Resubmissions

28-01-2022 12:16

220128-pflylaccar 10

22-01-2022 08:05

220122-jyv2bsaddr 10

General

  • Target

    3ec149660a6808f711ca6cb6b20c1dda.exe

  • Size

    658KB

  • Sample

    220122-jyv2bsaddr

  • MD5

    3ec149660a6808f711ca6cb6b20c1dda

  • SHA1

    45c3d1d8dd512c01fd6c897c67b35c13c49828cb

  • SHA256

    2d288f2cd6752a01360f2669959e2c61f676f8156d5cc40d4b415245ae04cf6d

  • SHA512

    3a15e7bfbabeb296001086453320a133dc242ef170ccf45d459d2a7f402fadfe3329099d79b368416d565ba0c16eb051b64fe7b756c21f822ab49ec483b5649d

Malware Config

Extracted

Family

purplefox

C2

http://107.151.94.70:4397/77

Extracted

Family

purplefox

Botnet

Sainbox

C2

193.218.38.93

Extracted

Family

purplefox

Targets

    • Target

      3ec149660a6808f711ca6cb6b20c1dda.exe

    • Size

      658KB

    • MD5

      3ec149660a6808f711ca6cb6b20c1dda

    • SHA1

      45c3d1d8dd512c01fd6c897c67b35c13c49828cb

    • SHA256

      2d288f2cd6752a01360f2669959e2c61f676f8156d5cc40d4b415245ae04cf6d

    • SHA512

      3a15e7bfbabeb296001086453320a133dc242ef170ccf45d459d2a7f402fadfe3329099d79b368416d565ba0c16eb051b64fe7b756c21f822ab49ec483b5649d

    • Detect PurpleFox Dropper

      Detect PurpleFox Dropper.

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    • suricata: ET MALWARE OneLouder EXE download possibly installing Zeus P2P

      suricata: ET MALWARE OneLouder EXE download possibly installing Zeus P2P

    • suricata: ET MALWARE Probable OneLouder downloader (Zeus P2P) exe download

      suricata: ET MALWARE Probable OneLouder downloader (Zeus P2P) exe download

    • suricata: ET MALWARE PurpleFox Backdoor/Rootkit Download Request M1

      suricata: ET MALWARE PurpleFox Backdoor/Rootkit Download Request M1

    • suricata: ET MALWARE PurpleFox Backdoor/Rootkit Download Server Response M1

      suricata: ET MALWARE PurpleFox Backdoor/Rootkit Download Server Response M1

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

MITRE ATT&CK Matrix ATT&CK v6

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks