MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20e281548b9a3a02a258d3989215c6cbddde61f2055f2d1afe02aa3b3f22cf83. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 20e281548b9a3a02a258d3989215c6cbddde61f2055f2d1afe02aa3b3f22cf83
SHA3-384 hash: ca74fdcbd661c94a8973a5190249a3d14b15862caa667c67ceb024278536ca8bf5d2da97c17a035c654dcb2fa1660cbe
SHA1 hash: cc23086a90f9a80a9182b52868dd594013a74717
MD5 hash: a93b757f3237c21e8272fce5f23d9eb8
humanhash: emma-eight-yellow-eighteen
File name:Urgent RFQ - electronic components 052125.vbs
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'996 bytes
First seen:2025-05-21 06:45:20 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 24:5xH8bJzpEkbZiorkib1IL+MdDpkFTChgoICwjBMzueWEztuUF2awLiDYbwjL0aHf:M7EFQpT6K+jICwl6Rzk9Ba9HwYL
Threatray 1'061 similar samples on MalwareBazaar
TLSH T17A41235B5841C3718B62CA0493AA5E54E1AFF42F537089183C18C9CD7A795BC99742EB
Magika vba
Reporter lowmal3
Tags:MassLogger vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
101
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Script.SNH-gen.24074.5116.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=682d76912f280a98fb42c7a5
Tags:
dropper shell sage
Verdict:
Malicious
Labled as:
GT:VB.Downloader.3
Link:
https://www.hybrid-analysis.com/sample/20e281548b9a3a02a258d3989215c6cbddde61f2055f2d1afe02aa3b3f22cf83
Result
Threat name:
MSIL Logger, MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1695637
Signature
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potential evasive VBS script found (sleep loop)
Potential malicious VBS script found (has network functionality)
Potential malicious VBS script found (suspicious strings)
Powershell uses Background Intelligent Transfer Service (BITS)
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: Register Wscript In Run Key
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected MalBat
Yara detected MassLogger RAT
Yara detected MSIL Logger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1695637 Sample: Urgent RFQ - electronic com... Startdate: 21/05/2025 Architecture: WINDOWS Score: 100 65 reallyfreegeoip.org 2->65 67 unknown-website-code.netlify.app 2->67 69 4 other IPs or domains 2->69 87 Sigma detected: Register Wscript In Run Key 2->87 89 Found malware configuration 2->89 91 Malicious sample detected (through community Yara rule) 2->91 95 15 other signatures 2->95 10 wscript.exe 4 2->10         started        15 wscript.exe 2->15         started        17 wscript.exe 2->17         started        19 svchost.exe 1 4 2->19         started        signatures3 93 Tries to detect the country of the analysis system (by using the IP) 65->93 process4 dnsIp5 77 unknown-website-code.netlify.app 54.215.62.21, 443, 49681, 49690 AMAZON-02US United States 10->77 63 C:\Users\user\AppData\...\app_update.txt, DOS 10->63 dropped 107 System process connects to network (likely due to code injection or exploit) 10->107 109 VBScript performs obfuscated calls to suspicious functions 10->109 111 Wscript starts Powershell (via cmd or directly) 10->111 113 3 other signatures 10->113 21 cmd.exe 8 10->21         started        24 powershell.exe 15->24         started        26 powershell.exe 17->26         started        79 pub-bcefb9e553ee4137a6d296b7c71a767e.r2.dev 172.66.0.235, 443, 49691 CLOUDFLARENETUS United States 19->79 81 127.0.0.1 unknown unknown 19->81 file6 signatures7 process8 signatures9 99 Suspicious powershell command line found 21->99 101 Wscript starts Powershell (via cmd or directly) 21->101 28 wscript.exe 21->28         started        31 powershell.exe 23 21->31         started        33 powershell.exe 21 21->33         started        41 5 other processes 21->41 103 Writes to foreign memory regions 24->103 105 Injects a PE file into a foreign processes 24->105 35 AddInProcess32.exe 24->35         started        44 3 other processes 24->44 37 AddInProcess32.exe 26->37         started        39 conhost.exe 26->39         started        46 2 other processes 26->46 process10 file11 115 Wscript starts Powershell (via cmd or directly) 28->115 48 powershell.exe 28->48         started        117 Powershell uses Background Intelligent Transfer Service (BITS) 31->117 119 Loading BitLocker PowerShell Module 31->119 121 Tries to steal Mail credentials (via file / registry access) 35->121 123 Tries to harvest and steal browser information (history, passwords, etc) 35->123 59 C:\Users\user\AppData\...\s-nvs_update.vbs, ASCII 41->59 dropped 61 C:\Users\user\AppData\...\nvs_update.txt, Unicode 41->61 dropped signatures12 process13 signatures14 83 Writes to foreign memory regions 48->83 85 Injects a PE file into a foreign processes 48->85 51 AddInProcess32.exe 48->51         started        55 conhost.exe 48->55         started        57 taskkill.exe 48->57         started        process15 dnsIp16 71 mail.gtit.pl 89.174.231.105, 49698, 49702, 49705 INTERSATPL Poland 51->71 73 checkip.dyndns.com 193.122.130.0, 49696, 49699, 49703 ORACLE-BMC-31898US United States 51->73 75 reallyfreegeoip.org 104.21.80.1, 443, 49697, 49700 CLOUDFLARENETUS United States 51->75 97 Tries to steal Mail credentials (via file / registry access) 51->97 signatures17
Score:
21%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/20e281548b9a3a02a258d3989215c6cbddde61f2055f2d1afe02aa3b3f22cf83
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/20e281548b9a3a02a258d3989215c6cbddde61f2055f2d1afe02aa3b3f22cf83/
Threat name:
Script-WScript.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-05-21 01:04:01 UTC
File Type:
Text (VBS)
AV detection:
7 of 24 (29.17%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=edricvelti5afisy2omjefogzpo54ypsavps2gx6akvdwpzcz6bq._file
Verdict:
malicious
Label(s):
novastealer
Create hunting rule
Similar samples:
0c0d773a601757285e5a3da3e8c45a6bcd4d66ac0363397954de172c8a2da704
MassLogger
0d0c947d97036bcc46f7527e5a3953889c2ff2de32d503e463fbfa19d035716d
MassLogger
35bc7d58c116e83159e745ca536a9b5b0a1a4b4d25d0b8d462efd012b3c8ad21
MassLogger
3fd28257bdeaa92317003361ab95675732239e5282fde0ac2e2c7bf941ba1c98
MassLogger
ade03b33ad1a47b43d99a5eb7f469d127f98df657167c31700fd3c5cc76c522d
MassLogger
error
MassLogger
f73a1acf11bca235d9f0f22c0ba584107a76a54652e6356df080cc5ec040fc18
MassLogger
+ 1'051 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger collection discovery execution persistence spyware stealer
Link:
https://tria.ge/reports/250521-hjaamsfl2x/
Behaviour
Kills process with taskkill
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Checks computer location settings
Blocklisted process makes network request
MassLogger
Masslogger family
Malware Config
C2 Extraction:
https://api.telegram.org/bot7905958978:AAEng8Wyhv-U1eyp4jKpvi8uIC2em6irGnw/sendMessage?chat_id=7629239186
Dropper Extraction:
https://unknown-website-code.netlify.app/code/final.txt
https://unknown-website-code.netlify.app/code/first.txt
https://pub-bcefb9e553ee4137a6d296b7c71a767e.r2.dev/encoded.txt
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.98
Link:
https://yomi.yoroi.company/submissions/20e281548b9a3a02a258d3989215c6cbddde61f2055f2d1afe02aa3b3f22cf83

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments