MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02559d7b5aa2ea2e2a333d7abdf553d079cfd5e32fef9f1e6bcc23d2aabb53cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ConnectWise

Vendor detections: 8

Intelligence 8 IOCs YARA 7 File information Comments

SHA256 hash:	02559d7b5aa2ea2e2a333d7abdf553d079cfd5e32fef9f1e6bcc23d2aabb53cc
SHA3-384 hash:	86ea85f89449758b17c13376478d31e39329b9e82d410039059ef5ddce4aef5fc84f18d0db9eddf6344b14f297277b00
SHA1 hash:	17f82717a19bd3152b07bdeca3fd4bdb351a62ef
MD5 hash:	d623707a62b629e0bbb4a8c6fa5c453a
humanhash:	mississippi-muppet-september-table
File name:	win10.msi
Download:	download sample
Signature	ConnectWise Create hunting rule
File size:	11'628'544 bytes
First seen:	2025-07-07 07:54:59 UTC
Last seen:	Never
File type:	msi
MIME type:	application/x-msi
ssdeep	196608:5Wh0cGwxWh0cG1Wh0cG0Wh0cG8Wh0cGLWh0cG:5WacHWacMWacLWactWac8Wac
Threatray	791 similar samples on MalwareBazaar
TLSH	T1DBC6232523FD401AF8F75A79ED3682F45972BE68CF22C11E9328B90D2974D4096727B3
TrID	80.0% (.MSI) Microsoft Windows Installer (454500/1/170) 10.7% (.MST) Windows SDK Setup Transform script (61000/1/5) 7.8% (.MSP) Windows Installer Patch (44509/10/5) 1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika	msi
Reporter	JAMESWT_WT
Tags:	ConnectWise msi www-machelp-cloud

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/12619/

Verdict:

Malicious

Score:

94.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=686b7d85c9eb974737674fd3

Tags:

connectwise shellcode virus spawn

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/02559d7b5aa2ea2e2a333d7abdf553d079cfd5e32fef9f1e6bcc23d2aabb53cc

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/02559d7b5aa2ea2e2a333d7abdf553d079cfd5e32fef9f1e6bcc23d2aabb53cc/

Verdict:

Malicious

Link:

https://tip.neiki.dev/file/02559d7b5aa2ea2e2a333d7abdf553d079cfd5e32fef9f1e6bcc23d2aabb53cc

Threat name:

ByteCode-MSIL.Trojan.Generic

Status:

Suspicious

First seen:

2025-06-22 05:07:56 UTC

AV detection:

4 of 24 (16.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ajkz2622ulvc4krthv5l35kt2b447vpdf7xz6htlzqr5fkv3kpga._file

Verdict:

suspicious

Label(s):

admintool_screenconnect

ConnectWise

64adb568ceb1d4abb36113bde0ca9bffa423be366262f8a4ec75b1e23aef50ad

ConnectWise

6d9442ae6ba5a9f34a47e234b6047f61d8ac129e269199793ebb0bed1ad7e3ba

ConnectWise

830820219b3fd28b80ed8c6ba530cef5c28531105cee910e24f20519fc36f881

ConnectWise

9a5fc377ed727b660737357865c7694f60c7735cfcf1652f0a6dfd0121781c38

ConnectWise

a0c8f8770fffd941b3e123023432e275aea210a7ab71a6bce5be890861f054c2

ConnectWise

error

ConnectWise

f93d6ef0b54b5e882d1420339c3083315cc2104ea73c95fea0dca9594913e282

ConnectWise

+ 781 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

discovery persistence privilege_escalation ransomware

Link:

https://tria.ge/reports/250707-jser6aar2z/

Behaviour

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Event Triggered Execution: Installer Packages

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Drops file in Windows directory

Executes dropped EXE

Loads dropped DLL

Boot or Logon Autostart Execution: Authentication Package

Drops file in System32 directory

Event Triggered Execution: Component Object Model Hijacking

Enumerates connected drives

Sets service image path in registry

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/3df010a0-e025-46a7-b62b-7b1bca55c52d

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/02559d7b5aa2ea2e2a333d7abdf553d079cfd5e32fef9f1e6bcc23d2aabb53cc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	INDICATOR_RMM_ConnectWise_ScreenConnect Create hunting rule
Author:	ditekSHen
Description:	Detects ConnectWise Control (formerly ScreenConnect). Review RMM Inventory

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)