MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0af487f2593b0de4f0a394b4c440ff04e08674f42c77f9cd922a819fca5b7ed8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 12


Intelligence 12 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0af487f2593b0de4f0a394b4c440ff04e08674f42c77f9cd922a819fca5b7ed8
SHA3-384 hash: 180a6b58a7aec8402243e82841b807b2fab2dc27c0ae4ce43cab62d19f6b99e001efbcb4e5ad28bc101c40365f5f5807
SHA1 hash: d535153ca720218a05a22d5446e7e121640fcd67
MD5 hash: bfebfa38ed9b453150c475eb18de2e07
humanhash: ack-aspen-michigan-monkey
File name:egivemebestdaytodaywithgreatness.hta
Download: download sample
Signature MassLogger
Create hunting rule
File size:12'158 bytes
First seen:2025-06-03 14:58:40 UTC
Last seen:2025-06-04 08:48:04 UTC
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 48:3vTkveZSZwveoSZa4T7Wn6nt/AwlcdIxyeUAl66t6JcveMvex4KSZ3veyPG:fTg+1DYTqn6tIw6dIYeU4tyI5Spm1+
Threatray 40 similar samples on MalwareBazaar
TLSH T108425381BD22DC90A3C1C134AEDF84C5EE6C9F1E48523929305C96C837673A469DA9EE
Magika html
Reporter abuse_ch
Tags:hta MassLogger

Intelligence

File Origin
# of uploads :
3
# of downloads :
78
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.VBS.Starter.408.5067.15363.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.VBS.Starter.408.14610.1922.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=683f0e5d07b5e8c1cfe451d2
Tags:
autorun delphi emotet
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/0af487f2593b0de4f0a394b4c440ff04e08674f42c77f9cd922a819fca5b7ed8/results/dashboard
Payload URLs
URL
File name
http://209.54.101.166/560/TiWorker.exe
HTA File
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Labled as:
VBS.Asthma.2.F70FBE0C
Link:
https://www.hybrid-analysis.com/sample/0af487f2593b0de4f0a394b4c440ff04e08674f42c77f9cd922a819fca5b7ed8
Result
Threat name:
Cobalt Strike, DBatLoader, MSIL Logger,
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1705093
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates many large memory junks
Allocates memory in foreign processes
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Detected Cobalt Strike Beacon
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files with a suspicious file extension
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sample uses process hollowing technique
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Suspicious MSHTA Child Process
Suricata IDS alerts for network traffic
Suspicious command line found
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses threadpools to delay analysis
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected MassLogger RAT
Yara detected MSIL Logger
Yara detected Powershell decode and execute
Yara detected PureLog Stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1705093 Sample: egivemebestdaytodaywithgrea... Startdate: 03/06/2025 Architecture: WINDOWS Score: 100 68 reallyfreegeoip.org 2->68 70 pki-goog.l.google.com 2->70 72 3 other IPs or domains 2->72 94 Suricata IDS alerts for network traffic 2->94 96 Found malware configuration 2->96 98 Malicious sample detected (through community Yara rule) 2->98 102 16 other signatures 2->102 11 mshta.exe 1 2->11         started        14 rundll32.exe 3 2->14         started        signatures3 100 Tries to detect the country of the analysis system (by using the IP) 68->100 process4 signatures5 120 Suspicious command line found 11->120 16 cmd.exe 1 11->16         started        19 Yuqvmnsa.PIF 14->19         started        process6 signatures7 80 Detected Cobalt Strike Beacon 16->80 82 Suspicious powershell command line found 16->82 84 Uses schtasks.exe or at.exe to add and modify task schedules 16->84 21 powershell.exe 43 16->21         started        26 conhost.exe 16->26         started        86 Multi AV Scanner detection for dropped file 19->86 88 Writes to foreign memory regions 19->88 90 Allocates memory in foreign processes 19->90 92 2 other signatures 19->92 28 asnmvquY.pif 19->28         started        process8 dnsIp9 78 209.54.101.166, 49692, 80 ASN-QUADRANET-GLOBALUS United States 21->78 56 C:\Users\user\AppData\Local\...\TiWorkers.exe, PE32 21->56 dropped 58 C:\Users\user\AppData\...\TiWorker[1].exe, PE32 21->58 dropped 60 C:\Users\user\AppData\...\katock4o.cmdline, Unicode 21->60 dropped 112 Loading BitLocker PowerShell Module 21->112 114 Powershell drops PE file 21->114 30 TiWorkers.exe 9 21->30         started        34 csc.exe 3 21->34         started        116 Tries to steal Mail credentials (via file / registry access) 28->116 118 Tries to harvest and steal browser information (history, passwords, etc) 28->118 file10 signatures11 process12 file13 62 C:\Users\user\Links\asnmvquY.pif, PE32 30->62 dropped 64 C:\Users\user\Links\Yuqvmnsa.PIF, PE32 30->64 dropped 122 Multi AV Scanner detection for dropped file 30->122 124 Drops PE files with a suspicious file extension 30->124 126 Writes to foreign memory regions 30->126 128 4 other signatures 30->128 36 asnmvquY.pif 15 2 30->36         started        40 cmd.exe 1 30->40         started        42 cmd.exe 1 30->42         started        44 cmd.exe 1 30->44         started        66 C:\Users\user\AppData\Local\...\katock4o.dll, PE32 34->66 dropped 46 cvtres.exe 1 34->46         started        signatures14 process15 dnsIp16 74 checkip.dyndns.com 158.101.44.242, 49693, 49696, 80 ORACLE-BMC-31898US United States 36->74 76 reallyfreegeoip.org 104.21.32.1, 443, 49699, 49700 CLOUDFLARENETUS United States 36->76 104 Detected unpacking (changes PE section rights) 36->104 106 Detected unpacking (overwrites its own PE header) 36->106 108 Tries to steal Mail credentials (via file / registry access) 36->108 110 Uses threadpools to delay analysis 36->110 48 conhost.exe 40->48         started        50 schtasks.exe 1 40->50         started        52 conhost.exe 42->52         started        54 conhost.exe 44->54         started        signatures17 process18
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/0af487f2593b0de4f0a394b4c440ff04e08674f42c77f9cd922a819fca5b7ed8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0af487f2593b0de4f0a394b4c440ff04e08674f42c77f9cd922a819fca5b7ed8/
Threat name:
Script-WScript.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-06-03 14:21:06 UTC
File Type:
Text (HTML)
Extracted files:
1
AV detection:
9 of 23 (39.13%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bl2ip4szhmg6j4fdss2miqh7atqim5hufr37ttmsfkaz7ss3p3ma._file
Verdict:
malicious
Label(s):
dbatloader
Create hunting rule
zgrat
Create hunting rule
Similar samples:
4cb3ef2e578fdd542b80162fb0141662b7fd1d6b808bcad220c004fe61e3836c
MassLogger
540ecfddd158625e0e15030a6bb23a5a8e2f5b33c453a1b6e3915ed724983896
MassLogger
9af77540fd21b25fc19ea6e6887ceff4850a014b40f51b2667d167f1559f143f
MassLogger
a2760b3739d264ccefd1fc66cc71549f6949a058d0b52f9fbe64577adf011aa1
MassLogger
ba4445c6d1d77f573ea271d1898c51485b0a49980f16a73205c4f0c5cefe89fc
MassLogger
be3771d8f3893aecc6e6e907bae7bb4e837fce47b000ce7d4c99e47c330b2d3d
MassLogger
c5bdbba41fb3b8126904b5ce2c136d922f479e2c47b1eead8c093a6ba49ced7b
MassLogger
error
MassLogger
f919ad3a0b960e8665024b04de0d5e9b9b8bcfd50276cb6ad03ac3a5ff8f1a48
MassLogger
fa6ec12f35910f73e041be58cd4ac6b7b1ae836879e2960f6d38fc66e2f870c5
MassLogger
+ 30 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:masslogger family:modiloader collection defense_evasion discovery execution spyware stealer trojan
Link:
https://tria.ge/reports/250603-scw6yatpy8/
Behaviour
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Evasion via Device Credential Deployment
ModiLoader Second Stage
MassLogger
Masslogger family
ModiLoader, DBatLoader
Modiloader family
Malware Config
C2 Extraction:
https://api.telegram.org/bot7652194569:AAFLWFEYaKfNfpFqGD7DCC1HKus8HDLSy8g/sendMessage?chat_id=6410945890
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0af487f2593b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
MassLogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0af487f2593b0de4f0a394b4c440ff04e08674f42c77f9cd922a819fca5b7ed8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Windows_Generic_Threat_d7b57912
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MassLogger

HTML Application (hta) hta 0af487f2593b0de4f0a394b4c440ff04e08674f42c77f9cd922a819fca5b7ed8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3556792/
  
Delivery method
Distributed via web download

Comments