MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2b3006b181e2b12f611638000e355e0fda59c62930c3188739d029892188de34. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: ConnectWise
Vendor detections: 11

SHA256 hash: 2b3006b181e2b12f611638000e355e0fda59c62930c3188739d029892188de34
SHA3-384 hash: c45f5c8166a52a171d7892d43e60174aad6d4ea1ece92536e33aaf8aa4a39d1e4c40de3abcf622d777e7a28fcb8348df
SHA1 hash: e3314f52cc88a147d354253eeea8f7d18b16db73
MD5 hash: 6935c7ed2531dd753ab52781b0913441
humanhash: fruit-charlie-ack-artist
File name: AdobeReader.exe
Signature: ConnectWise
File size: 11'195'704 bytes
First seen: 2023-10-20 14:15:30 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 608505ff1e7e27ff4a42ea9c4e9f4192 (5 x LummaStealer, 3 x NetSupport, 2 x ConnectWise)
ssdeep: 196608:L/PdfTUHNthhoevTAoU/Jz0coKsy3VpUOP6td8ecB6Q:L/VfTKnb4RzxIy3MM6tZcM
Threatray: 31 similar samples on MalwareBazaar
TLSH: T107B6E131724AC53BDA6211B0192C9A9F512DBE790FB215CBB3CC2E6E1BB54C21736E17
TrID:
  88.3% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
  4.7% (.EXE) Win64 Executable (generic) (10523/12/4)
  2.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
  2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
  0.9% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE): PE icon
dhash icon: 4db292f2d88cb40b (15 x RemcosRAT, 13 x AgentTesla, 7 x NanoCore)
Reporter: JAMESWT_WT
Tags: ConnectWise exe instance-a3g6br-relay-screenconnect-com screenconnect signed studioaziende-click

Code Signing Certificate

Organisation: CodeSigningCert
Issuer: CodeSigningCert
Algorithm: sha256WithRSAEncryption
Valid from: 2023-02-28T11:15:47Z
Valid to: 2025-02-28T11:25:47Z
Serial number: 12e79e88324ccea94e0358ccb4a75075
Intelligence: 14 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: 0c21b06b3ede50f24284ddb567b4370193279f3e59a9a1bb602d9a9c230b4d28
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 347
Origin country: IT
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: AdobeReader.exe
Verdict: Malicious activity
Analysis date: 2023-10-20 14:18:17 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating synchronization primitives
Searching for the window
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Sending an HTTP GET request
Sending a custom TCP request
Creating a file in the %temp% directory
Launching a process
Launching a service
Modifying a system file
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Creating a file
Loading a suspicious library
Gathering data
Result
Verdict: MALICIOUS

Result
Threat name: ScreenConnect Tool
Detection: malicious
Classification: evad
Score: 76 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Contains functionality to hide user accounts
Detected unpacking (creates a PE file in dynamic memory)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph (ID: 1329331, Sample: AdobeReader.exe, Startdate: 20/10/2023, Architecture: WINDOWS, Score: 76), recovered from the graph image as a process tree:
  Network: instance-a3g6br-relay.screenconnect.com
  Signatures on the sample: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Detected unpacking (creates a PE file in dynamic memory); 3 other signatures
  Top-level processes:
    msiexec.exe
      dropped: C:\Windows\Installer\MSI2C3D.tmp (PE32); C:\Windows\Installer\MSI2C0D.tmp (PE32); C:\Windows\Installer\MSI2BCE.tmp (PE32); 14 other files (5 malicious)
      started: msiexec.exe; AdobeAcrobat.exe; msiexec.exe; 3 other processes
        msiexec.exe started rundll32.exe
          dropped: C:\Users\user\...\ScreenConnect.Windows.dll (PE32); C:\...\ScreenConnect.InstallerActions.dll (PE32); C:\Users\user\...\ScreenConnect.Core.dll (PE32); Microsoft.Deployme...indowsInstaller.dll (PE32)
        AdobeAcrobat.exe started msiexec.exe
          dropped: C:\Users\user\AppData\Local\...\MSI3B2C.tmp (PE32)
    AdobeReader.exe
      dropped: C:\Users\user\AppData\...\AdobeAcrobat.exe (PE32); C:\Users\user\AppData\...\AdobeAcrobat.exe (PE32); C:\Users\user\AppData\Local\...\shi2458.tmp (PE32+); 3 other files (none is malicious)
      started: msiexec.exe
    ScreenConnect.ClientService.exe
      started: ScreenConnect.WindowsClient.exe
        signature: Contains functionality to hide user accounts
Result
Threat name: Win32.Trojan.Znyonm
Status: Malicious
First seen: 2023-10-10 16:53:00 UTC
File Type: PE (Exe)
Extracted files: 455
AV detection: 8 of 22 (36.36%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: persistence
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Blocklisted process makes network request
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Registers COM server for autorun
Sets service image path in registry
Unpacked files

SHA256 hash: 4c79c935dd8906bceb119db5657a7dbe2567d4889159cfb21f75e2bf2df9befc
MD5 hash: 828da1dc33f942efdaf222fccdd7154c
SHA1 hash: f77a3d63f375477f201de1f1eb9cff2f59aa88b3

SHA256 hash: 2604e4330bbed01271ebbeb20b5716513104e1ebf0a97f2a87513ae5c54b79a9
MD5 hash: 6f75ba07edea9c7627bb1eec36bceb50
SHA1 hash: eca9f99a65781faa38abc7289e085ba1e279089f

SHA256 hash: 26648cff2a7f0789080266215b982c922560cb0094f152e644996cc1507778bb
MD5 hash: bda4d3129c1b132f51868653befaaa4b
SHA1 hash: ec744231add10f636dc25e28a82797fc08ba706e

SHA256 hash: 1a8a01e8734f88b7ce9d6199aa5eddc5b29b75571c106f76a75ba19f6f6f0fe6
MD5 hash: 0fc6f6534aa76718e9172f815a813592
SHA1 hash: de1b8048b960ed2291845b7c420c8765972ccc23

SHA256 hash: 4988e919f011256869e2b7fa82a885e87137f46bbfa251e598ed0720dc831499
MD5 hash: 5822cde544c4214cb6cdda1f83ec2671
SHA1 hash: c0bf0f9f6542f012b28a3659ff47e0518643cfa7

SHA256 hash: d558486de384ddb404052ec46e71986e7ec86e9a9fbbb4c5170d6eeaeb4574f8
MD5 hash: 49480bbc08c60e64f4cee520b565bdce
SHA1 hash: bc73d95f9ba0598727b9b1f09b291c95cbe43398

SHA256 hash: ad6062215032ab58369403b1221562b5e7fb5ae7d52b29b7fad69eefb2d8455b
MD5 hash: 723f2aaeeda1d2bb2f49322da349ffc9
SHA1 hash: ac6ab994beaff69adf8a2dc480a8a628175ff6c8

SHA256 hash: 9902e71a3857491565e4faa8404668a0cfa52eb334f92e79288ad504007fa9e2
MD5 hash: bfc6b65dee2fae2e2a5a2921d0a18bd3
SHA1 hash: a7fea5ed4045eb1a95ed116a091b3be69d5ed895

SHA256 hash: 19ac323ca6eae2f8145cdc2bac865b32cd5a48ad6ff199d4ca7da214b056e1dc
MD5 hash: 5fb6074b08ac4709cf2f29fa5b49023e
SHA1 hash: 8bbb78a47c08867c50572f0bd2a27171f91e0454

SHA256 hash: 6538c1340ec161fa72046811bee54d610c7e4963c7efa2bf2e201e8481c1e69b
MD5 hash: ed940ab7590f0cb8af5ca5b4630f6146
SHA1 hash: 53623fe3e21ff6341eb39c777aec90dadc3914e3

SHA256 hash: 289a4eea79baa4141744e44d60db713e18b5f23322663c63047962f51b467614
MD5 hash: 48979a1a6d3badea8124bce04b1e01a5
SHA1 hash: 06931bd96343ce167eda796112a30ca8d9fa536a

SHA256 hash: 2b3006b181e2b12f611638000e355e0fda59c62930c3188739d029892188de34
MD5 hash: 6935c7ed2531dd753ab52781b0913441
SHA1 hash: e3314f52cc88a147d354253eeea8f7d18b16db73

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: APT_Sandworm_ArguePatch_Apr_2022_1
Author: Arkbird_SOLG
Description: Detect ArguePatch loader used by Sandworm group to load CaddyWiper
Reference: https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments