parallax | 725b94d66ecd5e1238401746bc89b063f4ffa5767995119d7bc23ab2ed827c03

General

Target

SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
Size

2.3MB
MD5

e9f6a165d0e416dc8b7bd49465a3fa5c
SHA1

d06732939d2084d6db38d820079e840e00a6b4e6
SHA256

725b94d66ecd5e1238401746bc89b063f4ffa5767995119d7bc23ab2ed827c03
SHA512

8baa456ed97889252493663db848ea65f2cf956c81cf69096bfb0c2e76526afda0b73920e2794ad541f9f44773e4a339874b91f59a5dfc34eaa9bd2d1c7b93dd
SSDEEP

49152:8q3QscuJsVPCYc80pixEXY2QpvH8naf9Gion08x2sChdI:80nJsVPBcexz2QpvHqu9GioJ2sChdI

Score

10^/10

parallax rat

Malware Config

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 27 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral1/memory/1444-4-0x0000000000F30000-0x0000000000F5C000-memory.dmp	parallax_rat
behavioral1/memory/1444-5-0x0000000000F30000-0x0000000000F5C000-memory.dmp	parallax_rat
behavioral1/memory/1444-6-0x0000000000F30000-0x0000000000F5C000-memory.dmp	parallax_rat
behavioral1/memory/1444-7-0x0000000000F30000-0x0000000000F5C000-memory.dmp	parallax_rat
behavioral1/memory/1444-8-0x0000000000F30000-0x0000000000F5C000-memory.dmp	parallax_rat
behavioral1/memory/1444-10-0x0000000000F30000-0x0000000000F5C000-memory.dmp	parallax_rat
behavioral1/memory/1444-9-0x0000000000F30000-0x0000000000F5C000-memory.dmp	parallax_rat
behavioral1/memory/1444-11-0x0000000000F30000-0x0000000000F5C000-memory.dmp	parallax_rat
behavioral1/memory/1444-12-0x0000000000F30000-0x0000000000F5C000-memory.dmp	parallax_rat
behavioral1/memory/1444-13-0x0000000000F30000-0x0000000000F5C000-memory.dmp	parallax_rat
behavioral1/memory/1444-14-0x0000000000F30000-0x0000000000F5C000-memory.dmp	parallax_rat
behavioral1/memory/1444-15-0x0000000000F30000-0x0000000000F5C000-memory.dmp	parallax_rat
behavioral1/memory/1444-16-0x0000000000F30000-0x0000000000F5C000-memory.dmp	parallax_rat
behavioral1/memory/1444-17-0x0000000000F30000-0x0000000000F5C000-memory.dmp	parallax_rat
behavioral1/memory/1444-18-0x0000000000F30000-0x0000000000F5C000-memory.dmp	parallax_rat
behavioral1/memory/1444-20-0x0000000000F30000-0x0000000000F5C000-memory.dmp	parallax_rat
behavioral1/memory/1444-19-0x0000000000F30000-0x0000000000F5C000-memory.dmp	parallax_rat
behavioral1/memory/1444-22-0x0000000000F30000-0x0000000000F5C000-memory.dmp	parallax_rat
behavioral1/memory/1444-24-0x0000000000F30000-0x0000000000F5C000-memory.dmp	parallax_rat
behavioral1/memory/1444-25-0x0000000000F30000-0x0000000000F5C000-memory.dmp	parallax_rat
behavioral1/memory/1444-26-0x0000000000F30000-0x0000000000F5C000-memory.dmp	parallax_rat
behavioral1/memory/1444-27-0x0000000000F30000-0x0000000000F5C000-memory.dmp	parallax_rat
behavioral1/memory/1444-29-0x0000000000F30000-0x0000000000F5C000-memory.dmp	parallax_rat
behavioral1/memory/1444-31-0x0000000000F30000-0x0000000000F5C000-memory.dmp	parallax_rat
behavioral1/memory/1444-32-0x0000000000F30000-0x0000000000F5C000-memory.dmp	parallax_rat
behavioral1/memory/1444-33-0x0000000000F30000-0x0000000000F5C000-memory.dmp	parallax_rat
behavioral1/memory/1444-34-0x0000000000F30000-0x0000000000F5C000-memory.dmp	parallax_rat

Deletes itself 1 IoCs

pid	Process
2496	WScript.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\webDAV.exe.exe	DllHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1444	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
1444	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
1444	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
1444	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
1444	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
1444	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
1444	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
1444	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
1444	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
1444	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
1444	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
1444	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
1444	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
1444	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
1444	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
1444	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
1444	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
1444	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
1444	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
1444	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1444	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 2496	1444	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe	31
PID 1444 wrote to memory of 2496	1444	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe	31
PID 1444 wrote to memory of 2496	1444	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe	31
PID 1444 wrote to memory of 2496	1444	SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe	31

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.Rat.457.10085.3095.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\UN.vbs"
  2⤵
  - Deletes itself
  PID:2496

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
- Drops startup file
PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\UN.vbs

Filesize
712B

MD5
874e27fd5740ccc22ec5076992d494c8

SHA1
7074d868a459a0d18256f7871c075bab043a9279

SHA256
81a6ffefb7f04f9562329124eb8ec50e8bc7a2ce46e9aeebcda20a1bf48dea42

SHA512
65fe9495902e8ea0787beb533be71899a5cf3baf4aecac1cfbc75ee30fa95a00746a66e264ac560c15a68d9c2a1d22469fd630240dab09a066b949739aef142d

Download Submit
memory/1444-16-0x0000000000F30000-0x0000000000F5C000-memory.dmp

Filesize
176KB

Download
memory/1444-24-0x0000000000F30000-0x0000000000F5C000-memory.dmp

Filesize
176KB

Download
memory/1444-5-0x0000000000F30000-0x0000000000F5C000-memory.dmp

Filesize
176KB

Download
memory/1444-6-0x0000000000F30000-0x0000000000F5C000-memory.dmp

Filesize
176KB

Download
memory/1444-7-0x0000000000F30000-0x0000000000F5C000-memory.dmp

Filesize
176KB

Download
memory/1444-8-0x0000000000F30000-0x0000000000F5C000-memory.dmp

Filesize
176KB

Download
memory/1444-10-0x0000000000F30000-0x0000000000F5C000-memory.dmp

Filesize
176KB

Download
memory/1444-9-0x0000000000F30000-0x0000000000F5C000-memory.dmp

Filesize
176KB

Download
memory/1444-11-0x0000000000F30000-0x0000000000F5C000-memory.dmp

Filesize
176KB

Download
memory/1444-12-0x0000000000F30000-0x0000000000F5C000-memory.dmp

Filesize
176KB

Download
memory/1444-13-0x0000000000F30000-0x0000000000F5C000-memory.dmp

Filesize
176KB

Download
memory/1444-14-0x0000000000F30000-0x0000000000F5C000-memory.dmp

Filesize
176KB

Download
memory/1444-15-0x0000000000F30000-0x0000000000F5C000-memory.dmp

Filesize
176KB

Download
memory/1444-0-0x0000000000980000-0x0000000000A00000-memory.dmp

Filesize
512KB

Download
memory/1444-4-0x0000000000F30000-0x0000000000F5C000-memory.dmp

Filesize
176KB

Download
memory/1444-17-0x0000000000F30000-0x0000000000F5C000-memory.dmp

Filesize
176KB

Download
memory/1444-26-0x0000000000F30000-0x0000000000F5C000-memory.dmp

Filesize
176KB

Download
memory/1444-19-0x0000000000F30000-0x0000000000F5C000-memory.dmp

Filesize
176KB

Download
memory/1444-21-0x0000000000980000-0x0000000000A00000-memory.dmp

Filesize
512KB

Download
memory/1444-22-0x0000000000F30000-0x0000000000F5C000-memory.dmp

Filesize
176KB

Download
memory/1444-18-0x0000000000F30000-0x0000000000F5C000-memory.dmp

Filesize
176KB

Download
memory/1444-25-0x0000000000F30000-0x0000000000F5C000-memory.dmp

Filesize
176KB

Download
memory/1444-20-0x0000000000F30000-0x0000000000F5C000-memory.dmp

Filesize
176KB

Download
memory/1444-27-0x0000000000F30000-0x0000000000F5C000-memory.dmp

Filesize
176KB

Download
memory/1444-29-0x0000000000F30000-0x0000000000F5C000-memory.dmp

Filesize
176KB

Download
memory/1444-31-0x0000000000F30000-0x0000000000F5C000-memory.dmp

Filesize
176KB

Download
memory/1444-32-0x0000000000F30000-0x0000000000F5C000-memory.dmp

Filesize
176KB

Download
memory/1444-33-0x0000000000F30000-0x0000000000F5C000-memory.dmp

Filesize
176KB

Download
memory/1444-34-0x0000000000F30000-0x0000000000F5C000-memory.dmp

Filesize
176KB

Download
memory/1444-1-0x000000007738F000-0x0000000077390000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing