purplefox | 97ef5b337525f141296c156e7bed821a3752166ab09decaa1d4b7802238cbfa4

Analysis

max time kernel
45s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-10-2022 05:26

Target

远赴缅甸打击电信诈骗抓捕现场.exe
Size

533KB
MD5

ac610ad3802c015f9c13710e8302b0aa
SHA1

dab8c7124fe3d99fb375fa81c39f409d0db68436
SHA256

fdfbfc6b003ff682a9b364ff852618c0c6af35e20abd357fb3b875f96581e50c
SHA512

eb80ab03e8c8a5157ef3ade6bfd7ee41d5d71268f72288dc49cbf44aafe284c089a107e3cd63da3ec52b7c4e36dbc07b10f977b0d1ae75903bd51cf89ec34ed2
SSDEEP

12288:0kWXuTQ8OKvpmdFzW9f0OnRwCvTXByFNY:DWXkzJJRwWjB

Score

10^/10

Detect PurpleFox Rootkit 3 IoCs

Detect PurpleFox Rootkit.

Processes:

resource	yara_rule
behavioral1/memory/2012-57-0x0000000010000000-0x00000000101B9000-memory.dmp	purplefox_rootkit
behavioral1/memory/2012-58-0x0000000010000000-0x00000000101B9000-memory.dmp	purplefox_rootkit
behavioral1/memory/2012-59-0x0000000010000000-0x00000000101B9000-memory.dmp	purplefox_rootkit

PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral1/memory/2012-55-0x0000000010000000-0x00000000101B9000-memory.dmp	upx
behavioral1/memory/2012-57-0x0000000010000000-0x00000000101B9000-memory.dmp	upx
behavioral1/memory/2012-58-0x0000000010000000-0x00000000101B9000-memory.dmp	upx
behavioral1/memory/2012-59-0x0000000010000000-0x00000000101B9000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

Processes:

远赴缅甸打击电信诈骗抓捕现场.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\Wofwo.exe 远赴缅甸打击电信诈骗抓捕现场.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Wofwo.exe	远赴缅甸打击电信诈骗抓捕现场.exe

C:\Users\Admin\AppData\Local\Temp\远赴缅甸打击电信诈骗抓捕现场.exe
"C:\Users\Admin\AppData\Local\Temp\远赴缅甸打击电信诈骗抓捕现场.exe"
1⤵
- Drops file in System32 directory
PID:2012

memory/2012-54-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download
memory/2012-55-0x0000000010000000-0x00000000101B9000-memory.dmp

Filesize
1.7MB

Download
memory/2012-57-0x0000000010000000-0x00000000101B9000-memory.dmp

Filesize
1.7MB

Download
memory/2012-58-0x0000000010000000-0x00000000101B9000-memory.dmp

Filesize
1.7MB

Download
memory/2012-59-0x0000000010000000-0x00000000101B9000-memory.dmp

Filesize
1.7MB

Download