MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 26cfe3e982b980ea48dcbfb29897d6602d2f3388485ee09f078db60aec0b650e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
ConnectWise
Vendor detections: 7
| SHA256 hash: | 26cfe3e982b980ea48dcbfb29897d6602d2f3388485ee09f078db60aec0b650e |
|---|---|
| SHA3-384 hash: | fdc2c88b3935895a4afefbbd4d93543de91c9a833ef22a721f2170d7d190800c252c1fc05e5cb55020c10527d52eadb8 |
| SHA1 hash: | 1eb066cd491a8fbf6f5420e8dbbb8f706f0194e8 |
| MD5 hash: | e643b211903346b830f1bf93a8eaa03f |
| humanhash: | potato-cardinal-spaghetti-robert |
| File name: | 26cfe3e982b980ea48dcbfb29897d6602d2f3388485ee09f078db60aec0b650e |
| Download: | download sample |
| Signature | ConnectWise |
| File size: | 3'185'664 bytes |
| First seen: | 2026-06-12 11:24:23 UTC |
| Last seen: | Never |
| File type: |  msi |
| MIME type: | application/x-msi |
| ssdeep | 49152:WrGLq7FVsLBe+1GVxrKlsu11g7GenGwfZVkVjOi8ifyXfKVzh4:Wrn/TYGVxz48GBwRVkGuyXOu |
| Threatray | 2'658 similar samples on MalwareBazaar |
| TLSH | T1D0E5232236F88539E2F72730AE3E91A1D93ABE605F20C54F5358142D5DB1A9097F273B |
| TrID | 86.8% (.MSI) Microsoft Windows Installer (454500/1/170) 11.6% (.MST) Windows SDK Setup Transform script (61000/1/5) 1.5% (.) Generic OLE2 / Multistream Compound (8000/1) |
| Magika | unknown |
| Reporter |  JAMESWT_WT |
| Tags: | ConnectWise frreliny-com msi signed |
Code Signing Certificate
| Organisation: | Sharp Tavyn |
|---|---|
| Issuer: | Microsoft ID Verified CS EOC CA 02 |
| Algorithm: | sha384WithRSAEncryption |
| Valid from: | 2026-03-27T01:29:14Z |
| Valid to: | 2026-03-30T01:29:14Z |
| Serial number: | 330007a2a9a2e81f1d2e3801d200000007a2a9 |
| Cert Graveyard Blocklist: | This certificate is on the Cert Graveyard blocklist |
| Thumbprint Algorithm: | SHA256 |
| Thumbprint: | 00961935025378958410f3f8c16840e63b9c4fa5fa2df8415b092f4be6baa2e0 |
| Source: | This information was brought to you by ReversingLabs A1000 Malware Analysis Platform |
Intelligence
File Origin
# of uploads :
1
# of downloads :
56
Origin country :
ITVendor Threat Intelligence
Malware configuration found for:
MSI
Details
Detection:
n/a
Verdict:
Malicious
Score:
96.5%
Tags:
connectwise shellcode virus msil
Verdict:
Adware
File Type:
msi
Gathering data
Detection(s):
Malicious file
Verdict:
suspicious
Label(s):
admintool_screenconnect
Similar samples:
+ 2'648 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
8/10
Tags:
discovery persistence privilege_escalation ransomware revoked_codesign
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Boot or Logon Autostart Execution: Authentication Package
Badlisted process makes network request
Enumerates connected drives
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
Sets service image path in registry
Signed with revoked ConnectWise certificate
Please note that we are no longer able to provide a coverage score for Virus Total.
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | DebuggerCheck__API |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DetectEncryptedVariants |
|---|---|
| Author: | Zinyth |
| Description: | Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded |
| Rule name: | has_telegram_urls |
|---|---|
| Author: | Aaron DeVera<aaron@backchannel.re> |
| Description: | Detects Telegram URLs |
| Rule name: | INDICATOR_RMM_ConnectWise_ScreenConnect |
|---|---|
| Author: | ditekSHen |
| Description: | Detects ConnectWise Control (formerly ScreenConnect). Review RMM Inventory |
| Rule name: | NET |
|---|---|
| Author: | malware-lu |
| Rule name: | RANSOMWARE |
|---|---|
| Author: | ToroGuitar |
| Rule name: | telebot_framework |
|---|---|
| Author: | vietdx.mb |
| Rule name: | telegram_bot_api |
|---|---|
| Author: | rectifyq |
| Description: | Detects file containing Telegram Bot API |
| Rule name: | win_evilconwi_w0 |
|---|---|
| Author: | Karsten Hahn @ G DATA CyberDefense |
| Description: | Settings from app.config that hide the connection of the client. These settings are potentially unwanted |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.