Overview

overview

10

Static

static

3

d2ec308c83...12.exe

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d2ec308c83a3256727c6045efb99ea27a19ee06d2966083a0bf99b3300106712.zip

  • Size

    1.6MB

  • Sample

    250129-rvdlwa1kgt

  • MD5

    6e3d303d7e5304c5284fee32542fcf58

  • SHA1

    49ebe277f1a1a80810c163fd87c34a51e2c5524c

  • SHA256

    0a043f9c6870e66e32f9172f543d24a55b1d26ce062824ac2c3f852decadb80a

  • SHA512

    ff9f7ff8a5228d79ea424bc6b384edc09e17b49abf65b0650c1c55f4bd39016587072a01c5157705d84890d263a32248308e8b8eec88f4ce52855dfe73c83b85

  • SSDEEP

    49152:avSovbNI3xYintZOsb5gbG9DF+0AAprjIhG:aqovOKindlgC9D80aG

Score
10/10
healerdefense_evasiondiscoverydropperevasiontrojan

Malware Config

Targets

    • Target

      d2ec308c83a3256727c6045efb99ea27a19ee06d2966083a0bf99b3300106712.exe

    • Size

      2.7MB

    • MD5

      db47ecf2f847ff342c418327eef7186c

    • SHA1

      57196f1d6eeb3ca5ae6bf8b537ff62784a5c113f

    • SHA256

      d2ec308c83a3256727c6045efb99ea27a19ee06d2966083a0bf99b3300106712

    • SHA512

      34ffb69e6d6e4d24d96b20af0b2ecbe818a52594f468bccb15979c5ba3ee85f98895add607ad375bdd15231de71d82478b6a09b03ca9c45383a7d1c6ee24468f

    • SSDEEP

      49152:3dK5/5dc7MIAyxy2QjGhzwcJdAud+EscXQzA:3dK5Rdc7MIDvFbdnd+Es2QzA

    Score
    10/10
    healerdefense_evasiondiscoverydropperevasiontrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Healer family

      healer

    • Modifies Windows Defender DisableAntiSpyware settings

      evasiontrojan

    • Modifies Windows Defender Real-time Protection settings

      defense_evasiontrojan

    • Modifies Windows Defender TamperProtection settings

      evasiontrojan

    • Modifies Windows Defender notification settings

      defense_evasiontrojan

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      defense_evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      defense_evasion

    • Windows security modification

      defense_evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks