MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd4ce12ff6104595f16f7149c38a722ba77031a0ae10486ed325a75187803698. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cd4ce12ff6104595f16f7149c38a722ba77031a0ae10486ed325a75187803698
SHA3-384 hash: d27da56eded7514a727a10b22b627761109a98e245f452d4adda706a9f48964abd340f58c7abfb24a094e502dec30a71
SHA1 hash: e3926355ffc400b1a0a06a53d8b425bcc5990baa
MD5 hash: c4a0de36c23563cae7032c9b20620698
humanhash: lima-queen-thirteen-oven
File name:nhlkle.exe
Download: download sample
File size:609'280 bytes
First seen:2023-03-01 18:27:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:2wYRI9RO+lueu8IRBNvzUzpJUS6RuttyIxM8PWUCJbresvZfBv:2wiSDuR/zS29AMaWUC9rRvZJ
Threatray 314 similar samples on MalwareBazaar
TLSH T1F6D423771FFC2D81DF0B76756F2EFA6FB6B0760F9A18E2D4908477A5B4002211166B82
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter 0xToxin
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
189
Origin country :
IL IL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
nhlkle.exe
Verdict:
Malicious activity
Analysis date:
2023-03-01 18:28:52 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/0a933068-de01-4b9d-bd4a-85bb81e58fdc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/370859/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Creating a file in the %temp% directory
Reading critical registry keys
Creating a file
Launching a process
Creating a process with a hidden window
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63ff9933bbedb8176ff205e7/reports/33161820-159c-4e92-a59f-2150422c225d/overview
Verdict:
Malicious
Labled as:
MSILHeracles.Generic
Link:
https://www.hybrid-analysis.com/sample/cd4ce12ff6104595f16f7149c38a722ba77031a0ae10486ed325a75187803698
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/99e6f12f-71b9-4fb4-a448-051cb13144a3
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1185101
Signature
Antivirus / Scanner detection for submitted sample
Deletes itself after installation
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cd4ce12ff6104595f16f7149c38a722ba77031a0ae10486ed325a75187803698/
Threat name:
ByteCode-MSIL.Trojan.Heracles
Create hunting rule
Status:
Malicious
First seen:
2023-03-01 18:28:07 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
4
AV detection:
18 of 25 (72.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zvgocl7wcbczl4lpofe4hctsfotxamnavyieq3wtewtvdb4ag2ma._file
Verdict:
malicious
Similar samples:
4fd83cdcd89efdb7ce2d771a305c10e3575c2e2da874da9b28fabd940785b059
5178b113ff589ee961f692de2a2f0c577c31b9511d81d8ec0af052bc732b2ff5
6d62cebf308b5ab873d98e0447c68f936bc34addeb924eb8ef972072ca13d4bf
78e3a6a4c1ad570f4411fe72ba86c6e8c171ce38ad2373a0bc6183af6b83561c
8785300bc02bbf034417c477db91c121123b31b1eaf24fc0f74ee11e11ec058c
8b1d3c51ec4e9c3675e220f892b6d94b722d9fdbf4010d6c2f914fcc2bc4f36d
98d78baf7a1ceff6ec4f3d2330a30075df9c461d03ceaac23c478112bb333d48
a95f3ca79acd4178d465fc84f47532a29087f5b40c59b51af8f0454c9719a03d
bc2f9fb51d4da2cf6a3009c0540ad2031a544dad8d37a3c262728e2012d60f2c
d3d91b831503504e524659f07a1c31d2bc74d0637f6468667ed14382a8ca84d5
+ 304 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection spyware stealer
Link:
https://tria.ge/reports/230301-w4bwvsha8y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Accesses Microsoft Outlook profiles
Checks computer location settings
Deletes itself
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
cd4ce12ff6104595f16f7149c38a722ba77031a0ae10486ed325a75187803698
MD5 hash:
c4a0de36c23563cae7032c9b20620698
SHA1 hash:
e3926355ffc400b1a0a06a53d8b425bcc5990baa
Link:
https://www.unpac.me/results/cd25d736-287d-4e7a-bd9a-548869d463f6/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cd4ce12ff610/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.52
Link:
https://yomi.yoroi.company/submissions/cd4ce12ff6104595f16f7149c38a722ba77031a0ae10486ed325a75187803698

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/370859/

Comments