MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 830c3556d97682d080c5877a49d64b8e12c0da52e1979f9da6edcf89fb748d23. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 830c3556d97682d080c5877a49d64b8e12c0da52e1979f9da6edcf89fb748d23
SHA3-384 hash: f11565f3c42deac60322947d4426e28f93f76d51ff733c3b63e0973765c053b87c44da4a8a923193289540341d97467c
SHA1 hash: 01040f69377c22da3e536bc123284b7651ab0061
MD5 hash: 7f318ebf6a6dd7c86aa25be0e50543e4
humanhash: bakerloo-twelve-cup-connecticut
File name:IR38064MTRPBF_INF_20,000_22 .vbs
Download: download sample
Signature MassLogger
Create hunting rule
File size:2'129 bytes
First seen:2025-05-23 08:31:59 UTC
Last seen:2025-05-27 09:41:38 UTC
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 24:5jH8bJzpEkbZiorkib1Io+Mda0237ap0PhAombCeBMzueWEztuUFZGawLiDYbzO/:W7EFQpqYOZmbCG6RzkvBvWAxk9HwYL
Threatray 1'082 similar samples on MalwareBazaar
TLSH T13A4153676D40D2708B62CA04935A6E58E19EF43F537085183D1CC5CE3A7DAF8A9782FB
Magika vba
Reporter abuse_ch
Tags:MassLogger vbs

Intelligence

File Origin
# of uploads :
2
# of downloads :
75
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Script.SNH-gen.12552.8799.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6830338d4912a6b9dd4c51cd
Tags:
dropper shell sage
Verdict:
Suspicious
Labled as:
Trojan.Script.VBS
Link:
https://www.hybrid-analysis.com/sample/830c3556d97682d080c5877a49d64b8e12c0da52e1979f9da6edcf89fb748d23
Result
Threat name:
MSIL Logger, MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1697603
Signature
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potential evasive VBS script found (sleep loop)
Potential malicious VBS script found (has network functionality)
Potential malicious VBS script found (suspicious strings)
Powershell uses Background Intelligent Transfer Service (BITS)
Sigma detected: Register Wscript In Run Key
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected MalBat
Yara detected MassLogger RAT
Yara detected MSIL Logger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1697603 Sample: IR38064MTRPBF_INF_20,000_22 .vbs Startdate: 23/05/2025 Architecture: WINDOWS Score: 100 69 reallyfreegeoip.org 2->69 71 officedesk22.netlify.app 2->71 73 4 other IPs or domains 2->73 91 Sigma detected: Register Wscript In Run Key 2->91 93 Found malware configuration 2->93 95 Malicious sample detected (through community Yara rule) 2->95 99 14 other signatures 2->99 10 wscript.exe 4 2->10         started        15 wscript.exe 2->15         started        17 wscript.exe 2->17         started        19 svchost.exe 1 4 2->19         started        signatures3 97 Tries to detect the country of the analysis system (by using the IP) 69->97 process4 dnsIp5 81 fancy-seehorse.netlify.app 54.215.62.21, 443, 49681, 49690 AMAZON-02US United States 10->81 67 C:\Users\user\AppData\...\app_update.txt, DOS 10->67 dropped 111 System process connects to network (likely due to code injection or exploit) 10->111 113 VBScript performs obfuscated calls to suspicious functions 10->113 115 Wscript starts Powershell (via cmd or directly) 10->115 117 3 other signatures 10->117 21 cmd.exe 8 10->21         started        24 powershell.exe 15->24         started        26 powershell.exe 17->26         started        83 officedesk22.netlify.app 13.52.115.166, 443, 49691 AMAZON-02US United States 19->83 85 127.0.0.1 unknown unknown 19->85 file6 signatures7 process8 signatures9 101 Suspicious powershell command line found 21->101 103 Wscript starts Powershell (via cmd or directly) 21->103 28 wscript.exe 21->28         started        31 powershell.exe 23 21->31         started        33 powershell.exe 22 21->33         started        41 5 other processes 21->41 105 Writes to foreign memory regions 24->105 107 Injects a PE file into a foreign processes 24->107 35 AddInProcess32.exe 24->35         started        44 3 other processes 24->44 37 AddInProcess32.exe 26->37         started        39 conhost.exe 26->39         started        46 2 other processes 26->46 process10 file11 119 Wscript starts Powershell (via cmd or directly) 28->119 48 powershell.exe 28->48         started        121 Powershell uses Background Intelligent Transfer Service (BITS) 31->121 123 Loading BitLocker PowerShell Module 31->123 51 MpCmdRun.exe 31->51         started        125 Tries to steal Mail credentials (via file / registry access) 35->125 127 Tries to harvest and steal browser information (history, passwords, etc) 35->127 63 C:\Users\user\AppData\...\s-nvs_update.vbs, ASCII 41->63 dropped 65 C:\Users\user\AppData\...\nvs_update.txt, Unicode 41->65 dropped signatures12 process13 signatures14 87 Writes to foreign memory regions 48->87 89 Injects a PE file into a foreign processes 48->89 53 AddInProcess32.exe 48->53         started        57 conhost.exe 48->57         started        59 taskkill.exe 48->59         started        61 conhost.exe 51->61         started        process15 dnsIp16 75 mail.gtit.pl 89.174.231.105, 49698, 49702, 49705 INTERSATPL Poland 53->75 77 checkip.dyndns.com 193.122.130.0, 49696, 49699, 49703 ORACLE-BMC-31898US United States 53->77 79 reallyfreegeoip.org 104.21.80.1, 443, 49697, 49700 CLOUDFLARENETUS United States 53->79 109 Tries to steal Mail credentials (via file / registry access) 53->109 signatures17
Score:
16%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/830c3556d97682d080c5877a49d64b8e12c0da52e1979f9da6edcf89fb748d23
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/830c3556d97682d080c5877a49d64b8e12c0da52e1979f9da6edcf89fb748d23/
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/830c3556d97682d080c5877a49d64b8e12c0da52e1979f9da6edcf89fb748d23
Threat name:
Script-WScript.Downloader.Nemucod
Create hunting rule
Status:
Malicious
First seen:
2025-05-23 06:29:56 UTC
File Type:
Text (VBS)
AV detection:
10 of 38 (26.32%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qmgdkvwzo2bnbagfq55etvslryjmbwss4glz7hng5xhyt63ururq._file
Verdict:
malicious
Label(s):
novastealer
Create hunting rule
Similar samples:
0c0d773a601757285e5a3da3e8c45a6bcd4d66ac0363397954de172c8a2da704
MassLogger
20e281548b9a3a02a258d3989215c6cbddde61f2055f2d1afe02aa3b3f22cf83
MassLogger
35bc7d58c116e83159e745ca536a9b5b0a1a4b4d25d0b8d462efd012b3c8ad21
MassLogger
3fd28257bdeaa92317003361ab95675732239e5282fde0ac2e2c7bf941ba1c98
MassLogger
ade03b33ad1a47b43d99a5eb7f469d127f98df657167c31700fd3c5cc76c522d
MassLogger
error
MassLogger
f73a1acf11bca235d9f0f22c0ba584107a76a54652e6356df080cc5ec040fc18
MassLogger
+ 1'072 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger collection discovery execution persistence spyware stealer
Link:
https://tria.ge/reports/250523-kfa4wabn91/
Behaviour
Kills process with taskkill
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Checks computer location settings
Blocklisted process makes network request
MassLogger
Masslogger family
Malware Config
C2 Extraction:
https://api.telegram.org/bot7905958978:AAEng8Wyhv-U1eyp4jKpvi8uIC2em6irGnw/sendMessage?chat_id=7629239186
Dropper Extraction:
https://fancy-seehorse.netlify.app/code/final.txt
https://fancy-seehorse.netlify.app/code/first.txt
https://officedesk22.netlify.app/code/encoden.txt
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.98
Link:
https://yomi.yoroi.company/submissions/830c3556d97682d080c5877a49d64b8e12c0da52e1979f9da6edcf89fb748d23

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments