parallax | 26ba40a83c4dd2e31ae8d1cd1595cc9723cad21a4ee2f7c54d422350bce7effb

General

Target

26ba40a83c4dd2e31ae8d1cd1595cc9723cad21a4ee2f7c54d422350bce7effb.exe
Size

2.1MB
MD5

e65c43ae67da3e8767d7e029ead0a531
SHA1

a206528979d3aba8dfdd19c456d6efc62a44c005
SHA256

26ba40a83c4dd2e31ae8d1cd1595cc9723cad21a4ee2f7c54d422350bce7effb
SHA512

fc4b16f6c8573f81f2b0eb2422b179b6b3b78a5ebbac19bc82971726d7bb80716713de7d48c984214392c024fb697372d720bb6e5b0d9995d8aa00edb9ccde89

Score

10^/10

parallax rat

Malware Config

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 1 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral1/memory/1364-61-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1668	26ba40a83c4dd2e31ae8d1cd1595cc9723cad21a4ee2f7c54d422350bce7effb.exe
1668	26ba40a83c4dd2e31ae8d1cd1595cc9723cad21a4ee2f7c54d422350bce7effb.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1668	26ba40a83c4dd2e31ae8d1cd1595cc9723cad21a4ee2f7c54d422350bce7effb.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1668	26ba40a83c4dd2e31ae8d1cd1595cc9723cad21a4ee2f7c54d422350bce7effb.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 1364	1668	26ba40a83c4dd2e31ae8d1cd1595cc9723cad21a4ee2f7c54d422350bce7effb.exe	28
PID 1668 wrote to memory of 1364	1668	26ba40a83c4dd2e31ae8d1cd1595cc9723cad21a4ee2f7c54d422350bce7effb.exe	28
PID 1668 wrote to memory of 1364	1668	26ba40a83c4dd2e31ae8d1cd1595cc9723cad21a4ee2f7c54d422350bce7effb.exe	28
PID 1668 wrote to memory of 1364	1668	26ba40a83c4dd2e31ae8d1cd1595cc9723cad21a4ee2f7c54d422350bce7effb.exe	28
PID 1668 wrote to memory of 1364	1668	26ba40a83c4dd2e31ae8d1cd1595cc9723cad21a4ee2f7c54d422350bce7effb.exe	28
PID 1668 wrote to memory of 1364	1668	26ba40a83c4dd2e31ae8d1cd1595cc9723cad21a4ee2f7c54d422350bce7effb.exe	28
PID 1668 wrote to memory of 1364	1668	26ba40a83c4dd2e31ae8d1cd1595cc9723cad21a4ee2f7c54d422350bce7effb.exe	28
PID 1668 wrote to memory of 1364	1668	26ba40a83c4dd2e31ae8d1cd1595cc9723cad21a4ee2f7c54d422350bce7effb.exe	28

C:\Users\Admin\AppData\Local\Temp\26ba40a83c4dd2e31ae8d1cd1595cc9723cad21a4ee2f7c54d422350bce7effb.exe
"C:\Users\Admin\AppData\Local\Temp\26ba40a83c4dd2e31ae8d1cd1595cc9723cad21a4ee2f7c54d422350bce7effb.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:1364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1364-57-0x00000000000C0000-0x00000000000C2000-memory.dmp

Filesize
8KB

Download
memory/1364-60-0x00000000000C0000-0x00000000000C2000-memory.dmp

Filesize
8KB

Download
memory/1364-61-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1668-55-0x0000000075901000-0x0000000075903000-memory.dmp

Filesize
8KB

Download
memory/1668-56-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing