MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 24cb773fd21e8ff6126882b218a5a178f41db0f4fdb290ca4b6b4afbfdb4e3a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ConnectWise


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 24cb773fd21e8ff6126882b218a5a178f41db0f4fdb290ca4b6b4afbfdb4e3a4
SHA3-384 hash: d9e0476d1ad18131acb1d7abd83b08f05b24cbb2dcee4bfb24b770112b38c1cd077f1f4d48be96cc085b7fb20f1e3959
SHA1 hash: 770f380b2d9bc32b58e70abaf23e264b72bcc954
MD5 hash: 57afe88e42f3fedabb21e752d40e957d
humanhash: batman-cup-red-november
File name:22.exe
Download: download sample
Signature ConnectWise
Create hunting rule
File size:5'305'608 bytes
First seen:2022-12-21 13:12:07 UTC
Last seen:2023-09-07 08:26:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 96e03c6bfe932500a28aba3c63f5c7b6 (11 x ConnectWise)
ssdeep 98304:Jh6+6efPBJYV6lVhSxWGIdYdsBDG0uWT5hWOgcp:UefPcVinNGInBphDgG
TLSH T1C336F112F7D581B6D0BF0638E87946669B74BC095322C76F5394BD692D33B809E223B3
TrID 74.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
15.7% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
3.9% (.EXE) Win64 Executable (generic) (10523/12/4)
1.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.7% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter TeamDreier
Tags:ConnectWise exe instance-cmjrni-relay-screenconnect-com signed

Code Signing Certificate

Organisation:Connectwise, LLC
Issuer:DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm:sha256WithRSAEncryption
Valid from:2022-08-17T00:00:00Z
Valid to:2025-08-15T23:59:59Z
Serial number: 0b9360051bccf66642998998d5ba97ce
Intelligence: 444 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 82b4e7924d5bed84fb16ddf8391936eb301479cec707dc14e23bc22b8cdeae28
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
202
Origin country :
DK DK
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
22.exe
Verdict:
Malicious activity
Analysis date:
2022-12-21 13:15:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/038d47b7-4fe9-4325-b1b4-0222ee44a0d4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/348712/
Detection(s):
SecuriteInfo.com.Trojan.Siggen19.11469.1415.10944.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Launching a process
Creating a file
Creating a window
Sending a custom TCP request
Searching for synchronization primitives
Launching a service
Modifying a system file
Creating a file in the Windows subdirectories
Creating a file in the Program Files subdirectories
Creating a service
Creating a process from a recently created file
Searching for the window
DNS request
Possible injection to a system process
Enabling autorun with the shell\open\command registry branches
Enabling autorun for a service
Unauthorized injection to a recently created process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
60%
Tags:
anti-vm greyware msiexec.exe overlay packed rundll32.exe
Link:
https://www.filescan.io/uploads/63a3065fc5baedacd38c84d8/reports/a32579fa-a6ec-45c4-9a12-66a21eeb94c3/overview
Malware family:
ConnectWise
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/bf14d8cd-0634-4e83-90cb-7b35d44af46c
Result
Threat name:
Unknown
Detection:
suspicious
Classification:
n/a
Score:
36 / 100
Link:
https://www.joesandbox.com/analysis/1138678
Signature
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 771408 Sample: 22.exe Startdate: 21/12/2022 Architecture: WINDOWS Score: 36 13 Multi AV Scanner detection for submitted file 2->13 6 22.exe 3 2->6         started        process3 file4 11 C:\Users\user\AppData\Local\...\22.exe.log, CSV 6->11 dropped 9 msiexec.exe 6->9         started        process5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/24cb773fd21e8ff6126882b218a5a178f41db0f4fdb290ca4b6b4afbfdb4e3a4/
Threat name:
Win32.Trojan.ConnectWise
Create hunting rule
Status:
Malicious
First seen:
2022-12-14 12:11:02 UTC
File Type:
PE (Exe)
Extracted files:
180
AV detection:
7 of 26 (26.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=etfxop6sd2h7metiqkzbrjnbpd2b3mhu7wzjbsslnnfpx7nu4osa._file
Verdict:
malicious
Similar samples:
0ce441304f7c47187c34fdf6d601624ce345c211e21a892328cf2205df7dfb47
ConnectWise
5f5d1f324ed8dc18d76f200a176d40ab2ae48e336f33c2f7b5d047d682f3260a
ConnectWise
6e3a1e4e946e7b6cdf277b39d134cf68cd87b5ff4335e5cc5c8447add9faed23
ConnectWise
73ab66e22bda8d73307bfbe2c6edba30e8f5b94a4d916b5b00b147ca618a080d
ConnectWise
96b00d36a0aa5ba085946ca6e6d0ba344bf03dced35c980487b0871be0c4b6d5
ConnectWise
ed4544f9e5b144199882d21bf0fd0aeed19f3277b2f1a4c0e3be785cf4397d41
ConnectWise
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/221221-qf3f1sfd9s/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Enumerates connected drives
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Registers COM server for autorun
Sets service image path in registry
Unpacked files
SH256 hash:
40e6154b248c5597d90c7ef72ef1a11edf22e8db790ca0da53575981ecfc4bba
MD5 hash:
1e7fad9c7ab2f8b4a7698c5e391aac98
SHA1 hash:
b4c9ec16073525e1708f4bc24b9d4aeded7744db
Link:
https://www.unpac.me/results/cd111541-2b1b-4e9c-88b0-e754df98f55c/
SH256 hash:
58a6e0c7b1e9958bf9637afdac5a33a4e6a645439386c34fc75b634d66adc5be
MD5 hash:
d6e278051f8f42c872dbaf4ebbfa5da4
SHA1 hash:
b1b6e6cc3de9da3afd9b954dc52722555ed95a16
Link:
https://www.unpac.me/results/cd111541-2b1b-4e9c-88b0-e754df98f55c/
SH256 hash:
2a5252878c033d7af4b3ea8c9f47e696288c7d59507c62a25ae49f613d61edf8
MD5 hash:
6343cf5dd4e03484a8300deb3596b11a
SHA1 hash:
9f1b1c5ff512a4198ca73afe19829cf20dd33e78
Link:
https://www.unpac.me/results/cd111541-2b1b-4e9c-88b0-e754df98f55c/
SH256 hash:
19ac323ca6eae2f8145cdc2bac865b32cd5a48ad6ff199d4ca7da214b056e1dc
MD5 hash:
5fb6074b08ac4709cf2f29fa5b49023e
SHA1 hash:
8bbb78a47c08867c50572f0bd2a27171f91e0454
Link:
https://www.unpac.me/results/cd111541-2b1b-4e9c-88b0-e754df98f55c/
SH256 hash:
384a9cad42153fd4485dd4bf20f73ab803ed5a5d6d620d795747d5330ac8de1b
MD5 hash:
38592458c5907179b8be1b2fd31017c5
SHA1 hash:
88d7b00786b54da2bf287b5637a9429205380809
Link:
https://www.unpac.me/results/cd111541-2b1b-4e9c-88b0-e754df98f55c/
SH256 hash:
ac53b034210619c6cfe4f5e1f22e428680d25a8bec27e72754bcf833bfcb9188
MD5 hash:
c68aed4e2c7cace88fc900f16a0d2f04
SHA1 hash:
63ab5c9c8160819f5e28fffd9caf9fb6b55609df
Link:
https://www.unpac.me/results/cd111541-2b1b-4e9c-88b0-e754df98f55c/
SH256 hash:
24cb773fd21e8ff6126882b218a5a178f41db0f4fdb290ca4b6b4afbfdb4e3a4
MD5 hash:
57afe88e42f3fedabb21e752d40e957d
SHA1 hash:
770f380b2d9bc32b58e70abaf23e264b72bcc954
Link:
https://www.unpac.me/results/cd111541-2b1b-4e9c-88b0-e754df98f55c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.17
Link:
https://yomi.yoroi.company/submissions/24cb773fd21e8ff6126882b218a5a178f41db0f4fdb290ca4b6b4afbfdb4e3a4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_DotNET_Encrypted
Create hunting rule
Author:ditekSHen
Description:Detects encrypted or obfuscated .NET executables
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:QbotStuff
Create hunting rule
Author:anonymous

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/348712/

Comments