Trojan.MSIL.Heracles.RF

By CagedTech in Trojans

Threat Scorecard

Threat Level:	80 % (High)
Infected Computers:	660

First Seen:	May 23, 2023
Last Seen:	March 25, 2026
OS(es) Affected:	Windows

Table of Contents

Analysis Report

General information

Family Name:	Trojan.MSIL.Heracles.RF
Signature status:	No Signature

Known Samples

MD5: 6522e1a7d753bfcca3755f962684b425

SHA1: ae5ce57529c0d8ebf3cabdaa41d0baf3574c48f1

File Size: 1.75 MB, 1745408 bytes

MD5: b28ff163babd1006ec20a617ac1ca4b6

SHA1: 5d2c768484fe0999d8f8d1af613a65eff5202a42

SHA256: D8623FDBF56DF0E42A84568A1A22466DFC6334CFF9CA5E389DCB311007EACCAE

File Size: 2.18 MB, 2179072 bytes

MD5: b1ccc1107161f1a82a100bba066f1c19

SHA1: 9733ee32621a303da5fd7840e0c5af6e2a855eaf

SHA256: 0223D6687D9200F8D54640A9B168C5D187E2067B7A4FE485735821535A0BC3B9

File Size: 1.80 MB, 1800192 bytes

MD5: 4c33c979f3285c8df3c3131e6f4fa456

SHA1: 34e081c2a88514d1a6721aa92907bc27e820d9a5

SHA256: FDF7A83C22AEFF399725CE4058BBEF8EA06119471B8A0E815D306FF894E493C6

File Size: 158.72 KB, 158720 bytes

MD5: 9b04a7ddd7d09801e607ce402c84a72a

SHA1: 4925c070d1bd936b76c0dd723c21657b986f418e

SHA256: B54CDDAD0D6775447C86EC24F5C98473FC9DBC06BEDED693593A8EC7EE440282

File Size: 31.74 KB, 31744 bytes

MD5: 53352299e1e1adf0ad4e125474f1be6f

SHA1: 4e50dfdb673968b2f1ab3b7f5209dd841c8f1a61

SHA256: E9D27C52FDAFC4D3E238E1F26AC65B1A951E013E4949B85226EE1CCE4AB8B2A2

File Size: 1.33 MB, 1325056 bytes

MD5: cfcc7a00b416bf52f0bbd4e5b3b39118

SHA1: ff032abc1d036926dfcab6367e768d63e2127aad

SHA256: DB3A842F1327B1E5C4E44BE65841564EF5ADF4A01F0D4D3963DBD24D47692D0E

File Size: 340.99 KB, 340992 bytes

MD5: dedd893ba12a0c0e07bf65a602ccc30d

SHA1: 6383adafac1d2d6dbece6f4bf4fc2f901eec39e4

SHA256: 69D8E810306F44A9964A74FFD563DC547A14EF80E07D825E44DF0BB2FD45E6E4

File Size: 1.88 MB, 1878528 bytes

MD5: 852203b8e3dd324d716707e9cadc7399

SHA1: 85785f58412c9a0c872f37abae7a83c382075142

SHA256: 51EFC44B7CD9789DF385A422E96C7B6A8D36ED7B510E11FDCA6AD23A054A2A4A

File Size: 1.88 MB, 1881088 bytes

MD5: 14a362ddedb20acfe359b2aee89a04d7

SHA1: 8dd280d15b2fa357424140f21c62008108db5ad2

SHA256: F674653D7137CD2A77B63CE48AE56012EEDA2761691415EACEF2D5BC10893360

File Size: 3.39 MB, 3391488 bytes

MD5: f9fe0cc27b3aa1561dcd8a03407fbfb8

SHA1: 90911517eeaf9fc9e210c1602a7c130eb76c6033

SHA256: DE16F8870FFE128A91562D316D372A3A0FF5A1A503462D08024E835280FE6B11

File Size: 47.10 KB, 47104 bytes

Windows Portable Executable Attributes

File doesn't have "Rich" header
File doesn't have exports table
File doesn't have relocations information
File doesn't have security information
File is .NET application
File is 32-bit executable
File is 64-bit executable
File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
File is either console or GUI application
File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)

File is not packed
IMAGE_FILE_DLL is not set inside PE header (Executable)
IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name	Value
Assembly Version	1.0.0.0
Company Name	Kz Cheats Paradox TTY-SPOOFER-CONSOLE-C#
File Description	C#Panel Test Kz Cheats Nezur painel tik tok Paradox Power INITE TTY-SPOOFER-CONSOLE-C# Valex xitexternal
File Version	1.0.0.0
Internal Name	C#Panel Test.exe Kz Cheats.dll painel tik tok.exe Paradox.dll Power INITE.exe TTY-SPOOFER-CONSOLE-C#.dll Valex.exe xitexternal.exe
Legal Copyright	Copyright © 2025 Copyright © 2026
Original Filename	C#Panel Test.exe Kz Cheats.dll painel tik tok.exe Paradox.dll Power INITE.exe TTY-SPOOFER-CONSOLE-C#.dll Valex.exe xitexternal.exe
Product Name	C#Panel Test Kz Cheats Nezur painel tik tok Paradox Power INITE TTY-SPOOFER-CONSOLE-C# Valex xitexternal
Product Version	1.0.0.0 1.0.0

File Traits

.NET
Agile.net
Fody
HighEntropy
VirtualQueryEx
WriteProcessMemory
x64
x86

Block Information

Total Blocks:	60
Potentially Malicious Blocks:	30
Whitelisted Blocks:	22
Unknown Blocks:	8

Visual Map

x x x x x x x x x x x x x x x x x x x x x x x x x x x 0 ? ? x ? ? ? 0 0 0 0 0 0 x 0 0 0 0 0 ? ? 0 ? x 0 0 0 0 0 0 0 0 0

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

MSIL.Heracles.RF

Files Modified

File	Attributes
c:\users\user\downloads\scripts\komorebi.lua	Generic Write,Read Attributes

Registry Modifications

Key::Value	Data	API Name
HKCU\software\valex::workspacefolder	c:\\users\\user\\downloads\\workspace	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing::enableconsoletracing		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::enablefiletracing		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::enableautofiletracing		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::enableconsoletracing		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::filetracingmask		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::consoletracingmask		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::maxfilesize		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::filedirectory	%windir%\tracing	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::enablefiletracing		RegNtPreCreateKey

HKLM\software\wow6432node\microsoft\tracing\rasmancs::enableautofiletracing		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::enableconsoletracing		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::filetracingmask		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::consoletracingmask		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::maxfilesize		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::filedirectory	%windir%\tracing	RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::enablefiletracing		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::enableautofiletracing		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::enableconsoletracing		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::filetracingmask		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::consoletracingmask		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::maxfilesize		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::filedirectory	%windir%\tracing	RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enablefiletracing		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enableautofiletracing		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enableconsoletracing		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::filetracingmask		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::consoletracingmask		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::maxfilesize		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::filedirectory	%windir%\tracing	RegNtPreCreateKey
HKCU\software\valex::autoexecutefolder	c:\\users\\user\\downloads\\autoexec	RegNtPreCreateKey

Windows API Usage

Category	API
User Data Access	GetComputerName GetComputerNameEx GetUserDefaultLocaleName GetUserObjectInformation
Encryption Used	BCryptOpenAlgorithmProvider
Anti Debug	IsDebuggerPresent NtQuerySystemInformation
Other Suspicious	AdjustTokenPrivileges
Network Info Queried	GetAdaptersAddresses GetNetworkParams
Network Winsock2	WSAConnect WSASend WSASocket WSAStartup WSAttemptAutodialName
Network Winsock	bind closesocket freeaddrinfo getaddrinfo recv send setsockopt
Network Winhttp	WinHttpOpen
Syscall Use	ntdll.dll!NtAlertThreadByThreadId ntdll.dll!NtAlpcConnectPort ntdll.dll!NtAlpcConnectPortEx ntdll.dll!NtAlpcCreatePortSection ntdll.dll!NtAlpcCreateSectionView ntdll.dll!NtAlpcCreateSecurityContext ntdll.dll!NtAlpcDeleteSecurityContext ntdll.dll!NtAlpcQueryInformation ntdll.dll!NtAlpcQueryInformationMessage ntdll.dll!NtAlpcSendWaitReceivePort Show More ntdll.dll!NtAlpcSetInformation ntdll.dll!NtApphelpCacheControl ntdll.dll!NtAssociateWaitCompletionPacket ntdll.dll!NtCancelWaitCompletionPacket ntdll.dll!NtClearEvent ntdll.dll!NtClose ntdll.dll!NtConnectPort ntdll.dll!NtCreateEvent ntdll.dll!NtCreateFile ntdll.dll!NtCreateIoCompletion ntdll.dll!NtCreateKey ntdll.dll!NtCreateMutant ntdll.dll!NtCreatePrivateNamespace ntdll.dll!NtCreateSection ntdll.dll!NtCreateSemaphore ntdll.dll!NtCreateThreadEx ntdll.dll!NtCreateTimer ntdll.dll!NtCreateTimer2 ntdll.dll!NtCreateWaitCompletionPacket ntdll.dll!NtCreateWorkerFactory ntdll.dll!NtDelayExecution ntdll.dll!NtDeviceIoControlFile ntdll.dll!NtDuplicateObject ntdll.dll!NtEnumerateKey ntdll.dll!NtEnumerateValueKey ntdll.dll!NtFlushProcessWriteBuffers ntdll.dll!NtFreeVirtualMemory ntdll.dll!NtGetCompleteWnfStateSubscription ntdll.dll!NtMapViewOfSection ntdll.dll!NtNotifyChangeKey ntdll.dll!NtOpenDirectoryObject ntdll.dll!NtOpenEvent ntdll.dll!NtOpenFile ntdll.dll!NtOpenKey ntdll.dll!NtOpenKeyEx ntdll.dll!NtOpenProcess ntdll.dll!NtOpenProcessToken ntdll.dll!NtOpenSection ntdll.dll!NtOpenThread ntdll.dll!NtOpenThreadToken ntdll.dll!NtPowerInformation ntdll.dll!NtProtectVirtualMemory ntdll.dll!NtQueryAttributesFile ntdll.dll!NtQueryDefaultLocale ntdll.dll!NtQueryDirectoryFileEx ntdll.dll!NtQueryEvent ntdll.dll!NtQueryFullAttributesFile ntdll.dll!NtQueryInformationFile ntdll.dll!NtQueryInformationJobObject ntdll.dll!NtQueryInformationProcess ntdll.dll!NtQueryInformationThread ntdll.dll!NtQueryInformationToken ntdll.dll!NtQueryKey ntdll.dll!NtQueryLicenseValue ntdll.dll!NtQueryPerformanceCounter ntdll.dll!NtQuerySecurityAttributesToken ntdll.dll!NtQuerySecurityObject ntdll.dll!NtQuerySystemInformation ntdll.dll!NtQuerySystemInformationEx ntdll.dll!NtQueryValueKey ntdll.dll!NtQueryVirtualMemory ntdll.dll!NtQueryVolumeInformationFile ntdll.dll!NtQueryWnfStateData ntdll.dll!NtQueryWnfStateNameInformation ntdll.dll!NtQueueApcThread ntdll.dll!NtQueueApcThreadEx2 ntdll.dll!NtReadFile ntdll.dll!NtReadRequestData ntdll.dll!NtReadVirtualMemory ntdll.dll!NtReleaseMutant ntdll.dll!NtReleaseSemaphore ntdll.dll!NtReleaseWorkerFactoryWorker ntdll.dll!NtRemoveIoCompletion ntdll.dll!NtRequestWaitReplyPort ntdll.dll!NtResumeThread ntdll.dll!NtSetEvent ntdll.dll!NtSetInformationFile ntdll.dll!NtSetInformationKey ntdll.dll!NtSetInformationObject ntdll.dll!NtSetInformationProcess ntdll.dll!NtSetInformationThread ntdll.dll!NtSetInformationVirtualMemory ntdll.dll!NtSetInformationWorkerFactory ntdll.dll!NtSetSystemInformation ntdll.dll!NtSetTimer2 ntdll.dll!NtSetTimerEx ntdll.dll!NtSetValueKey ntdll.dll!NtSubscribeWnfStateChange ntdll.dll!NtTestAlert ntdll.dll!NtTraceControl 14 additional items are not displayed above.

EnigmaSoft’s Payment Processor Digital River GmbH Filing for Bankruptcy Does Not Impact SpyHunter Customers’ Anti-Malware Protection

Search

Change Region

Trojan.MSIL.Heracles.RF

Threat Scorecard

EnigmaSoft Threat Scorecard

Analysis Report

General information

Known Samples

Known Samples

Windows Portable Executable Attributes

Windows Portable Executable Attributes

File Icons

File Icons

Windows PE Version Information

Windows PE Version Information

File Traits

Block Information

Block Information

Visual Map

Similar Families

Similar Families

Files Modified

Files Modified

Registry Modifications

Registry Modifications

Windows API Usage

Windows API Usage

Submit Comment

Trending

Demotrix.org

UNC4899 Cloud Compromise Campaign

Chargeback Invoice Email Scam

Most Viewed

How To Fix 'Printer Driver is Unavailable' Error

Pornktube.porn

Discord Shows Black Screen when Sharing Screen