MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f298889e338ec83549b41aa0e20713bf17a81afe6dcce141e5085c3a4e2e8af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9f298889e338ec83549b41aa0e20713bf17a81afe6dcce141e5085c3a4e2e8af
SHA3-384 hash: 99cae2df1b4d8a249ccbe60654b193216f63edbc1fc645c1ff051ac7d6fe9a9c9207ad8229db92d58151b35657b8cea2
SHA1 hash: 841c582a2fac5c4a25a854c40e01a44cef3bf7d0
MD5 hash: 47ff11ff5f3396705688e01bbb2a171e
humanhash: alaska-equal-finch-arkansas
File name:OPP00279651 - Pertanyaan.vbs
Download: download sample
Signature MassLogger
Create hunting rule
File size:157'643 bytes
First seen:2025-09-18 07:16:29 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 3072:LrTiAi0j5rAdbD2Y1ZylIM6hW8v8lo4fiLcgflK0h:z5rAdbD2Y1ZylIM6d+LKLckZ
Threatray 1'256 similar samples on MalwareBazaar
TLSH T1A0F3D73DC6E4EDD8077B70D1695C3B91509E5BA3F9310B6CF4C498B65D2A28CEB7A208
Magika vba
Reporter abuse_ch
Tags:MassLogger vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
103
Origin country :
SE SE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/28106/
Verdict:
Clean
Score:
N/A%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68cbb22724320325464767c5
Tags:
n/a
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/68cbb30f73287948292e7202/reports/30a55f5e-c96d-4ae1-bc97-4d5a7a21ed80/overview
Verdict:
Malicious
Labled as:
Trojan/BAT.Agent
Link:
https://www.hybrid-analysis.com/sample/9f298889e338ec83549b41aa0e20713bf17a81afe6dcce141e5085c3a4e2e8af
Verdict:
Malicious
File Type:
vbs
First seen:
2025-09-16T21:54:00Z UTC
Last seen:
2025-09-16T21:54:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/9f298889e338ec83549b41aa0e20713bf17a81afe6dcce141e5085c3a4e2e8af/results?tab=lookup
Result
Threat name:
MSIL Logger, MassLogger RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1779835
Signature
.NET source code contains a sample name check
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Creates processes via WMI
Drops script or batch files to the startup folder
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected MassLogger RAT
Yara detected MSIL Logger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1779835 Sample: OPP00279651 - Pertanyaan.vbs Startdate: 18/09/2025 Architecture: WINDOWS Score: 100 105 reallyfreegeoip.org 2->105 107 mail.gtit.pl 2->107 109 2 other IPs or domains 2->109 123 Found malware configuration 2->123 125 Malicious sample detected (through community Yara rule) 2->125 127 Multi AV Scanner detection for submitted file 2->127 131 14 other signatures 2->131 10 wscript.exe 1 2->10         started        14 cmd.exe 2->14         started        16 cmd.exe 1 2->16         started        18 6 other processes 2->18 signatures3 129 Tries to detect the country of the analysis system (by using the IP) 105->129 process4 file5 85 C:\Users\Public\FertilizerPost7827.bat, ASCII 10->85 dropped 147 Wscript starts Powershell (via cmd or directly) 10->147 149 Windows Scripting host queries suspicious COM object (likely to drop second stage) 10->149 151 Suspicious execution chain found 10->151 153 Creates processes via WMI 10->153 20 cmd.exe 1 10->20         started        23 cmd.exe 14->23         started        25 conhost.exe 14->25         started        27 cmd.exe 1 16->27         started        29 conhost.exe 16->29         started        31 cmd.exe 1 18->31         started        33 cmd.exe 1 18->33         started        35 cmd.exe 1 18->35         started        37 9 other processes 18->37 signatures6 process7 signatures8 133 Suspicious powershell command line found 20->133 135 Wscript starts Powershell (via cmd or directly) 20->135 39 cmd.exe 1 20->39         started        41 conhost.exe 20->41         started        44 cmd.exe 23->44         started        46 cmd.exe 1 27->46         started        48 cmd.exe 1 31->48         started        50 cmd.exe 1 33->50         started        52 cmd.exe 1 35->52         started        54 cmd.exe 37->54         started        56 2 other processes 37->56 process9 signatures10 58 cmd.exe 2 39->58         started        137 Suspicious powershell command line found 44->137 139 Wscript starts Powershell (via cmd or directly) 44->139 61 powershell.exe 44->61         started        64 conhost.exe 44->64         started        66 2 other processes 46->66 68 2 other processes 48->68 70 2 other processes 50->70 72 2 other processes 52->72 74 2 other processes 54->74 76 4 other processes 56->76 process11 file12 141 Suspicious powershell command line found 58->141 143 Wscript starts Powershell (via cmd or directly) 58->143 78 powershell.exe 19 29 58->78         started        83 conhost.exe 58->83         started        87 C:\Users\user\AppData\Roaming\...\a305.bat, ASCII 61->87 dropped 145 Tries to harvest and steal browser information (history, passwords, etc) 61->145 89 C:\Users\user\AppData\Roaming\...\11c2.bat, ASCII 66->89 dropped 91 C:\Users\user\AppData\Roaming\...\1152.bat, ASCII 68->91 dropped 93 C:\Users\user\AppData\Roaming\...\a0c1.bat, ASCII 70->93 dropped 95 C:\Users\user\AppData\Roaming\...\0658.bat, ASCII 72->95 dropped 97 C:\Users\user\AppData\Roaming\...\09d7.bat, ASCII 74->97 dropped 99 C:\Users\user\AppData\Roaming\...\c822.bat, ASCII 76->99 dropped 101 C:\Users\user\AppData\Roaming\...\712d.bat, ASCII 76->101 dropped signatures13 process14 dnsIp15 111 mail.gtit.pl 89.174.231.105, 49689, 49692, 49695 INTERSATPL Poland 78->111 113 checkip.dyndns.com 193.122.6.168, 49685, 49690, 49693 ORACLE-BMC-31898US United States 78->113 115 reallyfreegeoip.org 172.67.177.134, 443, 49686, 49691 CLOUDFLARENETUS United States 78->115 103 C:\Users\user\AppData\Roaming\...\fadb.bat, ASCII 78->103 dropped 117 Drops script or batch files to the startup folder 78->117 119 Found suspicious powershell code related to unpacking or dynamic code loading 78->119 121 Loading BitLocker PowerShell Module 78->121 file16 signatures17
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/9f298889e338ec83549b41aa0e20713bf17a81afe6dcce141e5085c3a4e2e8af
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9f298889e338ec83549b41aa0e20713bf17a81afe6dcce141e5085c3a4e2e8af/
Threat name:
Script-WScript.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-09-17 01:28:48 UTC
File Type:
Text
AV detection:
5 of 24 (20.83%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=t4uyrcpdhdwigve3igva4idrhpyxvanp43om4fa6kcc4hjhc5cxq._file
Verdict:
malicious
Label(s):
novastealer
Create hunting rule
Similar samples:
044d63ab7ef7390e0db6d6809165edaefc81b164e32ccb8f6bc522a746254f3f
MassLogger
2e6129b0aa7aed4e1161b9e09d14a2f5637cfd426e97fce1e95b0bee7ac28826
MassLogger
8898cadc10c37da4ae4ee2da7b37b5f60fb081918e1d5cf7aedccc3c37a40005
MassLogger
90b230c7b8c4991a8f657bc8031157a9070c24eb3de9cd074241985dc99489c0
MassLogger
b355c43bd26f9727f4a9461afe6ee78995deceb671ebfddc6f7cf895cc663a02
MassLogger
ca8cf8aa0bab28b391de182e61cf7f9e8f8464717ab971384b73db628aef7267
MassLogger
cbc366eb88520c2f1a9c0db8a7f5318b4f8a9a0993352a31d877c63e8abc8d0c
MassLogger
de054d8f9b649022d29cfcf89c05e8468e765fb5a5543d25abe29b9e41a3abae
MassLogger
e2140c6390f7696be2a70de9072137210c6ec238e5586fce237917a2082bbdd9
MassLogger
error
MassLogger
fe386321400e854668b2d82cb426c25936969b2c078d693a3d1290cc0634cfe9
MassLogger
+ 1'246 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger collection discovery execution spyware stealer
Link:
https://tria.ge/reports/250918-h62y6scl2v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
System Location Discovery: System Language Discovery
Accesses Microsoft Outlook profiles
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Drops startup file
Badlisted process makes network request
MassLogger
Masslogger family
Process spawned unexpected child process
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9f298889e338ec83549b41aa0e20713bf17a81afe6dcce141e5085c3a4e2e8af

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ClamAV_Emotet_String_Aggregate
Create hunting rule
Rule name:SUSP_PS1_JAB_Pattern_Jun22_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable
Reference:Internal Research
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/28106/

Comments