parallax | bda3868320633ed3af8b26997af76d2a5853b3c8d4e2951efec4510809b1011b

General

Target

SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe
Size

3.4MB
MD5

cdf6a63fd74ea83f310a796a9c21c659
SHA1

6637b6960b46f412a15e3a6eadaeda147a27a49b
SHA256

bda3868320633ed3af8b26997af76d2a5853b3c8d4e2951efec4510809b1011b
SHA512

90b8c0b0ea11daa42bd28e4b086161ca79dcb100cd727ecc041671d568178d4ae01e20c24187ce7366ec7855058ca28c1a1582ffded78a214420862f9b1f0c27

Score

10^/10

parallax rat

Malware Config

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 1 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral2/memory/2688-120-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat

Blocklisted process makes network request 1 IoCs

flow	pid	Process
8	2688	rundll32.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe
3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe
3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe
3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe
3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe
3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe
3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe
3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe
3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe
3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe
3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe
3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe
3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe
3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe
3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe
3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe
3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe
3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe
3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe
3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe
3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe
3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe
3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe
3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe
3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe
3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe
3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe
3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe
3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe
3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe
3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe
3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe
3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe
3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe
3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe
3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe
3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe
3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe
3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe
3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe
3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe
3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe
3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe
3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2764	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2764	Explorer.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3156 wrote to memory of 2688	3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe	76
PID 3156 wrote to memory of 2688	3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe	76
PID 3156 wrote to memory of 2688	3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe	76
PID 3156 wrote to memory of 2688	3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe	76
PID 3156 wrote to memory of 2688	3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe	76
PID 3156 wrote to memory of 2688	3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe	76
PID 3156 wrote to memory of 2688	3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe	76
PID 3156 wrote to memory of 2688	3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe	76
PID 3156 wrote to memory of 2688	3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe	76
PID 3156 wrote to memory of 2688	3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe	76
PID 3156 wrote to memory of 2688	3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe	76
PID 3156 wrote to memory of 2688	3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe	76
PID 3156 wrote to memory of 2688	3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe	76
PID 3156 wrote to memory of 2688	3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe	76
PID 3156 wrote to memory of 2688	3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe	76
PID 3156 wrote to memory of 2764	3156	SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe	24

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
PID:2764
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3156
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46749217.11128.26597.exe"
    3⤵
    - Blocklisted process makes network request
    PID:2688

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2688-119-0x0000000002F70000-0x0000000002F71000-memory.dmp

Filesize
4KB

Download
memory/2688-120-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2764-124-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/3156-114-0x0000000002540000-0x00000000025BB000-memory.dmp

Filesize
492KB

Download
memory/3156-118-0x00000000025C0000-0x000000000274E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-122-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/3156-123-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/3156-121-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing