MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ParallaxRAT

Vendor detections: 12

SHA256 hash: efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1
SHA3-384 hash: 343dd2213ba296dbc4eed7c5f990abbbef86ed556c41b6b9efaec6e788f0e928ee4bb892bb520d2ac42c1a8fd5529b06
SHA1 hash: 0937bbe1199fdca67cad8836e0b3b109aead8fb6
MD5 hash: a65903fca5089fb8959cd9ea6c96da3b
humanhash: nevada-ten-hot-edward
File name: efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1
Signature: ParallaxRAT
File size: 10'552'448 bytes
First seen: 2021-10-21 10:20:43 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5a594319a0d69dbc452e748bcf05892e (21 x ParallaxRAT, 20 x Gh0stRAT, 15 x NetSupport)
ssdeep: 196608:0U2iUnlrh80qwSzzlmxSMTy4HFia21iLbC6Rd4AebYVp/Xe1l+n:q5nlrhcQxSMT5il1iLf4Aeb4Xi+n
Threatray: 202 similar samples on MalwareBazaar
TLSH: T15AB6233FF268A53FD46E1B3245739260887B7A61781A8C2B47FC794CCF365600E3A656
dhash icon: 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter: JAMESWT_WT
Tags: 51.195.57.233 exe matricianebpk2mas.pw ParallaxRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 226
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1
Verdict: Malicious activity
Analysis date: 2021-10-21 10:15:04 UTC
Tags: installer trojan parallax

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
  Verdict: Likely Malicious
  Threat level: 7.5/10
  Confidence: 100%
Tags: overlay packed

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Parallax RAT
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Hijacks the control flow in another process
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected Parallax RAT
Behaviour
Behavior Graph (ID 506913; sample ewl3VqMnhX; start date 21/10/2021; architecture WINDOWS; score 100):
  Contacted hosts: matricianebpk2mas.pw; imagizer.imageshack.com; h9i4k4c8.stackpathcdn.com
  Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 2 other signatures
  Process chain:
    ewl3VqMnhX.exe (started from the sample)
      dropped: C:\Users\user\AppData\...\ewl3VqMnhX.tmp (PE32)
      started: ewl3VqMnhX.tmp
    ewl3VqMnhX.tmp
      dropped: C:\Users\user\AppData\Roaming\winhlp.exe (PE32); C:\Users\user\AppData\Roaming\MSIMG32.dll (PE32); C:\Users\user\AppData\Local\...\winhlp.exe (PE32); 8 other files (1 malicious)
      started: winhlp.exe
    winhlp.exe
      signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Hijacks the control flow in another process
      started: dllhost.exe
    dllhost.exe
      network: h9i4k4c8.stackpathcdn.com 151.139.128.11 (ports 443, 49817, 49818; HIGHWINDS3US, United States); imagizer.imageshack.com
      signatures: System process connects to network (likely due to code injection or exploit); Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Hijacks the control flow in another process; 2 other signatures
      started: cmd.exe
    cmd.exe
      signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Threat name: Win32.Downloader.Penguish
Status: Malicious
First seen: 2021-09-07 19:44:12 UTC
AV detection: 17 of 43 (39.53%)
Threat level: 3/5

Result
Malware family: parallax
Score: 10/10
Tags: family:parallax rat suricata upx
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
UPX packed file
ParallaxRat
ParallaxRat payload
suricata: ET MALWARE Parallax CnC Response Activity M14
Unpacked files

SHA256 hash: 4daf3a4d3d7a213e86e667f66ec57fd81d0a833ee161be5db63ce5af48e4a5b7
MD5 hash: 448a6f10fc2629c90d3004cdf9a66615
SHA1 hash: eec69ae3ddc6af27de19eebf1aca98ef5070dc62

SHA256 hash: ab209544ea6f87e294a705e8e370f015141b53cdf61d3f82779cb8ea3782018c
MD5 hash: 9fce40e0a36054ca80855baa1e57b8b7
SHA1 hash: fbbed301eb77b2bda312c528df46574ed2af9fb0

SHA256 hash: c234a9221bfffc0e117ebbf8c440ac7ba389750167e694a5517921f8641935a9
MD5 hash: f93ecaa44932c55338dd5282106c1df3
SHA1 hash: 9f444fea5dfd0ca3814121ac59958dd7ec68e677

SHA256 hash: b8949083e13c347c7c8b3385bcd9cd9bd23ad836ad4fa45ac5f176ff2477f101
MD5 hash: ddfcdae7448eb73c69e88f1627018119
SHA1 hash: 92e93e81900a57eb2412914e720b12ecc53f88f0

SHA256 hash: f9da1dd8f086e5baf900ae2d9f64a408c7a2e97ff18ff0c9ce2d367088663cae
MD5 hash: 96fad8da2c6f71cccebe8f1325e28609
SHA1 hash: 863de78fb4ab87ee87a3635229a6d8aee3b0d058
Detections: win_houdini_auto

SHA256 hash: e39190ad1cec84c22a38b1119c95ce33cf3adf0d4672de6fd50646aa8a0110b1
MD5 hash: 4c90d39082b3f71687f8a49f0d0b6fdd
SHA1 hash: 441167cfe9d5e1f098dc739d62ae50d595b17f27

SHA256 hash: d4eb8f8f03146518a7d6c008f9c761270fb4b2e232bc339919a4b8c933873131
MD5 hash: dd0edfde096c5acb72a52588d55a5617
SHA1 hash: 56ccbba8010cdbea9c5d195c5c5ad232a18f840b

SHA256 hash: efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1
MD5 hash: a65903fca5089fb8959cd9ea6c96da3b
SHA1 hash: 0937bbe1199fdca67cad8836e0b3b109aead8fb6
Please note that we are no longer able to provide a coverage score for Virus Total.
