MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c23c66da1a8b96e48e659ec201207371a8040cba232bb5dd42f88b99513536e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9c23c66da1a8b96e48e659ec201207371a8040cba232bb5dd42f88b99513536e
SHA3-384 hash: a60111c4fc511932b57f0a8bcc047e64913a11553b662865ff0185849c93b385cc6da2c423ce6b954932f6c9a98a341d
SHA1 hash: 82de77375a0933b69f7edce6db813b8647647d3a
MD5 hash: 08dbe7d0039b0c112ea22edb4eb4e64e
humanhash: skylark-bluebird-island-kilo
File name:08dbe7d0039b0c112ea22edb4eb4e64e.js
Download: download sample
Signature MassLogger
Create hunting rule
File size:457'778 bytes
First seen:2026-03-18 09:34:23 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 96:pNCmTeOi7+JWy5PuYGYnl7RsUz1uzIzXz3zEzwpzsz6XX:pPTeOi7Sxpnsc1yYjDMcE6n
Threatray 12 similar samples on MalwareBazaar
TLSH T198A402935AE5CBC8A09F5AC0AA417A57CCF284143A13411C6F57B9FBF4684B9F4E20F9
Magika javascript
Reporter abuse_ch
Tags:geo js MassLogger TUR

Intelligence

File Origin
# of uploads :
1
# of downloads :
121
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69ba71bc93b644ca466b3d00
Tags:
obfuscate autorun xtreme virus
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook repaired
Link:
https://www.filescan.io/uploads/69ba71ac4ec2f522cc4da4a5/reports/ec447178-0eee-47f9-9c8f-9764f235ce52/overview
Verdict:
Malicious
Labled as:
GT:JS.ObfPadding.1
Link:
https://www.hybrid-analysis.com/sample/9c23c66da1a8b96e48e659ec201207371a8040cba232bb5dd42f88b99513536e
Verdict:
Malicious
File Type:
js
Detections:
Trojan.VBS.SAgent.sb PDM:Trojan.Win32.Generic Trojan.JS.SAgent.sb HEUR:Trojan-Downloader.Script.Generic HEUR:Trojan.Script.Startup.gen HEUR:Trojan.Script.Generic
Link:
https://opentip.kaspersky.com/9c23c66da1a8b96e48e659ec201207371a8040cba232bb5dd42f88b99513536e/results?tab=lookup
Result
Threat name:
MassLogger RAT, Snake Keylogger, VIP Key
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1885522
Signature
Antivirus detection for URL or domain
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates processes via WMI
Drops script or batch files to the startup folder
Found malware configuration
Injects a PE file into a foreign processes
JavaScript source code contains functionality to generate code involving a shell, file or stream
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected MassLogger RAT
Yara detected Powershell download and execute
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1885522 Sample: in4MyJA7B3.js Startdate: 18/03/2026 Architecture: WINDOWS Score: 100 33 reallyfreegeoip.org 2->33 35 controliumbt.com 2->35 37 2 other IPs or domains 2->37 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Antivirus detection for URL or domain 2->49 53 13 other signatures 2->53 8 wscript.exe 1 3 2->8         started        12 powershell.exe 15 2->12         started        15 wscript.exe 1 2->15         started        signatures3 51 Tries to detect the country of the analysis system (by using the IP) 33->51 process4 dnsIp5 29 C:\Users\...\in4MyJA7B3.js:Zone.Identifier, ASCII 8->29 dropped 31 C:\Users\user\AppData\...\in4MyJA7B3.js, ASCII 8->31 dropped 59 Suspicious powershell command line found 8->59 61 Wscript starts Powershell (via cmd or directly) 8->61 63 Drops script or batch files to the startup folder 8->63 71 3 other signatures 8->71 43 controliumbt.com 65.181.111.236, 443, 49727, 49728 FORTRESSITXUS United States 12->43 65 Writes to foreign memory regions 12->65 67 Injects a PE file into a foreign processes 12->67 69 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 12->69 17 RegSvcs.exe 8 2 12->17         started        19 conhost.exe 12->19         started        21 powershell.exe 15->21         started        file6 signatures7 process8 signatures9 55 Writes to foreign memory regions 21->55 57 Injects a PE file into a foreign processes 21->57 24 RegSvcs.exe 7 2 21->24         started        27 conhost.exe 21->27         started        process10 dnsIp11 39 checkip.dyndns.com 158.101.44.242, 49729, 49730, 49733 ORACLE-BMC-31898US United States 24->39 41 reallyfreegeoip.org 172.67.177.134, 443, 49732, 49734 CLOUDFLARENETUS United States 24->41
Score:
22%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/9c23c66da1a8b96e48e659ec201207371a8040cba232bb5dd42f88b99513536e
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9c23c66da1a8b96e48e659ec201207371a8040cba232bb5dd42f88b99513536e/
Verdict:
Malicious
Threat:
Trojan.Script.Startup
Link:
https://tip.neiki.dev/file/9c23c66da1a8b96e48e659ec201207371a8040cba232bb5dd42f88b99513536e
Threat name:
Win32.Trojan.ObfPadding
Create hunting rule
Status:
Malicious
First seen:
2026-03-16 14:02:48 UTC
File Type:
Text (JavaScript)
AV detection:
7 of 24 (29.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tqr4m3nbvc4w4shglhwcaeqhg4niaqgluizlwxouf6eltfitknxa._file
Verdict:
malicious
Label(s):
vipkeylogger
Create hunting rule
Similar samples:
1be46a0856b2be27be4f73327d510a3c87e45f0071d582c678c265bcdf61f402
MassLogger
30d56c8ec53a25a82fec93797c8f7e1bcd4137cedf066cc80ab26027f1204de0
MassLogger
451174e99957ee7e6af9375703bab82ee3f618a307b422236102b2f9587344d3
MassLogger
570693a6bd10e98ca7c67510f7da41e11ad6d055179c7a9f9bfdd9cf8a39ac78
MassLogger
60ca76c8721cac0b8fb9daac721242ae7ae708ca948d096d54c5cc18f31541b1
MassLogger
70530aa73b1ecc545d13cfd5cfcfa292b74b0c90bd26c8a2f222ae74787f4ded
MassLogger
729c6bd4073703ac65a1e4f918cefad5b214f418f09683b2796463a7ea2999ac
MassLogger
edf56f77e260852159a6db03a08dddd88ee3775ab09a779b080d9f1ddf925c91
MassLogger
error
MassLogger
+ 2 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
execution
Link:
https://tria.ge/reports/260318-lj2xfacx4r/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Drops startup file
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Process spawned unexpected child process
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/9c23c66da1a8b96e48e659ec201207371a8040cba232bb5dd42f88b99513536e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments