parallax | 4ceab10c2d3cdb9ae245f25c67fe95e5349d3c632d3b9140112e7d77720b5252

General

Target

defense.exe
Size

1.6MB
MD5

eb11d76f4db6786d48ef7ae3f6c3ad9a
SHA1

294482263073bfcc916e0ef6112031e6a195c28d
SHA256

4ceab10c2d3cdb9ae245f25c67fe95e5349d3c632d3b9140112e7d77720b5252
SHA512

9df543053e17f321c7880db66822d875c45b08f061c550daebaaff9214259039d7bb0cbcee4dc44053439df3b10c144a16762f73ee153eeed6d84d9935cc2c8c
SSDEEP

12288:8NVVyrGvaRlb2nZS1dUpSp3fHdSF9e+dy0p1i3v7fjAu1X:IVNPnZSXUpShf2c+dF1BuR

Score

10^/10

parallax rat

Malware Config

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 18 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral2/memory/1056-141-0x00000000034C0000-0x00000000034EC000-memory.dmp	parallax_rat
behavioral2/memory/1056-142-0x00000000034C0000-0x00000000034EC000-memory.dmp	parallax_rat
behavioral2/memory/1056-144-0x00000000034C0000-0x00000000034EC000-memory.dmp	parallax_rat
behavioral2/memory/1056-143-0x00000000034C0000-0x00000000034EC000-memory.dmp	parallax_rat
behavioral2/memory/1056-145-0x00000000034C0000-0x00000000034EC000-memory.dmp	parallax_rat
behavioral2/memory/1056-147-0x00000000034C0000-0x00000000034EC000-memory.dmp	parallax_rat
behavioral2/memory/1056-146-0x00000000034C0000-0x00000000034EC000-memory.dmp	parallax_rat
behavioral2/memory/1056-148-0x00000000034C0000-0x00000000034EC000-memory.dmp	parallax_rat
behavioral2/memory/1056-149-0x00000000034C0000-0x00000000034EC000-memory.dmp	parallax_rat
behavioral2/memory/1056-150-0x00000000034C0000-0x00000000034EC000-memory.dmp	parallax_rat
behavioral2/memory/1056-151-0x00000000034C0000-0x00000000034EC000-memory.dmp	parallax_rat
behavioral2/memory/1056-152-0x00000000034C0000-0x00000000034EC000-memory.dmp	parallax_rat
behavioral2/memory/1056-153-0x00000000034C0000-0x00000000034EC000-memory.dmp	parallax_rat
behavioral2/memory/1056-154-0x00000000034C0000-0x00000000034EC000-memory.dmp	parallax_rat
behavioral2/memory/1056-155-0x00000000034C0000-0x00000000034EC000-memory.dmp	parallax_rat
behavioral2/memory/1056-156-0x00000000034C0000-0x00000000034EC000-memory.dmp	parallax_rat
behavioral2/memory/1056-157-0x00000000034C0000-0x00000000034EC000-memory.dmp	parallax_rat
behavioral2/memory/1056-163-0x00000000034C0000-0x00000000034EC000-memory.dmp	parallax_rat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\loreen.exe	DllHost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\loreen.exe	DllHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
1056	defense.exe
1056	defense.exe
1056	defense.exe
1056	defense.exe
1056	defense.exe
1056	defense.exe
1056	defense.exe
1056	defense.exe
1056	defense.exe
1056	defense.exe
1056	defense.exe
1056	defense.exe
1056	defense.exe
1056	defense.exe
1056	defense.exe
1056	defense.exe
1056	defense.exe
1056	defense.exe
1056	defense.exe
1056	defense.exe
1056	defense.exe
1056	defense.exe
1056	defense.exe
1056	defense.exe
1056	defense.exe
1056	defense.exe
1056	defense.exe
1056	defense.exe
1056	defense.exe
1056	defense.exe
1056	defense.exe
1056	defense.exe
1056	defense.exe
1056	defense.exe
1056	defense.exe
1056	defense.exe
1056	defense.exe
1056	defense.exe
1056	defense.exe
1056	defense.exe
1056	defense.exe
1056	defense.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1276	Explorer.EXE

Suspicious use of WriteProcessMemory 1 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 1276	1056	defense.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1276
- C:\Users\Admin\AppData\Local\Temp\defense.exe
  "C:\Users\Admin\AppData\Local\Temp\defense.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1056

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
- Drops startup file
PID:3452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1056-149-0x00000000034C0000-0x00000000034EC000-memory.dmp

Filesize
176KB

Download
memory/1056-138-0x00000000028C0000-0x00000000028C1000-memory.dmp

Filesize
4KB

Download
memory/1056-133-0x0000000000D70000-0x0000000000DF0000-memory.dmp

Filesize
512KB

Download
memory/1056-163-0x00000000034C0000-0x00000000034EC000-memory.dmp

Filesize
176KB

Download
memory/1056-150-0x00000000034C0000-0x00000000034EC000-memory.dmp

Filesize
176KB

Download
memory/1056-140-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1056-141-0x00000000034C0000-0x00000000034EC000-memory.dmp

Filesize
176KB

Download
memory/1056-142-0x00000000034C0000-0x00000000034EC000-memory.dmp

Filesize
176KB

Download
memory/1056-144-0x00000000034C0000-0x00000000034EC000-memory.dmp

Filesize
176KB

Download
memory/1056-143-0x00000000034C0000-0x00000000034EC000-memory.dmp

Filesize
176KB

Download
memory/1056-145-0x00000000034C0000-0x00000000034EC000-memory.dmp

Filesize
176KB

Download
memory/1056-151-0x00000000034C0000-0x00000000034EC000-memory.dmp

Filesize
176KB

Download
memory/1056-146-0x00000000034C0000-0x00000000034EC000-memory.dmp

Filesize
176KB

Download
memory/1056-148-0x00000000034C0000-0x00000000034EC000-memory.dmp

Filesize
176KB

Download
memory/1056-137-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/1056-134-0x00000000775F2000-0x00000000775F3000-memory.dmp

Filesize
4KB

Download
memory/1056-147-0x00000000034C0000-0x00000000034EC000-memory.dmp

Filesize
176KB

Download
memory/1056-152-0x00000000034C0000-0x00000000034EC000-memory.dmp

Filesize
176KB

Download
memory/1056-153-0x00000000034C0000-0x00000000034EC000-memory.dmp

Filesize
176KB

Download
memory/1056-154-0x00000000034C0000-0x00000000034EC000-memory.dmp

Filesize
176KB

Download
memory/1056-155-0x00000000034C0000-0x00000000034EC000-memory.dmp

Filesize
176KB

Download
memory/1056-156-0x00000000034C0000-0x00000000034EC000-memory.dmp

Filesize
176KB

Download
memory/1056-157-0x00000000034C0000-0x00000000034EC000-memory.dmp

Filesize
176KB

Download
memory/1056-158-0x0000000000D70000-0x0000000000DF0000-memory.dmp

Filesize
512KB

Download
memory/1056-159-0x0000000002A90000-0x0000000002B80000-memory.dmp

Filesize
960KB

Download
memory/1056-160-0x0000000003510000-0x00000000035CE000-memory.dmp

Filesize
760KB

Download
memory/1056-161-0x00000000035D0000-0x0000000003899000-memory.dmp

Filesize
2.8MB

Download
memory/1056-162-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/1276-139-0x0000000001520000-0x0000000001521000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing