MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 10d96a57b4a446b30816229307984a151f1d319eb8e25fdffb0b6185055f778a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 10d96a57b4a446b30816229307984a151f1d319eb8e25fdffb0b6185055f778a
SHA3-384 hash: 13b7ded2a67c92338d4c97beec58dac8323ae2e6aed138501f55b1631cf24f130ee8be526b118881fea2d724ee2d08be
SHA1 hash: d5ed3157984f8c1034d1c59703add06fc828404e
MD5 hash: ad61ec87cf6c3eed61d66cfebcb663bd
humanhash: bakerloo-kansas-lemon-princess
File name:RFQ-SDS-11152022(1)_20250215095300.635_X.vbs
Download: download sample
Signature MassLogger
Create hunting rule
File size:253'998 bytes
First seen:2025-11-08 16:46:35 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 6144:R5foAiRXNhTJuPUqd/KeqvqU+J6VzgYh1G5T6wBhyKr2V37oncOG51TnrK:qTJD+J6VBwBcC
Threatray 188 similar samples on MalwareBazaar
TLSH T107449F3D0710CE53467FBC6123661526B96F063570E63736C2A1B024BF9C938E6AEEE5
Magika vba
Reporter abuse_ch
Tags:MassLogger vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
SE SE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/36555/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=690f742430bacec888c9f083
Tags:
n/a
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm base64 cmd evasive fingerprint lolbin obfuscated powershell
Link:
https://www.filescan.io/uploads/690f7418f6e846549f392578/reports/b3722e5d-08fd-4fb2-8baf-788151d54eb0/overview
Verdict:
Malicious
Labled as:
VBS/TrojanDropper.Agent
Link:
https://www.hybrid-analysis.com/sample/10d96a57b4a446b30816229307984a151f1d319eb8e25fdffb0b6185055f778a
Verdict:
Malicious
File Type:
vbs
First seen:
2025-11-06T05:43:00Z UTC
Last seen:
2025-11-10T04:10:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.VBS.SAgent.gen Trojan.JS.SAgent.sb HEUR:Trojan-Downloader.Script.Generic HEUR:Trojan.Script.Generic HEUR:Trojan.PowerShell.Tesre.sb Trojan-Downloader.JS.Cryptoload.sb
Link:
https://opentip.kaspersky.com/10d96a57b4a446b30816229307984a151f1d319eb8e25fdffb0b6185055f778a/results?tab=lookup
Result
Threat name:
MSIL Logger, MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1810655
Signature
.NET source code contains a sample name check
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
Contains functionality to log keystrokes (.Net Source)
Creates processes via WMI
Drops script or batch files to the startup folder
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected MassLogger RAT
Yara detected MSIL Logger
Yara detected Powershell decode and execute
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1810655 Sample: RFQ-SDS-11152022(1)_2025021... Startdate: 08/11/2025 Architecture: WINDOWS Score: 100 99 reallyfreegeoip.org 2->99 101 mail.catarinomoreira.pt 2->101 103 2 other IPs or domains 2->103 111 Found malware configuration 2->111 113 Malicious sample detected (through community Yara rule) 2->113 115 Yara detected MSIL Logger 2->115 119 15 other signatures 2->119 10 wscript.exe 1 2->10         started        14 cmd.exe 2->14         started        16 cmd.exe 1 2->16         started        18 4 other processes 2->18 signatures3 117 Tries to detect the country of the analysis system (by using the IP) 99->117 process4 file5 83 C:\Users\Public\PasturePlace.bat, ASCII 10->83 dropped 133 Wscript starts Powershell (via cmd or directly) 10->133 135 Windows Scripting host queries suspicious COM object (likely to drop second stage) 10->135 137 Suspicious execution chain found 10->137 139 Creates processes via WMI 10->139 20 cmd.exe 1 10->20         started        23 cmd.exe 14->23         started        25 conhost.exe 14->25         started        27 cmd.exe 1 16->27         started        29 conhost.exe 16->29         started        31 cmd.exe 1 18->31         started        33 cmd.exe 1 18->33         started        35 cmd.exe 1 18->35         started        37 5 other processes 18->37 signatures6 process7 signatures8 121 Suspicious powershell command line found 20->121 123 Wscript starts Powershell (via cmd or directly) 20->123 125 Bypasses PowerShell execution policy 20->125 39 cmd.exe 1 20->39         started        41 conhost.exe 20->41         started        43 cmd.exe 23->43         started        46 cmd.exe 1 27->46         started        48 cmd.exe 1 31->48         started        50 cmd.exe 1 33->50         started        52 cmd.exe 1 35->52         started        54 cmd.exe 37->54         started        process9 signatures10 56 cmd.exe 2 39->56         started        141 Suspicious powershell command line found 43->141 143 Wscript starts Powershell (via cmd or directly) 43->143 59 powershell.exe 43->59         started        62 conhost.exe 43->62         started        64 powershell.exe 46->64         started        66 conhost.exe 46->66         started        68 2 other processes 48->68 70 2 other processes 50->70 72 2 other processes 52->72 74 2 other processes 54->74 process11 file12 127 Suspicious powershell command line found 56->127 129 Wscript starts Powershell (via cmd or directly) 56->129 76 powershell.exe 16 28 56->76         started        81 conhost.exe 56->81         started        85 C:\Users\user\AppData\Roaming\...\f641.bat, ASCII 59->85 dropped 131 Tries to harvest and steal browser information (history, passwords, etc) 59->131 87 C:\Users\user\AppData\Roaming\...\4147.bat, ASCII 64->87 dropped 89 C:\Users\user\AppData\Roaming\...\6cba.bat, ASCII 68->89 dropped 91 C:\Users\user\AppData\Roaming\...\a51b.bat, ASCII 70->91 dropped 93 C:\Users\user\AppData\Roaming\...\2e8c.bat, ASCII 72->93 dropped 95 C:\Users\user\AppData\Roaming\...\23d7.bat, ASCII 74->95 dropped signatures13 process14 dnsIp15 105 mail.catarinomoreira.pt 78.46.79.10, 49692, 49695, 49699 HETZNER-ASDE Germany 76->105 107 checkip.dyndns.com 132.226.8.169, 49689, 49693, 49696 UTMEMUS United States 76->107 109 reallyfreegeoip.org 104.21.67.152, 443, 49690, 49694 CLOUDFLARENETUS United States 76->109 97 C:\Users\user\AppData\Roaming\...\fc8c.bat, ASCII 76->97 dropped 145 Drops script or batch files to the startup folder 76->145 147 Found suspicious powershell code related to unpacking or dynamic code loading 76->147 149 Loading BitLocker PowerShell Module 76->149 file16 signatures17
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/10d96a57b4a446b30816229307984a151f1d319eb8e25fdffb0b6185055f778a
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/10d96a57b4a446b30816229307984a151f1d319eb8e25fdffb0b6185055f778a/
Verdict:
Malicious
Threat:
Family.MASSLOGGER
Link:
https://tip.neiki.dev/file/10d96a57b4a446b30816229307984a151f1d319eb8e25fdffb0b6185055f778a
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2025-11-08 16:47:26 UTC
File Type:
Text (VBS)
AV detection:
7 of 24 (29.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cdmwuv5uurdlgcawekjqpgckcupr2mm6xdrf7x73bnqykbk7o6fa._file
Verdict:
malicious
Label(s):
novastealer
Create hunting rule
Similar samples:
05afcd6fed8fc4ae9c43f7de2c0d717eb02f91fed941246231d88cfb01170400
MassLogger
18a2bf78aeed6e4f42e56c3b933d1326ec195aefaf29292c36a4e19cc23b0fb2
MassLogger
1d03bf975d8312c7578ceb8f9c8c9d471196806810613aaef602fb6bca22c022
MassLogger
1e1fbd670fe9bf85942895e60c487d9eeb247acffd4c890ab75c1a5a50512998
MassLogger
6f96b534bcfec55b97dbeb18cbeaf59c2a7b745e667fea1a0998b1ff9df72b45
MassLogger
750178918522765b83b32510dce10c8cf9614ae72b95539f93b8ba7088bb1779
MassLogger
80943dad82a060b3506f2312c2d282f117e08a1b16cd9f1f6fcaf852be916407
MassLogger
833273614f0b78225a6b6975e70c0a07cc0052a448c3eb175cf6af0edb6ed4b3
MassLogger
864f41d231931ce8dda8dfef17c84106adab9d3d2023b5e41ddc403e79ea3461
MassLogger
error
MassLogger
febef3a364126ac2aa64f960389c62bd38cc9cfced7606726afe7f0824c239a7
MassLogger
+ 178 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger collection discovery execution spyware stealer
Link:
https://tria.ge/reports/251108-vansws1rap/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
System Location Discovery: System Language Discovery
Accesses Microsoft Outlook profiles
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Drops startup file
Badlisted process makes network request
MassLogger
Masslogger family
Process spawned unexpected child process
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/36555/

Comments