MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9912ca71987c2be04d546bedff137ea1f902b8971a96d9ba3dfac4640dd0fe28. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Healer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9912ca71987c2be04d546bedff137ea1f902b8971a96d9ba3dfac4640dd0fe28
SHA3-384 hash: 5b06b85f041729f05849d38e4fc86060793dfdeb0432477ce872c427202148ad6c2de3549461f280eb8b0088f1023b95
SHA1 hash: 86054bbf6c942b7f9866c9f0e481dc4323268d92
MD5 hash: a7842d0059d8044e7603a05be32ff9f6
humanhash: carbon-paris-eight-juliet
File name:file
Download: download sample
Signature Healer
Create hunting rule
File size:1'728'512 bytes
First seen:2024-10-17 22:41:56 UTC
Last seen:2024-10-17 22:43:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 24576:exLltwLdm2OA71wQECbJKDQJMQv0P2Wm3vUvA2V6IOVOVKGrRg6Z1:exnOdPBwQECbaIMbQ3UJbbRT
TLSH T1B985331F8672727CC81629377A938606AE7C00C074D34DA81FD159B34F6B7EA92A1E1F
TrID 52.9% (.EXE) Win32 Executable (generic) (4504/4/1)
23.5% (.EXE) Generic Win/DOS Executable (2002/3)
23.5% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter Bitsight
Tags:exe Healer


Avatar
Bitsight
url: http://185.215.113.103/off/random.exe

Intelligence

File Origin
# of uploads :
20
# of downloads :
525
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
No threats detected
Analysis date:
2024-10-17 22:44:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e14d1fd7-6768-4cbc-8f30-df3574e57d5a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=671192c3e706a56b5a029dde
Tags:
Micro
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/671192c068b648f346849c51/reports/c3c50578-3bfc-470c-9597-419c19ba00f3/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/9912ca71987c2be04d546bedff137ea1f902b8971a96d9ba3dfac4640dd0fe28
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/f0ebdbb0-a19e-4ec3-896b-1787fe2f641c
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1536543
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Hides threads from debuggers
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9912ca71987c2be04d546bedff137ea1f902b8971a96d9ba3dfac4640dd0fe28
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9912ca71987c2be04d546bedff137ea1f902b8971a96d9ba3dfac4640dd0fe28/
Threat name:
Win32.Infostealer.Tinba
Create hunting rule
Status:
Malicious
First seen:
2024-10-17 22:42:08 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tejmu4mypqv6atkunpw76e36uh4qfoexdklntor57lcgidoq7yua._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery evasion trojan
Link:
https://tria.ge/reports/241017-2mnrzstgkq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
System Location Discovery: System Language Discovery
Launches sc.exe
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Windows security modification
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies Windows Defender Real-time Protection settings
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ac8d3ad5-cef7-404e-b716-f0a45cfce8f3
Unpacked files
SH256 hash:
9912ca71987c2be04d546bedff137ea1f902b8971a96d9ba3dfac4640dd0fe28
MD5 hash:
a7842d0059d8044e7603a05be32ff9f6
SHA1 hash:
86054bbf6c942b7f9866c9f0e481dc4323268d92
Link:
https://www.unpac.me/results/130dde57-e5db-49dd-a532-03aff08d7ef2/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9912ca71987c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9912ca71987c2be04d546bedff137ea1f902b8971a96d9ba3dfac4640dd0fe28

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Healer

Executable exe 9912ca71987c2be04d546bedff137ea1f902b8971a96d9ba3dfac4640dd0fe28

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3228691/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (NX_COMPAT)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments