MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0961f362e4bd89c42505248704010be1d62f5fe62ef5b2a65338d85c7ce7b9db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Healer


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0961f362e4bd89c42505248704010be1d62f5fe62ef5b2a65338d85c7ce7b9db
SHA3-384 hash: 13fde85c4f6966f2c3605040d2eb0c63b353778b3f3a73d8d7742e08a7d7d8da588190ef4ac4d604feee958ed6b51a53
SHA1 hash: 943fa6a131ee2280a96938162117b14037bcf6a4
MD5 hash: da25f04e051edbae6a2bc697cd1b79a9
humanhash: victor-juliet-mobile-black
File name:file
Download: download sample
Signature Healer
Create hunting rule
File size:2'799'616 bytes
First seen:2024-11-28 06:37:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:f2W8Lo2lWkzqqAYnoPLRTBR2aByVr6fN+w7T5ifTQsG:f2W8LFldz5AYoPLRTBR28yJUMf
Threatray 11 similar samples on MalwareBazaar
TLSH T131D54BD2A509B2CFD88A1774452BCEC2AE5D43F9472089C3D96C64BEFD63CC115BAC29
TrID 52.9% (.EXE) Win32 Executable (generic) (4504/4/1)
23.5% (.EXE) Generic Win/DOS Executable (2002/3)
23.5% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter Bitsight
Tags:exe Healer


Avatar
Bitsight
url: http://185.215.113.16/off/random.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
436
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Suspicious activity
Analysis date:
2024-11-28 06:42:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5cd060c4-a6a9-4db4-a0c0-3ac4e37feb6d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Zusy-10036805-0
Create hunting rule

Win.Packed.Zusy-10037550-0
Create hunting rule

Win.Packed.Zusy-10037551-0
Create hunting rule

Win.Packed.Zusy-10037840-0
Create hunting rule

Win.Packed.Zusy-10037925-0
Create hunting rule

Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6748110fd0583382434b9d18
Tags:
vmdetect
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Launching a service
Creating a file
Blocking the Windows Defender launch
Disabling the operating system update service
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm packed packed packer_detected
Link:
https://www.filescan.io/uploads/67480fd1fa3557b45ebe1303/reports/a7a94f6b-5736-4d57-b608-b61729f3ea9f/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/0961f362e4bd89c42505248704010be1d62f5fe62ef5b2a65338d85c7ce7b9db
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3b094524-2230-4abe-9a46-3a1c4f07dd40
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1564323
Signature
AI detected suspicious sample
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Hides threads from debuggers
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0961f362e4bd89c42505248704010be1d62f5fe62ef5b2a65338d85c7ce7b9db
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0961f362e4bd89c42505248704010be1d62f5fe62ef5b2a65338d85c7ce7b9db/
Threat name:
Win32.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2024-11-28 06:38:07 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
27 of 38 (71.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bfq7gyxexwe4ijifesdqiail4hlc6x7gf323fjsthdmfy7hhxhnq._file
Verdict:
malicious
Label(s):
sorano
Create hunting rule
Similar samples:
00ab27ea1504e59ae5c8fc57793a2a05311319db91a1058350e9820fde89b5e4
Healer
0456e14dab2d9d41a45b28c8723ed8552261af595dadcb2c8c51c360768aa549
Healer
0961f362e4bd89c42505248704010be1d62f5fe62ef5b2a65338d85c7ce7b9db
Healer
482b3d609f547c1ca3c65e42fb8b7447da245121781edac72e414fb7b20f9ec2
Healer
59492c239987c11dac31153e0588926b4262589e19da4288915cc49a09a7b43e
Healer
7ee4e5f1ced524a4907c22207ce79668112eae18ee32d5111ef0b7c35ccec49d
Healer
8b904d7e94549459baf5e36c36674a51c0aaf16af03c363ae4068c017c31fa52
Healer
aebc2898eff671909be705730e8feb4fc049710bb485839a0299b7c037b144cd
Healer
b11878f626f1edf687231b583380efdba57ee846801ff869f9910aacfcd7b995
Healer
error
Healer
+ 1 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery evasion trojan
Link:
https://tria.ge/reports/241128-hd24gavndm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Windows security modification
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies Windows Defender Real-time Protection settings
Verdict:
Malicious
Tags:
Win.Packed.Zusy-10036805-0
YARA:
n/a
Link:
https://app.threat.zone/submission/8d9d0246-affb-45dd-a778-0cecf1dab1bf
Unpacked files
SH256 hash:
0961f362e4bd89c42505248704010be1d62f5fe62ef5b2a65338d85c7ce7b9db
MD5 hash:
da25f04e051edbae6a2bc697cd1b79a9
SHA1 hash:
943fa6a131ee2280a96938162117b14037bcf6a4
Link:
https://www.unpac.me/results/eea5bb73-de39-42e2-9753-b5c780bd5328/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0961f362e4bd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0961f362e4bd89c42505248704010be1d62f5fe62ef5b2a65338d85c7ce7b9db

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Healer

Executable exe 0961f362e4bd89c42505248704010be1d62f5fe62ef5b2a65338d85c7ce7b9db

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3245479/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (NX_COMPAT)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments