MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd2b6e5b02de97b7888bb22135c2c9771c6a2477a59e96463141c36d30e80fbb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ParallaxRAT
Vendor detections: 9

SHA256 hash: dd2b6e5b02de97b7888bb22135c2c9771c6a2477a59e96463141c36d30e80fbb
SHA3-384 hash: 62512049bd46ab6ded4bf72871316fc46c185fee4d260ca9a410199cb12c721098bd56a0fb7b017e6058217afe8e892a
SHA1 hash: 65979c3b01a41b7b5939d7808d3791350b65e6fa
MD5 hash: 1b890e13edc227f3605e8725fa62c4c3
humanhash: enemy-tango-solar-potato
File name: dd2b6e5b02de97b7888bb22135c2c9771c6a2477a59e96463141c36d30e80fbb.bin
Signature: ParallaxRAT
File size: 6'112'720 bytes
First seen: 2021-07-27 09:14:10 UTC
Last seen: 2021-07-27 10:03:21 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5a594319a0d69dbc452e748bcf05892e (21 x ParallaxRAT, 20 x Gh0stRAT, 15 x NetSupport)
ssdeep: 98304:BSi+jqKoeBzszaBCpadb95BnMxySiwuF8G5L9zQuxe5UYF/e/Bgmv+/qnyYTh5Vq:wfqCCpm9mNiwuFHJGaW8Bg9CyQq
Threatray: 121 similar samples on MalwareBazaar
TLSH: T1C456123BB254A53EC9AF077246738250697BBA79E90A8C1E17F0050DCFB65710E3BB16
dhash icon: f2909696969ef66e (42 x AgentTesla, 42 x SnakeKeylogger, 13 x Formbook)
Reporter: JAMESWT_WT
Tags: 51.195.57.229 exe ParallaxRAT signed ZOMI INVEST d.o.o.

Code Signing Certificate

Organisation: ZOMI INVEST, d.o.o.
Issuer: Sectigo RSA Code Signing CA
Algorithm: sha256WithRSAEncryption
Valid from: 2021-05-27T00:00:00Z
Valid to: 2022-05-27T23:59:59Z
Serial number: 30318fc997744b5dc5ec9480bf80ad0c
MalwareBazaar Blocklist: This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm: SHA256
Thumbprint: 159f2c1c1cff165ca4a90db12da08937cd38b9e79cca3848403ec779fd8d7cd1
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform
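A check a practitioner would want next to the certificate fields above, added here as an example and not code from the MalwareBazaar page or from abuse.ch: it normalises a thumbprint as printed by common tools, looks it up in a CSCB-style export, and refuses a SHA1 thumbprint (what certutil and PowerShell's Get-AuthenticodeSignature print) rather than silently failing to match the SHA256 key the blocklist uses. The CSV column names in the constructed snippet and the caller having already extracted the signer certificate from the PE's Authenticode blob as DER bytes are assumptions; the serial, thumbprint, issuer and subject values are the ones in this entry.

```python
"""Look up a code-signing certificate in a MalwareBazaar CSCB-style export.

Added example; not code from the MalwareBazaar page or from abuse.ch.
Assumptions (not stated on the page): the CSV column names used in the
constructed snippet below, and that the caller has already pulled the signer
certificate out of the PE's Authenticode blob as DER bytes.
"""
import csv
import hashlib
import io

# Values copied from the Code Signing Certificate block of the entry.
ENTRY_SERIAL = "30318fc997744b5dc5ec9480bf80ad0c"
ENTRY_THUMBPRINT_SHA256 = "159f2c1c1cff165ca4a90db12da08937cd38b9e79cca3848403ec779fd8d7cd1"

# Constructed CSCB-style snippet. The column layout is an assumption; the
# values are the entry's. Exports carry '#' comment lines, hence the filter below.
CSCB_SAMPLE = """\
# Code Signing Certificate Blocklist (CSCB) -- constructed sample, not the live export
"serial_number","thumbprint","thumbprint_algorithm","issuer_cn","subject_cn"
"30318fc997744b5dc5ec9480bf80ad0c","159f2c1c1cff165ca4a90db12da08937cd38b9e79cca3848403ec779fd8d7cd1","SHA256","Sectigo RSA Code Signing CA","ZOMI INVEST, d.o.o."
"""


def normalise_hex(value: str) -> str:
    """Drop the colons/spaces tools insert and lowercase, so '15:9F:2C...'
    and '159f2c...' compare equal."""
    return "".join(ch for ch in value.lower() if ch in "0123456789abcdef")


def load_cscb(text: str) -> dict:
    """Map SHA256 thumbprint -> row for a CSCB-style CSV, ignoring comment
    lines and any row whose thumbprint algorithm is not SHA256."""
    body = "\n".join(ln for ln in text.splitlines() if ln and not ln.startswith("#"))
    table = {}
    for row in csv.DictReader(io.StringIO(body)):
        if row.get("thumbprint_algorithm", "").upper() != "SHA256":
            continue
        table[normalise_hex(row["thumbprint"])] = row
    return table


def cert_thumbprints(der: bytes) -> dict:
    """A thumbprint is a hash of the DER-encoded certificate. certutil and
    PowerShell's Get-AuthenticodeSignature show SHA1; the CSCB lists SHA256."""
    return {
        "SHA1": hashlib.sha1(der).hexdigest(),
        "SHA256": hashlib.sha256(der).hexdigest(),
    }


def is_blocklisted(der: bytes, cscb: dict) -> bool:
    """True if the DER certificate's SHA256 thumbprint is on the blocklist."""
    return cert_thumbprints(der)["SHA256"] in cscb


def lookup_thumbprint(thumbprint: str, cscb: dict):
    """Look up a thumbprint string as copied from a tool. A 40-hex-char value
    is SHA1 and can never match a SHA256-keyed list, so fail loudly."""
    digest = normalise_hex(thumbprint)
    if len(digest) == 40:
        raise ValueError("SHA1 thumbprint given; the CSCB is keyed on SHA256 (64 hex chars)")
    if len(digest) != 64:
        raise ValueError(f"unexpected thumbprint length {len(digest)}")
    return cscb.get(digest)


if __name__ == "__main__":
    table = load_cscb(CSCB_SAMPLE)
    hit = lookup_thumbprint(ENTRY_THUMBPRINT_SHA256, table)
    print("blocklisted signer:", hit["subject_cn"], "serial", hit["serial_number"])
```

For the live list, fetch https://bazaar.abuse.ch/export/csv/cscb/ (the reference given by the Sectigo_Code_Signed rule below) and pass its text to load_cscb, adjusting the column names if they differ from the assumed ones. A CSCB entry says this signer has been seen on malware; it says nothing about whether a given signature still validates or whether the CA has since revoked the certificate, so check revocation separately.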

Intelligence


File Origin
Uploads: 2
Downloads: 161
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: dd2b6e5b02de97b7888bb22135c2c9771c6a2477a59e96463141c36d30e80fbb.bin
Verdict: Suspicious activity
Analysis date: 2021-07-27 09:18:56 UTC
Tags: installer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour
Creating a process from a recently created file
Creating a file in the %AppData% directory
Deleting a recently created file
Sending a UDP request
Creating a file in the %temp% subdirectories
Creating a window
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Parallax RAT
Detection: malicious
Classification: troj.evad
Score: 78 / 100
Signature
Allocates memory in foreign processes
Hijacks the control flow in another process
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Parallax RAT
Behaviour
Behavior Graph (ID 454647; sample Xh6xP34KWr.bin; start date 27/07/2021; architecture WINDOWS; score 78)
Hosts contacted: imagizer.imageshack.com, h9i4k4c8.stackpathcdn.com, butbuydayfulti.nl
Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Icon mismatch, binary includes an icon from a different legit application in order to fool users; 2 other signatures
Process tree:
Xh6xP34KWr.exe
    dropped: C:\Users\user\AppData\...\Xh6xP34KWr.tmp (PE32)
    Xh6xP34KWr.tmp
        dropped: C:\Users\user\AppData\...\UtorrentV4.exe (PE32, two drop events with the same path); C:\Users\user\AppData\Roaming\rtl220.bpl (PE32); 8 other files (none is malicious)
        UtorrentV4.exe
            signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Hijacks the control flow in another process
            notepad.exe
                signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Hijacks the control flow in another process; Writes to foreign memory regions; 2 other signatures
                cmd.exe
                    network: butbuydayfulti.nl (51.195.57.229, OVHFR France), port 2340 (49747 and 49748 are the local ephemeral ports)
                    signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process
                cmd.exe
                    signatures: Tries to detect virtualization through RDTSC time measurements
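A detection pass over endpoint and network telemetry, added here as an example and not taken from the page or from any sandbox vendor: it looks for the exact injection chain the graph shows (dropped UtorrentV4.exe spawning notepad.exe, which spawns cmd.exe) and for connections to the C2 host, and treats the two shared hosting domains and a bare port-2340 match as weaker evidence than a domain or IP hit. The event records and their field names are constructed assumptions; the domain, IP, port and image names come from the graph above.

```python
"""Hunt for this sample's observed behaviour in endpoint and network telemetry.

Added example; not code from the MalwareBazaar page or from any sandbox vendor.
IOC values come from the behaviour graph above. The event records are
constructed, and the field names (type, pid, ppid, image, dst_host, dst_ip,
dst_port) are an assumed normalised schema rather than a specific product's.
"""
from collections import defaultdict

C2_DOMAIN = "butbuydayfulti.nl"
C2_IP = "51.195.57.229"
C2_PORT = 2340
# Also resolved in the sandbox, but shared, legitimate hosting: report, do not block.
SHARED_HOSTS = {"imagizer.imageshack.com", "h9i4k4c8.stackpathcdn.com"}
# Injection chain from the graph: dropped UtorrentV4.exe -> notepad.exe -> cmd.exe
CHAIN = ("utorrentv4.exe", "notepad.exe", "cmd.exe")

# Constructed telemetry. pids 100-400 replay the sandbox chain; 500-700 are benign
# noise (an image-host fetch, a user-launched notepad, an unrelated port-2340 flow).
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1,   "image": r"C:\Users\user\AppData\Local\Temp\Xh6xP34KWr.tmp"},
    {"type": "process", "pid": 200, "ppid": 100, "image": r"C:\Users\user\AppData\Roaming\UtorrentV4.exe"},
    {"type": "process", "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "process", "pid": 400, "ppid": 300, "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "network", "pid": 400, "dst_host": "butbuydayfulti.nl", "dst_ip": "51.195.57.229", "dst_port": 2340},
    {"type": "network", "pid": 500, "dst_host": "imagizer.imageshack.com", "dst_ip": None, "dst_port": 443},
    {"type": "process", "pid": 600, "ppid": 1,   "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "network", "pid": 700, "dst_host": None, "dst_ip": "203.0.113.7", "dst_port": 2340},
]


def _name(image: str) -> str:
    """Lower-cased file name of an image path, tolerant of either separator."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_injection_chains(events) -> list:
    """pids of cmd.exe processes whose ancestry is exactly
    UtorrentV4.exe -> notepad.exe -> cmd.exe, as in the sandbox graph."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = []
    for pid, proc in procs.items():
        lineage, cur = [], proc
        while cur is not None and len(lineage) < len(CHAIN):
            lineage.append(_name(cur["image"]))
            cur = procs.get(cur["ppid"])
        if tuple(reversed(lineage)) == CHAIN:
            hits.append(pid)
    return sorted(hits)


def classify_connection(event):
    """Rate one network event against the C2 IOCs. Domain or IP is a strong
    match; port 2340 by itself is only a weak hint, since any service may use it."""
    if event.get("dst_host") in SHARED_HOSTS:
        return "info"
    if event.get("dst_host") == C2_DOMAIN or event.get("dst_ip") == C2_IP:
        return "high"
    if event.get("dst_port") == C2_PORT:
        return "low"
    return None


def triage(events) -> dict:
    """Group pids by confidence. A C2 match from a process inside the injection
    chain reproduces the sandbox graph end to end and is escalated to 'critical'."""
    chain_pids = set(find_injection_chains(events))
    verdicts = defaultdict(list)
    for e in events:
        if e["type"] != "network":
            continue
        level = classify_connection(e)
        if level is None:
            continue
        if level == "high" and e["pid"] in chain_pids:
            level = "critical"
        verdicts[level].append(e["pid"])
    verdicts["chain"] = sorted(chain_pids)
    return dict(verdicts)


if __name__ == "__main__":
    for level, pids in sorted(triage(EVENTS).items()):
        print(f"{level:9s} {pids}")
```

On the constructed events only the cmd.exe that sits under the injected notepad.exe and talks to butbuydayfulti.nl is rated critical; the stray port-2340 flow is rated low and the image-host fetch is informational. Feed it normalised process-create and network-connect events from Sysmon or an EDR in place of EVENTS.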
Result
Threat name: Win32.Backdoor.ParallaxRat
Status: Malicious
First seen: 2021-07-26 21:37:47 UTC
File type: PE (Exe)
Extracted files: 334
AV detection: 12 of 46 (26.09%)
Threat level: 5/5
Result
Malware family: parallax
Score: 10/10
Tags: family:parallax rat suricata upx
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
UPX packed file
ParallaxRat
ParallaxRat payload
suricata: ET MALWARE Parallax CnC Response Activity M14
Unpacked files
File 1
SHA256 hash: fcf5f6ec4de5b314f53e4ad79afa31a8461428459060ac5e17ef132b54a7aa10
MD5 hash: a1a17d158af58d4a2ff724fdb6231bf1
SHA1 hash: 38345deb7968ca59615c2e9a0677ba2f468d0f72
File 2
SHA256 hash: bd1ef6b8ea78fb275b2f0bf5cd1dff428ac5051a97be0f7e64055ac9f525fa48
MD5 hash: d227860c11ab2a28e5af5f3106df4c93
SHA1 hash: ea8a0dd193436c866e9defd1eac2c525cc454f61
File 3
SHA256 hash: 155724a94475a9c1260d7e12e0c99f083b7193a988c72592db28b0511be07ded
MD5 hash: b5bb3aa435c3b59dd7134e6fa95f53e8
SHA1 hash: 8de2b6302641325ff1d755fbd72f8fdf4ea9cc13
Detections: win_houdini_auto
File 4
SHA256 hash: 04a9566c80431c7d1563c029c419f63da04bf16df6da397591757b7650b8eed6
MD5 hash: 259c67283bb26d92e197a784733cb30a
SHA1 hash: 208f90038789fd434327ccb970bba120865d6976
File 5 (the submitted sample itself)
SHA256 hash: dd2b6e5b02de97b7888bb22135c2c9771c6a2477a59e96463141c36d30e80fbb
MD5 hash: 1b890e13edc227f3605e8725fa62c4c3
SHA1 hash: 65979c3b01a41b7b5939d7808d3791350b65e6fa
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sectigo_Code_Signed
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments