MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 00489ef4d50d368d4b8b99ee58a635ffd9cf23ba777f8db5c958e685decc3e94. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ConnectWise


Vendor detections: 11


Intelligence 11 IOCs YARA 33 File information Comments

SHA256 hash: 00489ef4d50d368d4b8b99ee58a635ffd9cf23ba777f8db5c958e685decc3e94
SHA3-384 hash: 4b2cd2755dcd113cc24fa1b16659b7b086265da3ff4ed62b1ac3177867a8690d85d350a01e8e2cd69a3840260f1cfff4
SHA1 hash: c0f34b1ea22bb2f3254e512ae7ec6f22f95a15c8
MD5 hash: 601f1f51cc30f7cfe429dd58cabc3552
humanhash: failed-march-salami-florida
File name:00489ef4d50d368d4b8b99ee58a635ffd9cf23ba777f8db5c958e685decc3e94
Download: download sample
Signature ConnectWise
File size:76'210'808 bytes
First seen:2026-06-12 11:09:43 UTC
Last seen:2026-06-12 11:10:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4c2a7f6992efe6b526115bc1b752d764 (17 x ConnectWise)
ssdeep 1572864:CDuwPeE7jRgZ8shpCNc4xkHt4vrGm9X13588cns06b1O4Lt:CywPemFgZ8s9FSvr1P358Q06b1OO
TLSH T1A2F72330B64ACD36CD9601B08D3DEBAE602DBA75076590C7B2D83E2D19B15D32736E63
TrID 38.2% (.EXE) Win64 Executable (generic) (6522/11/2)
26.4% (.EXE) Win32 Executable (generic) (4504/4/1)
11.8% (.EXE) OS/2 Executable (generic) (2029/13)
11.7% (.EXE) Generic Win/DOS Executable (2002/3)
11.7% (.EXE) DOS Executable (generic) (2000/1)
Magika pebin
dhash icon d0f0c0cccccce42c (3 x ConnectWise)
Reporter JAMESWT_WT
Tags:ConnectWise exe signed

Code Signing Certificate

Organisation:Paula Foster
Issuer:Microsoft ID Verified CS AOC CA 03
Algorithm:sha384WithRSAEncryption
Valid from:2026-06-03T11:55:19Z
Valid to:2026-06-06T11:55:19Z
Serial number: 330001a5a3233b73269302aecf00000001a5a3
Intelligence: 4 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Graveyard Blocklist:This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:SHA256
Thumbprint: 365793f6d5d111009f520fb0ef87d721868a21e3f02c449d4e9a9530649bcf3f
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads :
2
# of downloads :
142
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
exe
Verdict:
No threats detected
Analysis date:
2026-06-12 11:12:17 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
97.4%
Tags:
connectwise shellcode dropper remo
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file
Deleting a recently created file
Launching a process
Creating a process with a hidden window
Creating a process from a recently created file
Сreating synchronization primitives
Creating a window
Creating a file in the Windows subdirectories
DNS request
Searching for synchronization primitives
Moving a recently created file
Modifying a system file
Loading a suspicious library
Creating a file in the Program Files subdirectories
Creating a service
Launching a service
Moving a system file
Deleting a system file
Replacing system executable files
Possible injection to a system process
Setting a single autorun event
Enabling autorun with the shell\open\command registry branches
Enabling autorun
Enabling autorun for a service
Unauthorized injection to a recently created process
Infecting executable files
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug bash crypto dotnet evasive expand expired-cert fingerprint installer-heuristic lolbin lolbin microsoft_visual_cc msiexec overlay packed packed reconnaissance revoked-cert rundll32 runonce short-lived-cert signed
Verdict:
Adware
File Type:
exe x32
First seen:
2026-06-12T08:52:00Z UTC
Last seen:
2026-06-14T01:00:00Z UTC
Hits:
~10
Detections:
not-a-virus:HEUR:RemoteAdmin.Win32.ConnectWise.gen not-a-virus:HEUR:RemoteAdmin.MSIL.ConnectWise.gen
Gathering data
Threat name:
Win32.Trojan.Malgent
Status:
Malicious
First seen:
2026-06-05 21:17:41 UTC
File Type:
PE (Exe)
Extracted files:
1957
AV detection:
16 of 38 (42.11%)
Threat level:
  5/5
Verdict:
suspicious
Label(s):
admintool_screenconnect
Similar samples:
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery persistence privilege_escalation ransomware revoked_codesign
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Boot or Logon Autostart Execution: Authentication Package
Drops file in System32 directory
Badlisted process makes network request
Checks installed software on the system
Enumerates connected drives
Checks computer location settings
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
Sets service image path in registry
Signed with revoked ConnectWise certificate
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:DebuggerCheck__QueryInfo
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:FreddyBearDropper
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_RMM_ConnectWise_ScreenConnect
Author:ditekSHen
Description:Detects ConnectWise Control (formerly ScreenConnect). Review RMM Inventory
Rule name:Jupyter_infostealer
Author:CD_R0M_
Description:Rule for Jupyter Infostealer/Solarmarker malware from september 2021-December 2022
Rule name:Lumma_Stealer_Detection
Author:ashizZz
Description:Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/
Rule name:MAL_Trigon_Dropper
Author:jaszzz
Description:Trigon multi-stage malicious dropper - process injection, keylogging, screenshot capture
Reference:URL|trigon
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Rule name:PE_Digital_Certificate
Author:albertzsigovits
Rule name:pe_no_import_table
Description:Detect pe file that no import table
Rule name:RANSOMWARE
Author:ToroGuitar
Rule name:reverse_http
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)
Rule name:RIPEMD160_Constants
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:Rooter
Author:Seth Hardy
Description:Rooter
Rule name:RooterStrings
Author:Seth Hardy
Description:Rooter Identifying Strings
Rule name:SEH__vectored
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Author:vietdx.mb
Rule name:test_Malaysia
Author:rectifyq
Description:Detects file containing malaysia string
Rule name:ThreadControl__Context
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/
Rule name:VECT_Ransomware
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.
Rule name:win_evilconwi_w0
Author:Karsten Hahn @ G DATA CyberDefense
Description:Settings from app.config that hide the connection of the client. These settings are potentially unwanted

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments