MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 12717a6aac4c9c631d45ef45d6407c1bd8239917110f7d9713ea8060daff09b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ConnectWise


Vendor detections: 11



SHA256 hash: 12717a6aac4c9c631d45ef45d6407c1bd8239917110f7d9713ea8060daff09b1
SHA3-384 hash: bc7be13d8f8d7399083fea212a988afab6456d9e1269bb62b797331cc8ce568a8b48726b8217a3444ba701d0aa1439a0
SHA1 hash: cde957a5abfac8d44d36f99709260bbc4fc8c31e
MD5 hash: 81924079dbf87e3ee2a3b956266435ef
humanhash: juliet-alaska-maine-mars
File name: 81924079dbf87e3ee2a3b956266435ef
Signature: ConnectWise
File size: 5'387'016 bytes
First seen: 2023-09-07 08:25:33 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9771ee6344923fa220489ab01239bdfd (244 x ConnectWise)
ssdeep: 98304:W0sHN6+6efPDD+wRsNJQpC0FodYds1vGuLAvy5LvGUd+:W07efPDD3ONeCeon1Zsq5ju
Threatray: 15 similar samples on MalwareBazaar
TLSH: T11846F112F3E585B5E0BF0A38D87A46669774BC084622C76F5394BD696D33BC08E26373
TrID: 74.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
      15.7% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
      3.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      1.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
      1.7% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: JAMESWT_WT
Tags: ConnectWise exe signed

Code Signing Certificate

Organisation: Connectwise, LLC
Issuer: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm: sha256WithRSAEncryption
Valid from: 2022-08-17T00:00:00Z
Valid to: 2025-08-15T23:59:59Z
Serial number: 0b9360051bccf66642998998d5ba97ce
Intelligence: 444 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint algorithm: SHA256
Thumbprint: 82b4e7924d5bed84fb16ddf8391936eb301479cec707dc14e23bc22b8cdeae28
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 260
Origin country: IT
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 81924079dbf87e3ee2a3b956266435ef
Verdict: Malicious activity
Analysis date: 2023-09-07 08:26:05 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating synchronization primitives
Launching a process
Creating a file
Creating a window
Searching for synchronization primitives
Loading a suspicious library
Launching a service
Modifying a system file
Creating a file in the Windows subdirectories
Creating a file in the Program Files subdirectories
Creating a service
Creating a process from a recently created file
DNS request
Possible injection to a system process
Enabling autorun with the shell\open\command registry branches
Enabling autorun for a service
Unauthorized injection to a recently created process
Gathering data
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm greyware lolbin msiexec net obfuscated overlay packed rundll32
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: ConnectWise
Verdict: Suspicious
Result
Threat name: ScreenConnect Tool
Detection: suspicious
Classification: evad
Score: 32 / 100
Signature
.NET source code references suspicious native API functions
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to hide user accounts
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Behaviour
Behavior Graph
ID: 1305060
Sample: TdZZn3j7ut.exe
Start date: 07/09/2023
Architecture: WINDOWS
Score: 32
Signatures on the sample: Multi AV Scanner detection for submitted file; .NET source code references suspicious native API functions; Contains functionality to hide user accounts
Process tree (with DNS requests, dropped files and signatures per process):
  ScreenConnect.ClientService.exe
    DNS request: instance-m73xwc-relay.screenconnect.com
    Signature: Contains functionality to hide user accounts
    ScreenConnect.WindowsClient.exe
      Signature: Contains functionality to hide user accounts
  svchost.exe
    Signature: Changes security center settings (notifications, updates, antivirus, firewall)
    MpCmdRun.exe
      conhost.exe
  svchost.exe
    Signature: Query firmware table information (likely to detect VMs)
  8 other processes
    Dropped: C:\Windows\Installer\MSI802B.tmp (PE32)
    Dropped: C:\Windows\Installer\MSI7C22.tmp (PE32)
    Dropped: ScreenConnect.Wind...dentialProvider.dll (PE32+)
    Dropped: 7 other files (none is malicious)
    msiexec.exe
      rundll32.exe
        Dropped: C:\Users\user\...\ScreenConnect.Windows.dll (PE32)
        Dropped: C:\...\ScreenConnect.InstallerActions.dll (PE32)
        Dropped: C:\Users\user\...\ScreenConnect.Core.dll (PE32)
        Dropped: Microsoft.Deployme...indowsInstaller.dll (PE32)
    msiexec.exe
      Dropped: C:\Users\user\AppData\Local\...\MSI6B38.tmp (PE32)
    msiexec.exe
    msiexec.exe
Result
Malware family: n/a
Score: 8/10
Tags: persistence
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Registers COM server for autorun
Sets service image path in registry
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: INDICATOR_EXE_DotNET_Encrypted
Author: ditekSHen
Description: Detects encrypted or obfuscated .NET executables
Rule name: INDICATOR_RMM_ConnectWise_ScreenConnect
Author: ditekSHen
Description: Detects ConnectWise Control (formerly ScreenConnect). Review RMM Inventory
Rule name: INDICATOR_RMM_ConnectWise_ScreenConnect_CERT
Author: ditekSHen
Description: Detects ConnectWise Control (formerly ScreenConnect) by (default) certificate. Review RMM Inventory
Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: maldoc_OLE_file_magic_number
Author: Didier Stevens (https://DidierStevens.com)
Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits
Rule name: QbotStuff
Author: anonymous

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Comments