parallax | b25cdf0bf1aed73a1245c5269c800bd43728c5bcce6b75b84b9b9c4cc4e75513

General

Target

b25cdf0bf1aed73a1245c5269c800bd43728c5bcce6b75b84b9b9c4cc4e75513.exe
Size

2.1MB
MD5

2b199211ed7ddd31f0a5f0c651f44457
SHA1

605ed16934d62e0059ed1df2b95a1409beeb8434
SHA256

b25cdf0bf1aed73a1245c5269c800bd43728c5bcce6b75b84b9b9c4cc4e75513
SHA512

cfcd67243eaaaa617a95734a5066b4fd6c28da4cf1419772dba94080ac55bdb4b8263582bffd9029bda0c3944ac4a3253191f7fba5b2d4b646d68e86dcef8800
SSDEEP

49152:nXsGREfMYgHug4kAjZ1/y8HQzz2xrvrdQeCVUrJnCW2bj1gXjRR1rU4:nXorx6tNn1gbb

Score

10^/10

parallax rat

Malware Config

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 18 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral1/memory/1864-4-0x0000000003170000-0x000000000319C000-memory.dmp	parallax_rat
behavioral1/memory/1864-5-0x0000000003170000-0x000000000319C000-memory.dmp	parallax_rat
behavioral1/memory/1864-7-0x0000000003170000-0x000000000319C000-memory.dmp	parallax_rat
behavioral1/memory/1864-6-0x0000000003170000-0x000000000319C000-memory.dmp	parallax_rat
behavioral1/memory/1864-8-0x0000000003170000-0x000000000319C000-memory.dmp	parallax_rat
behavioral1/memory/1864-9-0x0000000003170000-0x000000000319C000-memory.dmp	parallax_rat
behavioral1/memory/1864-10-0x0000000003170000-0x000000000319C000-memory.dmp	parallax_rat
behavioral1/memory/1864-11-0x0000000003170000-0x000000000319C000-memory.dmp	parallax_rat
behavioral1/memory/1864-13-0x0000000003170000-0x000000000319C000-memory.dmp	parallax_rat
behavioral1/memory/1864-14-0x0000000003170000-0x000000000319C000-memory.dmp	parallax_rat
behavioral1/memory/1864-15-0x0000000003170000-0x000000000319C000-memory.dmp	parallax_rat
behavioral1/memory/1864-16-0x0000000003170000-0x000000000319C000-memory.dmp	parallax_rat
behavioral1/memory/1864-12-0x0000000003170000-0x000000000319C000-memory.dmp	parallax_rat
behavioral1/memory/1864-17-0x0000000003170000-0x000000000319C000-memory.dmp	parallax_rat
behavioral1/memory/1864-19-0x0000000003170000-0x000000000319C000-memory.dmp	parallax_rat
behavioral1/memory/1864-18-0x0000000003170000-0x000000000319C000-memory.dmp	parallax_rat
behavioral1/memory/1864-20-0x0000000003170000-0x000000000319C000-memory.dmp	parallax_rat
behavioral1/memory/1864-23-0x0000000003170000-0x000000000319C000-memory.dmp	parallax_rat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\webdav.exe.exe	DllHost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\webdav.exe.exe	DllHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
1864	b25cdf0bf1aed73a1245c5269c800bd43728c5bcce6b75b84b9b9c4cc4e75513.exe
1864	b25cdf0bf1aed73a1245c5269c800bd43728c5bcce6b75b84b9b9c4cc4e75513.exe
1864	b25cdf0bf1aed73a1245c5269c800bd43728c5bcce6b75b84b9b9c4cc4e75513.exe
1864	b25cdf0bf1aed73a1245c5269c800bd43728c5bcce6b75b84b9b9c4cc4e75513.exe
1864	b25cdf0bf1aed73a1245c5269c800bd43728c5bcce6b75b84b9b9c4cc4e75513.exe
1864	b25cdf0bf1aed73a1245c5269c800bd43728c5bcce6b75b84b9b9c4cc4e75513.exe
1864	b25cdf0bf1aed73a1245c5269c800bd43728c5bcce6b75b84b9b9c4cc4e75513.exe
1864	b25cdf0bf1aed73a1245c5269c800bd43728c5bcce6b75b84b9b9c4cc4e75513.exe
1864	b25cdf0bf1aed73a1245c5269c800bd43728c5bcce6b75b84b9b9c4cc4e75513.exe
1864	b25cdf0bf1aed73a1245c5269c800bd43728c5bcce6b75b84b9b9c4cc4e75513.exe
1864	b25cdf0bf1aed73a1245c5269c800bd43728c5bcce6b75b84b9b9c4cc4e75513.exe
1864	b25cdf0bf1aed73a1245c5269c800bd43728c5bcce6b75b84b9b9c4cc4e75513.exe
1864	b25cdf0bf1aed73a1245c5269c800bd43728c5bcce6b75b84b9b9c4cc4e75513.exe
1864	b25cdf0bf1aed73a1245c5269c800bd43728c5bcce6b75b84b9b9c4cc4e75513.exe
1864	b25cdf0bf1aed73a1245c5269c800bd43728c5bcce6b75b84b9b9c4cc4e75513.exe
1864	b25cdf0bf1aed73a1245c5269c800bd43728c5bcce6b75b84b9b9c4cc4e75513.exe
1864	b25cdf0bf1aed73a1245c5269c800bd43728c5bcce6b75b84b9b9c4cc4e75513.exe
1864	b25cdf0bf1aed73a1245c5269c800bd43728c5bcce6b75b84b9b9c4cc4e75513.exe
1864	b25cdf0bf1aed73a1245c5269c800bd43728c5bcce6b75b84b9b9c4cc4e75513.exe
1864	b25cdf0bf1aed73a1245c5269c800bd43728c5bcce6b75b84b9b9c4cc4e75513.exe
1864	b25cdf0bf1aed73a1245c5269c800bd43728c5bcce6b75b84b9b9c4cc4e75513.exe
1864	b25cdf0bf1aed73a1245c5269c800bd43728c5bcce6b75b84b9b9c4cc4e75513.exe
1864	b25cdf0bf1aed73a1245c5269c800bd43728c5bcce6b75b84b9b9c4cc4e75513.exe
1864	b25cdf0bf1aed73a1245c5269c800bd43728c5bcce6b75b84b9b9c4cc4e75513.exe
1864	b25cdf0bf1aed73a1245c5269c800bd43728c5bcce6b75b84b9b9c4cc4e75513.exe
1864	b25cdf0bf1aed73a1245c5269c800bd43728c5bcce6b75b84b9b9c4cc4e75513.exe
1864	b25cdf0bf1aed73a1245c5269c800bd43728c5bcce6b75b84b9b9c4cc4e75513.exe
1864	b25cdf0bf1aed73a1245c5269c800bd43728c5bcce6b75b84b9b9c4cc4e75513.exe
1864	b25cdf0bf1aed73a1245c5269c800bd43728c5bcce6b75b84b9b9c4cc4e75513.exe
1864	b25cdf0bf1aed73a1245c5269c800bd43728c5bcce6b75b84b9b9c4cc4e75513.exe
1864	b25cdf0bf1aed73a1245c5269c800bd43728c5bcce6b75b84b9b9c4cc4e75513.exe
1864	b25cdf0bf1aed73a1245c5269c800bd43728c5bcce6b75b84b9b9c4cc4e75513.exe
1864	b25cdf0bf1aed73a1245c5269c800bd43728c5bcce6b75b84b9b9c4cc4e75513.exe
1864	b25cdf0bf1aed73a1245c5269c800bd43728c5bcce6b75b84b9b9c4cc4e75513.exe
1864	b25cdf0bf1aed73a1245c5269c800bd43728c5bcce6b75b84b9b9c4cc4e75513.exe
1864	b25cdf0bf1aed73a1245c5269c800bd43728c5bcce6b75b84b9b9c4cc4e75513.exe
1864	b25cdf0bf1aed73a1245c5269c800bd43728c5bcce6b75b84b9b9c4cc4e75513.exe
1864	b25cdf0bf1aed73a1245c5269c800bd43728c5bcce6b75b84b9b9c4cc4e75513.exe
1864	b25cdf0bf1aed73a1245c5269c800bd43728c5bcce6b75b84b9b9c4cc4e75513.exe
1864	b25cdf0bf1aed73a1245c5269c800bd43728c5bcce6b75b84b9b9c4cc4e75513.exe

C:\Users\Admin\AppData\Local\Temp\b25cdf0bf1aed73a1245c5269c800bd43728c5bcce6b75b84b9b9c4cc4e75513.exe
"C:\Users\Admin\AppData\Local\Temp\b25cdf0bf1aed73a1245c5269c800bd43728c5bcce6b75b84b9b9c4cc4e75513.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1864

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
- Drops startup file
PID:740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1864-0-0x0000000002370000-0x00000000023F0000-memory.dmp

Filesize
512KB

Download
memory/1864-1-0x0000000077B12000-0x0000000077B13000-memory.dmp

Filesize
4KB

Download
memory/1864-4-0x0000000003170000-0x000000000319C000-memory.dmp

Filesize
176KB

Download
memory/1864-5-0x0000000003170000-0x000000000319C000-memory.dmp

Filesize
176KB

Download
memory/1864-7-0x0000000003170000-0x000000000319C000-memory.dmp

Filesize
176KB

Download
memory/1864-6-0x0000000003170000-0x000000000319C000-memory.dmp

Filesize
176KB

Download
memory/1864-8-0x0000000003170000-0x000000000319C000-memory.dmp

Filesize
176KB

Download
memory/1864-9-0x0000000003170000-0x000000000319C000-memory.dmp

Filesize
176KB

Download
memory/1864-10-0x0000000003170000-0x000000000319C000-memory.dmp

Filesize
176KB

Download
memory/1864-11-0x0000000003170000-0x000000000319C000-memory.dmp

Filesize
176KB

Download
memory/1864-13-0x0000000003170000-0x000000000319C000-memory.dmp

Filesize
176KB

Download
memory/1864-14-0x0000000003170000-0x000000000319C000-memory.dmp

Filesize
176KB

Download
memory/1864-15-0x0000000003170000-0x000000000319C000-memory.dmp

Filesize
176KB

Download
memory/1864-16-0x0000000003170000-0x000000000319C000-memory.dmp

Filesize
176KB

Download
memory/1864-12-0x0000000003170000-0x000000000319C000-memory.dmp

Filesize
176KB

Download
memory/1864-17-0x0000000003170000-0x000000000319C000-memory.dmp

Filesize
176KB

Download
memory/1864-19-0x0000000003170000-0x000000000319C000-memory.dmp

Filesize
176KB

Download
memory/1864-18-0x0000000003170000-0x000000000319C000-memory.dmp

Filesize
176KB

Download
memory/1864-20-0x0000000003170000-0x000000000319C000-memory.dmp

Filesize
176KB

Download
memory/1864-21-0x0000000002370000-0x00000000023F0000-memory.dmp

Filesize
512KB

Download
memory/1864-22-0x00000000026E0000-0x00000000027D0000-memory.dmp

Filesize
960KB

Download
memory/1864-23-0x0000000003170000-0x000000000319C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing