purplefox

Sharing

Copy URL

Twitter E-mail

General

Target

50fa244bace65606484686c0468c38c07cacf8d51dd4be774e231dc94b63371c
Size

191KB
Sample

230710-h2bw7ahb47
MD5

99adfb109eae208947fbe0f912efe8f3
SHA1

00ce583f6b49e0191dc857da42ecc9ee89b58998
SHA256

50fa244bace65606484686c0468c38c07cacf8d51dd4be774e231dc94b63371c
SHA512

ae52ace6ac47dc2dc26b9875b1c14fa7cc30ec03309ec2a50c2965601458542fd4ed88b818a138aad2ca32d4a7a6eeb6743f92f7f056592b15a56c868faa0656
SSDEEP

3072:nF82mrnPNnW0Z3lXCwPhaV58b29Zi+K3OQd+D9+22Cep5og+tnGA+BIUus0bJUxT:nFezlPhCwJaV58b2pIAY22Cep5gtnGAE

Score

10^/10

Malware Config

Targets

- Target
  
  50fa244bace65606484686c0468c38c07cacf8d51dd4be774e231dc94b63371c
- Size
  
  191KB
- MD5
  
  99adfb109eae208947fbe0f912efe8f3
- SHA1
  
  00ce583f6b49e0191dc857da42ecc9ee89b58998
- SHA256
  
  50fa244bace65606484686c0468c38c07cacf8d51dd4be774e231dc94b63371c
- SHA512
  
  ae52ace6ac47dc2dc26b9875b1c14fa7cc30ec03309ec2a50c2965601458542fd4ed88b818a138aad2ca32d4a7a6eeb6743f92f7f056592b15a56c868faa0656
- SSDEEP
  
  3072:nF82mrnPNnW0Z3lXCwPhaV58b29Zi+K3OQd+D9+22Cep5og+tnGA+BIUus0bJUxT:nFezlPhCwJaV58b2pIAY22Cep5gtnGAE
Score

1^/10
behavioral1 behavioral2
- Target
  
  Invoices.lnk
- Size
  
  1KB
- MD5
  
  cbe684367925c53f7a9026f252011724
- SHA1
  
  ec8cf089aa811c009683c8ee4e5183750ef0452e
- SHA256
  
  744abbb0d8d00bc5eb058ce47ffffa971c7dbd03a9b204c67284080e99d982da
- SHA512
  
  7d06394b39ee7b7c9570307fd1f6349fa440ed3d21f8f1ee67ae35c9b3bacabe214b47830e498e56f2fd51f02de44ec2e1625de21abdce5af5fec69f139fdad0
Score

8^/10
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Use of msiexec (install) with remote resource
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
behavioral3 behavioral4
- Target
  
  Res/Settings.ini
- Size
  
  1KB
- MD5
  
  cc9251badf7a32db553b5076df3b8198
- SHA1
  
  194ab4fd9fb2212a9ee013735f87171f776ef488
- SHA256
  
  d53285d77084f640f45b05e96fa5329e55e0da11761c7b3d960bb73a9b11dbc6
- SHA512
  
  4ada8e78a75db52f10546ecaccc91bc2f5d20b6f6b3c7612d194c5e926bc4db98e32019210fbba1137f55fca3133390b7ef5870f72f2fade5e07c1064d0ac38f
Score

1^/10
behavioral5 behavioral6
- Target
  
  Res/TVPSkin.dll
- Size
  
  124KB
- MD5
  
  66759c30143666d21dd98351df325c76
- SHA1
  
  9091be6630ad170d15ca6a6722ce53619ac61229
- SHA256
  
  e25b35196098206f4ea3903652eed409207a900863a4d7df5edb1c7ba1d94c93
- SHA512
  
  c27a54bc7565db3776c18900d044925ba7e121cc3ecdf8bac02cf40559e41c280b2b0ee0871803d7c85c5d98e4b0b9ecac3ec7d32ee99b59c61632be64e928d3
- SSDEEP
  
  1536:GPgVjdZ5PzDpe5zgCG1DT8vzsJkRU39PvpqfHvCuv/Aaz4Isxhr2Rejvz:GPg9vdDpemCG1ezZsPvpA6uQ4QTqRw
Score

3^/10
behavioral7 behavioral8
- Target
  
  Res/hskin.dll
- Size
  
  132KB
- MD5
  
  1de37ff829502f5cdeffd86e5ddc5351
- SHA1
  
  355f026d6f8c43956b8d326026038bf809f7350d
- SHA256
  
  3eef905a3c6b0729f2ec13924dbf51af6b5d72d256a0e8959e7bd929b7e85294
- SHA512
  
  78134588efd2003740c3d569d834e9dbfc45df9076bc30d7d8007dd7258f5a6f7db354ce950793e6f93f8a8d90c96cbba938864f759637bb707aa575d6485947
- SSDEEP
  
  1536:giS5zJfm6ifXMBNJSZw4SLM5Eauu2jebBmSCmjoJJCWueh0q:g7zmrfXNZ4mpBjjoJJCJeCq
Score

1^/10
behavioral10 behavioral9
- Target
  
  Res/tvp.exe
- Size
  
  228KB
- MD5
  
  de2052aae5a5915d09d9d1ede714865c
- SHA1
  
  2161a471b598ea002fc2a1cc4b65dbb8da14a88e
- SHA256
  
  1d3f51b33070b5b8f11c891bb160f5f737151f3a36c2e24f96c2844b089a5294
- SHA512
  
  914eb403bc0662266e9b00f52da192463ae782c301be5279579fe88924451fa8b38a9cc9e689499ae7240259e7c03310980f06a5f7cd1b90bda0b3948fb5d1b3
- SSDEEP
  
  3072:0QUurm/I/Pc1fsrHxbGL+9QD2pkIanLqf0bAadkp2guonxKzjMMDE0BB6p2wkLqj:lRrXECWDianeuonmRankL
Score

10^/10

purplefox discovery evasion rootkit trojan
- Detect PurpleFox MSI
  Detect PurpleFox MSI.
  rootkit
- PurpleFox
  PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
  rootkit trojan purplefox
- Blocklisted process makes network request
- Stops running service(s)
  evasion
- Loads dropped DLL
- Modifies file permissions
  discovery
- Use of msiexec (install) with remote resource
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
behavioral11 behavioral12

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Tasks

Sharing

General

Malware Config

Targets

Blocklisted process makes network request

Checks computer location settings

Use of msiexec (install) with remote resource

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Detect PurpleFox MSI

Blocklisted process makes network request

Stops running service(s)

Loads dropped DLL

Modifies file permissions

Use of msiexec (install) with remote resource

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12