parallax | 4ab16b326be00b6647ab0253f498dc286d6881b993cb5f95284c2db101b92c75

General

Target

fd1cef5cc1c58376c44c193b72163ec4.exe
Size

3.4MB
MD5

fd1cef5cc1c58376c44c193b72163ec4
SHA1

a0d0a16dc003b101667e643a9958a8d71e71ac18
SHA256

4ab16b326be00b6647ab0253f498dc286d6881b993cb5f95284c2db101b92c75
SHA512

c5092a433e1681172757cfc387efa22bb9a54be6da1bd75deeb47ace0d147c020aa98d6400b6bf7ad5a99638a7f9638787b5b262ee31423a3d2a58c9559e958c
SSDEEP

24576:wqoti2coq8PhxEY/Syhf9wv8eWrkDVJpL3ynmsSCLlBwSSMJ13t7uWVOT44Iw4Ml:Ct7PBn9Nl2SSZWQ4Mk5+3KTUhn

Score

10^/10

parallax rat

Malware Config

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 19 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

resource	yara_rule
behavioral1/memory/2736-18-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral1/memory/2736-25-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral1/memory/2736-24-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral1/memory/2736-23-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral1/memory/2736-22-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral1/memory/2736-21-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral1/memory/2736-20-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral1/memory/2736-19-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral1/memory/2736-17-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral1/memory/2736-16-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral1/memory/2736-15-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral1/memory/2736-14-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral1/memory/2736-13-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral1/memory/2736-12-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral1/memory/2736-11-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral1/memory/2736-10-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral1/memory/2736-9-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral1/memory/2736-4-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat
behavioral1/memory/2736-35-0x0000000000400000-0x0000000000424000-memory.dmp	parallax_rat

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CricketHelp.exe	DllHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2296	fd1cef5cc1c58376c44c193b72163ec4.exe
2296	fd1cef5cc1c58376c44c193b72163ec4.exe
2296	fd1cef5cc1c58376c44c193b72163ec4.exe
2296	fd1cef5cc1c58376c44c193b72163ec4.exe
2296	fd1cef5cc1c58376c44c193b72163ec4.exe
2296	fd1cef5cc1c58376c44c193b72163ec4.exe
2296	fd1cef5cc1c58376c44c193b72163ec4.exe
2296	fd1cef5cc1c58376c44c193b72163ec4.exe
2296	fd1cef5cc1c58376c44c193b72163ec4.exe
2296	fd1cef5cc1c58376c44c193b72163ec4.exe
2296	fd1cef5cc1c58376c44c193b72163ec4.exe
2296	fd1cef5cc1c58376c44c193b72163ec4.exe
2296	fd1cef5cc1c58376c44c193b72163ec4.exe
2296	fd1cef5cc1c58376c44c193b72163ec4.exe
2296	fd1cef5cc1c58376c44c193b72163ec4.exe
2296	fd1cef5cc1c58376c44c193b72163ec4.exe
2296	fd1cef5cc1c58376c44c193b72163ec4.exe
2296	fd1cef5cc1c58376c44c193b72163ec4.exe
2296	fd1cef5cc1c58376c44c193b72163ec4.exe
2296	fd1cef5cc1c58376c44c193b72163ec4.exe
2296	fd1cef5cc1c58376c44c193b72163ec4.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2296	fd1cef5cc1c58376c44c193b72163ec4.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2736	2296	fd1cef5cc1c58376c44c193b72163ec4.exe	29
PID 2296 wrote to memory of 2736	2296	fd1cef5cc1c58376c44c193b72163ec4.exe	29
PID 2296 wrote to memory of 2736	2296	fd1cef5cc1c58376c44c193b72163ec4.exe	29
PID 2296 wrote to memory of 2736	2296	fd1cef5cc1c58376c44c193b72163ec4.exe	29
PID 2296 wrote to memory of 2736	2296	fd1cef5cc1c58376c44c193b72163ec4.exe	29
PID 2296 wrote to memory of 2736	2296	fd1cef5cc1c58376c44c193b72163ec4.exe	29
PID 2296 wrote to memory of 2736	2296	fd1cef5cc1c58376c44c193b72163ec4.exe	29
PID 2296 wrote to memory of 2736	2296	fd1cef5cc1c58376c44c193b72163ec4.exe	29
PID 2296 wrote to memory of 2736	2296	fd1cef5cc1c58376c44c193b72163ec4.exe	29
PID 2296 wrote to memory of 2736	2296	fd1cef5cc1c58376c44c193b72163ec4.exe	29
PID 2296 wrote to memory of 2736	2296	fd1cef5cc1c58376c44c193b72163ec4.exe	29
PID 2296 wrote to memory of 2736	2296	fd1cef5cc1c58376c44c193b72163ec4.exe	29
PID 2296 wrote to memory of 2736	2296	fd1cef5cc1c58376c44c193b72163ec4.exe	29
PID 2296 wrote to memory of 1196	2296	fd1cef5cc1c58376c44c193b72163ec4.exe	20

C:\Users\Admin\AppData\Local\Temp\fd1cef5cc1c58376c44c193b72163ec4.exe
"C:\Users\Admin\AppData\Local\Temp\fd1cef5cc1c58376c44c193b72163ec4.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Users\Admin\AppData\Local\Temp\fd1cef5cc1c58376c44c193b72163ec4.exe
  "C:\Users\Admin\AppData\Local\Temp\fd1cef5cc1c58376c44c193b72163ec4.exe"
  2⤵
  PID:2736

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
- Drops startup file
PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1196-26-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/1196-28-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/2296-5-0x0000000002130000-0x00000000022B0000-memory.dmp

Filesize
1.5MB

Download
memory/2296-1-0x000000007729F000-0x00000000772A0000-memory.dmp

Filesize
4KB

Download
memory/2296-30-0x00000000033B0000-0x00000000033B1000-memory.dmp

Filesize
4KB

Download
memory/2296-31-0x0000000000220000-0x000000000029B000-memory.dmp

Filesize
492KB

Download
memory/2296-32-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/2296-0-0x0000000000220000-0x000000000029B000-memory.dmp

Filesize
492KB

Download
memory/2296-29-0x0000000000400000-0x0000000000776000-memory.dmp

Filesize
3.5MB

Download
memory/2736-21-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2736-7-0x000000007729F000-0x00000000772A0000-memory.dmp

Filesize
4KB

Download
memory/2736-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2736-15-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2736-14-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2736-13-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2736-12-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2736-11-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2736-10-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2736-9-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2736-8-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2736-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2736-19-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2736-4-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2736-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2736-22-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2736-23-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2736-24-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2736-25-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2736-18-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2736-35-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing