
PUA:Win32/SystemHealer (file analysis)


PUA:Win32/SystemHealer is considered dangerous by many security experts. When this infection is active, you may notice unwanted processes in the Task Manager process list. In that case, it is advised to scan your computer with GridinSoft Anti-Malware.

GridinSoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. It lets you run a complete scan and clean your PC during the trial period.
A 6-day free trial is available.

What can the PUA:Win32/SystemHealer virus do?

  • Behavioural detection: Executable code extraction – unpacking
  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Presents an Authenticode digital signature
  • Creates RWX memory
  • Anomalous file deletion behavior detected (10+)
  • A process attempted to delay the analysis task.
  • Dynamic (imported) function loading detected
  • Performs HTTP requests potentially not found in PCAP.
  • A named pipe was used for inter-process communication
  • Enumerates running processes
  • Reads data out of its own binary image
  • A process created a hidden window
  • CAPE extracted potentially suspicious content
  • Drops a binary and executes it
  • The binary contains an unknown PE section name indicative of packing
  • Authenticode signature is invalid
  • Uses Windows utilities for basic functionality
  • Creates or sets a registry key to a long series of bytes, possibly to store a binary or malware config
  • Installs itself for autorun at Windows startup
  • Checks the CPU name from registry, possibly for anti-virtualization
  • Attempts to modify proxy settings
  • Uses suspicious command line tools or Windows utilities

How to identify PUA:Win32/SystemHealer?

File Info:

name: 099B297000EF73F771EA.mlw
path: /opt/CAPEv2/storage/binaries/e98834e649f8c87600605b76c15d6a8ef33e5ead55c5a926cf0ee0ec1219f472
crc32: 33402435
md5: 099b297000ef73f771eabc9627e12716
sha1: 5b1f4bd07094ce4d74b786d7b87ff4137d336e83
sha256: e98834e649f8c87600605b76c15d6a8ef33e5ead55c5a926cf0ee0ec1219f472
sha512: b9228ce124ebf8ffcab7ad4245b4a13867a8fc36a1f247f6b837fdd2b9ab41b2fc295bfaba1beb4c61a9dcf9e2cb6546b896615efb69fd67869c6b8f30b558f4
ssdeep: 98304:9CftFcS8WvGYqLQ7GavGqQ6KWa3POGtXB5yw7D9gj6S4c4saZ7saIDA:qSWv/jGqUN32GtXBUwv9a6XcVaZ7saIc
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T13A26330267C218F3E8215A7489F512503D33FDA417F7879B1D78EA1EA83A3C64D75A93
sha3_384: cbdab6283680f641083ea0dcc20110a60ebbb22fde316f33d59192d0388eb81357e0bd953f61095254e3f69e50de034a
ep_bytes: 558bec83c4a453565733c08945c48945
timestamp: 2016-04-06 14:39:04

Version Info:

Comments: This installation was built with Inno Setup.
CompanyName:
FileDescription:
FileVersion:
LegalCopyright:
ProductName:
ProductVersion:
Translation: 0x0000 0x04b0

PUA:Win32/SystemHealer also known as:

Bkav: W32.AIDetect.malware2
Elastic: malicious (high confidence)
MicroWorld-eScan: Gen:Variant.Bulz.310621
FireEye: Gen:Variant.Bulz.310621
ALYac: Gen:Variant.Bulz.310621
Cylance: Unsafe
Sangfor: Trojan.Win32.AGEN.1037441
K7AntiVirus: Adware ( 0052a2281 )
Alibaba: AdWare:Win32/Adposhel.aa96c7b7
K7GW: Adware ( 0052a2281 )
CrowdStrike: win/malicious_confidence_100% (D)
Cyren: W32/Adware.UFMJ-2547
Symantec: PUA.Gen.2
ESET-NOD32: multiple detections
APEX: Malicious
Paloalto: generic.ml
Kaspersky: UDS:Trojan.Multi.GenericML.xnet
BitDefender: Gen:Variant.Bulz.310621
NANO-Antivirus: Riskware.Win32.Adposhel.fgvpwg
Avast: Win32:Adware-gen [Adw]
Tencent: Trojan.Win32.BitCoinMiner.la
Ad-Aware: Gen:Variant.Bulz.310621
Sophos: Generic PUA FL (PUA)
Comodo: ApplicUnwnt@#3c8p0yxl5ghk8
DrWeb: Trojan.Adposhel.28
VIPRE: Trojan.Win32.Generic!BT
TrendMicro: TROJ_GEN.R002C0GJD21
McAfee-GW-Edition: Artemis!PUP
Emsisoft: Application.OptInstall (A)
SentinelOne: Static AI – Suspicious PE
Avira: HEUR/AGEN.1109573
MAX: malware (ai score=84)
Antiy-AVL: Trojan/Generic.ASMalwS.2886F31
Microsoft: PUA:Win32/SystemHealer
ViRobot: Adware.Adposhel.4583320.CB
GData: Gen:Variant.Bulz.310621
Cynet: Malicious (score: 99)
McAfee: Artemis!099B297000EF
VBA32: Trojan.Adposhel
Malwarebytes: Malware.AI.4229740044
TrendMicro-HouseCall: TROJ_GEN.R002C0GJD21
Rising: Trojan.Generic@ML.92 (RDML:pq0OrvOqeGe3gm5bC50Qhg)
eGambit: Unsafe.AI_Score_99%
Fortinet: Adware/Adposhel
AVG: Win32:Adware-gen [Adw]
Cybereason: malicious.000ef7
Panda: PUP/SuperPCCleaner

How to remove PUA:Win32/SystemHealer?

PUA:Win32/SystemHealer removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • Click “Move to quarantine” for all detected items.
  • Open the “Tools” tab and press “Reset Browser Settings”.
  • Select the affected browser and the desired options, then click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.
