MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20160e27904a71a77b26aeb6edb37aedc6ed18aaffb5f7eb3fbbab035ab3c458. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ConnectWise

Vendor detections: 12

SHA256 hash: 20160e27904a71a77b26aeb6edb37aedc6ed18aaffb5f7eb3fbbab035ab3c458
SHA3-384 hash: 4795212d5a53c681f64860d7f9d4c493d2425eb1b4440386fca37f80dd70e467dc8fd6c8cdee400cec1da3ca2fa0ed87
SHA1 hash: a136cb341ae29b97ce6cb1d980bc8c793d85d8bd
MD5 hash: ca4f85f75f459c4963f7e3eb4e295394
humanhash: beer-mirror-south-happy
File name: ScreenConnect.ClientSetup.exe
Signature ConnectWise
File size: 11'624'136 bytes
First seen: 2026-06-28 15:33:02 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 9771ee6344923fa220489ab01239bdfd (573 x ConnectWise)
ssdeep 196608:f1TfefPqYQyiixtMjbZ1jhlrwUvQyiixtMjoQyiixtMjXQyiixtMjCQyiixtMjX:fhPnjbrrYPnj5PnjgPnjbPnjX
Threatray 2'797 similar samples on MalwareBazaar
TLSH T18CC61201B3D689B5D0BF0638D87A56665A34BC049712C7BF5798B96E2E32BC04E32377
TrID 29.5% (.EXE) Win64 Executable (generic) (6522/11/2)
22.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter BlinkzSec
Tags: ConnectWise signed

Code Signing Certificate

Organisation: ScreenConnect Client
Issuer: ScreenConnect Client Root
Algorithm: sha256WithRSAEncryption
Valid from: 2023-04-01T00:00:00Z
Valid to: 2038-01-01T00:00:00Z
Serial number: 00
Intelligence: 336 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Graveyard Blocklist: This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm: SHA256
Thumbprint: ee8a35c20fa4588cb9847f7026c293f4a1b03677f3cded5e83f1ae0ede21cf20
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform
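The hashes and the certificate block above suggest two checks a practitioner runs before giving any weight to the "signed" tag: confirm that a downloaded file matches the listed digests, and pull the SHA256 thumbprint of the certificate embedded in the Authenticode signature to compare against the blocklisted one. The certificate here is issued by a private "ScreenConnect Client Root" with serial number 00 rather than by a publicly trusted CA, and 336 samples on MalwareBazaar share it, so the signature by itself says nothing about who built the binary. The script below is an added example written for this page, not code from MalwareBazaar, ReversingLabs or ConnectWise. It uses only the Python standard library: it locates the PE security directory, walks the PKCS#7 DER to hash every embedded certificate, and builds a constructed stand-in PE with a fake signature blob so that it runs offline (that fixture is not the real ScreenConnect.ClientSetup.exe, so its digests will not match the entry). It does not verify the signature cryptographically and reads only the first WIN_CERTIFICATE entry.

```python
"""Offline triage of a signed PE: digest check plus Authenticode certificate thumbprints.
Added example for this MalwareBazaar entry (stdlib only); the sample PE built by
build_sample_pe() is a constructed fixture, NOT the real ScreenConnect installer."""
import hashlib
import struct

# Copied from the entry above; compare against the bytes of a real download.
ENTRY_HASHES = {
    "sha256": "20160e27904a71a77b26aeb6edb37aedc6ed18aaffb5f7eb3fbbab035ab3c458",
    "sha1": "a136cb341ae29b97ce6cb1d980bc8c793d85d8bd",
    "md5": "ca4f85f75f459c4963f7e3eb4e295394",
    "sha3_384": "4795212d5a53c681f64860d7f9d4c493d2425eb1b4440386fca37f80dd70e467dc8fd6c8cdee400cec1da3ca2fa0ed87",
}
# SHA256 thumbprint of the 'ScreenConnect Client Root'-issued certificate listed in the entry.
BLOCKLISTED_THUMBPRINTS = {"ee8a35c20fa4588cb9847f7026c293f4a1b03677f3cded5e83f1ae0ede21cf20"}
SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2 (PKCS#7 signedData)


def digests(data):
    """MD5, SHA1, SHA256 and SHA3-384 of data, hex encoded (the four the entry lists)."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256", "sha3_384")}


def verify_digests(data, expected):
    """Names of the algorithms in expected whose digest does NOT match data (empty list = all match)."""
    got = digests(data)
    return sorted(alg for alg, h in expected.items() if got[alg] != h.lower())


def security_directory(pe):
    """Raw PKCS#7 blob from IMAGE_DIRECTORY_ENTRY_SECURITY, or None if there is no Authenticode signature."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                        # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)   # data directories start at 96 (PE32) or 112 (PE32+)
    off, size = struct.unpack_from("<II", pe, dirs + 4 * 8)  # entry 4; its "RVA" is really a file offset
    if off == 0 or size == 0:
        return None
    length, _revision, cert_type = struct.unpack_from("<IHH", pe, off)  # WIN_CERTIFICATE header
    if cert_type != 0x0002:                        # WIN_CERT_TYPE_PKCS_SIGNED_DATA
        return None
    return pe[off + 8:off + length]


def der_children(buf):
    """Yield (tag, value, raw_tlv) for each top-level DER element of buf (single-byte tags)."""
    i = 0
    while i < len(buf):
        start, tag, n = i, buf[i], buf[i + 1]
        i += 2
        if n & 0x80:                               # long-form length: next (n & 0x7F) bytes hold it
            k = n & 0x7F
            n = int.from_bytes(buf[i:i + k], "big")
            i += k
        yield tag, buf[i:i + n], buf[start:i + n]
        i += n


def certificates(pkcs7):
    """DER certificates in SignedData.certificates ([0] IMPLICIT SET OF Certificate): signer plus any chain."""
    _t, content_info, _r = next(der_children(pkcs7))          # ContentInfo SEQUENCE
    oid, explicit0 = [c for c in der_children(content_info)][:2]
    if oid[1] != SIGNED_DATA_OID:
        raise ValueError("not a PKCS#7 SignedData blob")
    _t, signed_data, _r = next(der_children(explicit0[1]))    # SignedData SEQUENCE inside [0] EXPLICIT
    for tag, val, _r in der_children(signed_data):
        if tag == 0xA0:                                        # context tag [0], constructed
            return [raw for t, _v, raw in der_children(val) if t == 0x30]
    return []


def signer_thumbprints(pe):
    """SHA256 over each embedded certificate's DER, the form the entry's Thumbprint field uses."""
    blob = security_directory(pe)
    return [hashlib.sha256(c).hexdigest() for c in certificates(blob)] if blob else []


def blocklisted(pe):
    return any(t in BLOCKLISTED_THUMBPRINTS for t in signer_thumbprints(pe))


# --- constructed fixture (assumption: a fake PE and signature blob, not the real sample) ---
def der(tag, body):
    """Minimal DER TLV encoder used only to build the fixture."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nb = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + body


SAMPLE_CERT = der(0x30, der(0x30, b"tbsCertificate placeholder"))  # stands in for an X.509 Certificate


def build_sample_pe():
    """A PE32+ skeleton whose security directory points at a fake SignedData holding SAMPLE_CERT."""
    signed_data = der(0x30, der(0x02, b"\x01") + der(0x31, b"") + der(0x30, der(0x06, SIGNED_DATA_OID))
                      + der(0xA0, SAMPLE_CERT) + der(0x31, b""))
    pkcs7 = der(0x30, der(0x06, SIGNED_DATA_OID) + der(0xA0, signed_data))
    win_cert = struct.pack("<IHH", 8 + len(pkcs7), 0x0200, 0x0002) + pkcs7
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)      # AMD64, 240-byte optional header
    opt = bytearray(struct.pack("<H", 0x20B) + bytes(238))             # PE32+ magic, 16 empty directories
    cert_off = 0x40 + 4 + 20 + 240                                     # blob placed right after the headers
    struct.pack_into("<II", opt, 112 + 4 * 8, cert_off, len(win_cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + win_cert


if __name__ == "__main__":
    pe = build_sample_pe()
    print("digest mismatches vs entry:", verify_digests(pe, ENTRY_HASHES))
    print("embedded cert thumbprints:", signer_thumbprints(pe))
    print("signer on blocklist:", blocklisted(pe))
```

Feed the bytes of a real download to `verify_digests` and `signer_thumbprints` to compare against `ENTRY_HASHES` and `BLOCKLISTED_THUMBPRINTS`. A match on any embedded certificate, not only the leaf, is enough to flag the file, because Authenticode SignedData may carry the issuing chain next to the signer; for a self-issued root like the one above there is no chain to speak of.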

Intelligence


File Origin
# of uploads: 1
# of downloads: 67
Origin country: SE
Vendor Threat Intelligence
Malware configuration found for: ScreenConnect
Details
Malware family: n/a
ID: 1
File name: _20160e27904a71a77b26aeb6edb37aedc6ed18aaffb5f7eb3fbbab035ab3c458.exe
Verdict: No threats detected
Analysis date: 2026-06-28 15:36:23 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 91.7%
Tags: connectwise shellcode dropper crypted
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Launching a process
Creating a file
Creating a window
Creating synchronization primitives
Searching for synchronization primitives
Loading a suspicious library
Deleting a recently created file
Modifying a system file
Creating a file in the Windows subdirectories
Creating a file in the Program Files subdirectories
Enabling autorun with the shell\open\command registry branches
Verdict: Adware
File Type: exe x32
First seen: 2026-06-28T14:35:00Z UTC
Last seen: 2026-06-28T17:53:00Z UTC
Hits: ~10
Detections: not-a-virus:HEUR:RemoteAdmin.Win32.ConnectWise.gen
Malware family: ConnectWise Inc
Verdict: Suspicious
Gathering data
Result
Malware family: n/a
Score: 7/10
Tags: discovery ransomware
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Badlisted process makes network request
Enumerates connected drives
Checks computer location settings
Loads dropped DLL
Unpacked files
SHA256 hash: 20160e27904a71a77b26aeb6edb37aedc6ed18aaffb5f7eb3fbbab035ab3c458
MD5 hash: ca4f85f75f459c4963f7e3eb4e295394
SHA1 hash: a136cb341ae29b97ce6cb1d980bc8c793d85d8bd

SHA256 hash: 8a55c15cc76e31042e17458c479772aa95bc1b908016c85b1dc8b8e3eff23254
MD5 hash: decb1fd20d75e6eade9289cc24605f29
SHA1 hash: 5169602d641c4f2ebd9ca0639622949e00c25566

SHA256 hash: 0fdc044e6e6be34d0654bc7858e10d022bd8c115c16cdd157184aca08715e45b
MD5 hash: 8a42171f41094a13b86a2b4fda8c3920
SHA1 hash: cb348ed6424fd169ae190d1d249bef5fd27f3b24

SHA256 hash: 4a5ab50d7c2b63271dc1972f996b1af87d4ab9143a9df10d858ca7134afebc5e
MD5 hash: 5b86dbd8a8a9693958f720550e07924d
SHA1 hash: 4969ce6ffac0c73f82c20bfd6deed43d7bce361a

SHA256 hash: 7cd74f5e0fb8b9cdf3275a03ac29f25c88a2adea7afa1a1a0e719a54be9d9e2b
MD5 hash: f4f235efd9873261762b4d940972d756
SHA1 hash: 9a329c0692f3159113ebbd5daab0e11647415bce

SHA256 hash: 881377643cc610e41a458b2797ac8ca4f018d3f39a1effd40b521ebb52c5e7af
MD5 hash: 4ec378ab38ad1512899de74ed30da605
SHA1 hash: 06324f0f48c51d97fca0222d3ab2a9f1a84561b9

SHA256 hash: c24f3f38cbad5591ca72bd3688b3bcc67b311143e3418905752a88887c649c12
MD5 hash: 73f5f4033295f0cb4fe0347f677f7ba6
SHA1 hash: c1fe83c93d7c3ed97a8405a2c75317dd4c80eead

SHA256 hash: 368a99cda6a46e9907d4a1136edcebcc7c4b08905766ea8828839e20d1f12202
MD5 hash: f2e6d57236f712db23b7fc4a59a5a643
SHA1 hash: 02cc64d4175e13c6309c3fe47cb60f625c40085a

SHA256 hash: 289a4eea79baa4141744e44d60db713e18b5f23322663c63047962f51b467614
MD5 hash: 48979a1a6d3badea8124bce04b1e01a5
SHA1 hash: 06931bd96343ce167eda796112a30ca8d9fa536a

SHA256 hash: 3fd9c0df614e24a07b99aa8b79ac0374ff276c4e7df4d83a0d0cb861d4a47436
MD5 hash: 493178fda79ecf45c49758ed51b9a679
SHA1 hash: 18a9294c6820632a58ff35d7a820f4797a51ff75

SHA256 hash: 1e8e45428b5f71c2cce22319276fec805422dc72572308016d7791d815e73274
MD5 hash: 9507c125eb0375e1b61a7db790a4a487
SHA1 hash: 21b65f815c2872ad80ad4e2fc0f32c7c4ff367bb

SHA256 hash: 1d20eb214c00f45c4abb0154486888896c5ddb9873bebfe2c2bb55a315ba4594
MD5 hash: 15837f08da22d1238b7826c61265b76b
SHA1 hash: 85d1ed1b28ffc8a6bf05f77f6b0e7dff2aaf7b10

SHA256 hash: 19ac323ca6eae2f8145cdc2bac865b32cd5a48ad6ff199d4ca7da214b056e1dc
MD5 hash: 5fb6074b08ac4709cf2f29fa5b49023e
SHA1 hash: 8bbb78a47c08867c50572f0bd2a27171f91e0454

SHA256 hash: ad6062215032ab58369403b1221562b5e7fb5ae7d52b29b7fad69eefb2d8455b
MD5 hash: 723f2aaeeda1d2bb2f49322da349ffc9
SHA1 hash: ac6ab994beaff69adf8a2dc480a8a628175ff6c8

SHA256 hash: 9342c7be8036a5f8dc3895d75e3314dce961fd3bc70ee59928c67fa04f0c7e08
MD5 hash: 5419ff27205d3e5affa3fc18b811b843
SHA1 hash: cf49072c50456381cd26cd32cb97606c5f5cfd26

SHA256 hash: 637c730a28969b12f906109ab2d6670cdf230901eb9060f51c103d7ce37e3766
MD5 hash: b6a18c19bb09fb084f0280fa7ac4a27c
SHA1 hash: d0dd121fc155c3a8cb9db32f728c912ef234728c

SHA256 hash: 0969c5cacbf8586893f041bd7e44f8549442e8b68d1c3e6b278a6a6cc300c5eb
MD5 hash: eb46b8bcb6b578c69cf34dde16c1a5b7
SHA1 hash: e2fda7cce77effd3c6f51860d3f342cdc7ba8a6c
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: INDICATOR_EXE_DotNET_Encrypted
Author: ditekSHen
Description: Detects encrypted or obfuscated .NET executables
Rule name: INDICATOR_RMM_ConnectWise_ScreenConnect
Author: ditekSHen
Description: Detects ConnectWise Control (formerly ScreenConnect). Review RMM Inventory
Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: RANSOMWARE
Author: ToroGuitar
Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May Contain (Obfuscated or no) Powershell or CMD Command that can be abused by threat actor (can create FP)
Rule name: telebot_framework
Author: vietdx.mb
Rule name: TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author: CYFARE
Description: Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference: https://cyfare.net/

File information


The table below shows additional information about this malware sample such as delivery method and external references.
