MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d24c3d7ceaa81767cef0649a8800bff1e3a905812447ab6b15248c761414b42. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ConnectWise


Vendor detections: 11


Intelligence 11 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1d24c3d7ceaa81767cef0649a8800bff1e3a905812447ab6b15248c761414b42
SHA3-384 hash: 2ed8a1908451174ec53ab4936f419626c227e7a74feb284f5c3d56477bdfe3d4307f3f80629baace5a2a15373230be73
SHA1 hash: 7ea82a1f60a53c9e30d4d5b74e9553608438ed9d
MD5 hash: 8364ed9f0d16bb8496aef92b2c5e88de
humanhash: sad-ack-lamp-finch
File name:8364ed9f0d16bb8496aef92b2c5e88de
Download: download sample
Signature ConnectWise
Create hunting rule
File size:5'298'440 bytes
First seen:2023-09-07 08:26:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9771ee6344923fa220489ab01239bdfd (245 x ConnectWise)
ssdeep 98304:wxwxd/6+6efPCqe9kNDqnS2wdYdstG1f2yrOnTJk3:wxCyefPCq18nlwnzyrOnNE
Threatray 20 similar samples on MalwareBazaar
TLSH T1E436F111B3D581B6D4BF0638D87952669770BC088326D7AF9794BE697D33B808E22373
TrID 74.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
15.7% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
3.9% (.EXE) Win64 Executable (generic) (10523/12/4)
1.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.7% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter JAMESWT_WT
Tags:ConnectWise exe signed

Code Signing Certificate

Organisation:Connectwise, LLC
Issuer:DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm:sha256WithRSAEncryption
Valid from:2022-08-17T00:00:00Z
Valid to:2025-08-15T23:59:59Z
Serial number: 0b9360051bccf66642998998d5ba97ce
Intelligence: 444 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 82b4e7924d5bed84fb16ddf8391936eb301479cec707dc14e23bc22b8cdeae28
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
263
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8364ed9f0d16bb8496aef92b2c5e88de
Verdict:
Malicious activity
Analysis date:
2023-09-07 08:40:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/596af7c7-7030-42ae-ba6d-efc1314040b6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/446920/
Detection(s):
Sanesecurity.Malware.29065.SC.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Сreating synchronization primitives
Launching a process
Creating a file
Creating a window
Searching for synchronization primitives
Loading a suspicious library
Launching a service
Modifying a system file
Creating a file in the Windows subdirectories
Sending a custom TCP request
Creating a file in the Program Files subdirectories
Creating a service
Creating a process from a recently created file
DNS request
Possible injection to a system process
Enabling autorun with the shell\open\command registry branches
Enabling autorun for a service
Unauthorized injection to a recently created process
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm greyware lolbin msiexec net obfuscated overlay packed remoteadmin rundll32 virus
Link:
https://www.filescan.io/uploads/64f98957560864d1b677040a/reports/7578f3e0-150e-4486-a8ea-5b04e014f894/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/1d24c3d7ceaa81767cef0649a8800bff1e3a905812447ab6b15248c761414b42
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
ConnectWise
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/bd1b7ffb-c8d7-4282-a4b7-511d9f604f14
Result
Threat name:
ScreenConnect Tool
Create hunting rule
Detection:
malicious
Classification:
evad
Score:
45 / 100
Link:
https://www.joesandbox.com/analysis/1305068
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Contains functionality to hide user accounts
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1305068 Sample: IgH1KQTrbH.exe Startdate: 07/09/2023 Architecture: WINDOWS Score: 45 54 Multi AV Scanner detection for submitted file 2->54 56 .NET source code contains potential unpacker 2->56 58 .NET source code references suspicious native API functions 2->58 60 Contains functionality to hide user accounts 2->60 7 ScreenConnect.ClientService.exe 17 2 2->7         started        10 msiexec.exe 92 45 2->10         started        13 IgH1KQTrbH.exe 3 2->13         started        15 svchost.exe 2->15         started        process3 dnsIp4 50 instance-bj6uhc-relay.screenconnect.com 7->50 17 ScreenConnect.WindowsClient.exe 2 7->17         started        32 C:\Windows\Installer\MSI8571.tmp, PE32 10->32 dropped 34 C:\Windows\Installer\MSI8232.tmp, PE32 10->34 dropped 36 ScreenConnect.Wind...dentialProvider.dll, PE32+ 10->36 dropped 38 7 other files (none is malicious) 10->38 dropped 20 msiexec.exe 10->20         started        22 msiexec.exe 1 10->22         started        24 msiexec.exe 10->24         started        26 msiexec.exe 6 13->26         started        file5 process6 file7 52 Contains functionality to hide user accounts 17->52 29 rundll32.exe 8 20->29         started        40 C:\Users\user\AppData\Local\...\MSI787D.tmp, PE32 26->40 dropped signatures8 process9 file10 42 C:\Users\user\...\ScreenConnect.Windows.dll, PE32 29->42 dropped 44 C:\...\ScreenConnect.InstallerActions.dll, PE32 29->44 dropped 46 C:\Users\user\...\ScreenConnect.Core.dll, PE32 29->46 dropped 48 Microsoft.Deployme...indowsInstaller.dll, PE32 29->48 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1d24c3d7ceaa81767cef0649a8800bff1e3a905812447ab6b15248c761414b42/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-04-10 22:57:10 UTC
File Type:
PE (Exe)
Extracted files:
180
AV detection:
10 of 38 (26.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dusmhv6ovkaxm7hpaze2raal74pdvecycjchvnvrkjemoykbjnba._file
Verdict:
malicious
Similar samples:
0ce441304f7c47187c34fdf6d601624ce345c211e21a892328cf2205df7dfb47
ConnectWise
24cb773fd21e8ff6126882b218a5a178f41db0f4fdb290ca4b6b4afbfdb4e3a4
ConnectWise
3a802cefc9627709ac68e229bda3595e657bdf926dde585fd9f606b71d232254
ConnectWise
3daa4dab145c54df4959ad5ef311c6387a3cd7984fc41e167535d4ebcf831827
ConnectWise
60dbc8e2cb2389609132466a2125b832b478e2793db3b68a33ab0c3018f4b47b
ConnectWise
994fd4e2ae80afedfa17ef2789eab8da068d8b5217bbf4d75ba6fea85d55d3fe
ConnectWise
a619326275abbcb797c469378a1a3f11f67e3f0ba01570c8358c395dff5dd967
ConnectWise
af5a12a388a7bf416d11b3123251e422f5fd94501e893d11e4fa91de3cb13220
ConnectWise
ec67af31e0d4ca7f7b449a52468f8b206f5ac0703f5d745499b4e863c4816607
ConnectWise
fa5b511ef1b55546770402f47dcc78b31461b71e4aac7dafe8ef02de732f6ac0
ConnectWise
+ 10 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/230907-kceynaff83/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Registers COM server for autorun
Sets service image path in registry
Unpacked files
SH256 hash:
f758771452d36c7d706dc8c4f2f406603d5293748b693400e682a2c1f97cdf46
MD5 hash:
93414709110ced5dd5607fd8c7c511e4
SHA1 hash:
f7ea60b3bd221afc907c718faafc7a8dfac21fcb
Link:
https://www.unpac.me/results/b2371a7f-5bf1-4fae-8211-30ecd804d96a/
SH256 hash:
1698d7431ab4e0458e8ac84e0851ec813f290e929319dd825257cbbe8f4dade4
MD5 hash:
18c27c1e8686615e17baf01786ba143e
SHA1 hash:
e3ed60202db0c9beb9a8bd821144f729cdde55b0
Link:
https://www.unpac.me/results/b2371a7f-5bf1-4fae-8211-30ecd804d96a/
Parent samples :
184c629038e05bac72eb206a355d203612ddd7d4fbfff49f5248463bdaa6672c
3a4ad89dd6951b958a09bb11ead2987b6ec2c56a097cce45fc3140a53699e7ec
a0646464157221267c2eab4e381231ce7e057212bec844e7bc860cd289c73e16
ee3f44b845311eaf6fcc13ebcadf20db6501d19c23b775a81547bf73c61c4e83
SH256 hash:
022ffc5289123852fd3a43ec6a648c16f9ee1c77a0f01f18d6d292e20f865264
MD5 hash:
e2f28dfc8ad7b8c835c4cb7e91895610
SHA1 hash:
9f5038ab97076ba5d6a1010e2799084f8d8d4e7d
Link:
https://www.unpac.me/results/b2371a7f-5bf1-4fae-8211-30ecd804d96a/
Parent samples :
184c629038e05bac72eb206a355d203612ddd7d4fbfff49f5248463bdaa6672c
3a4ad89dd6951b958a09bb11ead2987b6ec2c56a097cce45fc3140a53699e7ec
a0646464157221267c2eab4e381231ce7e057212bec844e7bc860cd289c73e16
ee3f44b845311eaf6fcc13ebcadf20db6501d19c23b775a81547bf73c61c4e83
SH256 hash:
19ac323ca6eae2f8145cdc2bac865b32cd5a48ad6ff199d4ca7da214b056e1dc
MD5 hash:
5fb6074b08ac4709cf2f29fa5b49023e
SHA1 hash:
8bbb78a47c08867c50572f0bd2a27171f91e0454
Link:
https://www.unpac.me/results/b2371a7f-5bf1-4fae-8211-30ecd804d96a/
SH256 hash:
3b0c45370ca9295881ef5e9d14402c42dfb45803f54d542e6a7e595a05f365a1
MD5 hash:
6c5d0928642bf37ceed295b984e05be2
SHA1 hash:
46be0d5a7db56cb1ad77274709d0db053a3c0999
Link:
https://www.unpac.me/results/b2371a7f-5bf1-4fae-8211-30ecd804d96a/
Parent samples :
184c629038e05bac72eb206a355d203612ddd7d4fbfff49f5248463bdaa6672c
3a4ad89dd6951b958a09bb11ead2987b6ec2c56a097cce45fc3140a53699e7ec
a0646464157221267c2eab4e381231ce7e057212bec844e7bc860cd289c73e16
ee3f44b845311eaf6fcc13ebcadf20db6501d19c23b775a81547bf73c61c4e83
SH256 hash:
9f7b3fe209ffb2f09bd4484f2dcbd4f821dddd28e5a007e10013836db60f9db3
MD5 hash:
cbc13ed6bfe5af87f7d9bd9f08d56d12
SHA1 hash:
0307dd7aa2b548d27b0312b4f18d45fe93a56919
Link:
https://www.unpac.me/results/b2371a7f-5bf1-4fae-8211-30ecd804d96a/
SH256 hash:
05e78416a344f74095e36ff14baa719867e9e163e1ae9a96c29df8615748b0ae
MD5 hash:
254d64388c6c52228d7a921960a03f6b
SHA1 hash:
b023b69348bb06c4b4ad67bee0f55bb9cfb3748c
Link:
https://www.unpac.me/results/b2371a7f-5bf1-4fae-8211-30ecd804d96a/
Parent samples :
184c629038e05bac72eb206a355d203612ddd7d4fbfff49f5248463bdaa6672c
3a4ad89dd6951b958a09bb11ead2987b6ec2c56a097cce45fc3140a53699e7ec
a0646464157221267c2eab4e381231ce7e057212bec844e7bc860cd289c73e16
ee3f44b845311eaf6fcc13ebcadf20db6501d19c23b775a81547bf73c61c4e83
SH256 hash:
1d24c3d7ceaa81767cef0649a8800bff1e3a905812447ab6b15248c761414b42
MD5 hash:
8364ed9f0d16bb8496aef92b2c5e88de
SHA1 hash:
7ea82a1f60a53c9e30d4d5b74e9553608438ed9d
Link:
https://www.unpac.me/results/b2371a7f-5bf1-4fae-8211-30ecd804d96a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/1d24c3d7ceaa81767cef0649a8800bff1e3a905812447ab6b15248c761414b42

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_DotNET_Encrypted
Create hunting rule
Author:ditekSHen
Description:Detects encrypted or obfuscated .NET executables
Rule name:INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Author:ditekSHen
Description:Detects ConnectWise Control (formerly ScreenConnect). Review RMM Inventory
Rule name:INDICATOR_RMM_ConnectWise_ScreenConnect_CERT
Create hunting rule
Author:ditekSHen
Description:Detects ConnectWise Control (formerly ScreenConnect) by (default) certificate. Review RMM Inventory
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETDLLMicrosoft
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:QbotStuff
Create hunting rule
Author:anonymous

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/446920/

Comments