parallax | ac0b822cda0401c0177e31bf6450de6eccf7295e0862fd1fe1cd864a39316362

General

Target

vpn_software_x86.exe
Size

2.1MB
MD5

9a82d1499ef3649d2603780fe30db0b5
SHA1

4cb9c67a5c905c93fa1fc01bcbfc166b6ef3c45f
SHA256

ac0b822cda0401c0177e31bf6450de6eccf7295e0862fd1fe1cd864a39316362
SHA512

f2fcd74babdb15a17f917b87ed2d7ee2d8e6bcc0a89182314e9a7401144eb4801be697bb23fd339b5dbbe7e3dfeb220ca4d00c1ffcac65e9ccd84834ce451e51
SSDEEP

49152:UXsGREfMYgHug4kAjZ1/y8HQzz2xrvrdQeCVUrJnCWPbj1gXjR21pkON:UXorx6tQn1gcR

Score

10^/10

parallax rat

Malware Config

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 18 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral2/memory/228-4-0x0000000003130000-0x000000000315C000-memory.dmp	parallax_rat
behavioral2/memory/228-5-0x0000000003130000-0x000000000315C000-memory.dmp	parallax_rat
behavioral2/memory/228-6-0x0000000003130000-0x000000000315C000-memory.dmp	parallax_rat
behavioral2/memory/228-7-0x0000000003130000-0x000000000315C000-memory.dmp	parallax_rat
behavioral2/memory/228-8-0x0000000003130000-0x000000000315C000-memory.dmp	parallax_rat
behavioral2/memory/228-10-0x0000000003130000-0x000000000315C000-memory.dmp	parallax_rat
behavioral2/memory/228-9-0x0000000003130000-0x000000000315C000-memory.dmp	parallax_rat
behavioral2/memory/228-11-0x0000000003130000-0x000000000315C000-memory.dmp	parallax_rat
behavioral2/memory/228-12-0x0000000003130000-0x000000000315C000-memory.dmp	parallax_rat
behavioral2/memory/228-13-0x0000000003130000-0x000000000315C000-memory.dmp	parallax_rat
behavioral2/memory/228-14-0x0000000003130000-0x000000000315C000-memory.dmp	parallax_rat
behavioral2/memory/228-15-0x0000000003130000-0x000000000315C000-memory.dmp	parallax_rat
behavioral2/memory/228-16-0x0000000003130000-0x000000000315C000-memory.dmp	parallax_rat
behavioral2/memory/228-17-0x0000000003130000-0x000000000315C000-memory.dmp	parallax_rat
behavioral2/memory/228-18-0x0000000003130000-0x000000000315C000-memory.dmp	parallax_rat
behavioral2/memory/228-19-0x0000000003130000-0x000000000315C000-memory.dmp	parallax_rat
behavioral2/memory/228-20-0x0000000003130000-0x000000000315C000-memory.dmp	parallax_rat
behavioral2/memory/228-24-0x0000000003130000-0x000000000315C000-memory.dmp	parallax_rat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\webdav.exe.exe	DllHost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\webdav.exe.exe	DllHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
228	vpn_software_x86.exe
228	vpn_software_x86.exe
228	vpn_software_x86.exe
228	vpn_software_x86.exe
228	vpn_software_x86.exe
228	vpn_software_x86.exe
228	vpn_software_x86.exe
228	vpn_software_x86.exe
228	vpn_software_x86.exe
228	vpn_software_x86.exe
228	vpn_software_x86.exe
228	vpn_software_x86.exe
228	vpn_software_x86.exe
228	vpn_software_x86.exe
228	vpn_software_x86.exe
228	vpn_software_x86.exe
228	vpn_software_x86.exe
228	vpn_software_x86.exe
228	vpn_software_x86.exe
228	vpn_software_x86.exe
228	vpn_software_x86.exe
228	vpn_software_x86.exe
228	vpn_software_x86.exe
228	vpn_software_x86.exe
228	vpn_software_x86.exe
228	vpn_software_x86.exe
228	vpn_software_x86.exe
228	vpn_software_x86.exe
228	vpn_software_x86.exe
228	vpn_software_x86.exe
228	vpn_software_x86.exe
228	vpn_software_x86.exe
228	vpn_software_x86.exe
228	vpn_software_x86.exe
228	vpn_software_x86.exe
228	vpn_software_x86.exe
228	vpn_software_x86.exe
228	vpn_software_x86.exe
228	vpn_software_x86.exe
228	vpn_software_x86.exe

C:\Users\Admin\AppData\Local\Temp\vpn_software_x86.exe
"C:\Users\Admin\AppData\Local\Temp\vpn_software_x86.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:228

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
- Drops startup file
PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/228-0-0x0000000002380000-0x0000000002400000-memory.dmp

Filesize
512KB

Download
memory/228-1-0x00000000770B2000-0x00000000770B3000-memory.dmp

Filesize
4KB

Download
memory/228-4-0x0000000003130000-0x000000000315C000-memory.dmp

Filesize
176KB

Download
memory/228-5-0x0000000003130000-0x000000000315C000-memory.dmp

Filesize
176KB

Download
memory/228-6-0x0000000003130000-0x000000000315C000-memory.dmp

Filesize
176KB

Download
memory/228-7-0x0000000003130000-0x000000000315C000-memory.dmp

Filesize
176KB

Download
memory/228-8-0x0000000003130000-0x000000000315C000-memory.dmp

Filesize
176KB

Download
memory/228-10-0x0000000003130000-0x000000000315C000-memory.dmp

Filesize
176KB

Download
memory/228-9-0x0000000003130000-0x000000000315C000-memory.dmp

Filesize
176KB

Download
memory/228-11-0x0000000003130000-0x000000000315C000-memory.dmp

Filesize
176KB

Download
memory/228-12-0x0000000003130000-0x000000000315C000-memory.dmp

Filesize
176KB

Download
memory/228-13-0x0000000003130000-0x000000000315C000-memory.dmp

Filesize
176KB

Download
memory/228-14-0x0000000003130000-0x000000000315C000-memory.dmp

Filesize
176KB

Download
memory/228-15-0x0000000003130000-0x000000000315C000-memory.dmp

Filesize
176KB

Download
memory/228-16-0x0000000003130000-0x000000000315C000-memory.dmp

Filesize
176KB

Download
memory/228-17-0x0000000003130000-0x000000000315C000-memory.dmp

Filesize
176KB

Download
memory/228-18-0x0000000003130000-0x000000000315C000-memory.dmp

Filesize
176KB

Download
memory/228-19-0x0000000003130000-0x000000000315C000-memory.dmp

Filesize
176KB

Download
memory/228-20-0x0000000003130000-0x000000000315C000-memory.dmp

Filesize
176KB

Download
memory/228-21-0x0000000002750000-0x0000000002840000-memory.dmp

Filesize
960KB

Download
memory/228-22-0x0000000002380000-0x0000000002400000-memory.dmp

Filesize
512KB

Download
memory/228-24-0x0000000003130000-0x000000000315C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing