Analysis
-
max time kernel
165s -
max time network
179s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
19-03-2022 20:29
Static task
static1
Behavioral task
behavioral1
Sample
5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe
Resource
win7-20220311-en
windows7_x64
0 signatures
0 seconds
General
-
Target
5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe
-
Size
4.9MB
-
MD5
20895e7661c07d7668e22bf5865a75be
-
SHA1
f1783b80c5f2cd2ca1771a238015f8b2846610c6
-
SHA256
5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c
-
SHA512
ff06ee5df939b6b03d8ea8509cff28d103b2c8e1bf804b4e17942b29302b80d695cdb6e51b91d1991c6c7654e3c96c59b2b012fc4d8088dbed847510973dad18
Malware Config
Signatures
-
ParallaxRat payload 1 IoCs
Detects the in-memory payload of Parallax RAT, a small portable RAT that is usually digitally signed with a Sectigo certificate.
resource yara_rule behavioral2/memory/4372-135-0x0000000000400000-0x0000000000424000-memory.dmp parallax_rat -
Suspicious behavior: EnumeratesProcesses 42 IoCs
pid Process 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 2380 
5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 2380 wrote to memory of 4372 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 87 PID 2380 wrote to memory of 4372 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 87 PID 2380 wrote to memory of 4372 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 87 PID 2380 wrote to memory of 4372 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 87 PID 2380 wrote to memory of 4372 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 87 PID 2380 wrote to memory of 4372 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 87 PID 2380 wrote to memory of 4372 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 87 PID 2380 wrote to memory of 4372 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 87 PID 2380 wrote to memory of 4372 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 87 PID 2380 wrote to memory of 4372 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 87 PID 2380 wrote to memory of 4372 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 87 PID 2380 wrote to memory of 4372 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 87 PID 2380 wrote to memory of 4372 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 87 PID 2380 wrote to memory of 4372 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 87 PID 2380 wrote to memory of 4372 2380 5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe  "C:\Users\Admin\AppData\Local\Temp\5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe"  1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\calc.exe  "C:\Users\Admin\AppData\Local\Temp\5fb4e62ccca93a45b7c8ec2734d3388b94698e0ce04d72b1fa2e8c162618d15c.exe"  2⤵ PID:4372 (image path is calc.exe but the command line is the sample's own; PID 4372 is also the target of the 15 WriteProcessMemory events from PID 2380 and the process whose memory dump matched the parallax_rat rule above)
-