MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc89f1981a7cc11ca6074aec4c09e0a1154d31474a0f51a5e5d57153741a00bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MassLogger


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dc89f1981a7cc11ca6074aec4c09e0a1154d31474a0f51a5e5d57153741a00bd
SHA3-384 hash: 5bd517217a60e2fffbeeb58aabe6c74bafe769f72e53754228a56ab1020b263950a668e8ea6755801bedbbfb97d4517d
SHA1 hash: 119055dbb494e7a892046f5bcbfbc45a14235135
MD5 hash: f4fa8d5666ebd448b0d0a96bc2da001a
humanhash: may-alaska-november-september
File name:Requested Offer 3000082745.js
Download: download sample
Signature MassLogger
Create hunting rule
File size:120'565 bytes
First seen:2025-04-17 11:28:35 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 3072:B55t7X2rXkvLmvLfplCqVgYPOCgaKn20J4bMYuSvfIQEePVz:HbX2rXkvL4bpBVhPOCgae4vvfIQl
Threatray 884 similar samples on MalwareBazaar
TLSH T17DC33A3CE9E9AEC043423CD02B8F2A64E5890757113753AEE8ED211AB86445DD673FBD
Magika javascript
Reporter abuse_ch
Tags:js MassLogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
457
Origin country :
NL NL
Vendor Threat Intelligence
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6800e9af2203b3e10cd03503
Tags:
obfuscate autorun xtreme shell
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/6800e61190767142c3d8ebc5/reports/2fcb48da-8242-45d5-8128-4113cacc6f8f/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/dc89f1981a7cc11ca6074aec4c09e0a1154d31474a0f51a5e5d57153741a00bd
Result
Threat name:
Batch Injector, MSIL Logger, MassLogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1667440
Signature
.NET source code contains a sample name check
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
Contains functionality to log keystrokes (.Net Source)
Drops script or batch files to the startup folder
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Batch Injector
Yara detected MassLogger RAT
Yara detected MSIL Logger
Yara detected Powershell decode and execute
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1667440 Sample: Requested Offer 3000082745.js Startdate: 17/04/2025 Architecture: WINDOWS Score: 100 87 reallyfreegeoip.org 2->87 89 checkip.dyndns.org 2->89 91 checkip.dyndns.com 2->91 97 Found malware configuration 2->97 99 Malicious sample detected (through community Yara rule) 2->99 101 Yara detected Batch Injector 2->101 105 15 other signatures 2->105 9 wscript.exe 1 2 2->9         started        13 cmd.exe 2->13         started        15 cmd.exe 1 2->15         started        17 7 other processes 2->17 signatures3 103 Tries to detect the country of the analysis system (by using the IP) 87->103 process4 file5 65 C:\Users\user\AppData\...\nlppbjafiw.bat, ASCII 9->65 dropped 119 JScript performs obfuscated calls to suspicious functions 9->119 121 Wscript starts Powershell (via cmd or directly) 9->121 123 Windows Scripting host queries suspicious COM object (likely to drop second stage) 9->123 125 Suspicious execution chain found 9->125 19 cmd.exe 1 9->19         started        22 cmd.exe 13->22         started        24 conhost.exe 13->24         started        26 cmd.exe 1 15->26         started        28 conhost.exe 15->28         started        30 cmd.exe 1 17->30         started        32 cmd.exe 1 17->32         started        34 cmd.exe 1 17->34         started        36 11 other processes 17->36 signatures6 process7 signatures8 107 Suspicious powershell command line found 19->107 109 Wscript starts Powershell (via cmd or directly) 19->109 111 Bypasses PowerShell execution policy 19->111 38 cmd.exe 2 19->38         started        41 conhost.exe 19->41         started        43 powershell.exe 22->43         started        46 conhost.exe 22->46         started        48 2 other processes 26->48 50 2 other processes 30->50 52 2 other processes 32->52 54 2 other processes 34->54 56 8 other processes 36->56 process9 file10 113 Suspicious powershell command line found 38->113 115 Wscript starts Powershell (via cmd or directly) 38->115 58 powershell.exe 15 18 38->58         started        63 conhost.exe 38->63         started        67 C:\Users\user\AppData\Roaming\...\67f1.bat, ASCII 43->67 dropped 117 Tries to harvest and steal browser information (history, passwords, etc) 43->117 69 C:\Users\user\AppData\Roaming\...\9988.bat, ASCII 48->69 dropped 71 C:\Users\user\AppData\Roaming\...\4791.bat, ASCII 50->71 dropped 73 C:\Users\user\AppData\Roaming\...\8e43.bat, ASCII 52->73 dropped 75 C:\Users\user\AppData\Roaming\...\18e5.bat, ASCII 54->75 dropped 77 C:\Users\user\AppData\Roaming\...\d675.bat, ASCII 56->77 dropped 79 C:\Users\user\AppData\Roaming\...\8846.bat, ASCII 56->79 dropped 81 C:\Users\user\AppData\Roaming\...\73fd.bat, ASCII 56->81 dropped 83 C:\Users\user\AppData\Roaming\...\638f.bat, ASCII 56->83 dropped signatures11 process12 dnsIp13 93 checkip.dyndns.com 193.122.130.0, 49687, 49689, 49696 ORACLE-BMC-31898US United States 58->93 95 reallyfreegeoip.org 104.21.64.1, 443, 49688, 49690 CLOUDFLARENETUS United States 58->95 85 C:\Users\user\AppData\Roaming\...\de0e.bat, ASCII 58->85 dropped 127 Drops script or batch files to the startup folder 58->127 129 Found suspicious powershell code related to unpacking or dynamic code loading 58->129 file14 signatures15
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/dc89f1981a7cc11ca6074aec4c09e0a1154d31474a0f51a5e5d57153741a00bd
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dc89f1981a7cc11ca6074aec4c09e0a1154d31474a0f51a5e5d57153741a00bd/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3se7dga2ptarzjqhjlweycpaueku2mkhjihvdjpf2vyvg5a2ac6q._file
Verdict:
malicious
Label(s):
novastealer
Create hunting rule
Similar samples:
7652d55f845a4914f76058c418df4da0c65f7df5f0febb2aded459ae0b75be61
MassLogger
8e7ff7945bf58f74f96544ccd03b1a6256febb60e67a558cd55080f6a23cef86
MassLogger
9654cbd553df628f50a99ec6f8b405901898c3c9eb99c8a3ba4fbd586290948b
MassLogger
a219e517e4f68db96fa6c7bf2d044b991043884cb1ac1dbd5de22ec5f08ddb00
MassLogger
bedb516c0bbfe25e36c26f81d37be534ab096c087fc4e866fb20bf68cf4b9123
MassLogger
cb45d6a207ad4218619ad1b7e1001b55201894ef21f717588e5f3df5122c0583
MassLogger
ddc6b2bd4382d1ae45bee8f3c4bb19bd20933a55bdf5c2e76c8d6c46bc1516ce
MassLogger
error
MassLogger
f344de0d137247e297701368c696119f63122fdf8b08c0893eaff7eea50c6fc9
MassLogger
+ 874 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger collection discovery execution spyware stealer
Link:
https://tria.ge/reports/250417-nlqy3asyfv/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
MassLogger
Masslogger family
Malware Config
C2 Extraction:
https://api.telegram.org/bot7739919249:AAHKGHTy78jD_XCuFhjoHrf_l_sOV-bS69k/sendMessage?chat_id=5382791083
Malware family:
PrivateLogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/dc89f1981a7c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments