MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb55e00c2fc38e06759379f12f6ab27310d6b61f27a3c510549f326afb17d0e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ParallaxRAT

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 2 File information Comments

SHA256 hash:	cb55e00c2fc38e06759379f12f6ab27310d6b61f27a3c510549f326afb17d0e9
SHA3-384 hash:	501c3161fe16e38c631e6adaed6aba7aa84163da3e0f1f460799f2e1b483196890cb92fc43f99a8ddb4e391ecae3bea0
SHA1 hash:	a6b5fc116b667ca4c1c33f4a636d5d678c1fc270
MD5 hash:	135abdbf6c27453815906380cb4b568a
humanhash:	black-vegan-emma-fish
File name:	cb55e00c2fc38e06759379f12f6ab27310d6b61f27a3c510549f326afb17d0e9
Download:	download sample
Signature	ParallaxRAT Create hunting rule
File size:	2'266'600 bytes
First seen:	2021-11-10 10:16:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ece80f8890f51929fd5908b2e33dff4a (3 x ParallaxRAT)
ssdeep	49152:Ga8YTtb9aDOXH23rKrKQLvfuAt8WBedQJnjOta7l1mfEA:Gw59aDCH27KrKCfuAt8ZQJnjOt0kJ
Threatray	36 similar samples on MalwareBazaar
TLSH	T123A57D25FA587477DD630E31BB0CF23DF1ADA570073551973296A73C29361C28A2AE2B
File icon (PE):
dhash icon	74f2d0c4c4c6c6e6 (1 x ParallaxRAT)
Reporter	JAMESWT_WT
Tags:	51.195.57.232 A. Jensen FLY Fishing ApS exe ParallaxRAT

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
51.195.57.236:2340	https://threatfox.abuse.ch/ioc/246406/

Intelligence

File Origin

# of uploads :

# of downloads :

148

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

MARKETSGIANTSNewAgreement.pif

Verdict:

Malicious activity

Analysis date:

2021-03-22 14:04:19 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/7c99d45e-a874-474e-a58e-78bbae21b16b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/204676/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.9424.5329.17159.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware keylogger overlay packed

Link:

https://www.filescan.io/uploads/618b9c20dec3347825a11ec6/reports/884fa11d-585f-4730-8381-8542af61c508/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8cd1fd9c-4f89-40a2-9d81-0ba5ab4a4af6

Result

Threat name:

Parallax RAT

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/886626

Signature

Allocates memory in foreign processes

Antivirus detection for dropped file

Found hidden mapped module (file has been removed from disk)

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Sigma detected: Suspect Svchost Activity

Sigma detected: Suspicious Svchost Process

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Yara detected Parallax RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cb55e00c2fc38e06759379f12f6ab27310d6b61f27a3c510549f326afb17d0e9/

Threat name:

Win32.Backdoor.ParallaxRat

Status:

Malicious

First seen:

2021-03-23 01:01:26 UTC

AV detection:

17 of 26 (65.38%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=znk6adbpyoham5mtphys62vsominnnq7e6r4kecut4zgv6yx2duq._file

Verdict:

malicious

ParallaxRAT

0cfa9021ddabb0a9f3306397234f3f19ce70da1082b4291bfe9477c974aebbec

ParallaxRAT

26ba40a83c4dd2e31ae8d1cd1595cc9723cad21a4ee2f7c54d422350bce7effb

ParallaxRAT

6f522cc6adbe791575df40a518ba10c89cb54af0d849be0841b036b05d441fa9

ParallaxRAT

7764deac5e57af30b369e616b5904163147abbbd960c420b1f2b2eec055238fb

ParallaxRAT

a7fab8c1fc7ffc5002452f5a783f7a43b263ad302fab8d9fdd412610122f77ce

ParallaxRAT

a88998b7b275d866ea3aec24b45488299384a2d8e0f2db60447f26bd550856ce

ParallaxRAT

ccc04dc8264252deee19e690583b72d4c056b93bcdb492665877cc60973ac18a

ParallaxRAT

d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b

ParallaxRAT

d8a0ad3d3b54d49dea84a6ac1d38082c5ba246d13c9060543cff213fc3dc5260

ParallaxRAT

+ 26 additional samples on MalwareBazaar

Result

Malware family:

parallax

Score:

10/10

Tags:

family:parallax rat suricata upx

Link:

https://tria.ge/reports/211110-mbc4sadhfq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

UPX packed file

ParallaxRat

ParallaxRat payload

suricata: ET MALWARE Parallax CnC Response Activity M14

Unpacked files

SH256 hash:

cb55e00c2fc38e06759379f12f6ab27310d6b61f27a3c510549f326afb17d0e9

MD5 hash:

135abdbf6c27453815906380cb4b568a

SHA1 hash:

a6b5fc116b667ca4c1c33f4a636d5d678c1fc270

Link:

https://www.unpac.me/results/26f0e95d-57ad-415e-8b3d-209bf1dc8338/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Parallax RAT

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cb55e00c2fc38e06759379f12f6ab27310d6b61f27a3c510549f326afb17d0e9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Sectigo_Code_Signed Create hunting rule
Description:	Detects code signed by the Sectigo RSA Code Signing CA
Reference:	https://bazaar.abuse.ch/export/csv/cscb/

Rule name:	Sectigo_Code_Signed Create hunting rule
Description:	Detects code signed by the Sectigo RSA Code Signing CA
Reference:	https://bazaar.abuse.ch/export/csv/cscb/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/204676/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample