MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d327f4e4f6c73e96c204d77355171ca6fd7b29c54b234f0bdf97398e04179edc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ParallaxRAT

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	d327f4e4f6c73e96c204d77355171ca6fd7b29c54b234f0bdf97398e04179edc
SHA3-384 hash:	6362ae8b03ed652a6b942966197226b5d1ece6ec0e27553fe56f46e3730ea57b413a86d9ca569e0cfa22f546e95d8466
SHA1 hash:	8f036b44bf4e93abc1b4691f7f663b2a0b782c09
MD5 hash:	e50d6088d72b8b7bde335e1522517479
humanhash:	louisiana-nevada-fish-pennsylvania
File name:	d327f4e4f6c73e96c204d77355171ca6fd7b29c54b234f0bdf97398e04179edc
Download:	download sample
Signature	ParallaxRAT Create hunting rule
File size:	2'337'768 bytes
First seen:	2021-11-10 10:16:43 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ece80f8890f51929fd5908b2e33dff4a (3 x ParallaxRAT)
ssdeep	49152:Za8YTtb9aDOXH23rKrKQLvfuAt8WBedQJnjOtRbAmfEN:Zw59aDCH27KrKCfuAt8ZQJnjOtRb/4
Threatray	37 similar samples on MalwareBazaar
TLSH	T135B58D25FA587476CC631E31BB4CF23DF1ADB470073551873296AB3C29361C68A1AE6B
File icon (PE):
dhash icon	b2b6e871d4d496b2 (2 x ParallaxRAT)
Reporter	JAMESWT_WT
Tags:	51.195.57.232 A. Jensen FLY Fishing ApS exe ParallaxRAT

Intelligence

File Origin

# of uploads :

# of downloads :

137

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Parallax

Link:

https://www.capesandbox.com/analysis/204677/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.9424.27138.13703.UNOFFICIAL

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

greyware keylogger overlay packed

Link:

https://www.filescan.io/uploads/618b9c21a00afa9663a2dbea/reports/d6ce238d-b0ac-4737-9366-caa4039bc1c8/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d0d7fbf5-b661-4f95-9194-13b22e6d58e7

Result

Threat name:

Parallax RAT

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/886625

Signature

Allocates memory in foreign processes

Antivirus detection for dropped file

Found hidden mapped module (file has been removed from disk)

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Sigma detected: Suspect Svchost Activity

Sigma detected: Suspicious Svchost Process

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Yara detected Parallax RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d327f4e4f6c73e96c204d77355171ca6fd7b29c54b234f0bdf97398e04179edc/

Threat name:

Win32.Backdoor.ParallaxRat

Status:

Malicious

First seen:

2021-03-22 15:45:31 UTC

AV detection:

20 of 45 (44.44%)

Threat level:

5/5

Verdict:

malicious

ParallaxRAT

26ba40a83c4dd2e31ae8d1cd1595cc9723cad21a4ee2f7c54d422350bce7effb

ParallaxRAT

6f522cc6adbe791575df40a518ba10c89cb54af0d849be0841b036b05d441fa9

ParallaxRAT

7764deac5e57af30b369e616b5904163147abbbd960c420b1f2b2eec055238fb

ParallaxRAT

a7fab8c1fc7ffc5002452f5a783f7a43b263ad302fab8d9fdd412610122f77ce

ParallaxRAT

a88998b7b275d866ea3aec24b45488299384a2d8e0f2db60447f26bd550856ce

ParallaxRAT

cb55e00c2fc38e06759379f12f6ab27310d6b61f27a3c510549f326afb17d0e9

ParallaxRAT

ccc04dc8264252deee19e690583b72d4c056b93bcdb492665877cc60973ac18a

ParallaxRAT

d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b

ParallaxRAT

d8a0ad3d3b54d49dea84a6ac1d38082c5ba246d13c9060543cff213fc3dc5260

ParallaxRAT

+ 27 additional samples on MalwareBazaar

Result

Malware family:

parallax

Score:

10/10

Tags:

family:parallax rat

Link:

https://tria.ge/reports/211110-mbc4saggb5/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

ParallaxRat

ParallaxRat payload

Unpacked files

SH256 hash:

d327f4e4f6c73e96c204d77355171ca6fd7b29c54b234f0bdf97398e04179edc

MD5 hash:

e50d6088d72b8b7bde335e1522517479

SHA1 hash:

8f036b44bf4e93abc1b4691f7f663b2a0b782c09

Link:

https://www.unpac.me/results/6532f4d8-1ace-4102-922f-7346f2d3b73d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Parallax RAT

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d327f4e4f6c73e96c204d77355171ca6fd7b29c54b234f0bdf97398e04179edc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Sectigo_Code_Signed Create hunting rule
Description:	Detects code signed by the Sectigo RSA Code Signing CA
Reference:	https://bazaar.abuse.ch/export/csv/cscb/

Rule name:	Sectigo_Code_Signed Create hunting rule
Description:	Detects code signed by the Sectigo RSA Code Signing CA
Reference:	https://bazaar.abuse.ch/export/csv/cscb/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/204677/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample