MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85bebb4da660f33be5aefd120cf7e715f76d22d87fc9334413f0061f1a238fa5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	85bebb4da660f33be5aefd120cf7e715f76d22d87fc9334413f0061f1a238fa5
SHA3-384 hash:	647796d51611d65f94c033b2143a5baa14433f694e030a076af4a9a33773234bea71137fa7babf1ed86cad919c58322a
SHA1 hash:	15c2d2b96830c529d0479061e99a244a430da360
MD5 hash:	abfd77f13c92d8748e37558ecb3db828
humanhash:	seventeen-pasta-october-utah
File name:	comprobante de pago.js
Download:	download sample
Signature	MassLogger Create hunting rule
File size:	8'917'082 bytes
First seen:	2026-06-25 05:51:41 UTC
Last seen:	2026-06-25 05:52:17 UTC
File type:	js
MIME type:	text/plain
ssdeep	3072:jp8Gqo2IYanVsM+nrT6W22q13CEB78GDGRnaOyyAic2A/f24tIDLlFUCpvnXFRH/:ejHNg8u68p1jC
TLSH	T1CE961B2DBBEE015C9C26D386EAF151E4C5ACB92203DF651F80765ECE5312386D93226F
TrID	66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1) 33.3% (.MP3) MP3 audio (1000/1)
Magika	txt
Reporter	lowmal3
Tags:	js MassLogger

Intelligence

File Origin

# of uploads :

# of downloads :

123

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Clean

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a3cc22f86bc95245bf95511

Tags:

n/a

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 conhost encrypted powershell repaired zero-day

Link:

https://www.filescan.io/uploads/6a3cc22362d0679105ff3484/reports/d0b17cdf-a99d-48c4-a961-b690a784ae0f/overview

Verdict:

Suspicious

Labled as:

JS/Agent.ENT

Link:

https://www.hybrid-analysis.com/sample/85bebb4da660f33be5aefd120cf7e715f76d22d87fc9334413f0061f1a238fa5

Verdict:

Malicious

File Type:

First seen:

2026-06-24T14:48:00Z UTC

Last seen:

2026-06-25T02:52:00Z UTC

Hits:

~1000

Detections:

PDM:Trojan.Win32.Generic HEUR:Trojan.Script.Generic HEUR:Trojan.Script.Agent.gen

Link:

https://opentip.kaspersky.com/85bebb4da660f33be5aefd120cf7e715f76d22d87fc9334413f0061f1a238fa5/results?tab=lookup

Result

Threat name:

MSIL Logger, MassLogger RAT

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1933529

Signature

.NET source code contains potential unpacker

.NET source code contains process injector

.NET source code contains very large array initializations

.NET source code references suspicious native API functions

Contains functionality to log keystrokes (.Net Source)

Creates an undocumented autostart registry key

Encrypted powershell cmdline option found

Found malware configuration

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

WScript reads language and country specific registry keys (likely country aware script)

Yara detected MassLogger RAT

Yara detected MSIL Logger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/85bebb4da660f33be5aefd120cf7e715f76d22d87fc9334413f0061f1a238fa5

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/85bebb4da660f33be5aefd120cf7e715f76d22d87fc9334413f0061f1a238fa5/

Verdict:

Malicious

Threat:

Family.MASSLOGGER

Link:

https://tip.neiki.dev/file/85bebb4da660f33be5aefd120cf7e715f76d22d87fc9334413f0061f1a238fa5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qw7lwtngmdztxzno7ujaz57hcx3w2iwyp7etgrat6adb6grdr6sq._file

Result

Malware family:

masslogger

Score:

10/10

Tags:

family:masslogger collection defense_evasion execution persistence spyware stealer

Link:

https://tria.ge/reports/260625-gk193shx6n/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Command and Scripting Interpreter: JavaScript

Enumerates physical storage devices

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Obfuscated Files or Information: Command Obfuscation

Checks computer location settings

Registers new Windows logon scripts automatically executed at logon.

Badlisted process makes network request

Family: MassLogger

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/85bebb4da660f33be5aefd120cf7e715f76d22d87fc9334413f0061f1a238fa5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

MassLogger

js 85bebb4da660f33be5aefd120cf7e715f76d22d87fc9334413f0061f1a238fa5

(this sample)

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample