healer | d2ec308c83a3256727c6045efb99ea27a19ee06d2966083a0bf99b3300106712 | Triage

Submit
Reports

Overview

overview

Static

static

3

random.exe

windows7-x64

random.exe

windows10-2004-x64

Sharing

General

Target

random.exe
Size

2.7MB
Sample

250129-rnz7aszrhz
MD5

db47ecf2f847ff342c418327eef7186c
SHA1

57196f1d6eeb3ca5ae6bf8b537ff62784a5c113f
SHA256

d2ec308c83a3256727c6045efb99ea27a19ee06d2966083a0bf99b3300106712
SHA512

34ffb69e6d6e4d24d96b20af0b2ecbe818a52594f468bccb15979c5ba3ee85f98895add607ad375bdd15231de71d82478b6a09b03ca9c45383a7d1c6ee24468f
SSDEEP

49152:3dK5/5dc7MIAyxy2QjGhzwcJdAud+EscXQzA:3dK5Rdc7MIDvFbdnd+Es2QzA

Score

10^/10

healer defense_evasion discovery dropper evasion trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

random.exe

Resource

win7-20240903-en

healer defense_evasion discovery dropper evasion trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

random.exe

Resource

win10v2004-20241007-en

healer defense_evasion discovery dropper evasion trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Targets

- Target
  
  random.exe
- Size
  
  2.7MB
- MD5
  
  db47ecf2f847ff342c418327eef7186c
- SHA1
  
  57196f1d6eeb3ca5ae6bf8b537ff62784a5c113f
- SHA256
  
  d2ec308c83a3256727c6045efb99ea27a19ee06d2966083a0bf99b3300106712
- SHA512
  
  34ffb69e6d6e4d24d96b20af0b2ecbe818a52594f468bccb15979c5ba3ee85f98895add607ad375bdd15231de71d82478b6a09b03ca9c45383a7d1c6ee24468f
- SSDEEP
  
  49152:3dK5/5dc7MIAyxy2QjGhzwcJdAud+EscXQzA:3dK5Rdc7MIDvFbdnd+Es2QzA
Score

10^/10

healer defense_evasion discovery dropper evasion trojan
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Healer family
  healer
- Modifies Windows Defender DisableAntiSpyware settings
  evasion trojan
- Modifies Windows Defender Real-time Protection settings
  defense_evasion trojan
- Modifies Windows Defender TamperProtection settings
  evasion trojan
- Modifies Windows Defender notification settings
  defense_evasion trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  defense_evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  defense_evasion
- Windows security modification
  defense_evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

healerdefense_evasiondiscoverydropperevasiontrojan

behavioral2

healerdefense_evasiondiscoverydropperevasiontrojan

© 2018-2025

Terms | Privacy