MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ad4c1b5018e8b639a26c8eca1415dffcd4f828fa82a65bf90955f1925831f64. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Healer

Vendor detections: 14

Intelligence 14 IOCs YARA 8 File information Comments

SHA256 hash:	0ad4c1b5018e8b639a26c8eca1415dffcd4f828fa82a65bf90955f1925831f64
SHA3-384 hash:	26ec80c8401b536013fdb72c6899d0374c4594d6c02c5314abbbd05f07f9c44d42427c3bc9c0ff4ef40e973fb5ccde89
SHA1 hash:	e81ac21ea5a25f1b63abd16c098976019b90fb60
MD5 hash:	c1a9fd7decc2fdc62544e711b1e66854
humanhash:	sodium-ten-sweet-north
File name:	random.exe
Download:	download sample
Signature	Healer Create hunting rule
File size:	1'741'312 bytes
First seen:	2025-02-15 16:20:24 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep	49152:aCs4IEvhKMJi8cBgpWJU1kVZiZyxDEvpQ:aCs49vhKL8cBgpJ10b5y
TLSH	T1408533382CA587E5CD075BFAE6922F1E15433C64463B12721CDB3AD788AE74A3325D9C
TrID	52.9% (.EXE) Win32 Executable (generic) (4504/4/1) 23.5% (.EXE) Generic Win/DOS Executable (2002/3) 23.5% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	aachum
Tags:	exe Healer

iamaachum

http://185.215.113.16/defend/random.exe

Intelligence

File Origin

# of uploads :

# of downloads :

421

Origin country :

Vendor Threat Intelligence

Malware family:

amadey

ID:

File name:

http://185.215.113.209/soka/random.exe

Verdict:

Malicious activity

Analysis date:

2025-02-15 15:49:09 UTC

Tags:

amadey botnet stealer stealc loader cryptbot lumma exfiltration povertystealer lumar gcleaner tas17 xenorat rat tofsee auto generic arch-exec github smtp miner asyncrat remote ransomware telegram pastebin themida pythonstealer systembc proxyware qrcode python credentialflusher antivm ahk screenconnect

Link:

https://app.any.run/tasks/ffb27cdf-61cc-4864-8f47-904f1ebcfa4d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Sanesecurity.Malware.31328.BadINC.UNOFFICIAL

Win.Packed.Zusy-10036805-0

Win.Packed.Zusy-10037550-0

Verdict:

Malicious

Score:

81.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67b0bff928ab76d43a5b0c91

Tags:

vmdetect virus

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Searching for analyzing tools

Searching for the window

Launching a service

Creating a file

Blocking the Windows Defender launch

Disabling the operating system update service

Verdict:

Malicious

Labled as:

Zusy.Generic

Link:

https://www.hybrid-analysis.com/sample/0ad4c1b5018e8b639a26c8eca1415dffcd4f828fa82a65bf90955f1925831f64

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/49844867-ecfd-4696-a441-0f98fc9dd672

Result

Threat name:

Healer AV Disabler

Detection:

malicious

Classification:

phis.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1615893

Signature

Detected unpacking (changes PE section rights)

Disable Windows Defender notifications (registry)

Disable Windows Defender real time protection (registry)

Disables Windows Defender Tamper protection

Hides threads from debuggers

Joe Sandbox ML detected suspicious sample

Modifies windows update settings

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Yara detected Healer AV Disabler

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/0ad4c1b5018e8b639a26c8eca1415dffcd4f828fa82a65bf90955f1925831f64

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0ad4c1b5018e8b639a26c8eca1415dffcd4f828fa82a65bf90955f1925831f64/

Threat name:

Win32.Infostealer.Tinba

Status:

Malicious

First seen:

2025-02-15 16:21:33 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 37 (48.65%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=blkmdnibr2fwhgrgzdwkcqk577gu7aupvavglp4qsvprsjmdd5sa._file

Result

Malware family:

healer

Score:

10/10

Tags:

family:healer defense_evasion discovery dropper evasion trojan

Link:

https://tria.ge/reports/250215-tt2y7asrfl/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks BIOS information in registry

Identifies Wine through registry keys

Windows security modification

Downloads MZ/PE file

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Detects Healer an antivirus disabler dropper

Healer

Healer family

Modifies Windows Defender DisableAntiSpyware settings

Modifies Windows Defender Real-time Protection settings

Modifies Windows Defender TamperProtection settings

Modifies Windows Defender notification settings

Verdict:

Malicious

Tags:

Win.Packed.Zusy-10036805-0

YARA:

n/a

Link:

https://app.threat.zone/submission/43694503-abe5-412f-91ed-c882a88881dd

Unpacked files

SH256 hash:

0ad4c1b5018e8b639a26c8eca1415dffcd4f828fa82a65bf90955f1925831f64

MD5 hash:

c1a9fd7decc2fdc62544e711b1e66854

SHA1 hash:

e81ac21ea5a25f1b63abd16c098976019b90fb60

Link:

https://www.unpac.me/results/4136dbf8-83a6-4321-95ad-033a763ee93e/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0ad4c1b5018e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0ad4c1b5018e8b639a26c8eca1415dffcd4f828fa82a65bf90955f1925831f64

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender Create hunting rule
Author:	ditekSHen
Description:	Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

Rule name:	mal_healer Create hunting rule
Author:	Nikos 'n0t' Totosis
Description:	Payload disabling Windows AV

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)