General
Target: niceworkofyummybutterbun.tIF
Size: 177KB
Sample: 240820-sfbpeasdrj
MD5: 151ae78820d98d8873534bf1cdb53c8e
SHA1: 50a463097f5bb500fcb65e4443243b38e836c61c
SHA256: 6949f04397e5341b1001fd30382b704065a7d1982c9bb07eb9308714bc416aab
SHA512: 3ea41997e5bcd53ea2518f56b2f01d81083b7d885e8cca76f9fde07799809ad2e2115c3056b005dd2211c82e6b29b88e15df0dfaa871746d574078a9c10d3bde
SSDEEP: 3072:8jY0pUVfGtU4bgt5pPGwdCCLULubsxAzAvX:eUVfGtU4BL6nzAv
Static task: static1
Behavioral task: behavioral1
  Sample: niceworkofyummybutterbun.vbs
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: niceworkofyummybutterbun.vbs
  Resource: win10v2004-20240802-en
Malware Config
Extracted
https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg
Extracted: remcos
RemoteHost: brendalu.duckdns.org:2442
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-690S88
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: niceworkofyummybutterbun.tIF
Size: 177KB
MD5: 151ae78820d98d8873534bf1cdb53c8e
SHA1: 50a463097f5bb500fcb65e4443243b38e836c61c
SHA256: 6949f04397e5341b1001fd30382b704065a7d1982c9bb07eb9308714bc416aab
SHA512: 3ea41997e5bcd53ea2518f56b2f01d81083b7d885e8cca76f9fde07799809ad2e2115c3056b005dd2211c82e6b29b88e15df0dfaa871746d574078a9c10d3bde
SSDEEP: 3072:8jY0pUVfGtU4bgt5pPGwdCCLULubsxAzAvX:eUVfGtU4BL6nzAv
Score: 10/10
Signatures:
Blocklisted process makes network request
Checks computer location settings: Looks up country code configured in the registry, likely geofence.
Suspicious use of SetThreadContext