parallax | 500670f00b1e99426a3f5a49634475b69e3bca76442f7ad6db3b082fd094aecb

General

Target

337e300721c80ee6c114cc38b2ed786a.exe
Size

1.8MB
MD5

337e300721c80ee6c114cc38b2ed786a
SHA1

c6403b50de536acd4b7b90a4173ebe86bb86a001
SHA256

500670f00b1e99426a3f5a49634475b69e3bca76442f7ad6db3b082fd094aecb
SHA512

bdec678edfcdd29d0c8fb585cedd628ee6629410e79cfae3f8747066f9264c2f4ad92a35a31df4a48ab8e4682b47aca49fbff3ce22c9e80f6ccad5796f6530b4
SSDEEP

24576:DTEk3Xn9SWNNjE6zdAiYVs6hkBWa514UeWgzSULrGlK3Tacr+bZ47x:3nN4AAU6AoPQULrGlK3TcZ47

Score

10^/10

parallax rat

Malware Config

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 18 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

Processes:

resource	yara_rule
behavioral1/memory/2912-11-0x0000000003950000-0x000000000397C000-memory.dmp	parallax_rat
behavioral1/memory/2912-12-0x0000000003950000-0x000000000397C000-memory.dmp	parallax_rat
behavioral1/memory/2912-14-0x0000000003950000-0x000000000397C000-memory.dmp	parallax_rat
behavioral1/memory/2912-15-0x0000000003950000-0x000000000397C000-memory.dmp	parallax_rat
behavioral1/memory/2912-24-0x0000000003950000-0x000000000397C000-memory.dmp	parallax_rat
behavioral1/memory/2912-25-0x0000000003950000-0x000000000397C000-memory.dmp	parallax_rat
behavioral1/memory/2912-27-0x0000000003950000-0x000000000397C000-memory.dmp	parallax_rat
behavioral1/memory/2912-26-0x0000000003950000-0x000000000397C000-memory.dmp	parallax_rat
behavioral1/memory/2912-23-0x0000000003950000-0x000000000397C000-memory.dmp	parallax_rat
behavioral1/memory/2912-22-0x0000000003950000-0x000000000397C000-memory.dmp	parallax_rat
behavioral1/memory/2912-21-0x0000000003950000-0x000000000397C000-memory.dmp	parallax_rat
behavioral1/memory/2912-20-0x0000000003950000-0x000000000397C000-memory.dmp	parallax_rat
behavioral1/memory/2912-19-0x0000000003950000-0x000000000397C000-memory.dmp	parallax_rat
behavioral1/memory/2912-18-0x0000000003950000-0x000000000397C000-memory.dmp	parallax_rat
behavioral1/memory/2912-17-0x0000000003950000-0x000000000397C000-memory.dmp	parallax_rat
behavioral1/memory/2912-16-0x0000000003950000-0x000000000397C000-memory.dmp	parallax_rat
behavioral1/memory/2912-13-0x0000000003950000-0x000000000397C000-memory.dmp	parallax_rat
behavioral1/memory/2912-32-0x0000000003950000-0x000000000397C000-memory.dmp	parallax_rat

Drops startup file 1 IoCs

Processes:

DllHost.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reun.exe DllHost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reun.exe	DllHost.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

337e300721c80ee6c114cc38b2ed786a.exe

pid	process
2912	337e300721c80ee6c114cc38b2ed786a.exe
2912	337e300721c80ee6c114cc38b2ed786a.exe
2912	337e300721c80ee6c114cc38b2ed786a.exe
2912	337e300721c80ee6c114cc38b2ed786a.exe
2912	337e300721c80ee6c114cc38b2ed786a.exe
2912	337e300721c80ee6c114cc38b2ed786a.exe
2912	337e300721c80ee6c114cc38b2ed786a.exe
2912	337e300721c80ee6c114cc38b2ed786a.exe
2912	337e300721c80ee6c114cc38b2ed786a.exe
2912	337e300721c80ee6c114cc38b2ed786a.exe
2912	337e300721c80ee6c114cc38b2ed786a.exe
2912	337e300721c80ee6c114cc38b2ed786a.exe
2912	337e300721c80ee6c114cc38b2ed786a.exe
2912	337e300721c80ee6c114cc38b2ed786a.exe
2912	337e300721c80ee6c114cc38b2ed786a.exe
2912	337e300721c80ee6c114cc38b2ed786a.exe
2912	337e300721c80ee6c114cc38b2ed786a.exe
2912	337e300721c80ee6c114cc38b2ed786a.exe
2912	337e300721c80ee6c114cc38b2ed786a.exe
2912	337e300721c80ee6c114cc38b2ed786a.exe
2912	337e300721c80ee6c114cc38b2ed786a.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1260 Explorer.EXE
1260 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1260 Explorer.EXE
1260 Explorer.EXE
Suspicious use of WriteProcessMemory 1 IoCs

Processes:

337e300721c80ee6c114cc38b2ed786a.exe

description pid process target process

PID 2912 wrote to memory of 1260 2912 337e300721c80ee6c114cc38b2ed786a.exe Explorer.EXE

pid	process
1260	Explorer.EXE
1260	Explorer.EXE

pid	process
1260	Explorer.EXE
1260	Explorer.EXE

description	pid	process	target process
PID 2912 wrote to memory of 1260	2912	337e300721c80ee6c114cc38b2ed786a.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1260

C:\Users\Admin\AppData\Local\Temp\337e300721c80ee6c114cc38b2ed786a.exe
"C:\Users\Admin\AppData\Local\Temp\337e300721c80ee6c114cc38b2ed786a.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2912

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
- Drops startup file
PID:2760

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1260-5-0x0000000001D40000-0x0000000001D41000-memory.dmp

Filesize
4KB

Download
memory/1260-7-0x0000000001D40000-0x0000000001D41000-memory.dmp

Filesize
4KB

Download
memory/2912-25-0x0000000003950000-0x000000000397C000-memory.dmp

Filesize
176KB

Download
memory/2912-32-0x0000000003950000-0x000000000397C000-memory.dmp

Filesize
176KB

Download
memory/2912-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2912-1-0x0000000000360000-0x00000000003E0000-memory.dmp

Filesize
512KB

Download
memory/2912-10-0x00000000020A0000-0x00000000020A1000-memory.dmp

Filesize
4KB

Download
memory/2912-11-0x0000000003950000-0x000000000397C000-memory.dmp

Filesize
176KB

Download
memory/2912-8-0x0000000002090000-0x0000000002091000-memory.dmp

Filesize
4KB

Download
memory/2912-9-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2912-12-0x0000000003950000-0x000000000397C000-memory.dmp

Filesize
176KB

Download
memory/2912-14-0x0000000003950000-0x000000000397C000-memory.dmp

Filesize
176KB

Download
memory/2912-15-0x0000000003950000-0x000000000397C000-memory.dmp

Filesize
176KB

Download
memory/2912-24-0x0000000003950000-0x000000000397C000-memory.dmp

Filesize
176KB

Download
memory/2912-6-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2912-2-0x000000007795F000-0x0000000077960000-memory.dmp

Filesize
4KB

Download
memory/2912-17-0x0000000003950000-0x000000000397C000-memory.dmp

Filesize
176KB

Download
memory/2912-23-0x0000000003950000-0x000000000397C000-memory.dmp

Filesize
176KB

Download
memory/2912-22-0x0000000003950000-0x000000000397C000-memory.dmp

Filesize
176KB

Download
memory/2912-21-0x0000000003950000-0x000000000397C000-memory.dmp

Filesize
176KB

Download
memory/2912-20-0x0000000003950000-0x000000000397C000-memory.dmp

Filesize
176KB

Download
memory/2912-19-0x0000000003950000-0x000000000397C000-memory.dmp

Filesize
176KB

Download
memory/2912-18-0x0000000003950000-0x000000000397C000-memory.dmp

Filesize
176KB

Download
memory/2912-26-0x0000000003950000-0x000000000397C000-memory.dmp

Filesize
176KB

Download
memory/2912-16-0x0000000003950000-0x000000000397C000-memory.dmp

Filesize
176KB

Download
memory/2912-13-0x0000000003950000-0x000000000397C000-memory.dmp

Filesize
176KB

Download
memory/2912-28-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2912-29-0x0000000000360000-0x00000000003E0000-memory.dmp

Filesize
512KB

Download
memory/2912-27-0x0000000003950000-0x000000000397C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing