parallax | eb6b949f2cbb2e1a822a29fb7ef1f65c10a1fa0c70542aa581b3a5f3c6c9be8e

General

Target

NEAS.674582d117bb8e4e58b8121dd7b12bd0.exe
Size

2.3MB
MD5

674582d117bb8e4e58b8121dd7b12bd0
SHA1

1be1f3d6e375d26997546ba58b3bcb38de6b541d
SHA256

eb6b949f2cbb2e1a822a29fb7ef1f65c10a1fa0c70542aa581b3a5f3c6c9be8e
SHA512

7d4dd3ee28d8089dbe6fcb9f08e093bcc3932be356058000f6657f25dbc88c679715ccc88ab49a748794623e5c1ea9bec2071f5af6618e0875dc081bde14c3cc
SSDEEP

49152:rq3QscuJsVPCYc80pixEXY2QpvH8n4f9Gion08Li:r0nJsVPBcexz2QpvHqM9GioDi

Score

10^/10

parallax rat

Malware Config

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 18 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral2/memory/1668-7-0x0000000003DA0000-0x0000000003DCC000-memory.dmp	parallax_rat
behavioral2/memory/1668-8-0x0000000003DA0000-0x0000000003DCC000-memory.dmp	parallax_rat
behavioral2/memory/1668-9-0x0000000003DA0000-0x0000000003DCC000-memory.dmp	parallax_rat
behavioral2/memory/1668-10-0x0000000003DA0000-0x0000000003DCC000-memory.dmp	parallax_rat
behavioral2/memory/1668-11-0x0000000003DA0000-0x0000000003DCC000-memory.dmp	parallax_rat
behavioral2/memory/1668-13-0x0000000003DA0000-0x0000000003DCC000-memory.dmp	parallax_rat
behavioral2/memory/1668-12-0x0000000003DA0000-0x0000000003DCC000-memory.dmp	parallax_rat
behavioral2/memory/1668-14-0x0000000003DA0000-0x0000000003DCC000-memory.dmp	parallax_rat
behavioral2/memory/1668-16-0x0000000003DA0000-0x0000000003DCC000-memory.dmp	parallax_rat
behavioral2/memory/1668-15-0x0000000003DA0000-0x0000000003DCC000-memory.dmp	parallax_rat
behavioral2/memory/1668-17-0x0000000003DA0000-0x0000000003DCC000-memory.dmp	parallax_rat
behavioral2/memory/1668-18-0x0000000003DA0000-0x0000000003DCC000-memory.dmp	parallax_rat
behavioral2/memory/1668-20-0x0000000003DA0000-0x0000000003DCC000-memory.dmp	parallax_rat
behavioral2/memory/1668-19-0x0000000003DA0000-0x0000000003DCC000-memory.dmp	parallax_rat
behavioral2/memory/1668-22-0x0000000003DA0000-0x0000000003DCC000-memory.dmp	parallax_rat
behavioral2/memory/1668-21-0x0000000003DA0000-0x0000000003DCC000-memory.dmp	parallax_rat
behavioral2/memory/1668-23-0x0000000003DA0000-0x0000000003DCC000-memory.dmp	parallax_rat
behavioral2/memory/1668-25-0x0000000003DA0000-0x0000000003DCC000-memory.dmp	parallax_rat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\webDAV.exe.exe	DllHost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\webDAV.exe.exe	DllHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
1668	NEAS.674582d117bb8e4e58b8121dd7b12bd0.exe
1668	NEAS.674582d117bb8e4e58b8121dd7b12bd0.exe
1668	NEAS.674582d117bb8e4e58b8121dd7b12bd0.exe
1668	NEAS.674582d117bb8e4e58b8121dd7b12bd0.exe
1668	NEAS.674582d117bb8e4e58b8121dd7b12bd0.exe
1668	NEAS.674582d117bb8e4e58b8121dd7b12bd0.exe
1668	NEAS.674582d117bb8e4e58b8121dd7b12bd0.exe
1668	NEAS.674582d117bb8e4e58b8121dd7b12bd0.exe
1668	NEAS.674582d117bb8e4e58b8121dd7b12bd0.exe
1668	NEAS.674582d117bb8e4e58b8121dd7b12bd0.exe
1668	NEAS.674582d117bb8e4e58b8121dd7b12bd0.exe
1668	NEAS.674582d117bb8e4e58b8121dd7b12bd0.exe
1668	NEAS.674582d117bb8e4e58b8121dd7b12bd0.exe
1668	NEAS.674582d117bb8e4e58b8121dd7b12bd0.exe
1668	NEAS.674582d117bb8e4e58b8121dd7b12bd0.exe
1668	NEAS.674582d117bb8e4e58b8121dd7b12bd0.exe
1668	NEAS.674582d117bb8e4e58b8121dd7b12bd0.exe
1668	NEAS.674582d117bb8e4e58b8121dd7b12bd0.exe
1668	NEAS.674582d117bb8e4e58b8121dd7b12bd0.exe
1668	NEAS.674582d117bb8e4e58b8121dd7b12bd0.exe
1668	NEAS.674582d117bb8e4e58b8121dd7b12bd0.exe
1668	NEAS.674582d117bb8e4e58b8121dd7b12bd0.exe
1668	NEAS.674582d117bb8e4e58b8121dd7b12bd0.exe
1668	NEAS.674582d117bb8e4e58b8121dd7b12bd0.exe
1668	NEAS.674582d117bb8e4e58b8121dd7b12bd0.exe
1668	NEAS.674582d117bb8e4e58b8121dd7b12bd0.exe
1668	NEAS.674582d117bb8e4e58b8121dd7b12bd0.exe
1668	NEAS.674582d117bb8e4e58b8121dd7b12bd0.exe
1668	NEAS.674582d117bb8e4e58b8121dd7b12bd0.exe
1668	NEAS.674582d117bb8e4e58b8121dd7b12bd0.exe
1668	NEAS.674582d117bb8e4e58b8121dd7b12bd0.exe
1668	NEAS.674582d117bb8e4e58b8121dd7b12bd0.exe
1668	NEAS.674582d117bb8e4e58b8121dd7b12bd0.exe
1668	NEAS.674582d117bb8e4e58b8121dd7b12bd0.exe
1668	NEAS.674582d117bb8e4e58b8121dd7b12bd0.exe
1668	NEAS.674582d117bb8e4e58b8121dd7b12bd0.exe
1668	NEAS.674582d117bb8e4e58b8121dd7b12bd0.exe
1668	NEAS.674582d117bb8e4e58b8121dd7b12bd0.exe
1668	NEAS.674582d117bb8e4e58b8121dd7b12bd0.exe
1668	NEAS.674582d117bb8e4e58b8121dd7b12bd0.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1668	NEAS.674582d117bb8e4e58b8121dd7b12bd0.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.674582d117bb8e4e58b8121dd7b12bd0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.674582d117bb8e4e58b8121dd7b12bd0.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1668

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
- Drops startup file
PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1668-0-0x0000000003040000-0x00000000030C0000-memory.dmp

Filesize
512KB

Download
memory/1668-1-0x0000000077902000-0x0000000077903000-memory.dmp

Filesize
4KB

Download
memory/1668-2-0x0000000003370000-0x0000000003460000-memory.dmp

Filesize
960KB

Download
memory/1668-3-0x0000000003040000-0x00000000030C0000-memory.dmp

Filesize
512KB

Download
memory/1668-7-0x0000000003DA0000-0x0000000003DCC000-memory.dmp

Filesize
176KB

Download
memory/1668-8-0x0000000003DA0000-0x0000000003DCC000-memory.dmp

Filesize
176KB

Download
memory/1668-9-0x0000000003DA0000-0x0000000003DCC000-memory.dmp

Filesize
176KB

Download
memory/1668-10-0x0000000003DA0000-0x0000000003DCC000-memory.dmp

Filesize
176KB

Download
memory/1668-11-0x0000000003DA0000-0x0000000003DCC000-memory.dmp

Filesize
176KB

Download
memory/1668-13-0x0000000003DA0000-0x0000000003DCC000-memory.dmp

Filesize
176KB

Download
memory/1668-12-0x0000000003DA0000-0x0000000003DCC000-memory.dmp

Filesize
176KB

Download
memory/1668-14-0x0000000003DA0000-0x0000000003DCC000-memory.dmp

Filesize
176KB

Download
memory/1668-16-0x0000000003DA0000-0x0000000003DCC000-memory.dmp

Filesize
176KB

Download
memory/1668-15-0x0000000003DA0000-0x0000000003DCC000-memory.dmp

Filesize
176KB

Download
memory/1668-17-0x0000000003DA0000-0x0000000003DCC000-memory.dmp

Filesize
176KB

Download
memory/1668-18-0x0000000003DA0000-0x0000000003DCC000-memory.dmp

Filesize
176KB

Download
memory/1668-20-0x0000000003DA0000-0x0000000003DCC000-memory.dmp

Filesize
176KB

Download
memory/1668-19-0x0000000003DA0000-0x0000000003DCC000-memory.dmp

Filesize
176KB

Download
memory/1668-22-0x0000000003DA0000-0x0000000003DCC000-memory.dmp

Filesize
176KB

Download
memory/1668-21-0x0000000003DA0000-0x0000000003DCC000-memory.dmp

Filesize
176KB

Download
memory/1668-23-0x0000000003DA0000-0x0000000003DCC000-memory.dmp

Filesize
176KB

Download
memory/1668-25-0x0000000003DA0000-0x0000000003DCC000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing