parallax | d9ace2d97010316fdb0f416920232e8d4c59b01614633c4d5def79abb15d0175

General

Target

d9ace2d97010316fdb0f416920232e8d4c59b01614633c4d5def79abb15d0175.exe
Size

503KB
MD5

a90b8dc903e0f6c26f6f82f7147cb736
SHA1

251c2a7aa54c9d593e9f3dc8dc62bfbdf4ad6063
SHA256

d9ace2d97010316fdb0f416920232e8d4c59b01614633c4d5def79abb15d0175
SHA512

22684313ff858f93d49f1c54d20647c918277422e908d8bc724974f3eaa2e27acaf354e04afb1389fdd043c39b3c9b1bbfd3054d178c88df79ac7ab21bf0212a

Score

10^/10

parallax rat

Malware Config

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 1 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral1/memory/1772-7-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
1656	d9ace2d97010316fdb0f416920232e8d4c59b01614633c4d5def79abb15d0175.exe
1656	d9ace2d97010316fdb0f416920232e8d4c59b01614633c4d5def79abb15d0175.exe
1656	d9ace2d97010316fdb0f416920232e8d4c59b01614633c4d5def79abb15d0175.exe
1656	d9ace2d97010316fdb0f416920232e8d4c59b01614633c4d5def79abb15d0175.exe
1656	d9ace2d97010316fdb0f416920232e8d4c59b01614633c4d5def79abb15d0175.exe
1656	d9ace2d97010316fdb0f416920232e8d4c59b01614633c4d5def79abb15d0175.exe
1656	d9ace2d97010316fdb0f416920232e8d4c59b01614633c4d5def79abb15d0175.exe
1656	d9ace2d97010316fdb0f416920232e8d4c59b01614633c4d5def79abb15d0175.exe
1656	d9ace2d97010316fdb0f416920232e8d4c59b01614633c4d5def79abb15d0175.exe
1656	d9ace2d97010316fdb0f416920232e8d4c59b01614633c4d5def79abb15d0175.exe
1656	d9ace2d97010316fdb0f416920232e8d4c59b01614633c4d5def79abb15d0175.exe
1656	d9ace2d97010316fdb0f416920232e8d4c59b01614633c4d5def79abb15d0175.exe
1656	d9ace2d97010316fdb0f416920232e8d4c59b01614633c4d5def79abb15d0175.exe
1656	d9ace2d97010316fdb0f416920232e8d4c59b01614633c4d5def79abb15d0175.exe
1656	d9ace2d97010316fdb0f416920232e8d4c59b01614633c4d5def79abb15d0175.exe
1656	d9ace2d97010316fdb0f416920232e8d4c59b01614633c4d5def79abb15d0175.exe
1656	d9ace2d97010316fdb0f416920232e8d4c59b01614633c4d5def79abb15d0175.exe
1656	d9ace2d97010316fdb0f416920232e8d4c59b01614633c4d5def79abb15d0175.exe
1656	d9ace2d97010316fdb0f416920232e8d4c59b01614633c4d5def79abb15d0175.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 1772	1656	d9ace2d97010316fdb0f416920232e8d4c59b01614633c4d5def79abb15d0175.exe	29
PID 1656 wrote to memory of 1772	1656	d9ace2d97010316fdb0f416920232e8d4c59b01614633c4d5def79abb15d0175.exe	29
PID 1656 wrote to memory of 1772	1656	d9ace2d97010316fdb0f416920232e8d4c59b01614633c4d5def79abb15d0175.exe	29
PID 1656 wrote to memory of 1772	1656	d9ace2d97010316fdb0f416920232e8d4c59b01614633c4d5def79abb15d0175.exe	29
PID 1656 wrote to memory of 1772	1656	d9ace2d97010316fdb0f416920232e8d4c59b01614633c4d5def79abb15d0175.exe	29
PID 1656 wrote to memory of 1772	1656	d9ace2d97010316fdb0f416920232e8d4c59b01614633c4d5def79abb15d0175.exe	29
PID 1656 wrote to memory of 1772	1656	d9ace2d97010316fdb0f416920232e8d4c59b01614633c4d5def79abb15d0175.exe	29
PID 1656 wrote to memory of 1772	1656	d9ace2d97010316fdb0f416920232e8d4c59b01614633c4d5def79abb15d0175.exe	29
PID 1656 wrote to memory of 1772	1656	d9ace2d97010316fdb0f416920232e8d4c59b01614633c4d5def79abb15d0175.exe	29
PID 1656 wrote to memory of 1772	1656	d9ace2d97010316fdb0f416920232e8d4c59b01614633c4d5def79abb15d0175.exe	29
PID 1656 wrote to memory of 1772	1656	d9ace2d97010316fdb0f416920232e8d4c59b01614633c4d5def79abb15d0175.exe	29
PID 1656 wrote to memory of 1772	1656	d9ace2d97010316fdb0f416920232e8d4c59b01614633c4d5def79abb15d0175.exe	29
PID 1656 wrote to memory of 1772	1656	d9ace2d97010316fdb0f416920232e8d4c59b01614633c4d5def79abb15d0175.exe	29
PID 1656 wrote to memory of 1772	1656	d9ace2d97010316fdb0f416920232e8d4c59b01614633c4d5def79abb15d0175.exe	29
PID 1656 wrote to memory of 1772	1656	d9ace2d97010316fdb0f416920232e8d4c59b01614633c4d5def79abb15d0175.exe	29
PID 1656 wrote to memory of 1772	1656	d9ace2d97010316fdb0f416920232e8d4c59b01614633c4d5def79abb15d0175.exe	29

C:\Users\Admin\AppData\Local\Temp\d9ace2d97010316fdb0f416920232e8d4c59b01614633c4d5def79abb15d0175.exe
"C:\Users\Admin\AppData\Local\Temp\d9ace2d97010316fdb0f416920232e8d4c59b01614633c4d5def79abb15d0175.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\SysWOW64\dllhost.exe
  "C:\Users\Admin\AppData\Local\Temp\d9ace2d97010316fdb0f416920232e8d4c59b01614633c4d5def79abb15d0175.exe"
  2⤵
  PID:1772

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1656-2-0x0000000001BC0000-0x0000000001C3B000-memory.dmp

Filesize
492KB

Download
memory/1656-5-0x0000000001C90000-0x0000000001E10000-memory.dmp

Filesize
1.5MB

Download
memory/1772-4-0x00000000765A1000-0x00000000765A3000-memory.dmp

Filesize
8KB

Download
memory/1772-6-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/1772-7-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing