purplefox | 62adb2037a9e5a3fa1440a513fa42c986538e6c1759864774d4c5025cb303bc3

General

Target

62adb2037a9e5a3fa1440a513fa42c986538e6c1759864774d4c5025cb303bc3.exe
Size

4.6MB
MD5

413d58c415fa4547a7126ea6321d23a9
SHA1

3a9c911496f4c2fcca114aaf8278a5e963227392
SHA256

62adb2037a9e5a3fa1440a513fa42c986538e6c1759864774d4c5025cb303bc3
SHA512

06eca03ffb223eb2ccb68f7f43fd9365fbbf13ad73780348c841607e868b13d50c726f7f0d98dc7a9e5ff155a2cd785a466f646d5575f6ed1520ebb47965313f
SSDEEP

98304:yXvUNEDFN6F6xoSgoxEspdJipIddobqWQl:yXXvxzxFU8d5W+

Score

10^/10

purplefox rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 1 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral1/memory/2576-57-0x0000000010000000-0x00000000101B0000-memory.dmp	purplefox_rootkit

PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/356-9-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/356-30-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/356-45-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/356-43-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/356-41-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/356-38-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/356-74-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/356-36-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/356-34-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/356-32-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/356-28-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/356-26-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/356-24-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/356-22-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/356-19-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/356-17-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/356-15-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/356-13-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/356-11-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/356-7-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/356-5-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/356-3-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/356-2-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/356-1-0x0000000010000000-0x000000001003E000-memory.dmp	upx

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2848	PING.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
356	62adb2037a9e5a3fa1440a513fa42c986538e6c1759864774d4c5025cb303bc3.exe
356	62adb2037a9e5a3fa1440a513fa42c986538e6c1759864774d4c5025cb303bc3.exe
356	62adb2037a9e5a3fa1440a513fa42c986538e6c1759864774d4c5025cb303bc3.exe

C:\Users\Admin\AppData\Local\Temp\62adb2037a9e5a3fa1440a513fa42c986538e6c1759864774d4c5025cb303bc3.exe
"C:\Users\Admin\AppData\Local\Temp\62adb2037a9e5a3fa1440a513fa42c986538e6c1759864774d4c5025cb303bc3.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:356
- C:\Windows\Aqiyq.exe
  C:\Windows\Aqiyq.exe
  2⤵
  PID:2576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Windows\Aqiyq.exe > nul
    3⤵
    PID:3012

C:\Windows\Aqiyq.exe
C:\Windows\Aqiyq.exe -auto
1⤵
PID:2548
- C:\Windows\Aqiyq.exe
  C:\Windows\Aqiyq.exe -acsi
  2⤵
  PID:2600

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
1⤵
- Runs ping.exe
PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Aqiyq.exe

Filesize
1KB

MD5
4a00665d9e6ec86e48482a4b001550b5

SHA1
18aa59293e2adbce57ebf79000293ee51c98cf23

SHA256
90ee90d62c8dc5f76098748f8fac0d2b1aaf333779e5a01e8162fded6314b5ba

SHA512
842a944174fd8d04a5c71ccd9cc5dea8c1493c1dccc39c13bd9780015961422d6e67709d7090ae4bf752495c26780d919d8c3fc2a2179b5a1da1f91d83f92d04

Download Submit
C:\Windows\Aqiyq.exe

Filesize
5KB

MD5
25f8d8dd7d493d5c8e3e45c6ca21700f

SHA1
e1e501d7fe8ff738d4559fdf1def47e97e76eaed

SHA256
f2c9aec73845ea6cdad8cdf0cd8958ecaf411e0756bdb26c6e3a451810924acc

SHA512
76fc0937a341497115b1c65573e2df321cd9c53c27ac6b318eb342300bd5809aa12da76ec9b8a91efeb1bb3495d82f2785eff39b41cbe31bd9cbda8d63e73a8c

Download Submit
C:\Windows\Aqiyq.exe

Filesize
53KB

MD5
7308aad4d36488a9389f2d242a7d9f8c

SHA1
eb879687b0b953eb7795efef6bad9e87e1a83410

SHA256
d547e3da1472015d895151fd66c6b0520e25cbce3dc33956dcbdab4efcc64aee

SHA512
0cba240aed03b57a5233a5cc63f505cd278092866d601e9928f8c76ac5c21ecc1f0b87d8c71a7ef33a94729aac1592a23d9954f65ab2e8d62f6f7878f0ecd0e6

Download Submit
C:\Windows\Aqiyq.exe

Filesize
36KB

MD5
e774155f057b013e1569ca7371269493

SHA1
dbab7e39f8f0f5f6cffdaf4576c5387deca2ed9e

SHA256
49a90ac173697f2268f4dbf822bde913cc5a7faf7643e54744afd49fdca77667

SHA512
aad851c1d226758479d75a36cde0efcfef5b6853d11984b78b00be4787f9446aea09bad946dde2d0b19a81f0f97dbee74f7d528ff19674392a1eae2b5bc17b8c

Download Submit
C:\Windows\Aqiyq.exe

Filesize
24KB

MD5
56173050866cb0597c1085db208dabcb

SHA1
6aecbfecec72cc9bfb9b70c03bdfbe8fd9553bf3

SHA256
c08e1b5ef4fd6b18726dd055ffc3dc90799199cbcc1917b4abcf8beebbb71e14

SHA512
7113b438cff1ed370b152ef6dad2e86b27d04045f6b1fb211a07782bbe210957f16b436c6b424324b0a46102ba458564baa97a1734e79b37c00b716e0594d70a

Download Submit
memory/356-17-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/356-24-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/356-1-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/356-41-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/356-43-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/356-74-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/356-45-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/356-30-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/356-36-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/356-34-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/356-32-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/356-28-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/356-26-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/356-38-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/356-22-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/356-19-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/356-9-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/356-15-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/356-13-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/356-11-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/356-7-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/356-5-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/356-3-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/356-2-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2576-57-0x0000000010000000-0x00000000101B0000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing