MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df3dabd031184b67bab7043baaae17061c21939d725e751c0a6f6b7867d0cf34. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ParallaxRAT

Vendor detections: 10
SHA256 hash: df3dabd031184b67bab7043baaae17061c21939d725e751c0a6f6b7867d0cf34
SHA3-384 hash: d008b1bc23a2f1433ed9ce3578e0341a4226fb8dbfdc7dfdc0bdf5e2e32d0d2aed9d351eea9d886322b9ccfa7ab89ed5
SHA1 hash: f3ac02099a0619d17c5a51797727517b03b17a55
MD5 hash: 50e671ffe182a6063fb4dd4ef25cee71
humanhash: nineteen-coffee-lamp-edward
File name: 50E671FFE182A6063FB4DD4EF25CEE71.exe
Signature: ParallaxRAT
File size: 6'929'136 bytes
First seen: 2021-07-18 06:50:25 UTC
Last seen: 2021-07-27 09:14:18 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5a594319a0d69dbc452e748bcf05892e (21 x ParallaxRAT, 20 x Gh0stRAT, 15 x NetSupport)
ssdeep: 98304:MSi+jqKoe4F0ALnZuIsE5zYytrEl9fKAdb95BnMx4GANs7Lp2OgGxyYTh5V5W:/GLZuU5M8gl9V9mAsHZNUQ0
Threatray: 2'667 similar samples on MalwareBazaar
TLSH: T15E66223BB258A13EC9AE07724673C250997BBA75E81E8C0E57F0050DCFB66711E3B616
Reporter: abuse_ch
Tags: 51.195.57.229 DYNAMX BUSINESS GROUP LTD exe ParallaxRAT

abuse_ch
ParallaxRAT C2:
51.195.57.229:5555

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                  ThreatFox Reference
51.195.57.229:5555   https://threatfox.abuse.ch/ioc/160927/

Intelligence


File Origin
# of uploads: 3
# of downloads: 181
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 50E671FFE182A6063FB4DD4EF25CEE71.exe
Verdict: Malicious activity
Analysis date: 2021-07-18 06:52:53 UTC
Tags: installer trojan parallax

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Parallax RAT
Detection: malicious
Classification: troj.evad
Score: 81 / 100
Signature
Allocates memory in foreign processes
Hijacks the control flow in another process
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Regsvr32 Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected Parallax RAT
Behaviour
Behavior Graph (ID: 450309, sample: HUCGOYy2oO.exe, start date: 18/07/2021, architecture: WINDOWS, score: 81)
Resolved hosts: maniaurubarprlxspm.nl, ipv4.imgur.map.fastly.net, i.imgur.com
Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Icon mismatch, binary includes an icon from a different legit application in order to fool users; 3 other signatures
Process tree:
  HUCGOYy2oO.exe (started)
    dropped: C:\Users\user\AppData\...\HUCGOYy2oO.tmp (PE32)
    HUCGOYy2oO.tmp (started)
      dropped: C:\Users\user\AppData\Local\cmdl32.exe (PE32), C:\Users\user\AppData\Local\vclimg220.bpl (PE32), C:\Users\user\AppData\Local\vcl220.bpl (PE32), 24 other files (none is malicious)
      cmdl32.exe (started)
        signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Hijacks the control flow in another process; Writes to foreign memory regions; Allocates memory in foreign processes
        dllhost.exe (started)
          signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Hijacks the control flow in another process; Writes to foreign memory regions; Maps a DLL or memory area into another process
          cmd.exe (started)
            network: maniaurubarprlxspm.nl 51.195.57.229, ports 49741, 49744, 49751 (OVHFR, France)
            signature: Overwrites code with unconditional jumps - possibly settings hooks in foreign process
          cmd.exe (started)
            signature: Tries to detect virtualization through RDTSC time measurements
Threat name: Win32.Downloader.Penguish
Status: Malicious
First seen: 2021-07-15 21:04:27 UTC
AV detection: 9 of 28 (32.14%)
Threat level: 3/5
Result
Malware family: parallax
Score: 10/10
Tags: family:parallax rat
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
ParallaxRat
ParallaxRat payload
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: crime_win32_rat_parralax_shell_bin
Author: @VK_Intel
Description: Detects Parallax injected code
Reference: https://twitter.com/VK_Intel/status/1257714191902937088

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name: MAL_crime_win32_rat_parallax_shell_bin
Author: @VK_Intel
Description: Detects Parallax injected code
Reference: https://twitter.com/VK_Intel/status/1257714191902937088

Rule name: Sectigo_Code_Signed
Description: Detects code signed by the Sectigo RSA Code Signing CA
Reference: https://bazaar.abuse.ch/export/csv/cscb/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments