MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2659f660691d65628d2fcc3bfc334686cd053f162cdb73bf7a0da0ac6449db92. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ConnectWise

Vendor detections: 6

Intelligence 6 IOCs YARA 8 File information Comments

SHA256 hash:	2659f660691d65628d2fcc3bfc334686cd053f162cdb73bf7a0da0ac6449db92
SHA3-384 hash:	6831b8e38c609c2d9e5f0ec95fe48a4b9735ca07fcc404164e282529fc51230466a6a56b99de9c6a604d8ce715ef1a42
SHA1 hash:	f597d519a59a5fd809e8a1e097fdd6e0077f72de
MD5 hash:	7099c67fe850d902106c03d07bfb773b
humanhash:	nevada-harry-ten-carbon
File name:	SecuriteInfo.com.Heur.28251.5785
Download:	download sample
Signature	ConnectWise Create hunting rule
File size:	1'726'976 bytes
First seen:	2026-06-23 08:38:59 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	dae02f32a21e03ce65412f6e56942daa (123 x YellowCockatoo, 61 x CobaltStrike, 44 x JanelaRAT)
ssdeep	24576:aOgPFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPTsUTM:PgPJkGYYpT0+TFiH7efP
Threatray	2'423 similar samples on MalwareBazaar
TLSH	T14985AD01E2D365F9D46B047888BF572AAA743C040325CAFB97D4BE366D33BC09A36756
TrID	21.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 21.2% (.EXE) Win64 Executable (generic) (6522/11/2) 16.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 14.6% (.EXE) Win32 Executable (generic) (4504/4/1) 6.6% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	SecuriteInfoCom
Tags:	ConnectWise dll

Intelligence

File Origin

# of uploads :

# of downloads :

151

Origin country :

Vendor Threat Intelligence

No detections

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/71654/

Detection(s):

YARA.COD3NYM_SUSP_NET_Shellcode_Loader_Indicators_Jan24.UNOFFICIAL

Verdict:

Clean

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a3a464a86bc95245bf8d8ab

Tags:

n/a

Result

Verdict:

Clean

Maliciousness:

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug anti-vm base64 fingerprint overlay packed privilege reconnaissance

Link:

https://www.filescan.io/uploads/6a3a46419799578a6c475f2b/reports/73b1224b-6202-4b25-b7f4-b6830e0c7e76/overview

Verdict:

Malicious

Labled as:

Exploit.MSIL.PrivEsc

Link:

https://www.hybrid-analysis.com/sample/2659f660691d65628d2fcc3bfc334686cd053f162cdb73bf7a0da0ac6449db92

Verdict:

Clean

File Type:

executable.pe.32.dll

First seen:

2025-02-07T05:41:00Z UTC

Last seen:

2026-06-17T20:45:00Z UTC

Hits:

~1000

Link:

https://opentip.kaspersky.com/2659f660691d65628d2fcc3bfc334686cd053f162cdb73bf7a0da0ac6449db92/results?tab=lookup

Malware family:

ConnectWise Inc

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/797930f8-3039-450e-b4ef-46b9fec509d6

Score:

Verdict:

Benign

File Type:

Link:

https://malprob.io/report/2659f660691d65628d2fcc3bfc334686cd053f162cdb73bf7a0da0ac6449db92

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2659f660691d65628d2fcc3bfc334686cd053f162cdb73bf7a0da0ac6449db92/

Verdict:

suspicious

Label(s):

admintool_screenconnect

ConnectWise

2659f660691d65628d2fcc3bfc334686cd053f162cdb73bf7a0da0ac6449db92

ConnectWise

80ea7456faf8688b78fe1b82d534bc6251c70cddb9ec076225adac334ad988ca

ConnectWise

8c8e60afcf9e8896ab78b89c9da45eb2ba466d6d5edec42423b1a91eeb4c2cb4

ConnectWise

9af1432af9e801c7a362502c66778d12dbdb89f5acf1e6c822ada3e9b516a128

ConnectWise

bd12c6d8caeb7e4a473c37878435e812db9a379b435ac1aa66b41e1036eb02eb

ConnectWise

error

ConnectWise

+ 2'413 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/260623-kkjltabx6y/

Unpacked files

SH256 hash:

2659f660691d65628d2fcc3bfc334686cd053f162cdb73bf7a0da0ac6449db92

MD5 hash:

7099c67fe850d902106c03d07bfb773b

SHA1 hash:

f597d519a59a5fd809e8a1e097fdd6e0077f72de

Link:

https://www.unpac.me/results/da893504-e81d-4a46-9fe3-e2630c57f8f9/

Parent samples :

006930b41d4187f382d805989c3f1cc709d626d36a9bb1d6eacd45887c78e815
55a2d2db3cd1b2906f2d5440abdcc758bc5e30ca6343b8492df4c011095666df
56b540efa56fb641d8f5c9705197422bea0259ef5e0517661797d76fe3786b4a
29ada66e00b3836081159768d9ce4e28bae93259227af22ee8052fa0485df9da
0914dbeb1da7d1b16d4886fb2c21109c992bed6dd198caf75984f462ea73c968
1aacc95ca027a01f95496bd89b6d230cfdb319d6efaab93652afa5334daa5cbd
33b2b67b33d1e021d63c507a98bc2cd73c9f888ee81fb9473ede1926992c3a1d
b5f94ce781cca1b6e47491ee86ccea6a5352f1d18158abb307f47c01b3fde0f0
9de042819c9dc1f30ea1fb3865209d1de3d3b1d90206de34fe4b19df52a0ea68
07b0e46ff641660b9864ee1ca46b2d0744bb2493a5d98824050a3b7ca5299350
5ce2b3a958e3c2f0e1d71cfcd553474a126d146d67909c2eb4d11244e789cbf7
67b0c562eb5b9122da536ea86dee4fdb897cd903c4db5cd7902a6c063fc31e6d
0719453ecc8382af1e151b86d483f1c5dc4c49dd860e59125bb1f0cc53851133
e2fb1f47ad7b8eed0d45af953e6fbb93c4171a92267becfc05e88bc189746ea8
929dc73f49dcb6f03b9de070f90b1243f0536e40c2275a9f41faf0b221d5a6ae
2318850b2f87746e8af7fb74578e21fd0ea620c100cad1555074cc26a5ffba7f
ba006900a64d146a3eb87542a8210b3ec2021b3d736f42902c2ed6db71c440d1
c02dc41e95f8b3493cf0643ee99fcf918bcda28e667ad8315dbeeaab73fdf468
1611d11cb2d49a96af4cba5b510ee9e6b72bc0a7fa2c8c380ffaff2221617a72
be6d79a5aa6d5f5d5c0bf12acf9052c3ee7657399c019da250fc860c0ccef911
a4d935e13ad2b0519afe895b7c4348b6610dd90d971e30ac6e553f8e39890811
a4880a2d4ccebee86a3c520a0d6a5671fcd96676277e00391f04d53866e61838

SH256 hash:

ad6062215032ab58369403b1221562b5e7fb5ae7d52b29b7fad69eefb2d8455b

MD5 hash:

723f2aaeeda1d2bb2f49322da349ffc9

SHA1 hash:

ac6ab994beaff69adf8a2dc480a8a628175ff6c8

Link:

https://www.unpac.me/results/da893504-e81d-4a46-9fe3-e2630c57f8f9/

SH256 hash:

808c61a09e220c361cff01e76c30f269e6c037c85069e0811662fd86c137874a

MD5 hash:

80e0336184ee640aa9318b02d255aac1

SHA1 hash:

d6159490c9024d7053241960671aa26a0ccc8579

Link:

https://www.unpac.me/results/da893504-e81d-4a46-9fe3-e2630c57f8f9/

SH256 hash:

289a4eea79baa4141744e44d60db713e18b5f23322663c63047962f51b467614

MD5 hash:

48979a1a6d3badea8124bce04b1e01a5

SHA1 hash:

06931bd96343ce167eda796112a30ca8d9fa536a

Link:

https://www.unpac.me/results/da893504-e81d-4a46-9fe3-e2630c57f8f9/

SH256 hash:

9342c7be8036a5f8dc3895d75e3314dce961fd3bc70ee59928c67fa04f0c7e08

MD5 hash:

5419ff27205d3e5affa3fc18b811b843

SHA1 hash:

cf49072c50456381cd26cd32cb97606c5f5cfd26

Link:

https://www.unpac.me/results/da893504-e81d-4a46-9fe3-e2630c57f8f9/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.98

Link:

https://yomi.yoroi.company/submissions/2659f660691d65628d2fcc3bfc334686cd053f162cdb73bf7a0da0ac6449db92

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_RMM_ConnectWise_ScreenConnect Create hunting rule
Author:	ditekSHen
Description:	Detects ConnectWise Control (formerly ScreenConnect). Review RMM Inventory

Rule name:	SUSP_NET_Shellcode_Loader_Indicators_Jan24 Create hunting rule
Author:	Jonathan Peters
Description:	Detects indicators of shellcode loaders in .NET binaries
Reference:	https://github.com/Workingdaturah/Payload-Generator/tree/main

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	telebot_framework Create hunting rule
Author:	vietdx.mb

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/71654/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample