MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7cb786865e62c6ae888d3f77ff91cca940fadfd771095e9d98c93acd6f2950e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 13

Intelligence 13 IOCs YARA 19 File information Comments

SHA256 hash:	7cb786865e62c6ae888d3f77ff91cca940fadfd771095e9d98c93acd6f2950e8
SHA3-384 hash:	ca5e36b7af04a1d3c4f36b86fd0ce46b90fd7840cb6a67a481fff95bb45d3d8823502ac6b3801264aec8ea3f7fc87508
SHA1 hash:	bd7374946153a21533e1aa8d6b42bc959fba7f94
MD5 hash:	7f8e51c22aa0664013d410d671fdd402
humanhash:	november-fish-arkansas-hamper
File name:	SA00010573 - SİPARİŞ FORMU.VBE
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	556'411 bytes
First seen:	2025-10-06 11:10:04 UTC
Last seen:	Never
File type:	vbe
MIME type:	text/plain
ssdeep	6144:pXJ51vdXEsnaeqxL65O8HvyBNda4UpSeJ3nb08qj/Zqe/Neg9fKPWUs0EzVFC4n1:pXbTEoxxUdy9YEeV70uU1plMT
Threatray	1'353 similar samples on MalwareBazaar
TLSH	T11EC4012609C83F68CFB85A1880FF271DA7E04B9A44AA714DFB37BD466FE754452072D8
Magika	vba
Reporter	abuse_ch
Tags:	MassLogger vbe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68e3a3c391bc581176cc6129

Tags:

backdoor spawn shell

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 evasive obfuscated obfuscated powershell reconnaissance

Link:

https://www.filescan.io/uploads/68e3a3bdf377ab231052aa88/reports/d19d3bf0-b7fd-4db2-af9c-f73d8952c3aa/overview

Verdict:

Malicious

Labled as:

GT:VB.AgentTesla.4

Link:

https://www.hybrid-analysis.com/sample/7cb786865e62c6ae888d3f77ff91cca940fadfd771095e9d98c93acd6f2950e8

Verdict:

Malicious

File Type:

First seen:

2025-10-06T07:56:00Z UTC

Last seen:

2025-10-08T09:30:00Z UTC

Hits:

~1000

Link:

https://opentip.kaspersky.com/7cb786865e62c6ae888d3f77ff91cca940fadfd771095e9d98c93acd6f2950e8/results?tab=lookup

Result

Threat name:

MSIL Logger, MassLogger RAT

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1789679

Signature

.NET source code references suspicious native API functions

Bypasses PowerShell execution policy

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Yara detected MassLogger RAT

Yara detected MSIL Logger

Yara detected MSILLoadEncryptedAssembly

Yara detected Powershell decode and execute

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/7cb786865e62c6ae888d3f77ff91cca940fadfd771095e9d98c93acd6f2950e8

Verdict:

Malware

YARA:

2 match(es)

Tags:

ADODB.Stream Batch Command MSXML2.DOMDocument MSXML2.DOMDocument.6.0 PowerShell PowerShell Call Scripting.FileSystemObject VBScript WScript.Network WScript.Shell

Link:

https://app.malva.re/file/7f8e51c22aa0664013d410d671fdd402

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7cb786865e62c6ae888d3f77ff91cca940fadfd771095e9d98c93acd6f2950e8/

Verdict:

Malicious

Threat:

Family.MASSLOGGER

Link:

https://tip.neiki.dev/file/7cb786865e62c6ae888d3f77ff91cca940fadfd771095e9d98c93acd6f2950e8

Threat name:

Script-WScript.Trojan.AgentTesla

Status:

Malicious

First seen:

2025-10-06 11:11:04 UTC

File Type:

Text (VBS)

AV detection:

11 of 38 (28.95%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ps3ynbs6mldk5cenh5377eomvfapvx6xoeev5hmyze5m23zjkdua._file

Verdict:

malicious

Label(s):

novastealer

MassLogger

0ef36e084ad7c81a9fea1d0233af25d6d85a35927df6f89426cbed409e8b18a4

MassLogger

222d0a606b3ec409afb2b5716a5450de4c880138e3d74e444fffe5305b8b9425

MassLogger

27bc76d9371b4b42a83ee6a8a13359ebbffc5fa956f6f074a2e6bb92a117713b

MassLogger

6963136965cd4a8cab567d7dc4435484e5a390946d3bb811878ce91f78ddc15c

MassLogger

9edbb405c50942558c0c2fd992038d6e60fbddacf3c996b311a0c3cca836d9b7

MassLogger

a33a1cc44de644f4606244fe1896aae06f65e2e86a569496066918ab190ad465

MassLogger

error

MassLogger

fc26a33b837e60366f55345e182457f06edb1800c88c241a23973ccb2e1401d8

MassLogger

+ 1'343 additional samples on MalwareBazaar

Result

Malware family:

masslogger

Score:

10/10

Tags:

family:masslogger collection discovery execution spyware stealer

Link:

https://tria.ge/reports/251006-m965hstmv5/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Command and Scripting Interpreter: PowerShell

MassLogger

Masslogger family

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/7cb786865e62c6ae888d3f77ff91cca940fadfd771095e9d98c93acd6f2950e8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Base64_Encoded_Powershell_Directives Create hunting rule

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	crime_snake_keylogger Create hunting rule
Author:	Rony (r0ny_123)
Description:	Detects Snake keylogger payload

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	detect_tiny_vbs Create hunting rule
Author:	daniyyell
Description:	Detects tiny VBS delivery technique

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	masslogger_gcch Create hunting rule
Author:	govcert_ch

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	telegram_bot_api Create hunting rule
Author:	rectifyq
Description:	Detects file containing Telegram Bot API

Rule name:	Windows_Trojan_SnakeKeylogger_af3faa65 Create hunting rule
Author:	Elastic Security

Rule name:	win_masslogger_w0 Create hunting rule
Author:	govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample