parallax | fbf003e40568ccf053e2abd44541c8a2da441970e6e59231612de39ee0d0273e

General

Target

fbf003e40568ccf053e2abd44541c8a2da441970e6e59231612de39ee0d0273e.exe
Size

1.6MB
MD5

18462ea23f4eb50b95c5c3c30674f26c
SHA1

052ff2ecd199f4fae7965edc8a5ae0fe45583a10
SHA256

fbf003e40568ccf053e2abd44541c8a2da441970e6e59231612de39ee0d0273e
SHA512

9c4f21d07afc1f4a6b7064765ee21401d914699ea3db008cd3337c86c206e110638366273f285e09823717151c0e5af394fb813e5216c16d322f3f7fdf8f2a05
SSDEEP

12288:QNVVsrGvaRlb2nZS1dUpSp3fHdwBhT3eTcS5x:8VTPnZSXUpShfWBhT3ewS5

Score

10^/10

parallax rat

Malware Config

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 18 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral1/memory/3940-129-0x0000000003630000-0x000000000365C000-memory.dmp	parallax_rat
behavioral1/memory/3940-134-0x0000000003630000-0x000000000365C000-memory.dmp	parallax_rat
behavioral1/memory/3940-133-0x0000000003630000-0x000000000365C000-memory.dmp	parallax_rat
behavioral1/memory/3940-132-0x0000000003630000-0x000000000365C000-memory.dmp	parallax_rat
behavioral1/memory/3940-131-0x0000000003630000-0x000000000365C000-memory.dmp	parallax_rat
behavioral1/memory/3940-130-0x0000000003630000-0x000000000365C000-memory.dmp	parallax_rat
behavioral1/memory/3940-135-0x0000000003630000-0x000000000365C000-memory.dmp	parallax_rat
behavioral1/memory/3940-136-0x0000000003630000-0x000000000365C000-memory.dmp	parallax_rat
behavioral1/memory/3940-139-0x0000000003630000-0x000000000365C000-memory.dmp	parallax_rat
behavioral1/memory/3940-138-0x0000000003630000-0x000000000365C000-memory.dmp	parallax_rat
behavioral1/memory/3940-137-0x0000000003630000-0x000000000365C000-memory.dmp	parallax_rat
behavioral1/memory/3940-140-0x0000000003630000-0x000000000365C000-memory.dmp	parallax_rat
behavioral1/memory/3940-143-0x0000000003630000-0x000000000365C000-memory.dmp	parallax_rat
behavioral1/memory/3940-145-0x0000000003630000-0x000000000365C000-memory.dmp	parallax_rat
behavioral1/memory/3940-144-0x0000000003630000-0x000000000365C000-memory.dmp	parallax_rat
behavioral1/memory/3940-142-0x0000000003630000-0x000000000365C000-memory.dmp	parallax_rat
behavioral1/memory/3940-141-0x0000000003630000-0x000000000365C000-memory.dmp	parallax_rat
behavioral1/memory/3940-151-0x0000000003630000-0x000000000365C000-memory.dmp	parallax_rat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reter.exe	DllHost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reter.exe	DllHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
3940	fbf003e40568ccf053e2abd44541c8a2da441970e6e59231612de39ee0d0273e.exe
3940	fbf003e40568ccf053e2abd44541c8a2da441970e6e59231612de39ee0d0273e.exe
3940	fbf003e40568ccf053e2abd44541c8a2da441970e6e59231612de39ee0d0273e.exe
3940	fbf003e40568ccf053e2abd44541c8a2da441970e6e59231612de39ee0d0273e.exe
3940	fbf003e40568ccf053e2abd44541c8a2da441970e6e59231612de39ee0d0273e.exe
3940	fbf003e40568ccf053e2abd44541c8a2da441970e6e59231612de39ee0d0273e.exe
3940	fbf003e40568ccf053e2abd44541c8a2da441970e6e59231612de39ee0d0273e.exe
3940	fbf003e40568ccf053e2abd44541c8a2da441970e6e59231612de39ee0d0273e.exe
3940	fbf003e40568ccf053e2abd44541c8a2da441970e6e59231612de39ee0d0273e.exe
3940	fbf003e40568ccf053e2abd44541c8a2da441970e6e59231612de39ee0d0273e.exe
3940	fbf003e40568ccf053e2abd44541c8a2da441970e6e59231612de39ee0d0273e.exe
3940	fbf003e40568ccf053e2abd44541c8a2da441970e6e59231612de39ee0d0273e.exe
3940	fbf003e40568ccf053e2abd44541c8a2da441970e6e59231612de39ee0d0273e.exe
3940	fbf003e40568ccf053e2abd44541c8a2da441970e6e59231612de39ee0d0273e.exe
3940	fbf003e40568ccf053e2abd44541c8a2da441970e6e59231612de39ee0d0273e.exe
3940	fbf003e40568ccf053e2abd44541c8a2da441970e6e59231612de39ee0d0273e.exe
3940	fbf003e40568ccf053e2abd44541c8a2da441970e6e59231612de39ee0d0273e.exe
3940	fbf003e40568ccf053e2abd44541c8a2da441970e6e59231612de39ee0d0273e.exe
3940	fbf003e40568ccf053e2abd44541c8a2da441970e6e59231612de39ee0d0273e.exe
3940	fbf003e40568ccf053e2abd44541c8a2da441970e6e59231612de39ee0d0273e.exe
3940	fbf003e40568ccf053e2abd44541c8a2da441970e6e59231612de39ee0d0273e.exe
3940	fbf003e40568ccf053e2abd44541c8a2da441970e6e59231612de39ee0d0273e.exe
3940	fbf003e40568ccf053e2abd44541c8a2da441970e6e59231612de39ee0d0273e.exe
3940	fbf003e40568ccf053e2abd44541c8a2da441970e6e59231612de39ee0d0273e.exe
3940	fbf003e40568ccf053e2abd44541c8a2da441970e6e59231612de39ee0d0273e.exe
3940	fbf003e40568ccf053e2abd44541c8a2da441970e6e59231612de39ee0d0273e.exe
3940	fbf003e40568ccf053e2abd44541c8a2da441970e6e59231612de39ee0d0273e.exe
3940	fbf003e40568ccf053e2abd44541c8a2da441970e6e59231612de39ee0d0273e.exe
3940	fbf003e40568ccf053e2abd44541c8a2da441970e6e59231612de39ee0d0273e.exe
3940	fbf003e40568ccf053e2abd44541c8a2da441970e6e59231612de39ee0d0273e.exe
3940	fbf003e40568ccf053e2abd44541c8a2da441970e6e59231612de39ee0d0273e.exe
3940	fbf003e40568ccf053e2abd44541c8a2da441970e6e59231612de39ee0d0273e.exe
3940	fbf003e40568ccf053e2abd44541c8a2da441970e6e59231612de39ee0d0273e.exe
3940	fbf003e40568ccf053e2abd44541c8a2da441970e6e59231612de39ee0d0273e.exe
3940	fbf003e40568ccf053e2abd44541c8a2da441970e6e59231612de39ee0d0273e.exe
3940	fbf003e40568ccf053e2abd44541c8a2da441970e6e59231612de39ee0d0273e.exe
3940	fbf003e40568ccf053e2abd44541c8a2da441970e6e59231612de39ee0d0273e.exe
3940	fbf003e40568ccf053e2abd44541c8a2da441970e6e59231612de39ee0d0273e.exe
3940	fbf003e40568ccf053e2abd44541c8a2da441970e6e59231612de39ee0d0273e.exe
3940	fbf003e40568ccf053e2abd44541c8a2da441970e6e59231612de39ee0d0273e.exe
3940	fbf003e40568ccf053e2abd44541c8a2da441970e6e59231612de39ee0d0273e.exe
3940	fbf003e40568ccf053e2abd44541c8a2da441970e6e59231612de39ee0d0273e.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3084	Explorer.EXE

Suspicious use of WriteProcessMemory 1 IoCs

description	pid	Process	procid_target
PID 3940 wrote to memory of 3084	3940	fbf003e40568ccf053e2abd44541c8a2da441970e6e59231612de39ee0d0273e.exe	46

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3084
- C:\Users\Admin\AppData\Local\Temp\fbf003e40568ccf053e2abd44541c8a2da441970e6e59231612de39ee0d0273e.exe
  "C:\Users\Admin\AppData\Local\Temp\fbf003e40568ccf053e2abd44541c8a2da441970e6e59231612de39ee0d0273e.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3940

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
- Drops startup file
PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3084-127-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/3940-139-0x0000000003630000-0x000000000365C000-memory.dmp

Filesize
176KB

Download
memory/3940-148-0x0000000003660000-0x000000000370E000-memory.dmp

Filesize
696KB

Download
memory/3940-125-0x0000000001030000-0x0000000001031000-memory.dmp

Filesize
4KB

Download
memory/3940-128-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/3940-122-0x0000000076EF2000-0x0000000076EF3000-memory.dmp

Filesize
4KB

Download
memory/3940-129-0x0000000003630000-0x000000000365C000-memory.dmp

Filesize
176KB

Download
memory/3940-134-0x0000000003630000-0x000000000365C000-memory.dmp

Filesize
176KB

Download
memory/3940-133-0x0000000003630000-0x000000000365C000-memory.dmp

Filesize
176KB

Download
memory/3940-132-0x0000000003630000-0x000000000365C000-memory.dmp

Filesize
176KB

Download
memory/3940-131-0x0000000003630000-0x000000000365C000-memory.dmp

Filesize
176KB

Download
memory/3940-130-0x0000000003630000-0x000000000365C000-memory.dmp

Filesize
176KB

Download
memory/3940-135-0x0000000003630000-0x000000000365C000-memory.dmp

Filesize
176KB

Download
memory/3940-151-0x0000000003630000-0x000000000365C000-memory.dmp

Filesize
176KB

Download
memory/3940-126-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/3940-145-0x0000000003630000-0x000000000365C000-memory.dmp

Filesize
176KB

Download
memory/3940-137-0x0000000003630000-0x000000000365C000-memory.dmp

Filesize
176KB

Download
memory/3940-140-0x0000000003630000-0x000000000365C000-memory.dmp

Filesize
176KB

Download
memory/3940-143-0x0000000003630000-0x000000000365C000-memory.dmp

Filesize
176KB

Download
memory/3940-138-0x0000000003630000-0x000000000365C000-memory.dmp

Filesize
176KB

Download
memory/3940-144-0x0000000003630000-0x000000000365C000-memory.dmp

Filesize
176KB

Download
memory/3940-142-0x0000000003630000-0x000000000365C000-memory.dmp

Filesize
176KB

Download
memory/3940-141-0x0000000003630000-0x000000000365C000-memory.dmp

Filesize
176KB

Download
memory/3940-146-0x0000000000F50000-0x0000000000FD0000-memory.dmp

Filesize
512KB

Download
memory/3940-147-0x0000000002CC0000-0x0000000002D90000-memory.dmp

Filesize
832KB

Download
memory/3940-149-0x0000000003750000-0x0000000003999000-memory.dmp

Filesize
2.3MB

Download
memory/3940-121-0x0000000000F50000-0x0000000000FD0000-memory.dmp

Filesize
512KB

Download
memory/3940-150-0x0000000001030000-0x0000000001031000-memory.dmp

Filesize
4KB

Download
memory/3940-136-0x0000000003630000-0x000000000365C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing