MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3843b95244d11b8a132ce31fab9859995e27eca7a587edf5db08385dded184ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ScreenConnect


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3843b95244d11b8a132ce31fab9859995e27eca7a587edf5db08385dded184ad
SHA3-384 hash: 4dcf342082e65c881dad7d30582b92e4bc86b6033a1ea3a48466c21df7434184f843f43f62e9ea8ea471e63408cbc97c
SHA1 hash: 0859f107aa081e0d5e79f9abebde3c0292e9081b
MD5 hash: d32f88a8f15bb8efde34407d1a0baed3
humanhash: mountain-december-arizona-mockingbird
File name:Rechnung_Datum_November 24_4065.js
Download: download sample
Signature ScreenConnect
Create hunting rule
File size:10'545 bytes
First seen:2024-11-08 15:02:48 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 192:CHYkVqIwaacXDtdJmxdq4TsaZT7QFbTZN+WhI4eDj01R4D/:6YIqIwa7TzJEdq4Ts2m9N+iI4ef01mz
Threatray 281 similar samples on MalwareBazaar
TLSH T1F122B9CC39E2B47847A7327B6A0F104BF67DECC1748E8418D994E8E8FC31559D66AD28
Magika javascript
Reporter TeamDreier
Tags:js screenconnect

Intelligence

File Origin
# of uploads :
1
# of downloads :
377
Origin country :
DK DK
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.GT.JS.Backdoor.17.CE33F466.334.29607.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=672e285696bcb959b48d7ada
Tags:
connectwise shellcode dropper virus
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm lolbin msiexec obfuscated packed rundll32
Link:
https://www.filescan.io/uploads/672e282d31d30334737804ee/reports/f92ac002-b286-4e2e-98bd-4bf66dd4a303/overview
Verdict:
Malicious
Labled as:
SVM:TrojanDownloader/JS.MalBehav.gen
Link:
https://www.hybrid-analysis.com/sample/3843b95244d11b8a132ce31fab9859995e27eca7a587edf5db08385dded184ad
Result
Threat name:
ScreenConnect Tool
Create hunting rule
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1551933
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Benign windows process drops PE files
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to hide user accounts
Enables network access during safeboot for specific services
JScript performs obfuscated calls to suspicious functions
Modifies security policies related information
Possible COM Object hijacking
Potential obfuscated javascript found
Reads the Security eventlog
Reads the System eventlog
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
System process connects to network (likely due to code injection or exploit)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1551933 Sample: Rechnung_Datum_November 24_... Startdate: 08/11/2024 Architecture: WINDOWS Score: 100 62 server-nix1591fc54-web.screenconnect.com 2->62 64 server-nix1591fc54-relay.screenconnect.com 2->64 66 2 other IPs or domains 2->66 74 .NET source code contains potential unpacker 2->74 76 .NET source code references suspicious native API functions 2->76 78 Contains functionality to hide user accounts 2->78 80 5 other signatures 2->80 8 wscript.exe 2 15 2->8         started        13 msiexec.exe 94 48 2->13         started        15 ScreenConnect.ClientService.exe 17 21 2->15         started        17 6 other processes 2->17 signatures3 process4 dnsIp5 68 server-nix1591fc54-web.screenconnect.com 147.28.224.242, 443, 49702 PEERING-RESEARCH-TESTBED-USC-UFMG-AS47065US United States 8->68 50 C:\Users\user\AppData\...\ClientSetup.exe, PE32 8->50 dropped 52 C:\Users\...\ScreenConnect.ClientSetup[1].exe, PE32 8->52 dropped 86 System process connects to network (likely due to code injection or exploit) 8->86 88 Benign windows process drops PE files 8->88 90 JScript performs obfuscated calls to suspicious functions 8->90 92 Windows Scripting host queries suspicious COM object (likely to drop second stage) 8->92 19 ClientSetup.exe 5 8->19         started        54 ScreenConnect.Wind...dentialProvider.dll, PE32+ 13->54 dropped 56 C:\...\ScreenConnect.ClientService.exe, PE32 13->56 dropped 58 C:\Windows\Installer\MSI794A.tmp, PE32 13->58 dropped 60 9 other files (none is malicious) 13->60 dropped 94 Enables network access during safeboot for specific services 13->94 96 Modifies security policies related information 13->96 22 msiexec.exe 13->22         started        24 msiexec.exe 1 13->24         started        26 msiexec.exe 13->26         started        70 server-nix1591fc54-relay.screenconnect.com 147.28.224.240, 443, 49709, 49710 PEERING-RESEARCH-TESTBED-USC-UFMG-AS47065US United States 15->70 98 Contains functionality to hide user accounts 15->98 100 Reads the Security eventlog 15->100 102 Reads the System eventlog 15->102 28 ScreenConnect.WindowsClient.exe 2 15->28         started        72 127.0.0.1 unknown unknown 17->72 104 Changes security center settings (notifications, updates, antivirus, firewall) 17->104 30 MpCmdRun.exe 17->30         started        file6 signatures7 process8 signatures9 82 Contains functionality to hide user accounts 19->82 32 msiexec.exe 6 19->32         started        35 rundll32.exe 10 22->35         started        38 conhost.exe 30->38         started        process10 file11 40 C:\Users\user\AppData\Local\...\MSI6B1F.tmp, PE32 32->40 dropped 42 C:\Users\user\...\ScreenConnect.Windows.dll, PE32 35->42 dropped 44 C:\...\ScreenConnect.InstallerActions.dll, PE32 35->44 dropped 46 C:\Users\user\...\ScreenConnect.Core.dll, PE32 35->46 dropped 48 4 other files (none is malicious) 35->48 dropped 84 Contains functionality to hide user accounts 35->84 signatures12
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/3843b95244d11b8a132ce31fab9859995e27eca7a587edf5db08385dded184ad
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3843b95244d11b8a132ce31fab9859995e27eca7a587edf5db08385dded184ad/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2024-11-08 10:04:46 UTC
File Type:
Text (JavaScript)
AV detection:
11 of 38 (28.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hbb3suse2enyuezm4mp2xgcztfpcp3fhuwd635o3ba4f3xwrqswq._file
Verdict:
malicious
Label(s):
admintool_screenconnect
Create hunting rule
Similar samples:
120c4ebc2cc5028cbd1d9a65f4fbd88c0e7f809d5d3bb9304a0ef07585cc3a27
ScreenConnect
1f473e89717a811066269c38eb6a53a9a0ea0e5788190636b45622b74eaa4d53
ScreenConnect
6d7c89f55c50eb63071a1eb0ef8b212a8d87e42aa376fa63d433120b212b4a48
ScreenConnect
934a35f92555d0004e1fb78fd91f6dd33036afa329c0900969adb07305231f74
ScreenConnect
error
ScreenConnect
+ 271 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution persistence privilege_escalation
Link:
https://tria.ge/reports/241108-se1xxavakf/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Boot or Logon Autostart Execution: Authentication Package
Drops file in System32 directory
Adds Run key to start application
Enumerates connected drives
Checks computer location settings
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Sets service image path in registry
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ScreenConnect

Java Script (JS) js 3843b95244d11b8a132ce31fab9859995e27eca7a587edf5db08385dded184ad

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments