MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b371acf222005ea1b34043a9564b71639c6931bb8715895eeadf55d93f5f139. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ConnectWise


Vendor detections: 10


Intelligence 10 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1b371acf222005ea1b34043a9564b71639c6931bb8715895eeadf55d93f5f139
SHA3-384 hash: a0e8214f07632a03a43effb02da4e785f3923081be2df8b8c6789b92fbef37c64af6c9472d7778452b1118da2e14fdcd
SHA1 hash: dedf2318543b53c26563634d04f9e22e9efcf849
MD5 hash: ed103156b3c59b8fdb8835669621df16
humanhash: berlin-failed-kitten-finch
File name:Adobe.exe
Download: download sample
Signature ConnectWise
Create hunting rule
File size:4'443'552 bytes
First seen:2023-10-20 01:58:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 608505ff1e7e27ff4a42ea9c4e9f4192 (5 x LummaStealer, 3 x NetSupport, 2 x ConnectWise)
ssdeep 49152:QQyV3YBybPP3NSqBfTna5ouw4yAhYVvdEnfZeosfJ5OV/Sm/+fCYyWj1aZeKv1x+:IhxzP3MqBfTluw4yctnfZeosyVtga
Threatray 39 similar samples on MalwareBazaar
TLSH T11A267C31724AC53BD96211B0192C9A9F512DBE390FB255CBB3CC2E6E1BB54C21736E27
TrID 88.3% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
4.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
0.9% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 4db292f2d88cb40b (15 x RemcosRAT, 13 x AgentTesla, 7 x NanoCore)
Reporter JAMESWT_WT
Tags:ConnectWise exe instance-a3g6br-relay-screenconnect-com screenconnect signed studioaziende-click

Code Signing Certificate

Organisation:CodeSigningCert
Issuer:CodeSigningCert
Algorithm:sha256WithRSAEncryption
Valid from:2023-02-28T11:15:47Z
Valid to:2025-02-28T11:25:47Z
Serial number: 12e79e88324ccea94e0358ccb4a75075
Intelligence: 14 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 0c21b06b3ede50f24284ddb567b4370193279f3e59a9a1bb602d9a9c230b4d28
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
334
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Adobe.exe
Verdict:
Malicious activity
Analysis date:
2023-10-20 02:00:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b2e9696b-416a-4c17-83cc-08dc829e3700

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.FileRepMalware.27235.24464.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Searching for the window
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Sending an HTTP GET request
Creating a file in the %temp% directory
Launching a process
Sending a custom TCP request
Modifying a system file
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
DNS request
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control fingerprint greyware lolbin msiexec overlay packed setupapi shell32
Link:
https://www.filescan.io/uploads/6531dee6cd0633254b858b3a/reports/c2add507-6471-48f0-807a-3b66ed633036/overview
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/1b371acf222005ea1b34043a9564b71639c6931bb8715895eeadf55d93f5f139
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dd1a7194-78dc-467f-a6c6-b9051bdca053
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1329078
Signature
Antivirus detection for URL or domain
Drops executables to the windows directory (C:\Windows) and starts them
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1329078 Sample: Adobe.exe Startdate: 20/10/2023 Architecture: WINDOWS Score: 88 51 studioaziende.click 2->51 57 Multi AV Scanner detection for domain / URL 2->57 59 Antivirus detection for URL or domain 2->59 61 Multi AV Scanner detection for submitted file 2->61 63 Yara detected Powershell download and execute 2->63 9 wscript.exe 1 2->9         started        12 msiexec.exe 90 49 2->12         started        15 Adobe.exe 42 2->15         started        signatures3 process4 file5 65 Suspicious powershell command line found 9->65 67 Wscript starts Powershell (via cmd or directly) 9->67 69 Windows Scripting host queries suspicious COM object (likely to drop second stage) 9->69 17 powershell.exe 8 7 9->17         started        35 C:\Windows\Installer\MSI726A.tmp, PE32 12->35 dropped 37 C:\Users\user\AppData\...\Fattura24.vbs, ASCII 12->37 dropped 39 C:\Windows\Installer\MSI6FF7.tmp, PE32 12->39 dropped 47 5 other files (none is malicious) 12->47 dropped 71 Drops executables to the windows directory (C:\Windows) and starts them 12->71 20 MSI726A.tmp 12->20         started        22 msiexec.exe 12->22         started        24 msiexec.exe 12->24         started        41 C:\Users\user\AppData\...\Fattura24.vbs, ASCII 15->41 dropped 43 C:\Users\user\AppData\Local\...\shi69F7.tmp, PE32+ 15->43 dropped 45 C:\Users\user\AppData\Local\...\MSI6BA0.tmp, PE32 15->45 dropped 49 2 other files (none is malicious) 15->49 dropped 26 msiexec.exe 2 15->26         started        signatures6 process7 signatures8 55 Suspicious powershell command line found 17->55 28 powershell.exe 14 26 17->28         started        31 conhost.exe 17->31         started        process9 dnsIp10 53 studioaziende.click 172.67.207.81, 443, 49746, 49747 CLOUDFLARENETUS United States 28->53 33 powershell.exe 28->33         started        process11
Score:
52%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/1b371acf222005ea1b34043a9564b71639c6931bb8715895eeadf55d93f5f139
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1b371acf222005ea1b34043a9564b71639c6931bb8715895eeadf55d93f5f139/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-10-10 17:43:54 UTC
File Type:
PE (Exe)
Extracted files:
95
AV detection:
10 of 24 (41.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dm3rvtzceac6ugzuaq5jkzfxcy44ney3xbyvrfpovx2v3e7v6e4q._file
Verdict:
unknown
Similar samples:
32579835a3ab3be52dc80ea4a37701c4294ddfb121f84d4ace8bcf3299c1d29c
ConnectWise
510b19e6574cac935d07ee0daaeec1dcef77f75008ff5271ce1b29a0ba723407
ConnectWise
5642fc3dcf35643a38101d36678e09e9f706df94cafe2dafdf44a7e2965bd296
ConnectWise
633124ed8d7af6dd22722ee43abfe9b0ad97798a1d48b951abdc1ad88e83c702
ConnectWise
734871091f713f83cb86b81489ffa8b8820cce9a613b6fba7e5057accabf7753
ConnectWise
76e4962b8ccd2e6fd6972d9c3264ccb6738ddb16066588dfcb223222aaa88f3c
ConnectWise
b408b7181ab5d530e5da80967be73f858ed93a2cfd172131bcea8f073164a5a0
ConnectWise
bd9523a1ca548fb43c47de22febb8739f34afcba2843d6577a18759110deecbd
ConnectWise
c9094685ae4851fd5a5b886b73c7b07efd9b47ea0bdae3f823d035cf1b3b9e48
ConnectWise
e041b3eaaed1c0ad37e7f91717ee5b0e12e922b67bbe1e69a4c68c80baf22b4f
ConnectWise
+ 29 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/231020-ced55seh47/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Blocklisted process makes network request
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
1b371acf222005ea1b34043a9564b71639c6931bb8715895eeadf55d93f5f139
MD5 hash:
ed103156b3c59b8fdb8835669621df16
SHA1 hash:
dedf2318543b53c26563634d04f9e22e9efcf849
Link:
https://www.unpac.me/results/009f5418-caaa-47b1-8150-012ed1ace189/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_Sandworm_ArguePatch_Apr_2022_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect ArguePatch loader used by Sandworm group for load CaddyWiper
Reference:https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments