MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16d219bf805b87558798ebff2246de247a010de7baa7fe3058daeaac1ffc3fa7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ScreenConnect

Vendor detections: 12

SHA256 hash: 16d219bf805b87558798ebff2246de247a010de7baa7fe3058daeaac1ffc3fa7
SHA3-384 hash: 500c5d12873bd89fc7a2ec049f6b33d8f3dfef5899236048dceefb3d9329ed9f52f19ad1b1d9cbb5b26159716a3d9230
SHA1 hash: c5930708bc3999e80e52d62d80ede66a4d0d07e8
MD5 hash: 70636e3162809520738cd64eb4820e15
humanhash: johnny-muppet-fanta-salami
File name: NFL-098807723577326YUI-PT12.Vbs
Signature: ScreenConnect
File size: 1'747 bytes
First seen: 2025-11-01 11:27:25 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 48:4pY9dPRWbEZ9XZeRLl/oLtWLhLNpyLgKvbQL5dZhSQ4PobZuEk6WYp19:F9nZkrTwbSSQxl19
Threatray: 530 similar samples on MalwareBazaar
TLSH: T18C31118F84E485B02A0711F7A7DA5C188BE10C039948CA565843D6BD29BD2DEDFC6E4B
Magika: vba
Reporter: smica83
Tags: screenconnect vbs

Intelligence

File Origin
# of uploads: 1
# of downloads: 60
Origin country: HU
Vendor Threat Intelligence

Verdict: Malicious
Score: 92.5%
Tags: connectwise dropper overt sage

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive expand lolbin lolbin msiexec obfuscated rundll32

Verdict: Malicious
Labeled as: HEUR_TrojanDownloader_Script_Generic

Verdict: Malicious
File Type: vbs
First seen: 2025-10-31T11:29:00Z UTC
Last seen: 2025-11-02T23:09:00Z UTC
Hits: ~100
Detections: HEUR:Trojan-Downloader.Script.Generic

Result
Threat name: ScreenConnect Tool
Detection: malicious
Classification: expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to hide user accounts
Enables network access during safeboot for specific services
Joe Sandbox ML detected suspicious sample
Modifies security policies related information
Multi AV Scanner detection for submitted file
Potential malicious VBS script found (suspicious strings)
Reads the Security eventlog
Reads the System eventlog
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Behaviour
Behavior Graph (ID 1806271; sample NFL-098807723577326YUI-PT12...; start date 01/11/2025; architecture WINDOWS; score 100). The graph image itself is not present; the process tree, contacted hosts, dropped files and per-process signatures below are recovered from its text labels.

Sample-level signatures: Multi AV Scanner detection for submitted file; .NET source code contains potential unpacker; .NET source code references suspicious native API functions; 4 other signatures
Contacted domains: server-ovh30010035-relay.screenconnect.com; instance-wipwm8-relay.screenconnect.com

Process tree (child processes indented under their parent):
- msiexec.exe
  - dropped: C:\...\ScreenConnect.ClientService.exe (PE32); C:\Windows\Installer\MSIFEFC.tmp (PE32); C:\Windows\Installer\MSIF1.tmp (PE32); 10 other files (none is malicious)
  - signatures: Enables network access during safeboot for specific services; Modifies security policies related information
  - msiexec.exe
    - rundll32.exe
      - dropped: C:\Windows\...\ScreenConnect.Windows.dll (PE32); C:\...\ScreenConnect.InstallerActions.dll (PE32); C:\Windows\...\ScreenConnect.Core.dll (PE32); 4 other files (none is malicious)
      - signature: Contains functionality to hide user accounts
  - msiexec.exe
- ScreenConnect.ClientService.exe
  - network: server-ovh30010035-relay.screenconnect.com (15.204.131.78, ports 443, 49722; HP-INTERNET-ASUS, United States)
  - signatures: Reads the Security eventlog; Reads the System eventlog
  - ScreenConnect.WindowsClient.exe
    - signature: Contains functionality to hide user accounts
  - ScreenConnect.WindowsClient.exe
- wscript.exe
  - signatures: VBScript performs obfuscated calls to suspicious functions; Windows Scripting host queries suspicious COM object (likely to drop second stage); Suspicious execution chain found
  - cmd.exe
    - curl.exe
      - network: 149.28.37.109 (ports 49712, 80; AS-CHOOPAUS, United States)
    - conhost.exe
  - msiexec.exe
- 6 other processes
  - network: 127.0.0.1 (unknown)
  - signature: Changes security center settings (notifications, updates, antivirus, firewall)
  - MpCmdRun.exe
    - conhost.exe

Verdict: Malware
YARA: 1 match(es)
Tags: VBScript

Threat name: Win32.Trojan.Egairtigado
Status: Malicious
First seen: 2025-10-31 18:47:51 UTC
File Type: Text (VBS)
AV detection: 6 of 24 (25.00%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: backdoor discovery persistence privilege_escalation rat
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Boot or Logon Autostart Execution: Authentication Package
Drops file in System32 directory
Badlisted process makes network request
Enumerates connected drives
Checks computer location settings
ConnectWise ScreenConnect remote access tool
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
Sets service image path in registry
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments