MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c3315293e6b55efbdb2020b21f1d82b70360dfe880d2f88b5080d2abbfcbfd5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3c3315293e6b55efbdb2020b21f1d82b70360dfe880d2f88b5080d2abbfcbfd5
SHA3-384 hash: 59a963bfbfc7fda979cf8e445d355bf98918bc17f1c248ea8652541056b9dea67580740a3cdc1b5ba7ae9adcc5ac21ef
SHA1 hash: dde5d981d578e69b3bb159e1b47643d8c05362e7
MD5 hash: 76373c54f92408f0e75d82252d968b46
humanhash: tennis-charlie-nebraska-quiet
File name:FANGHUA STEEL_Q251117001.vbs
Download: download sample
Signature MassLogger
Create hunting rule
File size:274'164 bytes
First seen:2025-11-18 06:57:17 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 6144:Bv09obOGTaelfV2ZKaNn8a5Ec2lUCCUdbNqDTQBPA5W3DASV6MmDmBNOsWwuZ5Pb:NbKBWJ6P27hb8y6
Threatray 208 similar samples on MalwareBazaar
TLSH T14744293D452C8CAA7EE721627635070C206A2A856E24DF2BC056EC5B4D15ED9FFF62CC
Magika vba
Reporter abuse_ch
Tags:MassLogger vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
53
Origin country :
SE SE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/38543/
Detection(s):
SecuriteInfo.com.BAT.Obfus-10.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=691c192d434cd67b17c2ba4f
Tags:
autorun spam
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 cmd evasive lolbin obfuscated powershell
Link:
https://www.filescan.io/uploads/691c18e04e43be3f7163eab7/reports/f69e5292-370e-41af-8f0f-98ff43527e4c/overview
Verdict:
Malicious
Labled as:
Generik.HJYGGED trojan
Link:
https://www.hybrid-analysis.com/sample/3c3315293e6b55efbdb2020b21f1d82b70360dfe880d2f88b5080d2abbfcbfd5
Verdict:
Malicious
File Type:
vbs
First seen:
2025-11-16T22:24:00Z UTC
Last seen:
2025-11-20T04:15:00Z UTC
Hits:
~100
Detections:
HEUR:Trojan.Script.Generic Trojan.PowerShell.AmsiBypass.sb PDM:Trojan.Win32.Generic Trojan-Spy.MSIL.BPLogger.sb Trojan-PSW.Win32.Stelega.sb Trojan.BAT.Agent.sb Trojan-PSW.Win32.Stealer.sb Trojan-Downloader.JS.Cryptoload.sb Trojan.JS.SAgent.sb HEUR:Trojan.VBS.SAgent.gen HEUR:Trojan.PowerShell.Tesre.sb HEUR:Trojan.BAT.Tesre.gen
Link:
https://opentip.kaspersky.com/3c3315293e6b55efbdb2020b21f1d82b70360dfe880d2f88b5080d2abbfcbfd5/results?tab=lookup
Result
Threat name:
MSIL Logger, MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1815827
Signature
.NET source code contains a sample name check
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
Contains functionality to log keystrokes (.Net Source)
Drops script or batch files to the startup folder
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Unusual module load detection (module proxying)
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected MassLogger RAT
Yara detected MSIL Logger
Yara detected Powershell decode and execute
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1815827 Sample: FANGHUA STEEL_Q251117001.vbs Startdate: 18/11/2025 Architecture: WINDOWS Score: 100 99 reallyfreegeoip.org 2->99 101 mail.catarinomoreira.pt 2->101 103 2 other IPs or domains 2->103 111 Found malware configuration 2->111 113 Malicious sample detected (through community Yara rule) 2->113 115 Multi AV Scanner detection for submitted file 2->115 119 16 other signatures 2->119 10 wscript.exe 2 2->10         started        14 cmd.exe 2->14         started        16 cmd.exe 1 2->16         started        18 4 other processes 2->18 signatures3 117 Tries to detect the country of the analysis system (by using the IP) 99->117 process4 file5 83 C:\Users\Public\HarvestTerritory.bat, ASCII 10->83 dropped 133 VBScript performs obfuscated calls to suspicious functions 10->133 135 Wscript starts Powershell (via cmd or directly) 10->135 137 Windows Scripting host queries suspicious COM object (likely to drop second stage) 10->137 139 Suspicious execution chain found 10->139 20 cmd.exe 1 10->20         started        23 cmd.exe 14->23         started        25 conhost.exe 14->25         started        27 cmd.exe 1 16->27         started        29 conhost.exe 16->29         started        31 cmd.exe 1 18->31         started        33 cmd.exe 1 18->33         started        35 cmd.exe 1 18->35         started        37 5 other processes 18->37 signatures6 process7 signatures8 121 Suspicious powershell command line found 20->121 123 Wscript starts Powershell (via cmd or directly) 20->123 125 Bypasses PowerShell execution policy 20->125 39 cmd.exe 1 20->39         started        41 conhost.exe 20->41         started        43 cmd.exe 23->43         started        46 cmd.exe 1 27->46         started        48 cmd.exe 1 31->48         started        50 cmd.exe 1 33->50         started        52 cmd.exe 1 35->52         started        54 cmd.exe 37->54         started        process9 signatures10 56 cmd.exe 2 39->56         started        141 Suspicious powershell command line found 43->141 143 Wscript starts Powershell (via cmd or directly) 43->143 59 powershell.exe 43->59         started        62 conhost.exe 43->62         started        68 2 other processes 46->68 64 powershell.exe 48->64         started        66 conhost.exe 48->66         started        70 2 other processes 50->70 72 2 other processes 52->72 74 2 other processes 54->74 process11 file12 127 Suspicious powershell command line found 56->127 129 Wscript starts Powershell (via cmd or directly) 56->129 76 powershell.exe 16 28 56->76         started        81 conhost.exe 56->81         started        85 C:\Users\user\AppData\Roaming\...\7a23.bat, ASCII 59->85 dropped 131 Tries to harvest and steal browser information (history, passwords, etc) 59->131 87 C:\Users\user\AppData\Roaming\...\0343.bat, ASCII 64->87 dropped 89 C:\Users\user\AppData\Roaming\...\77c0.bat, ASCII 68->89 dropped 91 C:\Users\user\AppData\Roaming\...\b6bc.bat, ASCII 70->91 dropped 93 C:\Users\user\AppData\Roaming\...\b450.bat, ASCII 72->93 dropped 95 C:\Users\user\AppData\Roaming\...\4219.bat, ASCII 74->95 dropped signatures13 process14 dnsIp15 105 mail.catarinomoreira.pt 78.46.79.10, 49692, 49695, 49699 HETZNER-ASDE Germany 76->105 107 checkip.dyndns.com 193.122.130.0, 49687, 49693, 49696 ORACLE-BMC-31898US United States 76->107 109 reallyfreegeoip.org 172.67.177.134, 443, 49688, 49694 CLOUDFLARENETUS United States 76->109 97 C:\Users\user\AppData\Roaming\...\b61e.bat, ASCII 76->97 dropped 145 Drops script or batch files to the startup folder 76->145 147 Found suspicious powershell code related to unpacking or dynamic code loading 76->147 149 Unusual module load detection (module proxying) 76->149 151 Loading BitLocker PowerShell Module 76->151 file16 signatures17
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/3c3315293e6b55efbdb2020b21f1d82b70360dfe880d2f88b5080d2abbfcbfd5
Verdict:
Malware
YARA:
1 match(es)
Tags:
VBScript
Link:
https://app.malva.re/file/76373c54f92408f0e75d82252d968b46
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3c3315293e6b55efbdb2020b21f1d82b70360dfe880d2f88b5080d2abbfcbfd5/
Verdict:
Malicious
Threat:
Family.MASSLOGGER
Link:
https://tip.neiki.dev/file/3c3315293e6b55efbdb2020b21f1d82b70360dfe880d2f88b5080d2abbfcbfd5
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2025-11-17 01:39:35 UTC
File Type:
Text (VBS)
AV detection:
10 of 38 (26.32%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hqzrkkj6nnk67pnsaifsd4oyfnydmdp6rags7cfvbagsvo74x7kq._file
Verdict:
malicious
Label(s):
novastealer
Create hunting rule
Similar samples:
05afcd6fed8fc4ae9c43f7de2c0d717eb02f91fed941246231d88cfb01170400
MassLogger
10d96a57b4a446b30816229307984a151f1d319eb8e25fdffb0b6185055f778a
MassLogger
4ffb945bc637b8c2e1d287c1f6127121d967e1366f0a437f2b7f505fac391f5d
MassLogger
6f96b534bcfec55b97dbeb18cbeaf59c2a7b745e667fea1a0998b1ff9df72b45
MassLogger
750178918522765b83b32510dce10c8cf9614ae72b95539f93b8ba7088bb1779
MassLogger
80943dad82a060b3506f2312c2d282f117e08a1b16cd9f1f6fcaf852be916407
MassLogger
833273614f0b78225a6b6975e70c0a07cc0052a448c3eb175cf6af0edb6ed4b3
MassLogger
864f41d231931ce8dda8dfef17c84106adab9d3d2023b5e41ddc403e79ea3461
MassLogger
aaddb0601ec56272d1fa36b29bd5c35d9d8705841a16a84dcee9f0698b2bde15
MassLogger
dfcfd9411491364986e5933eac3626e484c6fcf3921ddb86fe99edf180ecc225
MassLogger
error
MassLogger
+ 198 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger collection discovery execution spyware stealer
Link:
https://tria.ge/reports/251118-hrdb9scm9z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Accesses Microsoft Outlook profiles
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Badlisted process makes network request
MassLogger
Masslogger family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3c3315293e6b55efbdb2020b21f1d82b70360dfe880d2f88b5080d2abbfcbfd5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/38543/

Comments