{
	"id": "11008322-3d4c-4f63-a9d3-96aaeb7dfe14",
	"created_at": "2026-04-06T00:09:40.994761Z",
	"updated_at": "2026-04-10T03:37:54.432724Z",
	"deleted_at": null,
	"sha1_hash": "967398f7cd0d4f0f5d68becbdc3bd5814d7d0700",
	"title": "TDL4 - Purple Haze (Pihar) Variant - sample and analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 591737,
	"plain_text": "TDL4 - Purple Haze (Pihar) Variant - sample and analysis\r\nArchived: 2026-04-05 16:48:48 UTC\r\nDistribution\r\nThe exploit host is featured on CleanMX. The domain was repossessed by GoDaddy after January 24, 2012, but you can still see some of the URLs. Infection happened via the Blackhole exploit kit.\r\n95.211.115.228\r\nGeneral File Information\r\nFile: w.php.exe\r\nSize: 130560\r\nMD5: A1B3E59AE17BA6F940AFAF86485E5907\r\nDownload\r\nThe original scan was only 2/43 but it is better now. It gets detected as a generic trojan or rootkit, or as TDL/TDSS/Alureon.\r\nVirusTotal\r\nSHA256:     9746b4f684b9d7d346ff131cd024e68d1b06e1b81571ce6d3c5067f0829d7932\r\nSHA1:     6d07cf72201234a07ab57fb3fc00b9e5a0b3678e\r\nMD5:     a1b3e59ae17ba6f940afaf86485e5907\r\nFile size:     127.5 KB (130560 bytes)\r\nFile name:     w.php.exe\r\nFile type:     Win32 EXE\r\nDetection ratio:     24 / 43\r\nAnalysis date:     2012-02-02 06:50:05 UTC\r\nAntiVir     TR/Alureon.FK.93     20120201\r\nAvast     Win32:Rootkit-gen [Rtk]     20120202\r\nBitDefender     Trojan.Generic.7154539     20120202\r\nComodo     TrojWare.Win32.Trojan.Agent.Gen     20120202\r\nDrWeb     BackDoor.Tdss.5231     20120202\r\nEmsisoft     Trojan.Win32.FakeAV!IK     20120202\r\neSafe     Win32.Rorpian.C     20120130\r\nF-Secure     Trojan.Generic.7154539     20120202\r\nFortinet     W32/Rorpian.C!tr     20120202\r\nGData     Trojan.Generic.7154539     20120202\r\nIkarus     Trojan.Win32.FakeAV     20120202\r\nKaspersky     Trojan.Win32.FakeAV.kpsj     20120202    (TDSS Killer detects it as Pihar.b)\r\nMcAfee-GW-Edition     Artemis!A1B3E59AE17B     20120202\r\nhttp://contagiodump.blogspot.com/2012/02/purple-haze-bootkit.html\r\nPage 1 of 7\n\nMicrosoft     Trojan:Win32/Alureon.FK     20120202\r\nNOD32     Win32/Olmarik.AYD     20120202\r\nNorman     W32/Troj_Generic.LPAP     20120201\r\nSophos     Mal/Generic-L     20120202\r\nTrendMicro-HouseCall     TROJ_SPNR.16AQ12     20120202\r\nVBA32     -     20120131\r\nVIPRE     Trojan.Win32.Generic!BT     20120202\r\nDescription\r\nYou can read a more detailed binary analysis on the ESET blog (Feb. 2, 2012): \"TDL4 reloaded: Purple Haze all in my brain\"\r\nUpdate. Feb 2, 2012\r\nI heard today it is a recent but known variant detected by Kaspersky as \"Pihar\", which is supposedly a member of the TDL/TDSS/Olmarik/Alureon/Maxss family that does not encrypt the hidden container. I have to say I saw that Kaspersky detected it as Pihar.b via TDSS Killer (the dropper is detected as FakeAV) but it was a totally different name and I could not find any explanation of how Pihar is different from TDL4 - whether it is a misdetection, a different rootkit, some generic signature name, or a different variant of TDL. With the number of malware variants these days in the wild, it does not surprise me that it was known to them but there was no analysis posted (or I did not find it). I hope this analysis and the work done by ESET will make the family description more complete. TDSS Killer also removes it.\r\n \r\nIt is a kernel mode rootkit compatible with x86 and x64 Windows. It uses DLL injection of ph.dll and phx.dll (for x64). It creates a hidden VFS to store all the data.\r\nThe list of hidden system files:\r\n1. Phdata\r\n[PurpleHaze]\r\npn=161\r\nall=ph.dll\r\nallx=phx.dll\r\nwait=3600\r\n2. phm (original master boot record)\r\n3. ph.dll (payload DLL for x86)\r\n4. phx.dll (payload DLL for x64)\r\n5. phd (driver x86)\r\n6. phdx (driver x64)\r\n7. phs (RC4-encrypted list of C\u0026C URLs; the key is phs - see the ESET post). In this case they are\r\nhttp://howtodoitman[.]com\r\nhttp://ntvgljvty[.]com\r\nhttp://chucjhomepage[.]com\r\nhttp://ebuyadult[.]com\r\nhttp://141.136.16.152\r\nhttp://piratesmustdie[.]com\r\nhttp://gjhyjljvty[.]com\r\n8. phld (16-bit loader code)\r\n9. phln (rootkit driver replacing kdcom.dll for x86)\r\n10. phlx (rootkit driver replacing kdcom.dll for x64)\r\nIt lowers Internet security settings to enable the clicker component to perform extensive browsing without any alerts or pop-ups.\r\nPurple Haze\r\nChange IE settings\r\nTraffic\r\n\"Advertising Botnet\" by Securelist\r\nC\u0026C check-in upon install\r\nThe bot generates high-volume traffic to thousands of websites with ads, sites serving as referrers, as well as pages filled with ad links (over 800 sessions a minute) for approximately 2 hours and then stops. Most serious advertising companies easily detect large numbers of clicks from the same IP and block it. The botnet owners limit clicks to just a few and compensate by programming the bot to click on thousands of ads.\r\n11 hours of traffic monitoring. 2 hour spike following the infection.\r\nTraffic capture - using a fake referrer (serch-direct.com) and passing fake search strings to the C\u0026C, which responds with an iframe redirect to the ad link.\r\nThere are hundreds of fake search and referrer sites in use in this case, starting from pages containing nothing but ad links and ending with several IP ranges serving iframes. The list of servers is below.\r\nFake referrer = serch\r\nThe list of servers serving iframe content is limited to several 108.59.x.x ranges.\r\nThey are all hosted\r\n108.59.4.128/27\r\n108.59.7.0/27\r\n108.59.13.160/27\r\nIn all cases the registration information is as follows:\r\nDOMAINS:\r\nhosted-by.leaseweb.com\r\nWhoisGuard\r\nWhoisGuard Protected ()\r\nFax:\r\n11400 W. Olympic Blvd. Suite 200\r\nLos Angeles, CA 90064\r\nUnited States\r\nIPs:\r\nPrivate Customer\r\nPrivate Residence\r\nBryansk\r\n241000\r\nRussian Federation\r\nIn some cases, legitimate \"traffic quality\" providers were used as referrers, such as ezanga.com\r\nSource: http://contagiodump.blogspot.com/2012/02/purple-haze-bootkit.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://contagiodump.blogspot.com/2012/02/purple-haze-bootkit.html"
	],
	"report_names": [
		"purple-haze-bootkit.html"
	],
	"threat_actors": [
		{
			"id": "0ae281f0-886a-46ab-b413-e2db5c0f3142",
			"created_at": "2025-05-29T02:00:03.217545Z",
			"updated_at": "2026-04-10T02:00:03.869082Z",
			"deleted_at": null,
			"main_name": "PurpleHaze",
			"aliases": [],
			"source_name": "MISPGALAXY:PurpleHaze",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "17b1b76b-16da-4c4f-8b32-f6fede3eda8c",
			"created_at": "2022-10-25T16:07:23.750796Z",
			"updated_at": "2026-04-10T02:00:04.736762Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"APT 15",
				"BackdoorDiplomacy",
				"Bronze Davenport",
				"Bronze Idlewood",
				"Bronze Palace",
				"CTG-9246",
				"G0004",
				"G0135",
				"GREF",
				"Ke3chang",
				"Metushy",
				"Nylon Typhoon",
				"Operation Ke3chang",
				"Operation MirageFox",
				"Playful Dragon",
				"Playful Taurus",
				"PurpleHaze",
				"Red Vulture",
				"Royal APT",
				"Social Network Team",
				"Vixen Panda"
			],
			"source_name": "ETDA:Ke3chang",
			"tools": [
				"Agentemis",
				"Anserin",
				"BS2005",
				"BleDoor",
				"CarbonSteal",
				"Cobalt Strike",
				"CobaltStrike",
				"DarthPusher",
				"DoubleAgent",
				"EternalBlue",
				"GoldenEagle",
				"Graphican",
				"HenBox",
				"HighNoon",
				"IRAFAU",
				"Ketrican",
				"Ketrum",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MS Exchange Tool",
				"Mebroot",
				"Mimikatz",
				"MirageFox",
				"NBTscan",
				"Okrum",
				"PluginPhantom",
				"PortQry",
				"ProcDump",
				"PsList",
				"Quarian",
				"RbDoor",
				"RibDoor",
				"Royal DNS",
				"RoyalCli",
				"RoyalDNS",
				"SAMRID",
				"SMBTouch",
				"SilkBean",
				"Sinowal",
				"SpyWaller",
				"Theola",
				"TidePool",
				"Torpig",
				"Turian",
				"Winnti",
				"XSLCmd",
				"cobeacon",
				"nbtscan",
				"netcat",
				"spwebmember"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434180,
	"ts_updated_at": 1775792274,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/967398f7cd0d4f0f5d68becbdc3bd5814d7d0700.pdf",
		"text": "https://archive.orkl.eu/967398f7cd0d4f0f5d68becbdc3bd5814d7d0700.txt",
		"img": "https://archive.orkl.eu/967398f7cd0d4f0f5d68becbdc3bd5814d7d0700.jpg"
	}
}