MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8373fea2c5155a89422132909719c981bd4ec94e29158b4301001fb66953fa0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b8373fea2c5155a89422132909719c981bd4ec94e29158b4301001fb66953fa0
SHA3-384 hash: 643427fd7e9053dfe4094127b1e643ad55ef8705c49de3d5695b94d2a2422ab8c9dab6e48a2a3b0b1d3c34bfa0b68cfb
SHA1 hash: 35177c4aba1276436417495f9e1b74c64bc06de9
MD5 hash: 423e9ad8ceaf4ff5e6c5d08d022c58bb
humanhash: ten-virginia-cola-queen
File name:givemebestdaytodaywithgreatness.hta
Download: download sample
Signature MassLogger
Create hunting rule
File size:12'103 bytes
First seen:2025-06-03 14:58:51 UTC
Last seen:2025-06-04 11:42:47 UTC
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 48:3nF6uXL67EbHYn/L/UYnsQt8jbqtkjJJSs6+LgGG:3F6ub6IrYn/bHsQt8npP6G8
Threatray 38 similar samples on MalwareBazaar
TLSH T1BA42200D4C74FE0D4790A07D01DC48D478DC2F36A4B5E691B95C954F0B666CC4DEA2C3
Magika txt
Reporter abuse_ch
Tags:hta MassLogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
80
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.VBS.Starter.408.22650.8138.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.VBS.Starter.408.32506.16282.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=683f0e6007b5e8c1cfe451db
Tags:
autorun delphi emotet
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/b8373fea2c5155a89422132909719c981bd4ec94e29158b4301001fb66953fa0/results/dashboard
Payload URLs
URL
File name
http://209.54.101.166/550/TiWorker.exe
HTA File
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Labled as:
VBS.Asthma.2.C0539DDB
Link:
https://www.hybrid-analysis.com/sample/b8373fea2c5155a89422132909719c981bd4ec94e29158b4301001fb66953fa0
Result
Threat name:
Cobalt Strike, DBatLoader, MSIL Logger,
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1705091
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates many large memory junks
Allocates memory in foreign processes
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Detected Cobalt Strike Beacon
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PowerShell case anomaly found
Powershell drops PE file
Sample uses process hollowing technique
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Suspicious MSHTA Child Process
Suricata IDS alerts for network traffic
Suspicious command line found
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Uses threadpools to delay analysis
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected MassLogger RAT
Yara detected MSIL Logger
Yara detected Powershell decode and execute
Yara detected PureLog Stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1705091 Sample: givemebestdaytodaywithgreat... Startdate: 03/06/2025 Architecture: WINDOWS Score: 100 81 reallyfreegeoip.org 2->81 83 checkip.dyndns.org 2->83 85 checkip.dyndns.com 2->85 117 Suricata IDS alerts for network traffic 2->117 119 Found malware configuration 2->119 121 Malicious sample detected (through community Yara rule) 2->121 125 18 other signatures 2->125 11 mshta.exe 1 2->11         started        14 rundll32.exe 2->14         started        signatures3 123 Tries to detect the country of the analysis system (by using the IP) 81->123 process4 signatures5 145 Suspicious command line found 11->145 147 PowerShell case anomaly found 11->147 16 cmd.exe 1 11->16         started        19 Yuqvmnsa.PIF 14->19         started        process6 signatures7 95 Detected Cobalt Strike Beacon 16->95 97 Suspicious powershell command line found 16->97 99 Uses ping.exe to sleep 16->99 107 3 other signatures 16->107 21 powershell.exe 42 16->21         started        26 conhost.exe 16->26         started        101 Multi AV Scanner detection for dropped file 19->101 103 Writes to foreign memory regions 19->103 105 Allocates memory in foreign processes 19->105 109 2 other signatures 19->109 28 asnmvquY.pif 19->28         started        process8 dnsIp9 91 209.54.101.166, 49714, 80 ASN-QUADRANET-GLOBALUS United States 21->91 69 C:\Users\user\AppData\Local\...\TiWorker.exe, PE32 21->69 dropped 71 C:\Users\user\AppData\...\TiWorker[1].exe, PE32 21->71 dropped 73 C:\Users\user\AppData\...\axhq40uh.cmdline, Unicode 21->73 dropped 137 Loading BitLocker PowerShell Module 21->137 139 Powershell drops PE file 21->139 30 TiWorker.exe 9 21->30         started        34 csc.exe 3 21->34         started        141 Tries to steal Mail credentials (via file / registry access) 28->141 143 Tries to harvest and steal browser information (history, passwords, etc) 28->143 file10 signatures11 process12 file13 75 C:\Users\user\Links\asnmvquY.pif, PE32 30->75 dropped 77 C:\Users\user\Links\Yuqvmnsa.PIF, PE32 30->77 dropped 149 Multi AV Scanner detection for dropped file 30->149 151 Drops PE files with a suspicious file extension 30->151 153 Writes to foreign memory regions 30->153 155 4 other signatures 30->155 36 asnmvquY.pif 15 2 30->36         started        40 cmd.exe 1 30->40         started        42 cmd.exe 1 30->42         started        44 cmd.exe 1 30->44         started        79 C:\Users\user\AppData\Local\...\axhq40uh.dll, PE32 34->79 dropped 46 cvtres.exe 1 34->46         started        signatures14 process15 dnsIp16 87 checkip.dyndns.com 193.122.130.0, 49719, 49725, 80 ORACLE-BMC-31898US United States 36->87 89 reallyfreegeoip.org 104.21.80.1, 443, 49724, 49726 CLOUDFLARENETUS United States 36->89 127 Detected unpacking (changes PE section rights) 36->127 129 Detected unpacking (overwrites its own PE header) 36->129 131 Tries to steal Mail credentials (via file / registry access) 36->131 133 Uses threadpools to delay analysis 36->133 48 esentutl.exe 2 40->48         started        52 conhost.exe 40->52         started        54 alpha.pif 2 40->54         started        56 alpha.pif 2 40->56         started        135 Uses ping.exe to sleep 42->135 58 PING.EXE 1 42->58         started        61 conhost.exe 42->61         started        63 conhost.exe 44->63         started        65 schtasks.exe 1 44->65         started        signatures17 process18 dnsIp19 67 C:\Users\Public\alpha.pif, PE32 48->67 dropped 111 Drops PE files to the user root directory 48->111 113 Drops PE files with a suspicious file extension 48->113 115 Drops or copies cmd.exe with a different name (likely to bypass HIPS) 48->115 93 127.0.0.1 unknown unknown 58->93 file20 signatures21
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/b8373fea2c5155a89422132909719c981bd4ec94e29158b4301001fb66953fa0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b8373fea2c5155a89422132909719c981bd4ec94e29158b4301001fb66953fa0/
Threat name:
Script-WScript.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-06-03 12:40:21 UTC
File Type:
Text (HTML)
Extracted files:
1
AV detection:
9 of 23 (39.13%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xa3t72rmkfk2rfbccmuqs4m4tan5j3eu4kivrnbqcaa7wzuvh6qa._file
Verdict:
malicious
Label(s):
dbatloader
Create hunting rule
zgrat
Create hunting rule
Similar samples:
0af487f2593b0de4f0a394b4c440ff04e08674f42c77f9cd922a819fca5b7ed8
MassLogger
2567bb2ba292ab96811afc9a327e2e5cdccbc021c3d4aad732a5703c0b4dfd07
MassLogger
540ecfddd158625e0e15030a6bb23a5a8e2f5b33c453a1b6e3915ed724983896
MassLogger
7fe93bf40769f5eb8f536b9c1c2d679d9ac0509d7424b1c2d6cb981d8b9da07e
MassLogger
a2760b3739d264ccefd1fc66cc71549f6949a058d0b52f9fbe64577adf011aa1
MassLogger
be3771d8f3893aecc6e6e907bae7bb4e837fce47b000ce7d4c99e47c330b2d3d
MassLogger
dea1bc8fdb17a134d92f4a0197314eb4f1c792dee72f8a7dd7eaf48d0a0a5e9b
MassLogger
e4808f0dcd8731d7642a89fefad15205ec001eb6f1819280fb664a478a22613b
MassLogger
error
MassLogger
+ 28 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:masslogger family:modiloader collection defense_evasion discovery execution spyware stealer trojan
Link:
https://tria.ge/reports/250603-scw6yatwgs/
Behaviour
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Evasion via Device Credential Deployment
ModiLoader Second Stage
MassLogger
Masslogger family
ModiLoader, DBatLoader
Modiloader family
Malware Config
C2 Extraction:
https://api.telegram.org/bot8004081294:AAEeQb3kkdq-mgW3gSkEAnMJX0fU078688E/sendMessage?chat_id=6023628633
Malware family:
MassLogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b8373fea2c51/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
MassLogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b8373fea2c5155a89422132909719c981bd4ec94e29158b4301001fb66953fa0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MassLogger

HTML Application (hta) hta b8373fea2c5155a89422132909719c981bd4ec94e29158b4301001fb66953fa0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3556793/
  
Delivery method
Distributed via web download

Comments