parallax | f6c901d8959b26428c5fbb9b0c4a18be2057bb4d22e85bfe2442c0a8744a9ff6

General

Target

sew1.exe
Size

1.9MB
MD5

6c5843a7b8b23ce49dbd3d89a54b56bf
SHA1

afc9a7160ad753b2fedc385f2544d1d98cebf0be
SHA256

f6c901d8959b26428c5fbb9b0c4a18be2057bb4d22e85bfe2442c0a8744a9ff6
SHA512

5322db20006ce6a0ef58470f05b091a10147a57c467ae38eec813b37740decd01c18fe906262146b21e5703b5c902ebf64a0c035487120ce30863fb438d89c08
SSDEEP

24576:syc92Stiatqme6qnvKEOQmSgcetFtABdSCSuWyLZ6gpEVKAlYE1W1:B5jJvHgJtALSCSuZVsTlM

Score

10^/10

parallax rat

Malware Config

Signatures

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 18 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

Processes:

resource	yara_rule
behavioral1/memory/1688-5-0x0000000003980000-0x00000000039AC000-memory.dmp	parallax_rat
behavioral1/memory/1688-6-0x0000000003980000-0x00000000039AC000-memory.dmp	parallax_rat
behavioral1/memory/1688-7-0x0000000003980000-0x00000000039AC000-memory.dmp	parallax_rat
behavioral1/memory/1688-8-0x0000000003980000-0x00000000039AC000-memory.dmp	parallax_rat
behavioral1/memory/1688-9-0x0000000003980000-0x00000000039AC000-memory.dmp	parallax_rat
behavioral1/memory/1688-10-0x0000000003980000-0x00000000039AC000-memory.dmp	parallax_rat
behavioral1/memory/1688-11-0x0000000003980000-0x00000000039AC000-memory.dmp	parallax_rat
behavioral1/memory/1688-12-0x0000000003980000-0x00000000039AC000-memory.dmp	parallax_rat
behavioral1/memory/1688-13-0x0000000003980000-0x00000000039AC000-memory.dmp	parallax_rat
behavioral1/memory/1688-14-0x0000000003980000-0x00000000039AC000-memory.dmp	parallax_rat
behavioral1/memory/1688-15-0x0000000003980000-0x00000000039AC000-memory.dmp	parallax_rat
behavioral1/memory/1688-16-0x0000000003980000-0x00000000039AC000-memory.dmp	parallax_rat
behavioral1/memory/1688-17-0x0000000003980000-0x00000000039AC000-memory.dmp	parallax_rat
behavioral1/memory/1688-18-0x0000000003980000-0x00000000039AC000-memory.dmp	parallax_rat
behavioral1/memory/1688-19-0x0000000003980000-0x00000000039AC000-memory.dmp	parallax_rat
behavioral1/memory/1688-20-0x0000000003980000-0x00000000039AC000-memory.dmp	parallax_rat
behavioral1/memory/1688-21-0x0000000003980000-0x00000000039AC000-memory.dmp	parallax_rat
behavioral1/memory/1688-26-0x0000000003980000-0x00000000039AC000-memory.dmp	parallax_rat

Drops startup file 1 IoCs

Processes:

DllHost.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FilesDR3.exe DllHost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FilesDR3.exe	DllHost.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

sew1.exe

pid	process
1688	sew1.exe
1688	sew1.exe
1688	sew1.exe
1688	sew1.exe
1688	sew1.exe
1688	sew1.exe
1688	sew1.exe
1688	sew1.exe
1688	sew1.exe
1688	sew1.exe
1688	sew1.exe
1688	sew1.exe
1688	sew1.exe
1688	sew1.exe
1688	sew1.exe
1688	sew1.exe
1688	sew1.exe
1688	sew1.exe
1688	sew1.exe
1688	sew1.exe

C:\Users\Admin\AppData\Local\Temp\sew1.exe
"C:\Users\Admin\AppData\Local\Temp\sew1.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1688

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
- Drops startup file
PID:2628

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1688-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1688-1-0x0000000002080000-0x0000000002100000-memory.dmp

Filesize
512KB

Download
memory/1688-2-0x0000000077AAF000-0x0000000077AB0000-memory.dmp

Filesize
4KB

Download
memory/1688-5-0x0000000003980000-0x00000000039AC000-memory.dmp

Filesize
176KB

Download
memory/1688-6-0x0000000003980000-0x00000000039AC000-memory.dmp

Filesize
176KB

Download
memory/1688-7-0x0000000003980000-0x00000000039AC000-memory.dmp

Filesize
176KB

Download
memory/1688-8-0x0000000003980000-0x00000000039AC000-memory.dmp

Filesize
176KB

Download
memory/1688-9-0x0000000003980000-0x00000000039AC000-memory.dmp

Filesize
176KB

Download
memory/1688-10-0x0000000003980000-0x00000000039AC000-memory.dmp

Filesize
176KB

Download
memory/1688-11-0x0000000003980000-0x00000000039AC000-memory.dmp

Filesize
176KB

Download
memory/1688-12-0x0000000003980000-0x00000000039AC000-memory.dmp

Filesize
176KB

Download
memory/1688-13-0x0000000003980000-0x00000000039AC000-memory.dmp

Filesize
176KB

Download
memory/1688-14-0x0000000003980000-0x00000000039AC000-memory.dmp

Filesize
176KB

Download
memory/1688-15-0x0000000003980000-0x00000000039AC000-memory.dmp

Filesize
176KB

Download
memory/1688-16-0x0000000003980000-0x00000000039AC000-memory.dmp

Filesize
176KB

Download
memory/1688-17-0x0000000003980000-0x00000000039AC000-memory.dmp

Filesize
176KB

Download
memory/1688-18-0x0000000003980000-0x00000000039AC000-memory.dmp

Filesize
176KB

Download
memory/1688-19-0x0000000003980000-0x00000000039AC000-memory.dmp

Filesize
176KB

Download
memory/1688-20-0x0000000003980000-0x00000000039AC000-memory.dmp

Filesize
176KB

Download
memory/1688-21-0x0000000003980000-0x00000000039AC000-memory.dmp

Filesize
176KB

Download
memory/1688-22-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/1688-23-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1688-25-0x0000000002080000-0x0000000002100000-memory.dmp

Filesize
512KB

Download
memory/1688-26-0x0000000003980000-0x00000000039AC000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing