MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1fe4b1c7d4b24503a9941afaaef7b4a62bb081c522cd4a69c7c51fb879bdcdd9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1fe4b1c7d4b24503a9941afaaef7b4a62bb081c522cd4a69c7c51fb879bdcdd9
SHA3-384 hash: f63fabf516b792e02e0a2fe8e36fac41f3769f18a543eae15e17133deb510db9cccf141c1b8ebe72eef9375d1711b314
SHA1 hash: 1e7a37fc9da524f0cb88c9aff0e623f6b2d9e3ee
MD5 hash: 1972ce2826f1a35e310f41bfc9a33ae7
humanhash: pasta-music-beer-lake
File name:Doc N°47255.vbs
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'340'584 bytes
First seen:2026-01-30 12:36:34 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 96:Me+Xe+Xe+Xe+Xe+Xe+Xe+Xe+Xe+Xe+Xe+Xe+Xe+Xe+Xe+Xe+Xe+Xe+Xe+Xe+Xe+t:W+q0/fk+QTx2xte
Threatray 1'580 similar samples on MalwareBazaar
TLSH T11C5512DA1605B211C36BFA3E8C40441CF093D6D2EBBC659BADBB05D01CBCA15ABD7D1A
Magika txt
Reporter abuse_ch
Tags:MassLogger vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
60
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/50858/
Detection(s):
SecuriteInfo.com.VBS.Agent-101.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6979fe75bec9764f452f9814
Tags:
obfuscate xtreme shell
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm base64 base64 fingerprint obfuscated obfuscated overlay powershell
Link:
https://www.filescan.io/uploads/697ca60816ebb08a94662b36/reports/a046d126-92b5-487c-a9be-455c6245d170/overview
Verdict:
Malicious
Labled as:
Trojan.VBS.Agent
Link:
https://www.hybrid-analysis.com/sample/1fe4b1c7d4b24503a9941afaaef7b4a62bb081c522cd4a69c7c51fb879bdcdd9
Verdict:
Malicious
File Type:
vbs
First seen:
2026-01-28T08:40:00Z UTC
Last seen:
2026-02-01T09:35:00Z UTC
Hits:
~1000
Detections:
Trojan.JS.SAgent.sb HEUR:Trojan.Script.Generic
Link:
https://opentip.kaspersky.com/1fe4b1c7d4b24503a9941afaaef7b4a62bb081c522cd4a69c7c51fb879bdcdd9/results?tab=lookup
Result
Threat name:
MSIL Logger, MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1860400
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Creates processes via WMI
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected MassLogger RAT
Yara detected MSIL Logger
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1860400 Sample: Doc N#U00b047255.vbs Startdate: 30/01/2026 Architecture: WINDOWS Score: 100 26 reallyfreegeoip.org 2->26 28 neccgroup.com 2->28 30 3 other IPs or domains 2->30 42 Suricata IDS alerts for network traffic 2->42 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 50 14 other signatures 2->50 8 wscript.exe 2->8         started        11 svchost.exe 1 1 2->11         started        signatures3 48 Tries to detect the country of the analysis system (by using the IP) 26->48 process4 dnsIp5 56 Suspicious powershell command line found 8->56 58 Wscript starts Powershell (via cmd or directly) 8->58 60 Windows Scripting host queries suspicious COM object (likely to drop second stage) 8->60 62 2 other signatures 8->62 14 powershell.exe 14 15 8->14         started        36 127.0.0.1 unknown unknown 11->36 signatures6 process7 dnsIp8 38 neccgroup.com 162.240.146.3, 443, 49682 UNIFIEDLAYER-AS-1US United States 14->38 40 digitsgroup.com 103.53.42.238, 443, 49681 PUBLIC-DOMAIN-REGISTRYUS India 14->40 64 Writes to foreign memory regions 14->64 66 Injects a PE file into a foreign processes 14->66 68 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 14->68 18 AddInProcess32.exe 15 2 14->18         started        22 conhost.exe 14->22         started        24 AddInProcess32.exe 14->24         started        signatures9 process10 dnsIp11 32 checkip.dyndns.com 193.122.6.168, 49684, 80 ORACLE-BMC-31898US United States 18->32 34 reallyfreegeoip.org 172.67.177.134, 443, 49687 CLOUDFLARENETUS United States 18->34 52 Tries to steal Mail credentials (via file / registry access) 18->52 54 Tries to harvest and steal browser information (history, passwords, etc) 18->54 signatures12
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1fe4b1c7d4b24503a9941afaaef7b4a62bb081c522cd4a69c7c51fb879bdcdd9/
Verdict:
Malicious
Threat:
Trojan.JS.SAgent
Link:
https://tip.neiki.dev/file/1fe4b1c7d4b24503a9941afaaef7b4a62bb081c522cd4a69c7c51fb879bdcdd9
Threat name:
Script-WScript.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2026-01-28 12:17:59 UTC
File Type:
Binary
AV detection:
10 of 38 (26.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=d7sldr6uwjcqhkmudl5k555uuyv3baofelguu2ohyup3q6n5zxmq._file
Verdict:
malicious
Label(s):
novastealer
Create hunting rule
Similar samples:
2d8bbcadfe1614de3baaf2a4cd63b1f7d566d5535571c2a59f4d48ca1539b92c
MassLogger
30d2391235b157a81c33a2a7716c3d07bd897b3d1cd663f24f9838ec3ac2eec3
MassLogger
3204af9817beaecaa95bb0b0d8b0e21232650503a4543009d6fb57a73afdc603
MassLogger
52e12c457102a51e41bd42ed8585673fa13c81d75aae5d7250f9b60d69f0f42d
MassLogger
65fdfb2fe35b497f7daf12505ca9ed686342b615b6d9b0b4b13af4ea390eb808
MassLogger
8d950928f9492e19a346689b43c077047d1ca80211714ab9adebd300f8bd1c11
MassLogger
cf518a1c6d447d1537802e21a32994e5fe3670e7521abe51bf20e96e3495bd22
MassLogger
e4ef9e3b63d39aa5f72cf8ee5d2f3cd3f7643d61ca6fff2169cb3e3eeb2d66b9
MassLogger
eb5c7c6370d533e6675ef2fb8b5f3f10cabc36584ddd3d3ad026af5266e84ed7
MassLogger
error
MassLogger
fe49bbc0cce0e57cdf3c9da9bcdedd0dc070f78cbc4a2b25d653cb2f67775466
MassLogger
+ 1'570 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger collection discovery execution spyware stealer
Link:
https://tria.ge/reports/260130-pterfacw7g/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
MassLogger
Masslogger family
Process spawned unexpected child process
Malware Config
Dropper Extraction:
https://digitsgroup.com/wp-includes/zz/optimized_MSI.png
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/1fe4b1c7d4b24503a9941afaaef7b4a62bb081c522cd4a69c7c51fb879bdcdd9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ClamAV_Emotet_String_Aggregate
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/50858/

Comments