parallax | bc1a655a9485bda2733da9d1a15d8536245ceb52833b7f3d73c43b2f06e0b29d

General

Target

bc1a655a9485bda2733da9d1a15d8536245ceb52833b7f3d73c43b2f06e0b29d.exe
Size

2.3MB
MD5

2c5aa603c83f1b64b043fade5a7f4d5d
SHA1

e29f92e7a1e09fc887ffa07e0787e8a6b40a34fa
SHA256

bc1a655a9485bda2733da9d1a15d8536245ceb52833b7f3d73c43b2f06e0b29d
SHA512

5812d1634c5f3510302d3304b5a67f2b6c05b441ecdbe6f9379b82c47fcf0f8f1829ebed8c0876e50dfae5e6397eb8da47765855cd86c0237080a22050d7f083
SSDEEP

49152:Oq3QscuJsVPCYc80pixEXY2QpvH8nsf9Gion08onIy89kTcuC0:O0nJsVPBcexz2QpvHqg9GiokIy89NH0

Score

10^/10

parallax rat

Malware Config

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 18 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral1/memory/4100-4-0x0000000003870000-0x000000000389C000-memory.dmp	parallax_rat
behavioral1/memory/4100-5-0x0000000003870000-0x000000000389C000-memory.dmp	parallax_rat
behavioral1/memory/4100-6-0x0000000003870000-0x000000000389C000-memory.dmp	parallax_rat
behavioral1/memory/4100-8-0x0000000003870000-0x000000000389C000-memory.dmp	parallax_rat
behavioral1/memory/4100-9-0x0000000003870000-0x000000000389C000-memory.dmp	parallax_rat
behavioral1/memory/4100-7-0x0000000003870000-0x000000000389C000-memory.dmp	parallax_rat
behavioral1/memory/4100-10-0x0000000003870000-0x000000000389C000-memory.dmp	parallax_rat
behavioral1/memory/4100-12-0x0000000003870000-0x000000000389C000-memory.dmp	parallax_rat
behavioral1/memory/4100-11-0x0000000003870000-0x000000000389C000-memory.dmp	parallax_rat
behavioral1/memory/4100-13-0x0000000003870000-0x000000000389C000-memory.dmp	parallax_rat
behavioral1/memory/4100-14-0x0000000003870000-0x000000000389C000-memory.dmp	parallax_rat
behavioral1/memory/4100-15-0x0000000003870000-0x000000000389C000-memory.dmp	parallax_rat
behavioral1/memory/4100-17-0x0000000003870000-0x000000000389C000-memory.dmp	parallax_rat
behavioral1/memory/4100-18-0x0000000003870000-0x000000000389C000-memory.dmp	parallax_rat
behavioral1/memory/4100-16-0x0000000003870000-0x000000000389C000-memory.dmp	parallax_rat
behavioral1/memory/4100-19-0x0000000003870000-0x000000000389C000-memory.dmp	parallax_rat
behavioral1/memory/4100-20-0x0000000003870000-0x000000000389C000-memory.dmp	parallax_rat
behavioral1/memory/4100-23-0x0000000003870000-0x000000000389C000-memory.dmp	parallax_rat

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\webDAV.exe.exe	DllHost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\webDAV.exe.exe	DllHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
4100	bc1a655a9485bda2733da9d1a15d8536245ceb52833b7f3d73c43b2f06e0b29d.exe
4100	bc1a655a9485bda2733da9d1a15d8536245ceb52833b7f3d73c43b2f06e0b29d.exe
4100	bc1a655a9485bda2733da9d1a15d8536245ceb52833b7f3d73c43b2f06e0b29d.exe
4100	bc1a655a9485bda2733da9d1a15d8536245ceb52833b7f3d73c43b2f06e0b29d.exe
4100	bc1a655a9485bda2733da9d1a15d8536245ceb52833b7f3d73c43b2f06e0b29d.exe
4100	bc1a655a9485bda2733da9d1a15d8536245ceb52833b7f3d73c43b2f06e0b29d.exe
4100	bc1a655a9485bda2733da9d1a15d8536245ceb52833b7f3d73c43b2f06e0b29d.exe
4100	bc1a655a9485bda2733da9d1a15d8536245ceb52833b7f3d73c43b2f06e0b29d.exe
4100	bc1a655a9485bda2733da9d1a15d8536245ceb52833b7f3d73c43b2f06e0b29d.exe
4100	bc1a655a9485bda2733da9d1a15d8536245ceb52833b7f3d73c43b2f06e0b29d.exe
4100	bc1a655a9485bda2733da9d1a15d8536245ceb52833b7f3d73c43b2f06e0b29d.exe
4100	bc1a655a9485bda2733da9d1a15d8536245ceb52833b7f3d73c43b2f06e0b29d.exe
4100	bc1a655a9485bda2733da9d1a15d8536245ceb52833b7f3d73c43b2f06e0b29d.exe
4100	bc1a655a9485bda2733da9d1a15d8536245ceb52833b7f3d73c43b2f06e0b29d.exe
4100	bc1a655a9485bda2733da9d1a15d8536245ceb52833b7f3d73c43b2f06e0b29d.exe
4100	bc1a655a9485bda2733da9d1a15d8536245ceb52833b7f3d73c43b2f06e0b29d.exe
4100	bc1a655a9485bda2733da9d1a15d8536245ceb52833b7f3d73c43b2f06e0b29d.exe
4100	bc1a655a9485bda2733da9d1a15d8536245ceb52833b7f3d73c43b2f06e0b29d.exe
4100	bc1a655a9485bda2733da9d1a15d8536245ceb52833b7f3d73c43b2f06e0b29d.exe
4100	bc1a655a9485bda2733da9d1a15d8536245ceb52833b7f3d73c43b2f06e0b29d.exe
4100	bc1a655a9485bda2733da9d1a15d8536245ceb52833b7f3d73c43b2f06e0b29d.exe
4100	bc1a655a9485bda2733da9d1a15d8536245ceb52833b7f3d73c43b2f06e0b29d.exe
4100	bc1a655a9485bda2733da9d1a15d8536245ceb52833b7f3d73c43b2f06e0b29d.exe
4100	bc1a655a9485bda2733da9d1a15d8536245ceb52833b7f3d73c43b2f06e0b29d.exe
4100	bc1a655a9485bda2733da9d1a15d8536245ceb52833b7f3d73c43b2f06e0b29d.exe
4100	bc1a655a9485bda2733da9d1a15d8536245ceb52833b7f3d73c43b2f06e0b29d.exe
4100	bc1a655a9485bda2733da9d1a15d8536245ceb52833b7f3d73c43b2f06e0b29d.exe
4100	bc1a655a9485bda2733da9d1a15d8536245ceb52833b7f3d73c43b2f06e0b29d.exe
4100	bc1a655a9485bda2733da9d1a15d8536245ceb52833b7f3d73c43b2f06e0b29d.exe
4100	bc1a655a9485bda2733da9d1a15d8536245ceb52833b7f3d73c43b2f06e0b29d.exe
4100	bc1a655a9485bda2733da9d1a15d8536245ceb52833b7f3d73c43b2f06e0b29d.exe
4100	bc1a655a9485bda2733da9d1a15d8536245ceb52833b7f3d73c43b2f06e0b29d.exe
4100	bc1a655a9485bda2733da9d1a15d8536245ceb52833b7f3d73c43b2f06e0b29d.exe
4100	bc1a655a9485bda2733da9d1a15d8536245ceb52833b7f3d73c43b2f06e0b29d.exe
4100	bc1a655a9485bda2733da9d1a15d8536245ceb52833b7f3d73c43b2f06e0b29d.exe
4100	bc1a655a9485bda2733da9d1a15d8536245ceb52833b7f3d73c43b2f06e0b29d.exe
4100	bc1a655a9485bda2733da9d1a15d8536245ceb52833b7f3d73c43b2f06e0b29d.exe
4100	bc1a655a9485bda2733da9d1a15d8536245ceb52833b7f3d73c43b2f06e0b29d.exe
4100	bc1a655a9485bda2733da9d1a15d8536245ceb52833b7f3d73c43b2f06e0b29d.exe
4100	bc1a655a9485bda2733da9d1a15d8536245ceb52833b7f3d73c43b2f06e0b29d.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4100	bc1a655a9485bda2733da9d1a15d8536245ceb52833b7f3d73c43b2f06e0b29d.exe

C:\Users\Admin\AppData\Local\Temp\bc1a655a9485bda2733da9d1a15d8536245ceb52833b7f3d73c43b2f06e0b29d.exe
"C:\Users\Admin\AppData\Local\Temp\bc1a655a9485bda2733da9d1a15d8536245ceb52833b7f3d73c43b2f06e0b29d.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4100

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
- Drops startup file
PID:3988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4100-0-0x0000000002A80000-0x0000000002B00000-memory.dmp

Filesize
512KB

Download
memory/4100-1-0x0000000077DF2000-0x0000000077DF3000-memory.dmp

Filesize
4KB

Download
memory/4100-4-0x0000000003870000-0x000000000389C000-memory.dmp

Filesize
176KB

Download
memory/4100-5-0x0000000003870000-0x000000000389C000-memory.dmp

Filesize
176KB

Download
memory/4100-6-0x0000000003870000-0x000000000389C000-memory.dmp

Filesize
176KB

Download
memory/4100-8-0x0000000003870000-0x000000000389C000-memory.dmp

Filesize
176KB

Download
memory/4100-9-0x0000000003870000-0x000000000389C000-memory.dmp

Filesize
176KB

Download
memory/4100-7-0x0000000003870000-0x000000000389C000-memory.dmp

Filesize
176KB

Download
memory/4100-10-0x0000000003870000-0x000000000389C000-memory.dmp

Filesize
176KB

Download
memory/4100-12-0x0000000003870000-0x000000000389C000-memory.dmp

Filesize
176KB

Download
memory/4100-11-0x0000000003870000-0x000000000389C000-memory.dmp

Filesize
176KB

Download
memory/4100-13-0x0000000003870000-0x000000000389C000-memory.dmp

Filesize
176KB

Download
memory/4100-14-0x0000000003870000-0x000000000389C000-memory.dmp

Filesize
176KB

Download
memory/4100-15-0x0000000003870000-0x000000000389C000-memory.dmp

Filesize
176KB

Download
memory/4100-17-0x0000000003870000-0x000000000389C000-memory.dmp

Filesize
176KB

Download
memory/4100-18-0x0000000003870000-0x000000000389C000-memory.dmp

Filesize
176KB

Download
memory/4100-16-0x0000000003870000-0x000000000389C000-memory.dmp

Filesize
176KB

Download
memory/4100-19-0x0000000003870000-0x000000000389C000-memory.dmp

Filesize
176KB

Download
memory/4100-20-0x0000000003870000-0x000000000389C000-memory.dmp

Filesize
176KB

Download
memory/4100-21-0x0000000002A80000-0x0000000002B00000-memory.dmp

Filesize
512KB

Download
memory/4100-22-0x0000000002B90000-0x0000000002C80000-memory.dmp

Filesize
960KB

Download
memory/4100-23-0x0000000003870000-0x000000000389C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing