General
-
Target
6cd321b504c7323e893fa7e55125696ba87ab42fc3077e11ff9eedabd6b0893e
-
Size
1.2MB
-
Sample
220521-pkpv2safgq
-
MD5
04cc69bee253cef2d0e5766efa55d358
-
SHA1
0d34cc5bf7340999a3073fae9bfff753a9267143
-
SHA256
6cd321b504c7323e893fa7e55125696ba87ab42fc3077e11ff9eedabd6b0893e
-
SHA512
1bfc297fbf5b943250becbdf3797cb524046208eb4322461d924205c88ffbf9880e5a67ee8b14291aa9c7aa9d7da7bdd7aa621f92b4591e336294668fd1f6451
Static task
static1
Behavioral task
behavioral1
Sample
BOOKING.exe
Resource
win7-20220414-en
Malware Config
Extracted
nanocore
1.2.2.0
u852117.nvpn.so:5638
31a1bd10-70b4-4419-9b7f-75dbc4160d94
-
activate_away_mode
true
-
backup_connection_host
u852117.nvpn.so
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2020-02-11T21:26:44.406621436Z
-
bypass_user_account_control
true
-
bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
5638
-
default_group
NEW COMCASTED
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
31a1bd10-70b4-4419-9b7f-75dbc4160d94
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
u852117.nvpn.so
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
BOOKING.EXE
-
Size
291KB
-
MD5
c97d31e6c4311d688c7de8a19ba9f488
-
SHA1
2c0aa234321581f6414535e165a832b8cd4a4704
-
SHA256
1fbae4f859c40f9446d06e76a4acf496fe0a43fb93b87f87d1077ab8a4490480
-
SHA512
62ffa02b28fa3105aa8da596d3f1fa3d26e820909de85e63dc1b539ac02305e08d5e77ec06a462f9864c281d3ff5db71fb8c9f624ea973c99981da080fa8b0ee
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-