MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d9735c8d10949ca2322708580e98dd28045e81bf2db6ac4769ffd1d16561438. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



MassLogger


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments

SHA256 hash: 1d9735c8d10949ca2322708580e98dd28045e81bf2db6ac4769ffd1d16561438
SHA3-384 hash: 109f290cc5f8548f7ec867b9beb6c0aea50107374851c19909d367334435bcec19837d54ee909465aa65a362cde4f6c4
SHA1 hash: c7980a9444fb536d1b365bc4161c332319fda025
MD5 hash: 1aa45a05a9163eac634a5717f1ed4b10
humanhash: connecticut-seven-pluto-ink
File name: INQ-RFQ-D-0022026.bat
Signature: MassLogger
File size: 237'863 bytes
First seen: 2026-03-17 08:49:07 UTC
Last seen: 2026-03-18 13:10:40 UTC
File type: Batch (bat)
MIME type: text/html
ssdeep: 6144:Wj5AqyKKDQWQWi/F/c4XXUVbrTTDP7wKPCZFvrwxxY0GL:WyiJLmfTnMZZUxle
Threatray: 4'043 similar samples on MalwareBazaar
TLSH: T1F834F2108C986FB8DFB86C1880FF2B5A23E08E9A553675CEAB237D46FFEA54441170D5
Magika: batch
Reporter: lowmal3
Tags: bat MassLogger

Intelligence


File Origin
# of uploads: 4
# of downloads: 88
Origin country: DE
Vendor Threat Intelligence
Malware configuration found for: BatchScript
Details
Malware family: n/a
ID: 1
File name: INQ-RFQ-D-0022026.bat
Verdict: Malicious activity
Analysis date: 2026-03-17 08:49:42 UTC
Tags: auto-reg susp-powershell evasion snake keylogger donutloader loader stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating synchronization primitives
DNS request
Verdict: Malicious
Labeled as: PowerShell/TrojanDropper.Agent
Verdict: Malicious
File Type: html
Detections: Trojan.PowerShell.Cobalt.sb PDM:Trojan.Win32.Generic HEUR:Trojan.BAT.Cobalt.gen
Result
Threat name: DonutLoader, MSIL Logger, MassLogger RAT
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
Compiles code for process injection (via .Net compiler)
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Creates a thread in another existing process (thread injection)
Encrypted powershell cmdline option found
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Unusual module load detection (module proxying)
Uses attrib.exe to hide files
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
Yara detected DonutLoader
Yara detected MassLogger RAT
Yara detected MSIL Logger
Yara detected Telegram RAT
Behaviour
Behavior Graph ID: 1884732
Sample: INQ-RFQ-D-0022026.bat
Start date: 17/03/2026
Architecture: WINDOWS
Score: 100

Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 16 other signatures.
Contacted hosts: reallyfreegeoip.org, mail.taikei-rmc-co.biz, 2 other IPs or domains. The reallyfreegeoip.org lookup is what triggers "Tries to detect the country of the analysis system (by using the IP)".

Process tree (numbers in brackets are the graph's node IDs):

cmd.exe [10]
  Signatures: Suspicious powershell command line found; Uses cmd line tools excessively to alter registry or file data; Encrypted powershell cmdline option found; 2 other signatures
  cmd.exe [17]
    Dropped: C:\Users\user\AppData\Roaming\...\wine.cmd (HTML); C:\Users\user\AppData\Roaming\...\COLD.hta (HTML)
    Signatures: Suspicious powershell command line found; Uses cmd line tools excessively to alter registry or file data; Encrypted powershell cmdline option found
    powershell.exe [27]
      Dropped: C:\Users\user\AppData\Local\...\zlyhv2y4.0.cs (C++); C:\Users\user\AppData\...\btu5ktob.cmdline (Unicode)
      Signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Creates a thread in another existing process (thread injection)
      explorer.exe [45] (injected)
        Network: mail.taikei-rmc-co.biz 103.253.42.215, ports 49701, 49703, 49705 (TELE-ASTeleAsiaLimitedHK, Hong Kong); checkip.dyndns.com 193.122.6.168, ports 49698, 49702, 49704 (ORACLE-BMC-31898US, United States); reallyfreegeoip.org 172.67.177.134, ports 443, 49699 (CLOUDFLARENETUS, United States)
        Signatures: System process connects to network (likely due to code injection or exploit); Tries to harvest and steal browser information (history, passwords, etc); Unusual module load detection (module proxying)
      csc.exe [49]
        Dropped: C:\Users\user\AppData\Local\...\btu5ktob.dll (PE32)
        cvtres.exe [66]
      csc.exe [52]
        Dropped: C:\Users\user\AppData\Local\...\zlyhv2y4.dll (PE32)
        cvtres.exe [68]
    powershell.exe [31]
      Dropped: C:\Users\user\AppData\Local\Temp\LIVE.ps1 (Unicode)
      Signatures: Found suspicious powershell code related to unpacking or dynamic code loading; Compiles code for process injection (via .Net compiler)
    conhost.exe [33]
    3 other processes [43]
  conhost.exe [21]
mshta.exe [13]
  cmd.exe [23]
    cmd.exe [35]
      Signatures: Suspicious powershell command line found; Uses cmd line tools excessively to alter registry or file data; Encrypted powershell cmdline option found
      powershell.exe [54]
      conhost.exe [56]
      reg.exe [58]
      3 other processes [62]
    conhost.exe [37]
mshta.exe [15]
  cmd.exe [25]
    cmd.exe [39]
      conhost.exe [60]
      5 other processes [64]
    conhost.exe [41]
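The process tree and signature list above read directly as detection logic. The following Python is an added example (not code from MalwareBazaar, Joe Sandbox or any vendor on this page) that evaluates the Sigma-style conditions the sandbox reported over constructed Sysmon-like process-creation events modelled on the graph. Node numbers are reused as PIDs; the image paths, command lines, dropped-file paths and the encoded PowerShell payload are invented for illustration, since the page does not publish them.

```python
"""Evaluate Sigma-style process-creation conditions over a constructed process
tree modelled on the sandbox graph above (added example; the command lines and
the encoded payload are invented, not recovered from the sample)."""
import base64
import re

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CSC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"

# Invented stage that itself calls FromBase64String, as the Sigma hit on the page describes.
STAGE = "IEX([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aGk=')))"
ENCODED = base64.b64encode(STAGE.encode("utf-16-le")).decode()

# Constructed Sysmon EventID 1 style records; pid/ppid numbers mirror the graph nodes.
EVENTS = [
    {"pid": 10, "ppid": 2, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c "C:\Users\user\Downloads\INQ-RFQ-D-0022026.bat"'},
    {"pid": 13, "ppid": 2, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'mshta.exe "C:\Users\user\AppData\Roaming\COLD.hta"'},
    {"pid": 17, "ppid": 10, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c "C:\Users\user\AppData\Roaming\wine.cmd"'},
    {"pid": 23, "ppid": 13, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c "C:\Users\user\AppData\Roaming\wine.cmd"'},
    {"pid": 27, "ppid": 17, "image": PS,
     "cmd": f"powershell.exe -nop -w hidden -ep bypass -enc {ENCODED}"},
    {"pid": 31, "ppid": 17, "image": PS,
     "cmd": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\LIVE.ps1"},
    {"pid": 49, "ppid": 27, "image": CSC,
     "cmd": r'csc.exe /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\btu5ktob.cmdline"'},
    {"pid": 66, "ppid": 49, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
     "cmd": "cvtres.exe /NOLOGO /READONLY /MACHINE:IX86"},
    # Benign control: an interactive, unencoded PowerShell command.
    {"pid": 90, "ppid": 2, "image": PS, "cmd": "powershell.exe Get-Service"},
]

SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SUSPICIOUS_DIR = re.compile(r"\\AppData\\(?:Local\\Temp|Roaming)\\|\\Users\\Public\\|\\Windows\\Temp\\", re.I)
SCRIPT_EXT = re.compile(r"\.(?:bat|cmd|hta|ps1|vbs|js|wsf)\b", re.I)
ENC_ARG = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
EP_BYPASS = re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+bypass", re.I)


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmd):
    """Return the UTF-16LE script behind a -EncodedCommand argument, or None."""
    m = ENC_ARG.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(events):
    """Return (rule_name, pid) pairs for every event that satisfies a rule."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        name, cmd = image_name(e["image"]), e["cmd"]
        parent = by_pid.get(e["ppid"])
        parent_name = image_name(parent["image"]) if parent else ""
        decoded = decode_encoded_command(cmd)
        if name in ("powershell.exe", "pwsh.exe") and decoded is not None:
            hits.append(("base64_encoded_powershell", e["pid"]))
        # Match on the decoded script too: the raw command line hides the cmdlet name.
        if "frombase64string" in (cmd + (decoded or "")).lower():
            hits.append(("frombase64string_cmdlet", e["pid"]))
        if EP_BYPASS.search(cmd):
            hits.append(("execution_policy_bypass", e["pid"]))
        if name == "csc.exe" and SUSPICIOUS_DIR.search(cmd):
            hits.append(("dotnet_compiler_suspicious_location", e["pid"]))
        if parent_name == "mshta.exe" and name in SCRIPT_HOSTS:
            hits.append(("mshta_child_process", e["pid"]))
        if name in SCRIPT_HOSTS and SUSPICIOUS_DIR.search(cmd) and SCRIPT_EXT.search(cmd):
            hits.append(("script_execution_from_suspicious_folder", e["pid"]))
    return hits


def ancestry(events, pid):
    """Image names from the outermost known ancestor down to pid."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


if __name__ == "__main__":
    for rule, pid in evaluate(EVENTS):
        print(f"{rule:42} pid={pid:<3} chain={' > '.join(ancestry(EVENTS, pid))}")
```

The rules key only on parent/child relationships and command-line substrings, so they are cheap to run over Sysmon EventID 1 or Security 4688 telemetry. Decoding -EncodedCommand before matching is what lets the FromBase64String rule fire on node 27, whose raw command line contains no such string; the benign control (pid 90) produces no hits.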
Result
Malware family: masslogger
Score: 10/10
Tags: family:donutloader family:masslogger collection defense_evasion execution loader persistence spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
outlook_office_path
outlook_win_path
Accesses Microsoft Outlook profiles
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Detects DonutLoader
DonutLoader
Donutloader family
MassLogger
Masslogger family
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Base64_Encoded_Powershell_Directives
Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name: Disable_Defender
Author: iam-py-test
Description: Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May contain (obfuscated or not) PowerShell or CMD commands that can be abused by a threat actor (can create FP)
Rule name: telebot_framework
Author: vietdx.mb
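The rule descriptions above (a keyword in ASCII, Unicode, base64 or hex; base64-encoded PowerShell directives; Defender tampering) are easy to get subtly wrong, because the base64 spelling of a keyword depends on its byte offset modulo 3. The Python below is an added example, not the YARA rules themselves or any MalwareBazaar code. It builds every encoding of a keyword the way YARA's wide/base64 modifiers would, decodes -EncodedCommand arguments, and runs the checks over a constructed HTA/batch polyglot. The sample bytes, the PowerShell stage and the registry command are invented; only the SHA256 constant comes from this page.

```python
"""Static triage keyed to the YARA rule descriptions above: keyword search in
ASCII, UTF-16LE, hex and all base64 alignments, decoding of -EncodedCommand,
and checks for Defender tampering and Run-key persistence. Added example; the
SAMPLE bytes are constructed and are not the page's file."""
import base64
import binascii
import hashlib
import re

# The only value taken from the page: the SHA256 of the real sample.
PAGE_SHA256 = "1d9735c8d10949ca2322708580e98dd28045e81bf2db6ac4769ffd1d16561438"

# Constructed PowerShell stage and its -EncodedCommand form (base64 of UTF-16LE).
SCRIPT = "Set-MpPreference -DisableRealtimeMonitoring $true; $stage = 'encrypted'; IEX $stage"
ENC = base64.b64encode(SCRIPT.encode("utf-16-le"))

# Constructed HTA/batch polyglot body; file names echo the sandbox's dropped files
# (wine.cmd, COLD.hta) but every command here is invented.
SAMPLE = (
    b"<!-- constructed sample, not the page's file -->\r\n"
    b'<script language="VBScript">CreateObject("WScript.Shell").Run "cmd /c %APPDATA%\\wine.cmd", 0</script>\r\n'
    b"@echo off\r\n"
    b"attrib +h +s %APPDATA%\\wine.cmd\r\n"
    b"powershell -nop -w hidden -ep bypass -enc " + ENC + b"\r\n"
    b"reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Updater /d %APPDATA%\\wine.cmd /f\r\n"
)

ENC_ARG = re.compile(rb"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
DEFENDER = re.compile(r"Set-MpPreference\s+-Disable\w+|DisableRealtimeMonitoring|Add-MpPreference\s+-Exclusion", re.I)
RUN_KEY = re.compile(rb"reg(?:\.exe)?\s+add\s+HK\w+\\.*\\CurrentVersion\\Run\b", re.I)


def _b64_alignments(raw: bytes) -> dict:
    """The three base64 spellings of raw, one per byte offset mod 3, with the edge
    characters that also depend on neighbouring bytes trimmed off (the same idea
    as YARA's `base64` string modifier)."""
    out = {}
    for shift in range(3):
        enc = base64.b64encode(b"\x00" * shift + raw + b"\x00\x00")
        start = -(-8 * shift // 6)              # first char fully inside raw
        end = 8 * (shift + len(raw)) // 6       # one past the last such char
        out[shift] = enc[start:end]
    return out


def keyword_variants(word: str) -> dict:
    """ASCII, wide (UTF-16LE), hex, and base64 of both the ASCII and wide forms."""
    ascii_, wide = word.encode(), word.encode("utf-16-le")
    variants = {"ascii": ascii_, "wide": wide, "hex": binascii.hexlify(ascii_)}
    variants.update({f"ascii_base64_{s}": v for s, v in _b64_alignments(ascii_).items()})
    variants.update({f"wide_base64_{s}": v for s, v in _b64_alignments(wide).items()})
    return variants


def find_keyword(data: bytes, word: str) -> list:
    """All (variant_name, offset) occurrences of word in any of its encodings."""
    hits = []
    for name, needle in keyword_variants(word).items():
        off = data.find(needle)
        while off != -1:
            hits.append((name, off))
            off = data.find(needle, off + 1)
    return hits


def decode_encoded_commands(data: bytes) -> list:
    """UTF-16LE scripts behind every -EncodedCommand argument found in data."""
    out = []
    for m in ENC_ARG.finditer(data):
        try:
            out.append(base64.b64decode(m.group(1)).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue
    return out


def triage(data: bytes, keyword: str = "encrypted") -> dict:
    decoded = decode_encoded_commands(data)
    text = data.decode("latin-1")
    digest = hashlib.sha256(data).hexdigest()
    return {
        "sha256": digest,
        "is_page_sample": digest == PAGE_SHA256,
        # A .bat that opens with markup is the HTA/batch polyglot pattern behind
        # the page reporting "MIME type: text/html" next to "Magika: batch".
        "starts_with_markup": data.lstrip().lower().startswith((b"<!--", b"<html", b"<script", b"<hta")),
        "raw_keyword_hits": find_keyword(data, keyword),
        "decoded_commands": decoded,
        "decoded_keyword_hits": [h for d in decoded for h in find_keyword(d.encode(), keyword)],
        "defender_tampering": bool(DEFENDER.search(text)) or any(DEFENDER.search(d) for d in decoded),
        "run_key_persistence": bool(RUN_KEY.search(data)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On the constructed sample the raw scan finds "encrypted" only through a wide_base64 variant, because inside an -EncodedCommand argument the keyword is UTF-16LE first and base64 second; a plain ASCII or wide pattern misses it unless the argument is decoded, which is why both the raw and the decoded pass are reported. Comparing the SHA256 against the page's value is the first thing to do with any downloaded sample, before trusting the file name or extension.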

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
MassLogger
Batch (bat) 1d9735c8d10949ca2322708580e98dd28045e81bf2db6ac4769ffd1d16561438 (this sample)

Delivery method: Distributed via e-mail attachment

Comments