purplefox | 2971aa6c623ae9f42fd06a7dcf166598857ff63548937ff663ca972bc40fd7c7 | Triage

Submit
Reports

Overview

overview

Static

static

1

file.lnk

windows7-x64

file.lnk

windows10-2004-x64

Sharing

General

Target

file.lnk
Size

2KB
Sample

230919-tddlnacb87
MD5

b9c5bbb9e1c14a7d34087b9dab239a8c
SHA1

c71c5c794d76c252c77eae881685108a0a01f5ee
SHA256

2971aa6c623ae9f42fd06a7dcf166598857ff63548937ff663ca972bc40fd7c7
SHA512

7c0ceb15bc72978264fb36810f3b01aae018423227b4edc0fee0321b6a487bfef3964e080a49e6d27099642a74d164d4b662929fb9405a45caacfaeeb89c5db2

Score

10^/10

purplefox discovery evasion rootkit trojan

Static task

static1

Behavioral task

behavioral1

Sample

file.lnk

Resource

win7-20230831-en

purplefox discovery evasion rootkit trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

file.lnk

Resource

win10v2004-20230915-en

purplefox discovery evasion rootkit trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Targets

- Target
  
  file.lnk
- Size
  
  2KB
- MD5
  
  b9c5bbb9e1c14a7d34087b9dab239a8c
- SHA1
  
  c71c5c794d76c252c77eae881685108a0a01f5ee
- SHA256
  
  2971aa6c623ae9f42fd06a7dcf166598857ff63548937ff663ca972bc40fd7c7
- SHA512
  
  7c0ceb15bc72978264fb36810f3b01aae018423227b4edc0fee0321b6a487bfef3964e080a49e6d27099642a74d164d4b662929fb9405a45caacfaeeb89c5db2
Score

10^/10

purplefox discovery evasion rootkit trojan
- Detect PurpleFox MSI
  Detect PurpleFox MSI.
  rootkit
- PurpleFox
  PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
  rootkit trojan purplefox
- Blocklisted process makes network request
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Modifies file permissions
  discovery
- Use of msiexec (install) with remote resource
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

File and Directory Permissions Modification

Impair Defenses

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

purplefoxdiscoveryevasionrootkittrojan

behavioral2

purplefoxdiscoveryevasionrootkittrojan

© 2018-2025

Terms | Privacy