MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9756b75600b70867f99e879c1763f2225a04454688c1f8497feb8e1670ca48b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9756b75600b70867f99e879c1763f2225a04454688c1f8497feb8e1670ca48b2
SHA3-384 hash: 2639f2985b1d7351fa658dbde4f0b81279e75b1f69a4e773d5a83449aec208db7816abcbfc31ca1d7541b962fe1880e8
SHA1 hash: 6e86e4338f68255481dfc1d6b8447cc6932c2c75
MD5 hash: c2b6c8e382ea2d534adebf88fc563338
humanhash: wisconsin-table-orange-four
File name:23052025_0617_final.bat
Download: download sample
Signature MassLogger
Create hunting rule
File size:1'367 bytes
First seen:2025-05-27 09:41:44 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 24:9dm+S4FDdFAFoudoxooBBjomhsC7X4SewcRcc/e8VQFqQOY+:5rFpFAFoudyo4jTsCCccm8Ca
Threatray 1'171 similar samples on MalwareBazaar
TLSH T11621664204482C09DD1E15BCC1BCFE382CB9E1CB5625C2DE3270A94B291A7BCF27B5D6
Magika batch
Reporter JAMESWT_WT
Tags:bat MassLogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
23052025_0617_final.bat
Verdict:
Malicious activity
Analysis date:
2025-05-27 09:44:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b698830e-2b96-4c13-9ec2-c8f55b347dba

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/5811/
Detection(s):
SecuriteInfo.com.Script.SNH-gen.20165.4494.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68358a9cacf88f5815e78a71
Tags:
dropper shell spam sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Transferring files using the Background Intelligent Transfer Service (BITS)
DNS request
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Moving a file to the %AppData% subdirectory
Creating a process from a recently created file
Launching a process
Сreating synchronization primitives
Sending an HTTP GET request
Searching for the window
Creating a window
Creating a process with a hidden window
Using BITS transfer job for data transfer
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching a tool to kill processes
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
base64 evasive lolbin persistence powershell wscript
Link:
https://www.filescan.io/uploads/683588f9fd02ed5e0589ed93/reports/96fea364-1ce2-425e-8aec-7bebe2950775/overview
Verdict:
Malicious
Labled as:
Spy.U.Generic
Link:
https://www.hybrid-analysis.com/sample/9756b75600b70867f99e879c1763f2225a04454688c1f8497feb8e1670ca48b2
Result
Threat name:
MSIL Logger, MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1699689
Signature
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Powershell uses Background Intelligent Transfer Service (BITS)
Sigma detected: Register Wscript In Run Key
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected MalBat
Yara detected MassLogger RAT
Yara detected MSIL Logger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1699689 Sample: 23052025_0617_final.bat Startdate: 27/05/2025 Architecture: WINDOWS Score: 100 68 reallyfreegeoip.org 2->68 70 officedesk22.netlify.app 2->70 72 4 other IPs or domains 2->72 88 Sigma detected: Register Wscript In Run Key 2->88 90 Found malware configuration 2->90 92 Malicious sample detected (through community Yara rule) 2->92 96 9 other signatures 2->96 9 cmd.exe 8 2->9         started        12 wscript.exe 2->12         started        14 wscript.exe 2->14         started        16 svchost.exe 1 3 2->16         started        signatures3 94 Tries to detect the country of the analysis system (by using the IP) 68->94 process4 dnsIp5 116 Suspicious powershell command line found 9->116 118 Wscript starts Powershell (via cmd or directly) 9->118 19 wscript.exe 1 9->19         started        22 powershell.exe 23 9->22         started        24 powershell.exe 23 9->24         started        30 5 other processes 9->30 26 powershell.exe 12->26         started        28 powershell.exe 14->28         started        64 officedesk22.netlify.app 13.52.115.166, 443, 49690, 49691 AMAZON-02US United States 16->64 66 127.0.0.1 unknown unknown 16->66 signatures6 process7 file8 98 Wscript starts Powershell (via cmd or directly) 19->98 100 Bypasses PowerShell execution policy 19->100 102 Windows Scripting host queries suspicious COM object (likely to drop second stage) 19->102 104 Suspicious execution chain found 19->104 33 powershell.exe 7 19->33         started        106 Powershell uses Background Intelligent Transfer Service (BITS) 22->106 108 Loading BitLocker PowerShell Module 22->108 110 Writes to foreign memory regions 26->110 112 Injects a PE file into a foreign processes 26->112 36 AddInProcess32.exe 26->36         started        38 conhost.exe 26->38         started        40 taskkill.exe 26->40         started        50 2 other processes 26->50 42 AddInProcess32.exe 28->42         started        44 conhost.exe 28->44         started        46 taskkill.exe 28->46         started        48 taskkill.exe 28->48         started        60 C:\Users\user\AppData\...\s-nvs_update.vbs, ASCII 30->60 dropped 62 C:\Users\user\AppData\...\nvs_update.txt, Unicode 30->62 dropped signatures9 process10 signatures11 80 Writes to foreign memory regions 33->80 82 Injects a PE file into a foreign processes 33->82 52 AddInProcess32.exe 33->52         started        56 conhost.exe 33->56         started        58 taskkill.exe 33->58         started        84 Tries to steal Mail credentials (via file / registry access) 36->84 86 Tries to harvest and steal browser information (history, passwords, etc) 36->86 process12 dnsIp13 74 mail.gtit.pl 89.174.231.105, 49698, 49701, 49704 INTERSATPL Poland 52->74 76 checkip.dyndns.com 132.226.8.169, 49696, 49699, 49702 UTMEMUS United States 52->76 78 reallyfreegeoip.org 104.21.64.1, 443, 49697, 49700 CLOUDFLARENETUS United States 52->78 114 Tries to steal Mail credentials (via file / registry access) 52->114 signatures14
Score:
44%
Verdict:
Susipicious
File Type:
SCRIPT
Link:
https://malprob.io/report/9756b75600b70867f99e879c1763f2225a04454688c1f8497feb8e1670ca48b2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9756b75600b70867f99e879c1763f2225a04454688c1f8497feb8e1670ca48b2/
Threat name:
Script-BAT.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-05-27 09:38:41 UTC
File Type:
Text (Batch)
AV detection:
8 of 24 (33.33%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s5llovqaw4egp6m6q6oboy7sejnairkgrda7qsl75ohbm4gkjcza._file
Verdict:
malicious
Label(s):
novastealer
Create hunting rule
Similar samples:
0c0d773a601757285e5a3da3e8c45a6bcd4d66ac0363397954de172c8a2da704
MassLogger
0d0c947d97036bcc46f7527e5a3953889c2ff2de32d503e463fbfa19d035716d
MassLogger
35bc7d58c116e83159e745ca536a9b5b0a1a4b4d25d0b8d462efd012b3c8ad21
MassLogger
3fd28257bdeaa92317003361ab95675732239e5282fde0ac2e2c7bf941ba1c98
MassLogger
ade03b33ad1a47b43d99a5eb7f469d127f98df657167c31700fd3c5cc76c522d
MassLogger
error
MassLogger
f73a1acf11bca235d9f0f22c0ba584107a76a54652e6356df080cc5ec040fc18
MassLogger
+ 1'161 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger collection discovery execution persistence spyware stealer
Link:
https://tria.ge/reports/250527-lpcvhasnz7/
Behaviour
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Checks computer location settings
Blocklisted process makes network request
MassLogger
Masslogger family
Malware Config
C2 Extraction:
https://api.telegram.org/bot7905958978:AAEng8Wyhv-U1eyp4jKpvi8uIC2em6irGnw/sendMessage?chat_id=7629239186
Dropper Extraction:
https://fancy-seehorse.netlify.app/code/final.txt
https://fancy-seehorse.netlify.app/code/first.txt
https://officedesk22.netlify.app/code/encoded.txt
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9756b75600b70867f99e879c1763f2225a04454688c1f8497feb8e1670ca48b2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/5811/

Comments