MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f37f40245387cf924b4692267251875273ef75ad03fa9f92d73ab021f5c9e307. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ParallaxRAT


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f37f40245387cf924b4692267251875273ef75ad03fa9f92d73ab021f5c9e307
SHA3-384 hash: 97e19e7c0d237336820ec04212b767f5ebe242e1dad7780b36b4115fcb892dcdb8090db43ffeb526eca28a8e63ef2c31
SHA1 hash: bab2316f721d23b3607ee888be673ef76311b184
MD5 hash: 0789465bc17bc4852eb45209aab31f7c
humanhash: idaho-freddie-pizza-one
File name:SOYKAL MID YEAR REQUEST 202090404885554540000009004954.exe
Download: download sample
Signature ParallaxRAT
Create hunting rule
File size:1'544'872 bytes
First seen:2020-07-10 09:23:56 UTC
Last seen:2020-07-10 10:14:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 67b246f5bc27b6a1b537c01e50aff789 (3 x RemcosRAT, 3 x AveMariaRAT, 1 x ParallaxRAT)
ssdeep 12288:edNBlWS3MVbDQmQQSzZEjBcoIdGmYbLxjfjj:GbvcbDQmQzGjz2Gnbl
Threatray 277 similar samples on MalwareBazaar
TLSH 91657E22F2E18537F16A1A78CC4B97A55839BDD33D24EC463BE83D0C5F39681782A197
Reporter abuse_ch
Tags:exe nVpn ParallaxRAT RAT


Avatar
abuse_ch
Malspam distributing ParallaxRAT:

HELO: mix0.aubry-gaspard.org
Sending IP: 139.28.220.74
From: Burak Kocamaz <trade-dept@aubry-gaspard.org>
Reply-To: <import@soykal.org>
Subject: Attn: New MID YEAR Request Order Jul2020 TT 76HGT
Attachment: SOYKAL MID YEAR REQUEST 2020.rar (contains "SOYKAL MID YEAR REQUEST 202090404885554540000009004954.exe")

ParallaxRAT C2:
plunder.nsupdate.info:8888 (79.134.225.111)

Pointing to nVpn:

% Information related to '79.134.225.64 - 79.134.225.127'

% Abuse contact for '79.134.225.64 - 79.134.225.127' is 'abuse@your-vpn.network'

inetnum: 79.134.225.64 - 79.134.225.127
netname: YOUR_VPN_NETWORK
country: DE
remarks: ****************************************************
remarks: This subnet belongs to a VPN service provider.
remarks: We protect the right to privacy, which means
remarks: we don't log the activities of our users.
remarks: ****************************************************
admin-c: EH4074-RIPE
tech-c: YVN10-RIPE
status: ASSIGNED PA
abuse-c: YVN10-RIPE
org: ORG-YVN1-RIPE
mnt-by: AF15-MNT
created: 2019-07-19T18:26:38Z
last-modified: 2019-07-19T18:51:28Z
source: RIPE

Intelligence

File Origin
# of uploads :
2
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/24332/
Detection(s):
SecuriteInfo.com.BScope.Trojan.Downloader.32704.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f37f40245387cf924b4692267251875273ef75ad03fa9f92d73ab021f5c9e307/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-07-10 09:25:06 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6n7uajctq7hzes2gsitheumhkjz665nnap5j7ewxhkycd5oj4mdq._file
Verdict:
malicious
Similar samples:
2ae1c7a5828344b803f6c5085ff52866be49fc5ec3c3e868d850283a6e8fce59
ParallaxRAT
4723ab5ed01fb642eb602ff59309d4d698e6011145ca1b757bb223b5a67fe159
ParallaxRAT
505aa5b6bf77290ec7ccdd2b24b8ff8ef779f01d57ad690f632d8b2736f2a8dd
ParallaxRAT
509f5caf90d71205d4e67c01307ac35bffe286e08a3e544f05a38eb72f149a1f
ParallaxRAT
67bd0297c3cec70aff4d67aef73ca59618baceef4ee5801cefe7682fa2725ca7
ParallaxRAT
76c2929d5ccb9232c3e3b9825bbde0f7fb135a1cdc035297322212b48f1b91c3
ParallaxRAT
8f981c2c2a5ec61765f189e952dd76f4e3d375aec7b8bd941d563b01519769e1
ParallaxRAT
a0ed7d0e67e9e7ccddf7e41cd11a81effd829ff27421471d7d303ac0776d6571
ParallaxRAT
b3550779f1211365321210344de50d32f4e0477c2817919474d0bf49574fcd01
ParallaxRAT
b51e81e44593c2c42ae412b692c46be3c6b1e4ac46c951e708618da5919403d3
ParallaxRAT
+ 267 additional samples on MalwareBazaar
Result
Malware family:
parallax
Create hunting rule
Score:
  10/10
Tags:
persistence rat family:parallax
Link:
https://tria.ge/reports/200710-1hac6mxkva/
Behaviour
Suspicious use of WriteProcessMemory
Modifies registry key
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Adds Run entry to start application
Executes dropped EXE
ParallaxRat
ParallaxRat payload
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_parallax_w0
Create hunting rule
Author:jeFF0Falltrades

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ParallaxRAT

rar 860d73c3ab1f493aa2712d4d84e79139b99af1fd89764f1b61dc3cb604ce2e3c

ParallaxRAT

Executable exe f37f40245387cf924b4692267251875273ef75ad03fa9f92d73ab021f5c9e307

(this sample)

  
Dropped by
MD5 08e8d3180f98a859fc0d05efe47f5b08
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/24332/
  
Dropped by
SHA256 860d73c3ab1f493aa2712d4d84e79139b99af1fd89764f1b61dc3cb604ce2e3c

Comments