MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9f9b147e1f262190e4409693cdc0e472b92ef6d47af97058f27e77a0b74a1a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ParallaxRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f9f9b147e1f262190e4409693cdc0e472b92ef6d47af97058f27e77a0b74a1a4
SHA3-384 hash: 575b24632235ccad884393cf45132dd71308560efc973c1970f9450a51286b8a9462ff6f938e2bf8e475c7b4dc4129e7
SHA1 hash: 0343b740682726b0e26ebb12725545a3cd7528fb
MD5 hash: 852646191db6768157a7fddcc13afed2
humanhash: north-march-failed-freddie
File name:adobeupd.exe
Download: download sample
Signature ParallaxRAT
Create hunting rule
File size:1'588'927 bytes
First seen:2020-09-18 18:03:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:IAOcZwXYIyflIMxAvV5k6WWzJHpi2MQ5g/t9Q2KpveI4oWpRb/PHIXfTtr:mQdIMxsVaWzJHpZMQ0tpx9sTB
Threatray 228 similar samples on MalwareBazaar
TLSH 60752311BAC2CC73E47209365938A3156D7E7D201F3A9A7F63D8691EE9395803638B73
Reporter James_inthe_box
Tags:exe ParallaxRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
98
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %AppData% subdirectories
Sending a UDP request
Creating a process from a recently created file
Launching a process
Transferring files using the Background Intelligent Transfer Service (BITS)
DNS request
Sending a custom TCP request
Creating a file in the %temp% directory
Deleting a recently created file
Sending an HTTP GET request
Unauthorized injection to a system process
Result
Threat name:
Tinynuke / Nukebot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/470354
Signature
Allocates memory in foreign processes
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to register a low level keyboard hook
Detected Tinynuke / Nukebot malware
Found Tor onion address
Hijacks the control flow in another process
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected TinyNuke
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 287555 Sample: adobeupd.exe Startdate: 18/09/2020 Architecture: WINDOWS Score: 100 41 ipv4.imgur.map.fastly.net 2->41 43 i.imgur.com 2->43 57 Multi AV Scanner detection for domain / URL 2->57 59 Multi AV Scanner detection for submitted file 2->59 61 Detected Tinynuke / Nukebot malware 2->61 63 3 other signatures 2->63 10 adobeupd.exe 9 2->10         started        signatures3 process4 file5 29 C:\Users\user\AppData\...\openvpn-gui.exe, PE32 10->29 dropped 31 C:\Users\user\AppData\...\libcrypto-1_1.dll, PE32 10->31 dropped 13 openvpn-gui.exe 10->13         started        process6 signatures7 71 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 13->71 73 Hijacks the control flow in another process 13->73 75 Writes to foreign memory regions 13->75 77 Allocates memory in foreign processes 13->77 16 extrac32.exe 14 13->16         started        process8 dnsIp9 35 ipv4.imgur.map.fastly.net 151.101.12.193, 443, 49719, 49728 FASTLYUS United States 16->35 37 192.168.2.1 unknown unknown 16->37 39 i.imgur.com 16->39 49 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 16->49 51 Hijacks the control flow in another process 16->51 53 Writes to foreign memory regions 16->53 55 Maps a DLL or memory area into another process 16->55 20 cmd.exe 16->20         started        23 cmd.exe 14 16->23         started        signatures10 process11 dnsIp12 65 Contains functionality to register a low level keyboard hook 20->65 67 Contains functionality to compare user and computer (likely to detect sandboxes) 20->67 45 128.31.0.39, 49730, 9131 MIT-GATEWAYSUS United States 23->45 47 193.23.244.244, 49729, 80 CHAOS-ASDE Germany 23->47 69 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 23->69 26 WerFault.exe 23 9 23->26         started        signatures13 process14 file15 33 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 26->33 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f9f9b147e1f262190e4409693cdc0e472b92ef6d47af97058f27e77a0b74a1a4/
Threat name:
Win32.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-09-18 09:21:25 UTC
File Type:
PE (Exe)
Extracted files:
91
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7h43cr7b6jrbsdsebfutzxaoi4vzf33ni6xzobmpe7txuc3uugsa._file
Verdict:
malicious
Similar samples:
076dfc0a55afc36cdfd6dff84cfd0feae23029843e745b7f122980b341f7b710
ParallaxRAT
1678611ad4996f718c0a8998ce194dfe117bf47529c4ccad51a6816ecf4f1bb4
ParallaxRAT
1acf4f64dbce46e70553494cf02959634528477066cc736e3f49df3bb6253923
ParallaxRAT
1bf1041ceb0ca8999ab06220a4d1fd4ae389860ddf8687dab297c9940b40236e
ParallaxRAT
2bfcc18ff3157d5b800d7d8f3d2ca77a131f228a7e37c64632977073efa9d279
ParallaxRAT
68313d4b45cc908f541dd581d7b9d1e8ccadcbf205714c12c36b58083ada7345
ParallaxRAT
6b9fc5c25a2b8fdb0b218dbc96f51d59dbf5c486d2bfc39eed32660f3c238bc8
ParallaxRAT
c4b40854b0d96e0967c64ee0f80d41222d57029ec9e3e4b72f4232291879caad
ParallaxRAT
e34ce3660cbabe945aadb571016cbd7e73ca4a7baa6e9cd64a3615b6474ccdc8
ParallaxRAT
f9e386914a47b738dcfe89fadf3021be00c2dfe8824d8326ea79fcd79d3673cc
ParallaxRAT
+ 218 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware
Link:
https://tria.ge/reports/200918-xynnfct43a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Drops file in Windows directory
Loads dropped DLL
Reads user/profile data of web browsers
Loads dropped DLL
Reads user/profile data of web browsers
Blacklisted process makes network request
Executes dropped EXE
Blacklisted process makes network request
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Backdoor
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f9f9b147e1f262190e4409693cdc0e472b92ef6d47af97058f27e77a0b74a1a4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_win32_rat_parralax_shell_bin
Create hunting rule
Author:@VK_Intel
Description:Detects Parallax injected code
Reference:https://twitter.com/VK_Intel/status/1257714191902937088
Rule name:MAL_crime_win32_rat_parallax_shell_bin
Create hunting rule
Author:@VK_Intel
Description:Detects Parallax injected code
Reference:https://twitter.com/VK_Intel/status/1257714191902937088

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/63498/

Comments