MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ce441304f7c47187c34fdf6d601624ce345c211e21a892328cf2205df7dfb47. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ConnectWise

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	0ce441304f7c47187c34fdf6d601624ce345c211e21a892328cf2205df7dfb47
SHA3-384 hash:	23dc791ca8f1610b3cad370919560511ad424a9e9eda0ea0f4117d929b76fb6d0236ca39150ec5a3e704f088710d110a
SHA1 hash:	8b13cdcb41cf009b86196b87c51d978bee6ffa5e
MD5 hash:	8082e3fff2fe9a6fbc90b8a9676af9e3
humanhash:	william-robert-coffee-thirteen
File name:	SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.ConnectWise.gen.28592.12556
Download:	download sample
Signature	ConnectWise Create hunting rule
File size:	4'889'192 bytes
First seen:	2022-10-10 17:22:59 UTC
Last seen:	2023-09-07 08:26:29 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	96e03c6bfe932500a28aba3c63f5c7b6 (11 x ConnectWise)
ssdeep	98304:ZCzOj6+6efPtirqtOeBC4h0n9GbDrza+k9i1I:gnefPrtOih0WruoI
Threatray	6 similar samples on MalwareBazaar
TLSH	T11136F111B3D581BAD0BF0538D97A56669774BC095222CBAF93D4BD692D33BC08E32372
TrID	74.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60) 15.7% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 3.9% (.EXE) Win64 Executable (generic) (10523/12/4) 1.9% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.7% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	SecuriteInfoCom
Tags:	ConnectWise exe instance-ymp7rj-relay-screenconnect-com signed

Code Signing Certificate

Organisation:	ConnectWise, LLC
Issuer:	DigiCert SHA2 Assured ID Code Signing CA
Algorithm:	sha256WithRSAEncryption
Valid from:	2019-10-22T00:00:00Z
Valid to:	2022-10-26T12:00:00Z
Serial number:	085dfb7228e907cf98022c52c511bc66
Intelligence:	16 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	ebb706d3b57f68c2ddf5639c741b803646e9cb727f6002084b6283a849d6f75e
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

319

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/318602/

Detection(s):

SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.ConnectWise.gen.28592.12556.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Сreating synchronization primitives

Launching a process

Creating a file

Creating a window

Searching for synchronization primitives

Launching a service

Modifying a system file

Creating a file in the Windows subdirectories

Creating a file in the Program Files subdirectories

Creating a service

Creating a process from a recently created file

Searching for the window

DNS request

Moving a recently created file

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Possible injection to a system process

Enabling autorun with the shell\open\command registry branches

Enabling autorun for a service

Unauthorized injection to a recently created process

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/42326/overview

Behaviour

MalwareBazaar

MeasuringTime

CheckCmdLine

EvasionQueryPerformanceCounter

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

80%

Tags:

anti-vm greyware msiexec.exe overlay packed rundll32.exe

Link:

https://www.filescan.io/uploads/634454f71ddf36bcc3f443a6/reports/835c2326-c82e-49de-b11f-9d022aaae293/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

ConnectWise

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/bd184657-3fea-4749-8249-28dfc79b59a5

Result

Threat name:

Unknown

Detection:

clean

Classification:

n/a

Score:

4 / 100

Link:

https://www.joesandbox.com/analysis/1087087

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0ce441304f7c47187c34fdf6d601624ce345c211e21a892328cf2205df7dfb47/

Threat name:

Win32.Trojan.ConnectWise

Status:

Malicious

First seen:

2022-10-10 17:24:33 UTC

File Type:

PE (Exe)

Extracted files:

182

AV detection:

5 of 26 (19.23%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=btsecmcpprdrq7bu7x3nmalcjtrulqqr4inisiziz4ralx357ndq._file

Verdict:

malicious

ConnectWise

5f5d1f324ed8dc18d76f200a176d40ab2ae48e336f33c2f7b5d047d682f3260a

ConnectWise

6e3a1e4e946e7b6cdf277b39d134cf68cd87b5ff4335e5cc5c8447add9faed23

ConnectWise

96b00d36a0aa5ba085946ca6e6d0ba344bf03dced35c980487b0871be0c4b6d5

ConnectWise

ed4544f9e5b144199882d21bf0fd0aeed19f3277b2f1a4c0e3be785cf4397d41

ConnectWise

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://tria.ge/reports/221010-vx44dscfc2/

Behaviour

Checks SCSI registry key(s)

Checks processor information in registry

Enumerates system info in registry

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Program Files directory

Drops file in Windows directory

Enumerates connected drives

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0ce441304f7c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0ce441304f7c47187c34fdf6d601624ce345c211e21a892328cf2205df7dfb47

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_DotNET_Encrypted Create hunting rule
Author:	ditekSHen
Description:	Detects encrypted or obfuscated .NET executables

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	QbotStuff Create hunting rule
Author:	anonymous

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/318602/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample