purplefox | 9639cb66a7291c91ca89430860016db1d013b5a89d2af192b490fcfdf9fd3afb

Sharing

Copy URL

Twitter E-mail

General

Target

9639cb66a7291c91ca89430860016db1d013b5a89d2af192b490fcfdf9fd3afb
Size

419KB
MD5

34e384f9a5486bf95fdc4bfa3cf60b96
SHA1

a4a50ee03e3e290429a18d37900b35eb3ec95cf0
SHA256

9639cb66a7291c91ca89430860016db1d013b5a89d2af192b490fcfdf9fd3afb
SHA512

08cd8e06c61679b4ef2b46144cda9fb54544386c6531c4daee0811725c6a96244d370f7b6f17a7d65237bf174a057521b1e4e318b21af79af7cd3cbda85171fb
SSDEEP

6144:OdpH3nobeCfgkyR6F5yRzleFeorqrldqJ8Bn:oJXqbgkybRu8J

Score

10^/10

rootkit purplefox

Malware Config

Signatures

Detect PurpleFox Rootkit 1 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
sample	purplefox_rootkit

Purplefox family
purplefox

Files

9639cb66a7291c91ca89430860016db1d013b5a89d2af192b490fcfdf9fd3afb
.sys windows:10 windows x64 arch:x64

68c5678a06e383607e9474330e8f3a34

Code Sign

4e:fa:7e:7b:ba:65:ec:1a:b7:74:f2:b3:13:57:d5:99
Certificate

Issuer

CN=Thawte Code Signing CA - G2,O=Thawte\, Inc.,C=US

Not Before

20-05-2013 00:00

Not After

20-05-2014 23:59

Subject

CN=Shenzhen yundian Technology Co.\, Ltd,O=Shenzhen yundian Technology Co.\, Ltd,L=Shenzhen,ST=Guangdong,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageMicrosoftCommercialCodeSigning

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5e
Certificate

Issuer

CN=thawte Primary Root CA,OU=Certification Services Division+OU=(c) 2006 thawte\, Inc. - For authorized use only,O=thawte\, Inc.,C=US

Not Before

08-02-2010 00:00

Not After

07-02-2020 23:59

Subject

CN=Thawte Code Signing CA - G2,O=Thawte\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

61:1f:b0:a4:00:00:00:00:00:1d
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22-02-2011 19:31

Not After

22-02-2021 19:41

Subject

CN=thawte Primary Root CA,OU=Certification Services Division+OU=(c) 2006 thawte\, Inc. - For authorized use only,O=thawte\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

5a:e6:df:fe:e1:f8:b6:e9:72:ce:59:93:64:24:b6:4e:70:e7:fa:67
Signer

Actual PE Digest

5a:e6:df:fe:e1:f8:b6:e9:72:ce:59:93:64:24:b6:4e:70:e7:fa:67

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

J:\hidden-master-2.1\x64\Release\QAssist.pdb

Imports

fltmgr.sys

FltUnregisterFilter
FltStartFiltering
FltGetFileNameInformation
FltReleaseFileNameInformation
FltRegisterFilter

ntoskrnl.exe

RtlInitUnicodeString
ExAllocatePoolWithTag
ExFreePoolWithTag
ZwClose
ZwOpenKey
ZwQueryValueKey
IofCompleteRequest
IoCreateDevice
IoCreateSymbolicLink
IoDeleteDevice
IoDeleteSymbolicLink
PsGetCurrentProcessId
__C_specific_handler
RtlAppendUnicodeStringToString
RtlGetVersion
ZwOpenSymbolicLinkObject
ZwQuerySymbolicLinkObject
RtlPrefixUnicodeString
ZwQuerySystemInformation
ZwQueryInformationProcess
strstr
KeInitializeEvent
KeSetEvent
KeWaitForSingleObject
ExGetPreviousMode
PsCreateSystemThread
PsTerminateSystemThread
ObReferenceObjectByHandle
ObfDereferenceObject
MmIsAddressValid
NtTraceControl
MmGetSystemRoutineAddress
IoGetCurrentProcess
PsGetProcessId
PsLookupProcessByProcessId
RtlCompareUnicodeString
RtlEqualUnicodeString
KeInitializeGuardedMutex
KeAcquireGuardedMutex
KeReleaseGuardedMutex
ExAcquireFastMutex
ExReleaseFastMutex
ObRegisterCallbacks
ObUnRegisterCallbacks
PsSetCreateProcessNotifyRoutineEx
PsSetLoadImageNotifyRoutine
PsRemoveLoadImageNotifyRoutine
PsGetThreadProcessId
ZwOpenProcess
PsProcessType
PsThreadType
RtlCopyUnicodeString
RtlInitializeGenericTableAvl
RtlInsertElementGenericTableAvl
RtlDeleteElementGenericTableAvl
RtlEnumerateGenericTableWithoutSplayingAvl
ObfReferenceObject
RtlLookupElementGenericTableAvl
CmUnRegisterCallback
CmRegisterCallbackEx
CmCallbackGetKeyObjectID
ZwEnumerateKey
ZwEnumerateValueKey
ObOpenObjectByPointer
_vsnwprintf
_local_unwind
CmKeyObjectType
KeDelayExecutionThread
ExAllocatePoolWithQuotaTag
KeBugCheckEx

Sections

.text
Size: 58KB - Virtual size: 58KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 341KB - Virtual size: 341KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

68c5678a06e383607e9474330e8f3a34

Code Sign

4e:fa:7e:7b:ba:65:ec:1a:b7:74:f2:b3:13:57:d5:99Certificate

Extended Key Usages

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5eCertificate

Extended Key Usages

Key Usages

61:1f:b0:a4:00:00:00:00:00:1dCertificate

Key Usages

5a:e6:df:fe:e1:f8:b6:e9:72:ce:59:93:64:24:b6:4e:70:e7:fa:67Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

fltmgr.sys

ntoskrnl.exe

Sections

.text Size: 58KB - Virtual size: 58KB

.rdata Size: 341KB - Virtual size: 341KB

.data Size: 3KB - Virtual size: 5KB

.pdata Size: 2KB - Virtual size: 2KB

INIT Size: 3KB - Virtual size: 2KB

.reloc Size: 5KB - Virtual size: 5KB

4e:fa:7e:7b:ba:65:ec:1a:b7:74:f2:b3:13:57:d5:99
Certificate

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5e
Certificate

61:1f:b0:a4:00:00:00:00:00:1d
Certificate

5a:e6:df:fe:e1:f8:b6:e9:72:ce:59:93:64:24:b6:4e:70:e7:fa:67
Signer

.text
Size: 58KB - Virtual size: 58KB

.rdata
Size: 341KB - Virtual size: 341KB

.data
Size: 3KB - Virtual size: 5KB

.pdata
Size: 2KB - Virtual size: 2KB

INIT
Size: 3KB - Virtual size: 2KB

.reloc
Size: 5KB - Virtual size: 5KB