# Copyright (c) 2014-2020 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell/
# Reference: https://documents.trendmicro.com/assets/appendix-purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses%20powershell.pdf
# Reference: https://otx.alienvault.com/pulse/5d77a74893cf13ee33a1000f

http://141.98.216.130
jeitacave.org
brownsine.com
zopso.org

# Reference: https://wemp.app/posts/378f9dd9-88ef-4de2-8305-11a937894b0e?utm_source=bottom-latest-posts
# Reference: https://app.any.run/tasks/4ce2ec22-8fc6-4e2f-b480-c66ff511bdd3/
# Reference: https://malpedia.caad.fkie.fraunhofer.de/details/win.purplefox

gk.vwxqv.xyz
bk.xdzxxf.xyz

# Reference: http://www.rewterz.com/rewterz-news/rewterz-threat-alert-purple-fox-trojan-iocs

es.ldbdhm.xyz

# Reference: https://app.any.run/tasks/0b68b869-04fe-428f-bdbb-9b87a441c967/

111.68.27.46:11806
124.239.139.42:10894
158.247.194.123:11722
180.97.195.49:12742
202.60.94.196:12568
212.103.61.107:10157
60.208.125.106:13632

# Reference: https://www.proofpoint.com/us/blog/threat-insight/purple-fox-ek-adds-exploits-cve-2020-0674-and-cve-2019-1458-its-arsenal
# Reference: https://broadanalysis.com/2019/12/05/purple-fox-exploit-kit-drops-fileless-malware/
# Note: the rest of the IoCs for this campaign are in 'hiddenbee.txt'

raw.githack.xyz
38.75.137.14:9000

# Reference: https://twitter.com/panda_zheng/status/1287684578853888000
# Reference: https://app.any.run/tasks/c92d4513-c505-46b4-a8da-b1c8925258df/

raw.githack.store

# Generic (URL path patterns)

/sqlexec/
/SMB1.jpg
/SMB2.jpg
/SMB3.jpg
