MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e7ff7945bf58f74f96544ccd03b1a6256febb60e67a558cd55080f6a23cef86. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8e7ff7945bf58f74f96544ccd03b1a6256febb60e67a558cd55080f6a23cef86
SHA3-384 hash: d6f2a315ced17030ad324173490360e06933cd659e961a4f28175e138ae8df1f54d113429ba3d394fece58f80945f8da
SHA1 hash: 13591784611a0cd0fe31a8e69d4af4c6c29c199c
MD5 hash: 65106335f577958908065322cc511b6d
humanhash: sink-may-early-alpha
File name:EMF-PO49311.js
Download: download sample
Signature MassLogger
Create hunting rule
File size:119'903 bytes
First seen:2025-04-17 05:58:17 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 3072:B93aX2rXkvLcKmwSCUPstD/gp5k05GQIhvovZ2Gi4S:BZaX2rXkvLcPQtD/g8povzS
Threatray 877 similar samples on MalwareBazaar
TLSH T143C3E9BAFE68BED40B6770D1156F7729502E378378710F4CB8C720A9A9BA1C8DE39505
Magika javascript
Reporter abuse_ch
Tags:js MassLogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
454
Origin country :
NL NL
Vendor Threat Intelligence
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68009db1280f5f89a0d02fe1
Tags:
obfuscate autorun xtreme shell
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/680098ace9c1e257979ba310/reports/5137c13b-dc54-43af-9149-3d0fe3662a5f/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/8e7ff7945bf58f74f96544ccd03b1a6256febb60e67a558cd55080f6a23cef86
Result
Threat name:
Batch Injector, MSIL Logger, MassLogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1667138
Signature
.NET source code contains a sample name check
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
Contains functionality to log keystrokes (.Net Source)
Drops script or batch files to the startup folder
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Batch Injector
Yara detected MassLogger RAT
Yara detected MSIL Logger
Yara detected Powershell decode and execute
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1667138 Sample: EMF-PO49311.js Startdate: 17/04/2025 Architecture: WINDOWS Score: 100 90 reallyfreegeoip.org 2->90 92 checkip.dyndns.org 2->92 94 checkip.dyndns.com 2->94 100 Found malware configuration 2->100 102 Malicious sample detected (through community Yara rule) 2->102 104 Yara detected Batch Injector 2->104 108 15 other signatures 2->108 9 wscript.exe 1 2 2->9         started        13 cmd.exe 2->13         started        15 cmd.exe 2->15         started        17 7 other processes 2->17 signatures3 106 Tries to detect the country of the analysis system (by using the IP) 90->106 process4 file5 66 C:\Users\user\AppData\...\jjkudopgadqc.bat, ASCII 9->66 dropped 122 JScript performs obfuscated calls to suspicious functions 9->122 124 Wscript starts Powershell (via cmd or directly) 9->124 126 Windows Scripting host queries suspicious COM object (likely to drop second stage) 9->126 128 Suspicious execution chain found 9->128 19 cmd.exe 1 9->19         started        22 cmd.exe 13->22         started        24 conhost.exe 13->24         started        26 cmd.exe 15->26         started        28 conhost.exe 15->28         started        30 cmd.exe 1 17->30         started        32 cmd.exe 1 17->32         started        34 cmd.exe 1 17->34         started        36 11 other processes 17->36 signatures6 process7 signatures8 110 Suspicious powershell command line found 19->110 112 Wscript starts Powershell (via cmd or directly) 19->112 114 Bypasses PowerShell execution policy 19->114 38 cmd.exe 2 19->38         started        41 conhost.exe 19->41         started        43 powershell.exe 22->43         started        46 conhost.exe 22->46         started        48 2 other processes 26->48 51 2 other processes 30->51 53 2 other processes 32->53 55 2 other processes 34->55 57 8 other processes 36->57 process9 dnsIp10 116 Suspicious powershell command line found 38->116 118 Wscript starts Powershell (via cmd or directly) 38->118 59 powershell.exe 15 19 38->59         started        64 conhost.exe 38->64         started        68 C:\Users\user\AppData\Roaming\...\05ea.bat, ASCII 43->68 dropped 120 Tries to harvest and steal browser information (history, passwords, etc) 43->120 88 158.101.44.242, 49704, 49706, 49708 ORACLE-BMC-31898US United States 48->88 70 C:\Users\user\AppData\Roaming\...\d549.bat, ASCII 48->70 dropped 72 C:\Users\user\AppData\Roaming\...\a855.bat, ASCII 51->72 dropped 74 C:\Users\user\AppData\Roaming\...\e9be.bat, ASCII 53->74 dropped 76 C:\Users\user\AppData\Roaming\...\4359.bat, ASCII 55->76 dropped 78 C:\Users\user\AppData\Roaming\...\ee77.bat, ASCII 57->78 dropped 80 C:\Users\user\AppData\Roaming\...\77ee.bat, ASCII 57->80 dropped 82 C:\Users\user\AppData\Roaming\...\59bb.bat, ASCII 57->82 dropped 84 C:\Users\user\AppData\Roaming\...\2f56.bat, ASCII 57->84 dropped file11 signatures12 process13 dnsIp14 96 checkip.dyndns.com 193.122.6.168, 49684, 49691, 49693 ORACLE-BMC-31898US United States 59->96 98 reallyfreegeoip.org 104.21.48.1, 443, 49685, 49692 CLOUDFLARENETUS United States 59->98 86 C:\Users\user\AppData\Roaming\...\6106.bat, ASCII 59->86 dropped 130 Drops script or batch files to the startup folder 59->130 132 Found suspicious powershell code related to unpacking or dynamic code loading 59->132 file15 signatures16
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/8e7ff7945bf58f74f96544ccd03b1a6256febb60e67a558cd55080f6a23cef86
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8e7ff7945bf58f74f96544ccd03b1a6256febb60e67a558cd55080f6a23cef86/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rz77pfc36whxj6lfitgnaoy2mjlp5o3a4z5fldgvkcapnir456da._file
Verdict:
malicious
Label(s):
novastealer
Create hunting rule
Similar samples:
0dfda0125079cb0036cff1ac57f17108f4262bfac5a5aa8b722dd4314c64e523
MassLogger
2440d2269a8723ad47733885b1d51745828fa12710b6c3d3fad11d3010f7a89f
MassLogger
c7c9d973dde6030df749191dd0369ccf303b69f3d60e8a6020f34349bc0e176d
MassLogger
ced40caee716f956a4db4d96f10daa8b80f6c30371f2490129b6cf212dcfd223
MassLogger
dfd642ed5f14bce81563b3921c242393a9ac2a1865a8344af8b29b9faaa16a7f
MassLogger
error
MassLogger
f344de0d137247e297701368c696119f63122fdf8b08c0893eaff7eea50c6fc9
MassLogger
f34ab3c978462c0d763304689c493c9ebb1da5fc6a5aeac13c1a81cb5080a9e6
MassLogger
+ 867 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
collection discovery execution
Link:
https://tria.ge/reports/250417-gpr7zayzas/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments