{
	"id": "1c6b78ff-f41c-4348-b05b-e22448b0b609",
	"created_at": "2026-04-06T01:31:02.144299Z",
	"updated_at": "2026-04-10T03:21:20.560782Z",
	"deleted_at": null,
	"sha1_hash": "31c48fc8cdb310e4e16062d6da85f94988681bd0",
	"title": "Masslogger Fileless Variant – Spreads via .VBE, Hides in Registry",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1541307,
	"plain_text": "Masslogger Fileless Variant – Spreads via .VBE, Hides in Registry\r\nBy Prashil Moon\r\nPublished: 2025-06-18 · Archived: 2026-04-06 01:03:16 UTC\r\nDuring our recent investigation at Seqrite Labs, we identified a sophisticated variant of the Masslogger credential stealer malware spreading through .VBE (VBScript Encoded) files. Initially, the variant appeared to be a typical script-based threat, but deeper analysis showed it to be a multi-stage fileless malware that relies heavily on the Windows Registry to store and execute its malicious payload.\r\nIn this blog post, we analyze the internal flow of the VBScript code, the obfuscation mechanism used, and how it manipulates the system to remain fileless. We also explain the stagers and the capabilities of the final Masslogger payload.\r\nInitial Infection Vector:\r\nThe infection begins with a .VBE file, likely distributed via spam email or drive-by downloads. A .VBE file is a VBScript encoded with Microsoft’s built-in encoding scheme, which deters casual inspection. Once decoded, the script reveals multiple layers of obfuscation, modular routines and its true functionality.\r\nAnalysis of Decoded .VBS – [VBScript] File:\r\nInitially, the .VBS file prepares and writes multiple registry values under a specific key used by the malware. This sets up the execution environment for storing a fileless payload.\r\nThe registry key and value names are hard-coded and straightforward. However, a few of the critical value data are kept encoded and are decoded during execution.\r\n-Registry Setup for Commands and Stager Configuration:\r\nThe subroutine AKAAU() prepares the keys and values before they are written to the registry. Value names and value data are stored in separate arrays, “QORXG” and “ZBZLV” respectively. Both arrays are written to the registry using “RegWrite”.\r\nhttps://www.seqrite.com/blog/masslogger-fileless-vbe-registry-malware/\r\nPage 1 of 16\r\nFig-1: .VBS file prepares and writes multiple Windows registry values\r\nOnce the system is infected, these malicious registry entries can be found in Registry Editor:\r\nFig-2: Malicious registry entries, values and their probable meaning\r\nHere is a summary of the registry entries written to the system under the registry path “HKCU\\Software\\”:\r\nValue Name | Value Data | Summary\r\ncn | Stop-Process -Name conhost -Force | Forcefully kills the conhost.exe process.\r\ni | “AddInProcess32.exe” | Target process for code injection.\r\nin | “0” | Control flag, checking whether the PowerShell command has already run or not.\r\ninstant | LPICU | Obfuscated PowerShell commands. Deobfuscates and loads Stager-1 in memory.\r\nPath | esBbIgyFlZcXjUl | Name of the registry key path. It is appended to “HKCU\\Software\\”.\r\nr | WAJLA | .Net assembly, stored in reversed string format. Stager-2.\r\ns | RKFYI(DGSLP) | Hex-decoded string. .Net assembly stored in reversed Base64 format. Stager-1.\r\nv | HIKGO() | Obfuscated commands for PowerShell. Deobfuscates and loads Stager-1 in memory. Specifically used for user input simulation.\r\nTable-1: Summary of added registry entries\r\nBefore writing these registry entries, the malware calls a subroutine “ZGYHW()” that checks whether the file “C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe” is present. Depending on its presence, the malware deploys different versions of the stagers, specifically Stager-2 in this scenario:\r\nFig-3: Check for MSBuild.exe file presence\r\n– Registry Setup for Final Payload Deployment:\r\nAfter the above registry entries are configured and written, there is a call to another subroutine, “XSSAY()”. This function is responsible for reading another, larger string (the actual Masslogger payload, kept encoded). This data is then split into 25,000-character chunks, which are written to other registry values in segmented form.\r\nFig-4: Malware splitting another large string into chunks and writing it to the registry\r\nEach chunk is written to the registry at these paths:\r\nHKEY_CURRENT_USER\\SOFTWARE\\esBbIgyFlZcXjUl\\donn\\segment1\r\nHKEY_CURRENT_USER\\SOFTWARE\\esBbIgyFlZcXjUl\\donn\\segment2\r\nHKEY_CURRENT_USER\\SOFTWARE\\esBbIgyFlZcXjUl\\donn\\segment*\r\nFig-5: New registry values added as chunks of string data\r\n-Task scheduler:\r\nThe malware establishes persistence via a Windows scheduled task, ensuring that it keeps running on the system. The task trigger starts on the date of infection (20xx-xx-xxT00:00:00) and repeats every 1 minute (PT1M). The task is scheduled to run ignoring battery-related restrictions.\r\nFig-6: Task Scheduling\r\nThe task uses the same name as the created registry key, i.e. esBbIgyFlZcXjUl, and is triggered to run a .VBS file. This .VBS acts as a persistent execution loop that checks the created registry values indicating whether a payload should be executed.\r\n-Task Scheduler Script – Capable of Simulating User Input:\r\nAs we can see in the image below:\r\nIt runs around 10000 times, sleeping for 10 seconds between cycles.\r\nIt reads registry value “i” to get the name of the process and confirms whether it is running.\r\nThen it checks whether registry value “in” is set to 1; if so, it silently executes the malicious command stored in registry value “instant”.\r\nWhen “in” is not set to 1, it launches PowerShell in visible window mode and uses the “.SendKeys” method to input the values of the “v” and “cn” registry values followed by “{ENTER}”.\r\nThis technique amounts to simulating user input to PowerShell.\r\nFig-7: esBbIgyFlZcXjUl.VBS file with user input simulation\r\nAs we saw in the summary table,\r\nthe “cn” value is used to forcefully stop the running instance of the conhost.exe process, and\r\nthe “instant” and “v” values are used as PowerShell commands to de-obfuscate, prepare and load the stager .Net assembly in memory, without touching the disk.\r\nCheck for System Protection Status:\r\nThe malware checks the protection status of the target system, possibly to remain undetected during execution. It does so by querying some important registry keys. Below are a few of the keys where AV / security products usually register their presence:\r\n“HKLM\\SOFTWARE\\Microsoft\\Security Center\\Provider\\Av”,\r\n“HKLM\\SOFTWARE\\Microsoft\\Security Center\\Monitoring”,\r\n“HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Security and Maintenance\\Providers”,\r\n“HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Security Center\\Providers”\r\nThese keys are defined in the script in encoded format. The malware enumerates the subkeys of the above keys and attempts to read the “DisplayName” value. DisplayName holds the name of the installed AV / security tool. If multiple security products are found installed on the target system, the malware halts its execution.\r\nFig-8: Check the presence of installed security tools\r\n-Trigger for Stager:\r\nThe subroutine SQSKP() in the .VBE file is a critical part of the malware execution chain. It dynamically constructs and runs a PowerShell command that performs in-memory execution of a .NET stager retrieved from the Windows Registry.\r\nFig-9: Trigger for stager\r\nHere, the decoded text is the de-obfuscated PowerShell command, after replacing |path| with RVOYN.\r\nFig-10: Deobfuscated PowerShell command\r\nAs we can see in Fig-10:\r\n1. This PowerShell command is formed and assigned to the variable “LPICU”.\r\n2. The contents of the variable are then written to registry value “\\instant”, which is created inside registry key “Computer\\HKEY_CURRENT_USER\\SOFTWARE\\esBbIgyFlZcXjUl”.\r\n3. The function runs the constructed PowerShell command silently, where “0” hides the PowerShell window.\r\n4. PowerShell then reads registry value “HKCU\\Software\\esBbIgyFlZcXjUl\\s”. This value contains Stager-1, kept in reversed Base64-encoded format.\r\nFig-11: Forming Stager-1 by reversing and Base64 decoding\r\nWe have seen malware authors implementing this encoding combination in many recent credential stealers, including VIPKeylogger, Remcos, AsyncRAT etc.\r\n5. The PowerShell command reverses the string, joins the pieces, Base64-decodes the result and loads it in memory as a .Net assembly using “[AppDomain]::CurrentDomain.Load()”. This approach allows the malware to:\r\nAvoid writing actual malware files to disk (evasive capability).\r\nDynamically construct and load the payload at runtime.\r\n6. It invokes the entry method “[v.v]::v(‘esBbIgyFlZcXjUl’)”, where the argument refers to the registry path.\r\nWe took a dump of the deobfuscated Stager-1 payload for further analysis. Our observations are as follows:\r\nAnalysis of Stager-1:\r\nStager-1 is a small executable kept encoded at registry value “HKCU\\Software\\esBbIgyFlZcXjUl\\s”. It is compiled in .Net and its size is around ~14KB.\r\nAnalyzing its code, we found that it reads the contents of another registry value named “r” [HKCU\\Software\\esBbIgyFlZcXjUl\\r].\r\nThose contents are reversed and another .Net compiled binary is formed: Stager-2.\r\nThis binary is then loaded in memory using “Assembly.Load()”. Stager-1 tries to locate the method r() inside the class r in the Stager-2 assembly. It is the entry point for the execution of Stager-2.\r\nFig-12: Stager-1 trying to load Stager-2 and locate method “r” in it\r\nAnalysis of Stager-2:\r\nAfter Stager-1 completes its setup, the malware proceeds to its Stager-2 loader. This stage of the infection is focused on extracting the actual Masslogger payload from the registry and injecting it into a target process.\r\nStager-2 initially constructs potential file paths for launching a process and performing code injection. It checks whether a file (whose name is retrieved from registry value “i”) exists in any of these paths.\r\nIn our case, we found the target file/process path is:\r\n“%WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe”\r\nFig-13: Constructing file/process path for code injection.\r\nFurther, the malware extracts the actual Masslogger payload, which was previously written (by subroutine “XSSAY()”) to multiple registry values under the registry paths we saw earlier:\r\nHKEY_CURRENT_USER\\SOFTWARE\\esBbIgyFlZcXjUl\\donn\\segment1\r\nHKEY_CURRENT_USER\\SOFTWARE\\esBbIgyFlZcXjUl\\donn\\segment2\r\nHKEY_CURRENT_USER\\SOFTWARE\\esBbIgyFlZcXjUl\\donn\\segment*\r\nThe BBX() function of class ‘r’ is responsible for collecting all value entries, concatenating them, reversing the combined string, and then decoding it from hexadecimal into raw bytes. This technique allows malware authors to hide a full PE binary across multiple registry values. The decoded payload is then used for process hollowing, which is performed by the function .XGP().\r\nIt’s a clever way to keep everything stored in the registry and use memory only for execution.\r\nFig-14: Function performing payload deobfuscation and process hollowing\r\n-France Specific Payload Delivery:\r\nGeo-targeted payload delivery is now common in advanced malware, altering behavior based on the victim’s location. Stager-2 of this infection checks whether the current system’s input language is set to French (“Fr”) and whether the locale contains “France”.\r\nFig-15: France specific payload delivery\r\nIf the conditions are met, it tries to download a specially crafted additional payload from a hardcoded URL: hxxps://144.91.92.251/MoDi.txt. At the time of analysis, the URL was not accessible.\r\n-Terminating Traces and Exiting:\r\nAt the end of its execution, the malware forcibly terminates running instances of the conhost.exe and PowerShell.exe processes.\r\nFig-16: Process killing to hide traces\r\nBy killing these processes, the malware likely aims to hide traces of its activity. Finally, it exits the application using ProjectData.EndApp(), completing the Stager-2 lifecycle.\r\nAnalysis of Masslogger Final Payload:\r\nAfter successful deobfuscation of the final payload from the registry, Masslogger is injected into the target process, “AddInProcess32.exe”. We can see the marker of this malware in the memory dump of the injected process, as below:\r\nFig-17: Marker of Masslogger in memory\r\nWe took a memory dump of this payload, which represents the final stage in the malware chain. It is responsible for executing the main credential and info-stealing functionality.\r\n-Data Harvesting:\r\nLike many infostealers, this malware targets multiple web browsers and a few email clients to steal sensitive information such as saved usernames, passwords, autofill data, etc. Below is the list of web browsers and email clients Masslogger tries to target.\r\nFig-18: Targeted browsers and email clients for credential harvesting\r\nLet’s look at one of the modules in detail, where the malware tries to harvest saved login credentials from the Chrome browser.\r\nFig-19: Chrome browser specific module for credential harvesting\r\nIt locates the user’s login data by accessing the “Login Data” SQLite database. It extracts website URLs along with the corresponding usernames and passwords and collects them for further use. If valid credentials are found, they are stored in a structured format: website, username and password.\r\nApart from targeting browsers and email clients for info stealing, Masslogger also has the capabilities to:\r\nPerform keylogging.\r\nTake and clear snapshot files.\r\nRetrieve clipboard data.\r\nMonitor user activity by calling GetForegroundWindow, GetWindowText etc.\r\nRead system details, like IP address and country.\r\nUpload multiple files to a server.\r\n-Data Exfiltration:\r\nThe SpeedOffPWExport() method in the final payload enables data exfiltration by sending collected credentials and system information to remote locations via multiple channels, like FTP, SMTP or Telegram.\r\nIf FTP is enabled, the method uploads the stolen data as a .txt file to a remote FTP server using hard-coded credentials.\r\nFig-20: Data exfiltration via FTP\r\nFor SMTP, it constructs an email containing the data either in the message body or as an attached text file and sends it using the specified mail server.\r\nFig-21: Data exfiltration via SMTP\r\nIf Telegram exfiltration is enabled, it sends the data as a document using the Telegram Bot API, including a caption with the victim’s username and IP.\r\nFig-22: Data exfiltration via Telegram\r\nConclusion:\r\nThe Masslogger fileless variant shows the evolving trend of info-stealing malware. Delivered via a .VBE script, it abuses the Windows Registry to store the actual executable payload and loads that payload directly in memory without touching the disk. It has the capability to harvest stored credentials from multiple browsers and email clients and uses multiple channels [FTP, SMTP, Telegram Bot] for data exfiltration.\r\nThis variant shows the shift of credential stealer malware towards fileless operation in multiple stages (Stager-1, Stager-2). This challenges traditional AV and signature-based detection methods. To overcome this, defenders must employ advanced detection mechanisms such as behavioral detection, monitoring of registry anomalies, etc.\r\nIndicators of Compromise (IoCs):\r\nFile MD5:\r\n.VBE: 29DBD06402D208E5EBAE1FB7BA78AD7A\r\n.VBS: F30F07EBD35B4C53B7DB1F936F72BE93\r\nStager-1: 2F1E771264FC0A782B8AB63EF3E74623\r\nStager-2: 37F0EB34C8086282752AF5E70F57D34C\r\nMassLogger Payload: 1E11B72218448EF5F3FCA3C5312D70DB\r\nURL:\r\nhxxps://144.91.92.251/MoDi.txt\r\nSeqrite Detection:\r\nScript.trojan.49618.GC\r\nTrojan.MSIL\r\nTrojan.YakbeexMSIL.ZZ4\r\nMITRE ATT\u0026CK\r\nTactic | Technique ID | Technique Name | Sub-technique ID | Sub-technique Name\r\nInitial Access | T1566 | Phishing | T1566.001 | Spearphishing Attachment\r\nExecution | T1059 | Command and Scripting Interpreter | T1059.005 | Visual Basic\r\nExecution | T1059 | Command and Scripting Interpreter | T1059.001 | PowerShell\r\nPersistence | T1053 | Scheduled Task/Job | T1053.005 | Scheduled Task\r\nDefense Evasion | T1140 | De-obfuscate/Decode Files or Information | – | –\r\nDefense Evasion | T1112 | Modify Registry | – | –\r\nDefense Evasion | T1055 | Process Injection | T1055.012 | Process Hollowing\r\nDefense Evasion | T1562 | Impair Defenses | T1562.001 | Disable or Modify Tools\r\nDefense Evasion | T1059 | Command and Scripting Interpreter | T1059.001 | PowerShell\r\nDiscovery | T1518 | Software Discovery | T1518.001 | Security Software Discovery\r\nDiscovery | T1082 | System Information Discovery | – | –\r\nDiscovery | T1012 | Query Registry | – | –\r\nCredential Access | T1555 | Credentials from Password Stores | T1555.003 | Credentials from Web Browsers\r\nCredential Access | T1056 | Input Capture | T1056.001 | Keylogging\r\nCollection | T1113 | Screen Capture | – | –\r\nCollection | T1115 | Clipboard Data | – | –\r\nCollection | T1056 | Input Capture | T1056.001 | Keylogging\r\nCollection | T1083 | File and Directory Discovery | – | –\r\nCommand and Control | T1071 | Application Layer Protocol | T1071.001 | Web Protocols\r\nCommand and Control | T1071 | Application Layer Protocol | T1071.002 | File Transfer Protocols\r\nCommand and Control | T1071 | Application Layer Protocol | T1071.003 | Mail Protocols\r\nCommand and Control | T1105 | Ingress Tool Transfer | – | –\r\nExfiltration | T1041 | Exfiltration Over C2 Channel | – | –\r\nExfiltration | T1567 | Exfiltration Over Web Service | T1567.002 | Exfiltration to Cloud Storage\r\nExfiltration | T1567 | Exfiltration Over Web Service | T1567.001 | Exfiltration to Code Repository\r\nSource: https://www.seqrite.com/blog/masslogger-fileless-vbe-registry-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.seqrite.com/blog/masslogger-fileless-vbe-registry-malware/"
	],
	"report_names": [
		"masslogger-fileless-vbe-registry-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775439062,
	"ts_updated_at": 1775791280,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/31c48fc8cdb310e4e16062d6da85f94988681bd0.pdf",
		"text": "https://archive.orkl.eu/31c48fc8cdb310e4e16062d6da85f94988681bd0.txt",
		"img": "https://archive.orkl.eu/31c48fc8cdb310e4e16062d6da85f94988681bd0.jpg"
	}
}