General
-
Target
booking.exe
-
Size
511KB
-
Sample
231127-m29wfaga57
-
MD5
a226eda041d000f311b0aec949893793
-
SHA1
1a6875d6b99f3e798b677cae1392f0f34828d9c9
-
SHA256
58e9a0f9db0f3c6a74f21fcb3d2f35d1d3b7e3d1a4439495745a00aa9d37b809
-
SHA512
c5629eb8390a474d8cf4daa6bd277653956b6602ddc1224aa6fe0be3a7d61dc3aa5b2b88a170adab24fe89121730a6b42251e868e37c766867eaa358b71c47f4
-
SSDEEP
12288:rbgggggeggPgggggg4CzZULwi9qhxLTNokoTk+Dw6Vh:XgggggeggPggggggdzQwi9q3No/k+DwK
Static task
static1
Behavioral task
behavioral1
Sample
booking.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
booking.exe
Resource
win10v2004-20231023-en
Malware Config
Extracted
nanocore
1.2.2.0
194.147.140.186:3636
43ccfdbf-3b7e-4e9b-8ba1-a71cb6a8b3a8
-
activate_away_mode
true
-
backup_connection_host
194.147.140.186
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2023-09-07T11:28:37.225341036Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
3636
-
default_group
GRACE OG
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
43ccfdbf-3b7e-4e9b-8ba1-a71cb6a8b3a8
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
194.147.140.186
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
booking.exe
-
Size
511KB
-
MD5
a226eda041d000f311b0aec949893793
-
SHA1
1a6875d6b99f3e798b677cae1392f0f34828d9c9
-
SHA256
58e9a0f9db0f3c6a74f21fcb3d2f35d1d3b7e3d1a4439495745a00aa9d37b809
-
SHA512
c5629eb8390a474d8cf4daa6bd277653956b6602ddc1224aa6fe0be3a7d61dc3aa5b2b88a170adab24fe89121730a6b42251e868e37c766867eaa358b71c47f4
-
SSDEEP
12288:rbgggggeggPgggggg4CzZULwi9qhxLTNokoTk+Dw6Vh:XgggggeggPggggggdzQwi9q3No/k+DwK
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-