MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8eb5792d969c21c364da69eca1322ab5f63e0a39b0e542bad4ee95be873c296. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ParallaxRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d8eb5792d969c21c364da69eca1322ab5f63e0a39b0e542bad4ee95be873c296
SHA3-384 hash: 338dc671023ec1d1d3121e757cf4ee209afbe5e51fa8a3317508722d5825201facda7f97ab30e1e98b1eedaf04838d16
SHA1 hash: 3739e8d38d5598a0ac67bc06cbef408ba6e3aa8f
MD5 hash: c8808d17e4ce35534a702f4b318684ef
humanhash: neptune-beer-muppet-north
File name:d8eb5792d969c21c364da69eca1322ab5f63e0a39b0e542bad4ee95be873c296.bin
Download: download sample
Signature ParallaxRAT
Create hunting rule
File size:6'852'072 bytes
First seen:2021-07-27 09:13:57 UTC
Last seen:2021-10-21 10:19:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ef55257d8e5414c1ada866422d7543c5 (2 x ParallaxRAT)
ssdeep 98304:OO5VI/yA/FFrWw//NtM/SmfGnp3b0o5O:/I/D/M/SmenP5O
Threatray 2'970 similar samples on MalwareBazaar
TLSH T13D667C22F244963ED49F0A39442BA664993F7B313923CD5B97F4588C8F365817E3A387
dhash icon e9d5f0d5ddd5dde9 (3 x ParallaxRAT, 3 x Rhadamanthys, 1 x CoinMiner)
Reporter JAMESWT_WT
Tags:51.195.57.229 exe Key 4 Solutions s. r. o. ParallaxRAT signed

Code Signing Certificate

Organisation:Key 4 Solutions, s. r. o.
Issuer:Sectigo RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:2021-05-19T00:00:00Z
Valid to:2022-05-19T23:59:59Z
Serial number: f112993ca9f2b1956adbb0c86fb42292
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: 764f2b9e4c7f92cc3b3a9fbfd289946cfdb7df501d21f57846517828ad08a8f1
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
4
# of downloads :
131
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d8eb5792d969c21c364da69eca1322ab5f63e0a39b0e542bad4ee95be873c296.bin
Verdict:
Suspicious activity
Analysis date:
2021-07-27 09:16:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ecec8680-ba99-47bf-8b08-de717a26343a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/174308/
Detection(s):
PUA.Win.Packer.BorlandCpp-9
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dc1c7120-14ca-41c4-b811-91c552b79975
Result
Threat name:
Parallax RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/822240
Signature
Allocates memory in foreign processes
Hijacks the control flow in another process
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Parallax RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 454648 Sample: NpWJUHd5iI.bin Startdate: 27/07/2021 Architecture: WINDOWS Score: 96 21 bragaporcts.nl 2->21 23 ipv4.imgur.map.fastly.net 2->23 25 i.imgur.com 2->25 33 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->33 35 Malicious sample detected (through community Yara rule) 2->35 37 Multi AV Scanner detection for submitted file 2->37 39 Yara detected Parallax RAT 2->39 8 NpWJUHd5iI.exe 2->8         started        signatures3 process4 signatures5 41 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->41 43 Hijacks the control flow in another process 8->43 45 Writes to foreign memory regions 8->45 47 Allocates memory in foreign processes 8->47 11 notepad.exe 8->11         started        process6 signatures7 49 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 11->49 51 Hijacks the control flow in another process 11->51 53 Writes to foreign memory regions 11->53 55 Maps a DLL or memory area into another process 11->55 14 cmd.exe 2 11->14         started        process8 dnsIp9 27 bragaporcts.nl 51.195.57.236, 2340, 49775, 49776 OVHFR France 14->27 19 C:\Users\user\AppData\Roaming\...\srs.exe, PE32 14->19 dropped 29 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 14->29 31 Tries to detect virtualization through RDTSC time measurements 14->31 file10 signatures11
Gathering data
Threat name:
Win32.Downloader.Penguish
Create hunting rule
Status:
Malicious
First seen:
2021-07-06 22:44:52 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
20 of 46 (43.48%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3dvvpewznhbbynsnu2pmuezcvnpwhyfdtmhfik5nj3uvx2dtykla._file
Verdict:
malicious
Similar samples:
3b8dd3bc950e31064f5fe058ed3e8c25f082bef1f42e1426760cc6f8fef14821
ParallaxRAT
446fdd51f5eb4359191e189e54a209bd96295c5495cabc1b0b07c8f11d1eb748
ParallaxRAT
525d3b180847b425e376157caabbf860b421078903228d919d1e5e0fcce5741c
ParallaxRAT
6f8fc539952555b057adf7810aca782a29f8f624e1d46a0f4732db3763130725
ParallaxRAT
93f79e179e242b4b2cb0edfc4499597b0ba9ba7f0f8c7126100ff82fc58175d2
ParallaxRAT
9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3
ParallaxRAT
c5f1d96b75d6ed0846fac4d2ddfada97927dbcebc6fbd015cc08ac78387b28fd
ParallaxRAT
df3dabd031184b67bab7043baaae17061c21939d725e751c0a6f6b7867d0cf34
ParallaxRAT
+ 2'960 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210727-3bw7t7b2a6/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
c9d350e4955d025410cd8dfb426060794c426cc732bcb26c1730ef7b564d7dfd
MD5 hash:
53b1e783cffdb0683b4d52a49f963685
SHA1 hash:
8250dbe4dabfd29e40d3851a6a5f3dfc0ceda10f
Link:
https://www.unpac.me/results/0dfe1fcc-d138-404c-bc8f-216b80380b48/
SH256 hash:
d8eb5792d969c21c364da69eca1322ab5f63e0a39b0e542bad4ee95be873c296
MD5 hash:
c8808d17e4ce35534a702f4b318684ef
SHA1 hash:
3739e8d38d5598a0ac67bc06cbef408ba6e3aa8f
Link:
https://www.unpac.me/results/0dfe1fcc-d138-404c-bc8f-216b80380b48/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d8eb5792d969c21c364da69eca1322ab5f63e0a39b0e542bad4ee95be873c296

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Adsterra_Adware_DOM
Create hunting rule
Author:IlluminatiFish
Description:Detects Adsterra adware script being loaded without the user's consent
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/174308/

Comments