MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3708e10da6bcba4e8d54fca40feea45ea90237d52440125efb952ddc8022976. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MassLogger

Vendor detections: 9


SHA256 hash: e3708e10da6bcba4e8d54fca40feea45ea90237d52440125efb952ddc8022976
SHA3-384 hash: 879bcc45c623d11587cc84ec8e7dd01c95fdf828fc8554c9efca4940bd38c322dc4b5738f8781da41cd28d9f52be3d94
SHA1 hash: aea9877a67dcdbb04c5fcc8bb873920ae23ead5f
MD5 hash: e85b8d48ae6355d178ec2b2c3a99a101
humanhash: stairway-oven-black-four
File name: báo giá vật tư_04062025.vbs
Signature: MassLogger
File size: 921 bytes
First seen: 2025-06-04 07:03:06 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 24:GOD7iq3OEJB33qdq13oz5ngKQYMrEqkAC/HpH:1WqeE3HBoz5nnQVEqkAOJH
Threatray: 1'110 similar samples on MalwareBazaar
TLSH: T15411106A1558CC7743028DC6C4E5AF44DE3CDD5B9CA2AF385524F8CBC22AAB432581E7
Magika: vba
Reporter: abuse_ch
Tags: MassLogger vbs

Intelligence

File Origin
# of uploads: 1
# of downloads: 85
Origin country: NL

Vendor Threat Intelligence
Verdict: Malicious
Score: 97.4%
Tags: dropper shell sage
Result
Threat name: MSIL Logger, MassLogger RAT
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potential malicious VBS script found (has network functionality)
Potential malicious VBS script found (suspicious strings)
Powershell uses Background Intelligent Transfer Service (BITS)
Sigma detected: Register Wscript In Run Key
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected MalBat
Yara detected MassLogger RAT
Yara detected MSIL Logger
Yara detected Telegram RAT
Behaviour
Behavior Graph ID: 1705620
Sample: báo giá vật ...
Start date: 04/06/2025
Architecture: WINDOWS
Score: 100

Sample-level network: reallyfreegeoip.org (Tries to detect the country of the analysis system (by using the IP)); service-omega-snowy.vercel.app; 4 other IPs or domains
Sample-level signatures: Sigma detected: Register Wscript In Run Key; Found malware configuration; Malicious sample detected (through community Yara rule); 13 other signatures

Process tree (from the behavior graph):
wscript.exe
    network: service-omega-snowy.vercel.app 64.29.17.1, 443, 49682, 49686 COGECO-PEER1CA Canada
    dropped: C:\Users\user\AppData\Roaming\...\config.txt, DOS
    signatures: System process connects to network (likely due to code injection or exploit); VBScript performs obfuscated calls to suspicious functions; Wscript starts Powershell (via cmd or directly); 3 other signatures
    cmd.exe
        signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly)
        wscript.exe
            signatures: Wscript starts Powershell (via cmd or directly)
            powershell.exe
                signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
                AddInProcess32.exe
                    network: checkip.dyndns.com 193.122.6.168, 49694, 49699, 49702 ORACLE-BMC-31898US United States; mail.gtit.pl 89.174.231.105, 49698, 49701, 49705 INTERSATPL Poland; reallyfreegeoip.org 104.21.64.1, 443, 49695, 49700 CLOUDFLARENETUS United States
                    signatures: Tries to steal Mail credentials (via file / registry access)
                conhost.exe
                taskkill.exe
        powershell.exe
            signatures: Powershell uses Background Intelligent Transfer Service (BITS); Loading BitLocker PowerShell Module
        powershell.exe
        5 other processes
            dropped: C:\Users\user\AppData\...\s-nvs_update.vbs, ASCII; C:\Users\user\AppData\...\nvs_update.txt, Unicode
            conhost.exe
wscript.exe
    powershell.exe
        signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
        AddInProcess32.exe
            signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
        3 other processes
wscript.exe
    powershell.exe
        AddInProcess32.exe
        conhost.exe
        2 other processes
svchost.exe
    network: pub-bcefb9e553ee4137a6d296b7c71a767e.r2.dev 172.66.0.235, 443, 49688 CLOUDFLARENETUS United States; 127.0.0.1 unknown unknown
Threat name: Script-WScript.Trojan.MassLogger
Status: Malicious
First seen: 2025-06-04 07:03:29 UTC
File Type: Text (VBS)
AV detection: 8 of 24 (33.33%)
Threat level: 5/5
Result
Malware family: masslogger
Score: 10/10
Tags: family:masslogger collection discovery execution persistence spyware stealer
Behaviour
outlook_office_path
outlook_win_path
Kills process with taskkill
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Checks computer location settings
Blocklisted process makes network request
MassLogger
Masslogger family
Malware Config
C2 Extraction:
https://api.telegram.org/bot7905958978:AAEng8Wyhv-U1eyp4jKpvi8uIC2em6irGnw/sendMessage?chat_id=7629239186
Dropper Extraction:
https://service-omega-snowy.vercel.app/final.txt
https://service-omega-snowy.vercel.app/first.txt
https://pub-bcefb9e553ee4137a6d296b7c71a767e.r2.dev/server/code/encoded.txt
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.