parallax | b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26

General

Target

b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.exe
Size

19.5MB
MD5

2710feba607afde5c935bb5183333bbb
SHA1

c22be1aaeb64338a1ca5c26df721a57b2f5909df
SHA256

b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26
SHA512

3f7bf63e50be3be96f5f658fc8132011700da1dde62c7a63281d44d94f24647eecb0c3da0e6694f2e3f9b42a233f01e67a9d5fe06350f0e27defd63179c24b2f

Score

10^/10

parallax rat spyware stealer suricata

Malware Config

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 1 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

Processes:

resource	yara_rule
behavioral2/memory/2960-204-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat

suricata: ET MALWARE Parallax CnC Response Activity M14
suricata: ET MALWARE Parallax CnC Response Activity M14
suricata
Blocklisted process makes network request 1 IoCs

Processes:

cmd.exe

flow pid process

29 2960 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmpopera.exe

pid process

3152 b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp
3100 opera.exe
Loads dropped DLL 1 IoCs

Processes:

opera.exe

pid process

3100 opera.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

mountvol.exe

description ioc process

File opened (read-only) \??\P: mountvol.exe
Drops file in Windows directory 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Windows\Tasks\opera.job cmd.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

opera.execmd.exe

pid process

3100 opera.exe
1640 cmd.exe
1640 cmd.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

cmd.exe

pid process

1640 cmd.exe
1640 cmd.exe

flow	pid	process
29	2960	cmd.exe

pid	process
3152	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp
3100	opera.exe

pid	process
3100	opera.exe

description	ioc	process
File opened (read-only)	\??\P:	mountvol.exe

description	ioc	process
File created	C:\Windows\Tasks\opera.job	cmd.exe

pid	process
3100	opera.exe
1640	cmd.exe
1640	cmd.exe

pid	process
1640	cmd.exe
1640	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.exeb182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmpcmd.execmd.exeopera.exe

description	pid	process	target process
PID 1840 wrote to memory of 3152	1840	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.exe	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp
PID 1840 wrote to memory of 3152	1840	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.exe	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp
PID 1840 wrote to memory of 3152	1840	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.exe	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp
PID 3152 wrote to memory of 1756	3152	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	cmd.exe
PID 3152 wrote to memory of 1756	3152	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	cmd.exe
PID 3152 wrote to memory of 1756	3152	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	cmd.exe
PID 3152 wrote to memory of 3608	3152	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	cmd.exe
PID 3152 wrote to memory of 3608	3152	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	cmd.exe
PID 3152 wrote to memory of 3608	3152	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	cmd.exe
PID 3152 wrote to memory of 1264	3152	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	cmd.exe
PID 3152 wrote to memory of 1264	3152	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	cmd.exe
PID 3152 wrote to memory of 1264	3152	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	cmd.exe
PID 1756 wrote to memory of 1400	1756	cmd.exe	mountvol.exe
PID 1756 wrote to memory of 1400	1756	cmd.exe	mountvol.exe
PID 1756 wrote to memory of 1400	1756	cmd.exe	mountvol.exe
PID 1264 wrote to memory of 2216	1264	cmd.exe	setx.exe
PID 1264 wrote to memory of 2216	1264	cmd.exe	setx.exe
PID 1264 wrote to memory of 2216	1264	cmd.exe	setx.exe
PID 3152 wrote to memory of 3760	3152	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	cmd.exe
PID 3152 wrote to memory of 3760	3152	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	cmd.exe
PID 3152 wrote to memory of 3760	3152	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	cmd.exe
PID 3152 wrote to memory of 512	3152	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	cmd.exe
PID 3152 wrote to memory of 512	3152	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	cmd.exe
PID 3152 wrote to memory of 512	3152	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	cmd.exe
PID 3152 wrote to memory of 812	3152	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	cmd.exe
PID 3152 wrote to memory of 812	3152	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	cmd.exe
PID 3152 wrote to memory of 812	3152	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	cmd.exe
PID 3152 wrote to memory of 1676	3152	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	cmd.exe
PID 3152 wrote to memory of 1676	3152	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	cmd.exe
PID 3152 wrote to memory of 1676	3152	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	cmd.exe
PID 3152 wrote to memory of 3100	3152	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	opera.exe
PID 3152 wrote to memory of 3100	3152	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	opera.exe
PID 3152 wrote to memory of 3100	3152	b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp	opera.exe
PID 3100 wrote to memory of 1640	3100	opera.exe	cmd.exe
PID 3100 wrote to memory of 1640	3100	opera.exe	cmd.exe
PID 3100 wrote to memory of 1640	3100	opera.exe	cmd.exe
PID 3100 wrote to memory of 1640	3100	opera.exe	cmd.exe
PID 3100 wrote to memory of 1640	3100	opera.exe	cmd.exe
PID 3100 wrote to memory of 1640	3100	opera.exe	cmd.exe
PID 3100 wrote to memory of 1640	3100	opera.exe	cmd.exe
PID 3100 wrote to memory of 1640	3100	opera.exe	cmd.exe
PID 3100 wrote to memory of 1640	3100	opera.exe	cmd.exe
PID 3100 wrote to memory of 1640	3100	opera.exe	cmd.exe
PID 3100 wrote to memory of 1640	3100	opera.exe	cmd.exe
PID 3100 wrote to memory of 1640	3100	opera.exe	cmd.exe
PID 3100 wrote to memory of 1640	3100	opera.exe	cmd.exe
PID 3100 wrote to memory of 1640	3100	opera.exe	cmd.exe
PID 3100 wrote to memory of 1640	3100	opera.exe	cmd.exe
PID 3100 wrote to memory of 1640	3100	opera.exe	cmd.exe
PID 3100 wrote to memory of 1640	3100	opera.exe	cmd.exe
PID 3100 wrote to memory of 1640	3100	opera.exe	cmd.exe
PID 3100 wrote to memory of 1640	3100	opera.exe	cmd.exe
PID 3100 wrote to memory of 1640	3100	opera.exe	cmd.exe
PID 3100 wrote to memory of 1640	3100	opera.exe	cmd.exe
PID 3100 wrote to memory of 1640	3100	opera.exe	cmd.exe
PID 3100 wrote to memory of 1640	3100	opera.exe	cmd.exe
PID 3100 wrote to memory of 1640	3100	opera.exe	cmd.exe
PID 3100 wrote to memory of 1640	3100	opera.exe	cmd.exe
PID 3100 wrote to memory of 1640	3100	opera.exe	cmd.exe
PID 3100 wrote to memory of 1640	3100	opera.exe	cmd.exe
PID 3100 wrote to memory of 1640	3100	opera.exe	cmd.exe
PID 3100 wrote to memory of 1640	3100	opera.exe	cmd.exe
PID 3100 wrote to memory of 1640	3100	opera.exe	cmd.exe
PID 3100 wrote to memory of 1640	3100	opera.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.exe
"C:\Users\Admin\AppData\Local\Temp\b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1840

C:\Users\Admin\AppData\Local\Temp\is-M7NQR.tmp\b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp
"C:\Users\Admin\AppData\Local\Temp\is-M7NQR.tmp\b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp" /SL5="$901CC,19610817,831488,C:\Users\Admin\AppData\Local\Temp\b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3152

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C mountvol P: /D
3⤵
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\mountvol.exe
mountvol P: /D
4⤵
- Enumerates connected drives
PID:1400

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C bcdedit /set {bootmgr} path \EFI\Boot\bareflank.efi
3⤵
PID:3608

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C setx /m PATH "%PATH%C:\Users\Admin\AppData\Local\Temp\is-A6LO5.tmp"
3⤵
- Suspicious use of WriteProcessMemory
PID:1264

C:\Windows\SysWOW64\setx.exe
setx /m PATH "C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Users\Admin\AppData\Local\Microsoft\WindowsApps;C:\Users\Admin\AppData\Local\Temp\is-A6LO5.tmp"
4⤵
PID:2216

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-A6LO5.tmp\devcon.exe" remove "ROOT\bareflank""
3⤵
PID:3760

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-A6LO5.tmp\devcon.exe" install "C:\Users\Admin\AppData\Local\Temp\is-A6LO5.tmp\bareflank.inf" "ROOT\bareflank""
3⤵
PID:512

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-A6LO5.tmp\devcon.exe" remove "ROOT\bfbuilder""
3⤵
PID:812

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-A6LO5.tmp\devcon.exe" install "C:\Users\Admin\AppData\Local\Temp\is-A6LO5.tmp\bfbuilder.inf" "ROOT\bfbuilder""
3⤵
PID:1676

C:\Users\Admin\AppData\Roaming\opera.exe
"C:\Users\Admin\AppData\Roaming\opera.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3100

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1640

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
5⤵
PID:2164

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
5⤵
- Blocklisted process makes network request
- Drops file in Windows directory
PID:2960

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-M7NQR.tmp\b182e256d8ad049c8387e015c6afa78212afa934691feef178d25b07f40e6c26.tmp
MD5
266673b16ab08a498deb528139dc7213

SHA1
f4f91f8056dbedc155b3965f19eeac7d185f1c9c

SHA256
c6fa242b88805720daf185db905717ff44f23086bb89f3409f100d4f80d95d3f

SHA512
c7fce8e4144f3b484726b6e0202cf4c911091ab04d5ea90ae445e9b5adba56f0e7f4f76f6f01917fccb8a566ddb6b3c4440fee5cf81fd56dee17f7bec984f908

Download Submit
C:\Users\Admin\AppData\Roaming\DUI70.dll
MD5
b28030547470704a3a16c5407bfb28bb

SHA1
0f5bff72f324bae9e693c06d00180e9da52e7689

SHA256
0e6be3a2873bba8a71da4158785b5b249863d4c1bc469ab7da0d43c8c06e2922

SHA512
751b46c31d38e3c5040a25d5a21db16c633a69919daee78b48ae102f35bc60146ceec4b46e568824a0f1c72df065f369645be67dbf035aa0bd28892fee210064

Download Submit
C:\Users\Admin\AppData\Roaming\opera.exe
MD5
8c545f6f1ba83c15b8b02ee4aa62ff11

SHA1
61bc86addcc641dc79cf84072fc04fa738d0596d

SHA256
4ea90ef6db17221b9e74f9bd390f65e9877eac59a39fccd900dccad7d986a1ad

SHA512
6b89da909ab6c392cee096a1479071f2a623363ade53b1c1f8e35af3e3004793c092123c8d4d0109b52d067f09262c330426646444aefaaa19da9ed9354af0a0

Download Submit
C:\Users\Admin\AppData\Roaming\opera.exe
MD5
8c545f6f1ba83c15b8b02ee4aa62ff11

SHA1
61bc86addcc641dc79cf84072fc04fa738d0596d

SHA256
4ea90ef6db17221b9e74f9bd390f65e9877eac59a39fccd900dccad7d986a1ad

SHA512
6b89da909ab6c392cee096a1479071f2a623363ade53b1c1f8e35af3e3004793c092123c8d4d0109b52d067f09262c330426646444aefaaa19da9ed9354af0a0

Download Submit
C:\Users\Admin\AppData\Roaming\u.txt
MD5
a357bfa782c0384a4f69fb0d329b364b

SHA1
bbf5251b3bf1974c6850cb47fa6feb4c59e0141d

SHA256
5686e45ed19be9357b84d53e4b129733efbfeeecf7306823a739127993cc487e

SHA512
6a40384feafb7288667831c3a54fb7d04c9cf235fb087737d02eba712576d942bd7fbba07e819909e34d5359a6d8bc1f5824442483047ab5f3ef6ddb1b47b155

Download Submit
C:\Users\Admin\AppData\Roaming\user.bin
MD5
0cccbe67a89513ec9072ae43ccf0ca36

SHA1
f32eba60b3f60388c38f819fd47a6b4327f98592

SHA256
0160889c87cb5bef893a2d0fd1a1ae22ee09610cf05e1f488e9ed390660ec9d5

SHA512
4f3cf7b5b5c87ad74db0381b9bc1a90d67235cf7d85ba82acc2d032ea5995351414c961268502a5518baf37e0ae2a14af4e5f2ef493caa8ef0a06e0811a7d62e

Download Submit
\Users\Admin\AppData\Roaming\dui70.dll
MD5
b28030547470704a3a16c5407bfb28bb

SHA1
0f5bff72f324bae9e693c06d00180e9da52e7689

SHA256
0e6be3a2873bba8a71da4158785b5b249863d4c1bc469ab7da0d43c8c06e2922

SHA512
751b46c31d38e3c5040a25d5a21db16c633a69919daee78b48ae102f35bc60146ceec4b46e568824a0f1c72df065f369645be67dbf035aa0bd28892fee210064

Download Submit
memory/512-127-0x0000000000000000-mapping.dmp

Download
memory/812-128-0x0000000000000000-mapping.dmp

Download
memory/1264-123-0x0000000000000000-mapping.dmp

Download
memory/1400-124-0x0000000000000000-mapping.dmp

Download
memory/1640-138-0x0000000000000000-mapping.dmp

Download
memory/1640-161-0x00007FFB91EA0000-0x00007FFB9207B000-memory.dmp

Filesize
1.9MB

Download
memory/1640-160-0x0000000003200000-0x0000000003208000-memory.dmp

Filesize
32KB

Download
memory/1640-143-0x0000000002DB0000-0x0000000002DB2000-memory.dmp

Filesize
8KB

Download
memory/1640-139-0x0000000077569000-0x000000007756A000-memory.dmp

Filesize
4KB

Download
memory/1676-129-0x0000000000000000-mapping.dmp

Download
memory/1756-121-0x0000000000000000-mapping.dmp

Download
memory/1840-117-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2216-125-0x0000000000000000-mapping.dmp

Download
memory/2960-173-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/2960-171-0x0000000000000000-mapping.dmp

Download
memory/2960-175-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/2960-178-0x00007FFB91EA0000-0x00007FFB9207B000-memory.dmp

Filesize
1.9MB

Download
memory/2960-182-0x0000000002EA0000-0x0000000002EA9000-memory.dmp

Filesize
36KB

Download
memory/2960-204-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3100-130-0x0000000000000000-mapping.dmp

Download
memory/3152-118-0x0000000000000000-mapping.dmp

Download
memory/3152-120-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/3608-122-0x0000000000000000-mapping.dmp

Download
memory/3760-126-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing