purplefox | 428792c0a53e4218e0ad0c79b9e3040637977ae118b60aeb6ee1d9a45bb33a3e

Sharing

Copy URL

Twitter E-mail

General

Target

428792c0a53e4218e0ad0c79b9e3040637977ae118b60aeb6ee1d9a45bb33a3e
Size

11.4MB
MD5

6f6bb833a8191f08decacba9730e6d7d
SHA1

0597752575d4f9b9d71f5951506f6a0a6b4645e7
SHA256

428792c0a53e4218e0ad0c79b9e3040637977ae118b60aeb6ee1d9a45bb33a3e
SHA512

7e143310c40100b1ce85504e755a8686d5a5345e03fae4f28e618102ac2e852edee0e004524204cdbb1d3f0a6b411a4c7c037cb7bb8f5111a68ac4ca945013b6
SSDEEP

196608:tpbyXKAoNI2BF/f6BVGTgxVG8VGb3bvGenj01x5DkQ9L/5fgnpjEDIbRp8g6bCzy:+XKAmNeBCbQ9LRsZ/8g6bCzoPAc+Qpce

Score

10^/10

rootkit purplefox

Malware Config

Signatures

Detect PurpleFox Rootkit 1 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
sample	purplefox_rootkit

Purplefox family
purplefox

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

Processes:

resource
428792c0a53e4218e0ad0c79b9e3040637977ae118b60aeb6ee1d9a45bb33a3e

Files

428792c0a53e4218e0ad0c79b9e3040637977ae118b60aeb6ee1d9a45bb33a3e
.exe windows:6 windows x86 arch:x86

2377e074d2e35d2104a7f5fea44b28a9

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

J:\EagleEye3.1S\Server\Release\Server.pdb

Imports

kernel32

CreateTimerQueueTimer
DeleteTimerQueueTimer
GetModuleFileNameA
OpenFileMappingA
FreeConsole
AttachConsole
GetConsoleProcessList
CreateToolhelp32Snapshot
Process32First
Process32Next
MultiByteToWideChar
WideCharToMultiByte
QueryPerformanceCounter
QueryPerformanceFrequency
GlobalAlloc
GlobalSize
GlobalUnlock
GlobalLock
GlobalFree
WTSGetActiveConsoleSessionId
Thread32First
Thread32Next
GetVersionExA
OutputDebugStringA
SetWaitableTimer
CancelWaitableTimer
WaitForMultipleObjects
CreateWaitableTimerA
DecodePointer
RaiseException
InitializeCriticalSectionAndSpinCount
CreateRemoteThread
GetProcessId
GlobalMemoryStatusEx
lstrcmpiA
lstrcpyW
Module32First
Module32Next
GetPriorityClass
GetSystemInfo
WinExec
lstrcmpA
lstrcpynA
GetPrivateProfileStringA
GetComputerNameA
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
GetCurrentThreadId
GetEnvironmentVariableA
IsDebuggerPresent
SetUnhandledExceptionFilter
CreateMutexA
GetCurrentThread
SetPriorityClass
GetModuleFileNameW
LoadLibraryW
CreateFileMappingA
WriteConsoleW
HeapSize
ReadConsoleW
MapViewOfFile
GetStringTypeW
SetStdHandle
SetConsoleCtrlHandler
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetLocaleInfoW
LCMapStringW
CompareStringW
GetTimeFormatW
GetDateFormatW
SetEnvironmentVariableW
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCPInfo
GetOEMCP
GetACP
IsValidCodePage
FindNextFileW
FindFirstFileExW
SetFilePointerEx
GetFileSizeEx
GetConsoleMode
GetConsoleOutputCP
GetFileType
FreeLibraryAndExitThread
ResumeThread
ExitThread
GetStdHandle
GetModuleHandleExW
LoadLibraryExW
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
VirtualQuery
EncodePointer
SetLastError
InterlockedFlushSList
InterlockedPushEntrySList
RtlUnwind
GetFullPathNameW
CreateFileW
SetThreadPriority
WaitForSingleObjectEx
InitOnceComplete
InitOnceBeginInitialize
SleepConditionVariableCS
WakeAllConditionVariable
WakeConditionVariable
InitializeConditionVariable
InitializeCriticalSectionEx
OutputDebugStringW
InitializeSListHead
GetSystemTimeAsFileTime
GetModuleHandleW
GetStartupInfoW
IsProcessorFeaturePresent
UnhandledExceptionFilter
UnmapViewOfFile
GetSystemDirectoryW
GetTickCount
GetVersion
OpenProcess
TerminateProcess
ExitProcess
GetCurrentProcessId
DeviceIoControl
Beep
GetCommandLineA
MoveFileA
GetLogicalDriveStringsA
lstrcatA
lstrcpyA
IsWow64Process
CreateProcessA
GetCurrentProcess
GetLastError
GetVolumeInformationA
SetFileAttributesA
RemoveDirectoryA
GetDriveTypeA
GetDiskFreeSpaceExA
FindNextFileA
FindFirstFileA
CloseHandle
FindClose
DeleteFileA
CreateDirectoryA
IsBadReadPtr
GetWindowsDirectoryA
lstrlenA
LocalSize
LocalReAlloc
FreeLibrary
VirtualProtect
GetSystemDirectoryA
GetProcessHeap
HeapFree
HeapReAlloc
HeapAlloc
WriteFile
SetFilePointer
ReadFile
GetFileSize
GetFileAttributesA
CreateFileA
LoadLibraryA
GetProcAddress
LocalFree
LocalUnlock
LocalLock
LocalAlloc
GetModuleHandleA
GetLocalTime
VirtualFree
VirtualAlloc
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
TerminateThread
CreateThread
Sleep
CreateEventA
WaitForSingleObject
ResetEvent
SetEvent
CancelIo
FlushFileBuffers
SetEndOfFile

user32

SendMessageA
ShowWindow
DispatchMessageA
TranslateMessage
DialogBoxIndirectParamA
EndDialog
GetDlgItem
SetDlgItemTextA
GetDlgItemTextA
SetFocus
SetWindowTextA
GetWindowTextLengthA
GetWindowLongA
SetWindowLongA
SetClassLongA
LoadIconA
wsprintfA
CharNextA
ExitWindowsEx
SwapMouseButton
MoveWindow
GetForegroundWindow
GetWindowRect
MessageBoxA
GetMessageA
EnumWindows
CreateDesktopA
SetThreadDesktop
GetWindow
GetThreadDesktop
PostMessageA
SetWindowPos
GetWindowPlacement
OpenClipboard
CloseClipboard
SetClipboardData
GetClipboardData
EmptyClipboard
keybd_event
mouse_event
IsWindowEnabled
GetMenu
GetMenuStringA
MenuItemFromPoint
GetDC
ReleaseDC
ScreenToClient
MapWindowPoints
WindowFromPoint
PtInRect
GetTopWindow
GetCursorPos
GetSystemMetrics
GetAsyncKeyState
FindWindowA
UnregisterClassA
GetWindowTextA
GetClassNameA
OpenInputDesktop
GetUserObjectInformationA
DefWindowProcA
RegisterClassExA
CreateWindowExA
GetKeyState
IsWindowVisible
PrintWindow
GetCursorInfo
CloseDesktop
WaitForInputIdle
RealChildWindowFromPoint
GetParent
FindWindowExA
GetWindowThreadProcessId
LoadCursorA
DestroyCursor
ChangeDisplaySettingsA
EnumDisplaySettingsA
SystemParametersInfoA
GetGUIThreadInfo
BlockInput
RealGetWindowClassA

gdi32

CreateCompatibleDC
CreateRectRgnIndirect
DeleteDC
CreateCompatibleBitmap
GetRegionData
SelectObject
CreateDIBSection
CombineRgn
BitBlt
GetDIBits
GetDeviceCaps
DeleteObject

advapi32

EnumServicesStatusA
ControlService
ChangeServiceConfigA
RegDeleteKeyExA
CreateProcessAsUserA
RegSaveKeyA
RegRestoreKeyA
RegQueryInfoKeyA
RegSetKeySecurity
RegQueryValueExA
RegEnumValueA
RegEnumKeyExA
RegDeleteValueA
RegDeleteKeyA
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
InitializeAcl
GetLengthSid
FreeSid
AllocateAndInitializeSid
AddAccessAllowedAce
RegFlushKey
RegCreateKeyExA
ConvertStringSecurityDescriptorToSecurityDescriptorA
SetServiceStatus
SetServiceObjectSecurity
OpenServiceA
OpenSCManagerA
DeleteService
CloseServiceHandle
RegSetValueExA
RegCreateKeyA
OpenEventLogA
CloseEventLog
ClearEventLogA
RegQueryValueA
RegOpenKeyExA
RegCloseKey
GetUserNameA
LookupPrivilegeValueA
AdjustTokenPrivileges
LookupAccountSidA
GetTokenInformation
OpenProcessToken
AbortSystemShutdownA
RegOpenKeyA
UnlockServiceDatabase
StartServiceA
QueryServiceStatus
QueryServiceConfig2A
LockServiceDatabase
QueryServiceConfigA

shell32

SHGetFileInfoA
SHGetFolderPathA
SHGetSpecialFolderPathA
ShellExecuteExA

ole32

CoTaskMemFree
CoCreateInstance
CoInitializeEx
CoUninitialize
CoInitialize

oleaut32

SysFreeString

ws2_32

closesocket
connect
htons
recv
select
send
setsockopt
socket
gethostbyname
WSAStartup
gethostname
ioctlsocket
sendto
recvfrom
ntohs
listen
inet_ntoa
inet_addr
getsockname
getpeername
bind
accept
__WSAFDIsSet
WSAIoctl
WSACleanup

winmm

waveOutUnprepareHeader
waveOutPrepareHeader
waveOutClose
waveOutOpen
waveOutGetNumDevs
waveOutReset
waveOutWrite
waveInGetNumDevs
waveInOpen
waveInClose
mciSendStringA
waveInReset
waveInStop
waveInStart
waveInAddBuffer
waveInUnprepareHeader
waveInPrepareHeader

d3d11

D3D11CreateDevice

avrt

AvSetMmThreadCharacteristicsA
AvRevertMmThreadCharacteristics

shlwapi

SHDeleteKeyA

netapi32

NetUserEnum
NetApiBufferFree
NetLocalGroupAddMembers
NetUserGetLocalGroups
NetUserDel
NetUserSetInfo
NetUserGetInfo
NetUserAdd

iphlpapi

GetIfTable

psapi

GetModuleFileNameExA
GetProcessMemoryInfo

wininet

InternetOpenA
InternetConnectA
InternetReadFile
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
InternetCloseHandle

wtsapi32

WTSLogoffSession
WTSDisconnectSession
WTSQuerySessionInformationW
WTSEnumerateSessionsA
WTSQueryUserToken
WTSFreeMemory
WTSQuerySessionInformationA

Sections

.text
Size: 6.6MB - Virtual size: 6.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rodata
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 3.8MB - Virtual size: 3.8MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 887KB - Virtual size: 1.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 127KB - Virtual size: 127KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

2377e074d2e35d2104a7f5fea44b28a9

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

gdi32

advapi32

shell32

ole32

oleaut32

ws2_32

winmm

d3d11

avrt

shlwapi

netapi32

iphlpapi

psapi

wininet

wtsapi32

Sections

.text Size: 6.6MB - Virtual size: 6.6MB

.rodata Size: 12KB - Virtual size: 11KB

.rdata Size: 3.8MB - Virtual size: 3.8MB

.data Size: 887KB - Virtual size: 1.6MB

.rsrc Size: 12KB - Virtual size: 12KB

.reloc Size: 127KB - Virtual size: 127KB

.text
Size: 6.6MB - Virtual size: 6.6MB

.rodata
Size: 12KB - Virtual size: 11KB

.rdata
Size: 3.8MB - Virtual size: 3.8MB

.data
Size: 887KB - Virtual size: 1.6MB

.rsrc
Size: 12KB - Virtual size: 12KB

.reloc
Size: 127KB - Virtual size: 127KB