MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 397ea00f3acb1df3da4160048e4010d0bba505a81cff1dbaaf03e740cd5c7fe3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



MassLogger


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments

SHA256 hash: 397ea00f3acb1df3da4160048e4010d0bba505a81cff1dbaaf03e740cd5c7fe3
SHA3-384 hash: ec2d766475b374430598a45422af90a9c334ccdf04035a3ec0e1dfb062a8a0fcb63e61215080578bb00b6e5750614b7b
SHA1 hash: aa7d684aad9fb0021e2c198fdcb624a1f6f7c773
MD5 hash: a201d0a21c749a8dc10e65636a4e3fab
humanhash: winter-washington-winter-apart
File name:orden de compra.js
Download: download sample
Signature MassLogger
File size:2'059'542 bytes
First seen:2026-06-30 05:38:41 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 12288:Z8J97c8qI0EVL+C6WI1AOlkM9bpcYx4w0r:CvoW
Threatray 1'654 similar samples on MalwareBazaar
TLSH T1EF95576AF7CC141163748A0B974A488EAEDE729717EB7C0C21B16ECC8B26C19D9F474D
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Magika txt
Reporter lowmal3
Tags:js MassLogger

Intelligence


File Origin
# of uploads :
1
# of downloads :
132
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
94.9%
Tags:
backdoor trojan shell spam
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 conhost downloader encrypted evasive lolbin powershell repaired wscript
Verdict:
Malicious
File Type:
js
First seen:
2026-06-29T11:33:00Z UTC
Last seen:
2026-07-01T03:44:00Z UTC
Hits:
~10000
Detections:
PDM:Trojan.Win32.Generic HEUR:Trojan.Script.Generic
Result
Threat name:
MSIL Logger, MassLogger RAT
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Signature
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Creates an undocumented autostart registry key
Found malware configuration
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Powershell scriptblock execution from environment variable
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
WScript reads language and country specific registry keys (likely country aware script)
Yara detected MassLogger RAT
Yara detected MSIL Logger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Gathering data
Result
Malware family:
masslogger
Score:
  10/10
Tags:
family:masslogger collection execution persistence spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Command and Scripting Interpreter: JavaScript
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Registers new Windows logon scripts automatically executed at logon.
Badlisted process makes network request
Downloads MZ/PE file
Family: MassLogger
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

Java Script (JS) js 397ea00f3acb1df3da4160048e4010d0bba505a81cff1dbaaf03e740cd5c7fe3

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments