MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a12a1b3fd111b6ad03f830176b8742c7aead54a2a137d7944c2b067c04196cf5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 9

Intelligence 9 IOCs YARA 7 File information Comments

SHA256 hash:	a12a1b3fd111b6ad03f830176b8742c7aead54a2a137d7944c2b067c04196cf5
SHA3-384 hash:	aa235d2158fedfe5a03d2c2976893857aac48a1c6d257544d8815a31e44c50e86ad13a24963635a39b0e5f63dc1c0ad7
SHA1 hash:	11690089ce8a886a0ceaeb81b31686b3830b0dab
MD5 hash:	38d5ebcb821a6c236e51a6547515a75e
humanhash:	lactose-quebec-cardinal-network
File name:	Unpacked PE Image: 32-bit DLL.dll
Download:	download sample
File size:	829'440 bytes
First seen:	2026-03-24 14:07:13 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	dae02f32a21e03ce65412f6e56942daa (123 x YellowCockatoo, 60 x CobaltStrike, 44 x JanelaRAT)
ssdeep	12288:ooAE6udzbomlopspwF2dvA17brkbpQGi1SI8HwbH8IQaKaO6CapE/6vCkkcEUxy:gE6ua9p4fdvjQGGQaRCapE/6vKRUxy
TLSH	T143057C1276BA9F43ED4E4B31C0D19C242BB6E58467ABF33F918A1994880F392CB57D47
TrID	87.8% (.DLL) Generic .NET DLL/Assembly (236632/4/32) 2.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 2.4% (.EXE) Win64 Executable (generic) (6522/11/2) 1.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.6% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	Skynet11
Tags:	dll Unpacked PE Image: 32-bit DLL

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/e544d6e6-ea8b-41e0-877b-d252203d33d1/

Gathering data

Detection(s):

Win.Malware.Zusy-10009321-0

Win.Malware.Msilheracles-10019320-0

Verdict:

Clean

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69c29a9e390b996474134a5d

Tags:

n/a

Result

Verdict:

Clean

Maliciousness:

Behaviour

Connection attempt

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

base64 krypt net_reactor obfuscated obfuscated packed reconnaissance vbnet venomrat zusy

Link:

https://www.filescan.io/uploads/69c29a9a5229aae88c82fa15/reports/6317df27-bde4-463f-a1a7-10feef7155cc/overview

Verdict:

Malicious

Labled as:

Application.MSILheracles.Generic

Link:

https://www.hybrid-analysis.com/sample/a12a1b3fd111b6ad03f830176b8742c7aead54a2a137d7944c2b067c04196cf5

Result

Gathering data

Verdict:

Clean

File Type:

executable.pe.32.dll

Link:

https://opentip.kaspersky.com/a12a1b3fd111b6ad03f830176b8742c7aead54a2a137d7944c2b067c04196cf5/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/5c0800e8-2b8e-4a88-8d57-1304f478c9b4

Score:

19%

Verdict:

Benign

File Type:

Link:

https://malprob.io/report/a12a1b3fd111b6ad03f830176b8742c7aead54a2a137d7944c2b067c04196cf5

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a12a1b3fd111b6ad03f830176b8742c7aead54a2a137d7944c2b067c04196cf5/

Verdict:

Malicious

Link:

https://tip.neiki.dev/file/a12a1b3fd111b6ad03f830176b8742c7aead54a2a137d7944c2b067c04196cf5

Threat name:

Win32.Trojan.Msilheracles

Status:

Malicious

First seen:

2026-03-24 14:07:26 UTC

File Type:

PE (.Net Dll)

Extracted files:

AV detection:

14 of 36 (38.89%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=uevbwp6rcg3k2a7ygalwxb2cy6xk2vfcue35pfcmfmdhybaznt2q._file

Result

Malware family:

n/a

Score:

3/10

Tags:

discovery

Link:

https://tria.ge/reports/260324-re6byshz4z/

Behaviour

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Unpacked files

SH256 hash:

a12a1b3fd111b6ad03f830176b8742c7aead54a2a137d7944c2b067c04196cf5

MD5 hash:

38d5ebcb821a6c236e51a6547515a75e

SHA1 hash:

11690089ce8a886a0ceaeb81b31686b3830b0dab

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

Link:

https://www.unpac.me/results/e4dce580-e2b5-4d5a-832e-ea4d735501ec/

Parent samples :

6a3368fb5ffab1283df539c6f17cb1244b563f5a3ad94d96adcde2dcadab66ae
057dd07c9fe02bf1560249258a6bbe88a39f8d02a1a754ff655ad83f99341669
a12a1b3fd111b6ad03f830176b8742c7aead54a2a137d7944c2b067c04196cf5

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.56

Link:

https://yomi.yoroi.company/submissions/a12a1b3fd111b6ad03f830176b8742c7aead54a2a137d7944c2b067c04196cf5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	extracted_at_0x44b Create hunting rule
Author:	cb
Description:	sample - file extracted_at_0x44b.exe
Reference:	Internal Research

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/59000/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample