parallax | cad77abbfbf7a3e5e51c3663496519b82b48ca4bba75d3dd2343010e174942f3

General

Target

b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe
Size

491KB
MD5

0b8b808ee70becf682a94715f091e8f7
SHA1

f9a73fee90079338f2ef10a3c1513f3e13ace777
SHA256

b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638
SHA512

7bbad7be37f871e04dd454b14b5fc09921bc59e6e17da8c79e5beb2bc33760fefff9d1ba37d43b8aafd5522c9dd38f89bb558c4b4eb304d33bfb0f92de0edefc

Score

10^/10

parallax rat

Malware Config

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 1 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral2/memory/3672-123-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe
3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe
3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe
3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe
3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe
3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe
3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe
3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe
3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe
3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe
3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe
3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe
3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe
3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe
3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe
3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe
3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe
3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe
3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe
3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe
3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe
3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe
3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe
3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe
3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe
3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe
3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe
3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe
3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe
3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe
3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe
3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe
3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe
3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe
3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe
3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe
3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe
3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3996 wrote to memory of 3324	3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe	76
PID 3996 wrote to memory of 3324	3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe	76
PID 3996 wrote to memory of 3324	3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe	76
PID 3996 wrote to memory of 3664	3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe	77
PID 3996 wrote to memory of 3664	3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe	77
PID 3996 wrote to memory of 3664	3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe	77
PID 3996 wrote to memory of 3672	3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe	78
PID 3996 wrote to memory of 3672	3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe	78
PID 3996 wrote to memory of 3672	3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe	78
PID 3996 wrote to memory of 3672	3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe	78
PID 3996 wrote to memory of 3672	3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe	78
PID 3996 wrote to memory of 3672	3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe	78
PID 3996 wrote to memory of 3672	3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe	78
PID 3996 wrote to memory of 3672	3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe	78
PID 3996 wrote to memory of 3672	3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe	78
PID 3996 wrote to memory of 3672	3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe	78
PID 3996 wrote to memory of 3672	3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe	78
PID 3996 wrote to memory of 3672	3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe	78
PID 3996 wrote to memory of 3672	3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe	78
PID 3996 wrote to memory of 3672	3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe	78
PID 3996 wrote to memory of 3672	3996	b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe	78

C:\Users\Admin\AppData\Local\Temp\b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe
"C:\Users\Admin\AppData\Local\Temp\b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3996
- C:\Windows\SysWOW64\dllhost.exe
  "C:\Users\Admin\AppData\Local\Temp\b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe"
  2⤵
  PID:3324
- C:\Windows\SysWOW64\dllhost.exe
  "C:\Users\Admin\AppData\Local\Temp\b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe"
  2⤵
  PID:3664
- C:\Windows\SysWOW64\dllhost.exe
  "C:\Users\Admin\AppData\Local\Temp\b4010bf318221741f9b99ce7b4cc297c865bba0462f5b6a207b3b6c545658638.exe"
  2⤵
  PID:3672

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3672-123-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3672-122-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/3996-121-0x0000000001FE0000-0x000000000216E000-memory.dmp

Filesize
1.6MB

Download
memory/3996-120-0x0000000001E60000-0x0000000001EDB000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing