving a file to the %AppData% subdirectory
Creating a file
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Threat name: NetWire
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Contains functionality to log keystrokes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Internet Explorer form passwords
Hijacks the control flow in another process
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: NetWire
Uses ipconfig to lookup or modify the Windows network settings
Writes to foreign memory regions
Yara detected NetWire RAT
Behaviour
Behavior Graph: [graph image not reproduced] Behavior Graph ID 284934, sample Yx9bjnQEEl, start date 14/09/2020, architecture WINDOWS, score 100.
Process chain shown in the graph: Yx9bjnQEEl.exe -> ipconfig.exe -> cmd.exe, cmd.exe, conhost.exe.
Network contacts shown in the graph: ipv4.imgur.map.fastly.net (151.101.12.193, port 443, FASTLYUS, United States), i.imgur.com, risptinshoppedtales193.ga (154.16.168.6, port 8910, TIER-NETUS, South Africa).
Threat name: Win32.Trojan.NetWired
Status: Malicious
First seen: 2020-09-05 03:30:00 UTC
File Type: PE (Exe)
Extracted files: 79
AV detection: 22 of 29 (75.86%)
Threat level: 5/5
Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments