MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a4ad89dd6951b958a09bb11ead2987b6ec2c56a097cce45fc3140a53699e7ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ConnectWise


Vendor detections: 16


Intelligence 16 IOCs YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3a4ad89dd6951b958a09bb11ead2987b6ec2c56a097cce45fc3140a53699e7ec
SHA3-384 hash: bd7818cb4b1af479165c7d5f04165120e543923cdb0ea59699485b0c4c272747c1a5c1cdccee10cb207be3f83e5e068c
SHA1 hash: 4da7ae094f297117d37ce3b55fd68ca0b1f3da8e
MD5 hash: 0433046a84ee6a46063ab9e36c80e940
humanhash: wisconsin-west-yellow-mirror
File name:SSA-Update.exe
Download: download sample
Signature ConnectWise
Create hunting rule
File size:5'347'592 bytes
First seen:2025-04-23 15:23:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9771ee6344923fa220489ab01239bdfd (244 x ConnectWise)
ssdeep 98304:Vxwxd/6+6efPCqe9kNDqnS2wdYdstG1f2yrOnTJk7:VxCyefPCq18nlwnzyrOnNM
Threatray 477 similar samples on MalwareBazaar
TLSH T17D36F111B3D581B6D4BF0638D87952669770BC088326D7AF9790BE697D33B808E22377
TrID 61.4% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
15.5% (.EXE) Win64 Executable (generic) (10522/11/4)
7.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.6% (.EXE) Win32 Executable (generic) (4504/4/1)
2.9% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter Anonymous
Tags:ConnectWise exe signed SSA

Code Signing Certificate

Organisation:Connectwise, LLC
Issuer:DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm:sha256WithRSAEncryption
Valid from:2022-08-17T00:00:00Z
Valid to:2025-08-15T23:59:59Z
Serial number: 0b9360051bccf66642998998d5ba97ce
Intelligence: 444 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 82b4e7924d5bed84fb16ddf8391936eb301479cec707dc14e23bc22b8cdeae28
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
Anonymous
US Social Security Administration (SSA.gov) masquerading malware

Intelligence

File Origin
# of uploads :
1
# of downloads :
499
Origin country :
US US
Vendor Threat Intelligence
Malware family:
connectwise
Create hunting rule
ID:
1
File name:
SSA-Update.exe
Verdict:
Malicious activity
Analysis date:
2025-04-23 15:26:58 UTC
Tags:
connectwise rmm-tool screenconnect remote
Link:
https://app.any.run/tasks/fe0b0318-2801-4e35-a977-7bbafc349a02

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/3718/
Detection(s):
Sanesecurity.Malware.29065.SC.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Siggen26.37800.12014.29258.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=680907553d067f8483986c12
Tags:
connectwise dropper micro spawn
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Сreating synchronization primitives
Launching a process
Creating a file
Creating a window
Searching for synchronization primitives
Loading a suspicious library
Modifying a system file
Creating a file in the Windows subdirectories
Creating a file in the Program Files subdirectories
Creating a service
Launching a service
Creating a process from a recently created file
DNS request
Moving a file to the Windows subdirectory
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Enabling autorun with the shell\open\command registry branches
Enabling autorun for a service
Unauthorized injection to a recently created process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm cmd entropy fingerprint lolbin lolbin microsoft_visual_cc msiexec net obfuscated overlay overlay packed packed packer_detected reconnaissance remote rundll32 signed
Link:
https://www.filescan.io/uploads/680905f2218c4a98adddfd4e/reports/568a4a28-66f9-43e3-b1d3-5dfc3fe98a43/overview
Verdict:
Malicious
Labled as:
RiskWare[RemoteAdmin]/ConnectWise
Link:
https://www.hybrid-analysis.com/sample/3a4ad89dd6951b958a09bb11ead2987b6ec2c56a097cce45fc3140a53699e7ec
Malware family:
ConnectWise
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/6f10e166-d85a-4b33-bc2c-a0284260c8f9
Result
Threat name:
ScreenConnect Tool
Create hunting rule
Detection:
malicious
Classification:
evad
Score:
40 / 100
Link:
https://www.joesandbox.com/analysis/1672211
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Contains functionality to hide user accounts
Creates files in the system32 config directory
Detected potential unwanted application
Enables network access during safeboot for specific services
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Possible COM Object hijacking
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1672211 Sample: SSA-Update.exe Startdate: 23/04/2025 Architecture: WINDOWS Score: 40 54 pki-goog.l.google.com 2->54 56 docs.e-statements.app 2->56 58 c.pki.goog 2->58 62 Multi AV Scanner detection for submitted file 2->62 64 .NET source code contains potential unpacker 2->64 66 .NET source code references suspicious native API functions 2->66 68 4 other signatures 2->68 8 msiexec.exe 92 48 2->8         started        12 ScreenConnect.ClientService.exe 5 2->12         started        15 SSA-Update.exe 3 2->15         started        signatures3 process4 dnsIp5 34 ScreenConnect.Wind...dentialProvider.dll, PE32+ 8->34 dropped 36 C:\...\ScreenConnect.WindowsClient.exe, PE32 8->36 dropped 38 C:\...\ScreenConnect.WindowsClient.exe.config, XML 8->38 dropped 42 8 other files (none is malicious) 8->42 dropped 74 Enables network access during safeboot for specific services 8->74 17 msiexec.exe 8->17         started        19 msiexec.exe 1 8->19         started        21 msiexec.exe 8->21         started        60 docs.e-statements.app 136.0.157.3, 49695, 8041 EGIHOSTINGUS United States 12->60 23 ScreenConnect.WindowsClient.exe 3 12->23         started        26 ScreenConnect.WindowsClient.exe 2 12->26         started        40 C:\Users\user\AppData\...\SSA-Update.exe.log, CSV 15->40 dropped 28 msiexec.exe 6 15->28         started        file6 signatures7 process8 file9 31 rundll32.exe 8 17->31         started        70 Creates files in the system32 config directory 23->70 72 Contains functionality to hide user accounts 23->72 44 C:\Users\user\AppData\Local\...\MSI3477.tmp, PE32 28->44 dropped signatures10 process11 file12 46 C:\Users\user\...\ScreenConnect.Windows.dll, PE32 31->46 dropped 48 C:\...\ScreenConnect.InstallerActions.dll, PE32 31->48 dropped 50 C:\Users\user\...\ScreenConnect.Core.dll, PE32 31->50 dropped 52 Microsoft.Deployme...indowsInstaller.dll, PE32 31->52 dropped
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3a4ad89dd6951b958a09bb11ead2987b6ec2c56a097cce45fc3140a53699e7ec
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3a4ad89dd6951b958a09bb11ead2987b6ec2c56a097cce45fc3140a53699e7ec/
Threat name:
Win32.PUA.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-04-05 04:51:11 UTC
File Type:
PE (Exe)
Extracted files:
149
AV detection:
9 of 36 (25.00%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hjfnrhowsunzlcqjxmi6vuuypnxmfrlkbf6m4rp4gfakknuz47wa._file
Verdict:
suspicious
Label(s):
admintool_screenconnect
Create hunting rule
Similar samples:
184c629038e05bac72eb206a355d203612ddd7d4fbfff49f5248463bdaa6672c
ConnectWise
3c9f7ce03483ed8a66ca8105f443c77c9bc49a1d2bf84c86fcc25604c1f09570
ConnectWise
600a380c178cd94762e213c306b55cccdbfcc10b8be060386c0d2b4503ba1d9e
ConnectWise
8b13ae2e374c71ac7e76cdee5faa5cbdca0238e086aa2aa5b98ee18475e81d8e
ConnectWise
90256ffaecaef72d4ea2147a53d2030dd8bcf3cde5fa5e2dc1f09a58f491b740
ConnectWise
925e293f9543126059e4b82806b526a494753255872d7e896246ed8c6432ab14
ConnectWise
error
ConnectWise
+ 467 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery persistence privilege_escalation
Link:
https://tria.ge/reports/250423-ssnvha1xat/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Event Triggered Execution: Component Object Model Hijacking
Sets service image path in registry
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d9811b38-fc4b-4392-a4fe-6a5e4c30ed3a
Unpacked files
SH256 hash:
3a4ad89dd6951b958a09bb11ead2987b6ec2c56a097cce45fc3140a53699e7ec
MD5 hash:
0433046a84ee6a46063ab9e36c80e940
SHA1 hash:
4da7ae094f297117d37ce3b55fd68ca0b1f3da8e
Link:
https://www.unpac.me/results/19679f8e-d5e9-492c-a583-c1b19155062f/
SH256 hash:
4988e919f011256869e2b7fa82a885e87137f46bbfa251e598ed0720dc831499
MD5 hash:
5822cde544c4214cb6cdda1f83ec2671
SHA1 hash:
c0bf0f9f6542f012b28a3659ff47e0518643cfa7
Link:
https://www.unpac.me/results/19679f8e-d5e9-492c-a583-c1b19155062f/
SH256 hash:
8a55c15cc76e31042e17458c479772aa95bc1b908016c85b1dc8b8e3eff23254
MD5 hash:
decb1fd20d75e6eade9289cc24605f29
SHA1 hash:
5169602d641c4f2ebd9ca0639622949e00c25566
Link:
https://www.unpac.me/results/19679f8e-d5e9-492c-a583-c1b19155062f/
SH256 hash:
ad6062215032ab58369403b1221562b5e7fb5ae7d52b29b7fad69eefb2d8455b
MD5 hash:
723f2aaeeda1d2bb2f49322da349ffc9
SHA1 hash:
ac6ab994beaff69adf8a2dc480a8a628175ff6c8
Link:
https://www.unpac.me/results/19679f8e-d5e9-492c-a583-c1b19155062f/
SH256 hash:
289a4eea79baa4141744e44d60db713e18b5f23322663c63047962f51b467614
MD5 hash:
48979a1a6d3badea8124bce04b1e01a5
SHA1 hash:
06931bd96343ce167eda796112a30ca8d9fa536a
Link:
https://www.unpac.me/results/19679f8e-d5e9-492c-a583-c1b19155062f/
SH256 hash:
05e78416a344f74095e36ff14baa719867e9e163e1ae9a96c29df8615748b0ae
MD5 hash:
254d64388c6c52228d7a921960a03f6b
SHA1 hash:
b023b69348bb06c4b4ad67bee0f55bb9cfb3748c
Detections:
INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
SUSP_NET_Shellcode_Loader_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/19679f8e-d5e9-492c-a583-c1b19155062f/
Parent samples :
184c629038e05bac72eb206a355d203612ddd7d4fbfff49f5248463bdaa6672c
3a4ad89dd6951b958a09bb11ead2987b6ec2c56a097cce45fc3140a53699e7ec
a0646464157221267c2eab4e381231ce7e057212bec844e7bc860cd289c73e16
ee3f44b845311eaf6fcc13ebcadf20db6501d19c23b775a81547bf73c61c4e83
SH256 hash:
9f7b3fe209ffb2f09bd4484f2dcbd4f821dddd28e5a007e10013836db60f9db3
MD5 hash:
cbc13ed6bfe5af87f7d9bd9f08d56d12
SHA1 hash:
0307dd7aa2b548d27b0312b4f18d45fe93a56919
Link:
https://www.unpac.me/results/19679f8e-d5e9-492c-a583-c1b19155062f/
SH256 hash:
3b0c45370ca9295881ef5e9d14402c42dfb45803f54d542e6a7e595a05f365a1
MD5 hash:
6c5d0928642bf37ceed295b984e05be2
SHA1 hash:
46be0d5a7db56cb1ad77274709d0db053a3c0999
Detections:
INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Link:
https://www.unpac.me/results/19679f8e-d5e9-492c-a583-c1b19155062f/
Parent samples :
184c629038e05bac72eb206a355d203612ddd7d4fbfff49f5248463bdaa6672c
3a4ad89dd6951b958a09bb11ead2987b6ec2c56a097cce45fc3140a53699e7ec
a0646464157221267c2eab4e381231ce7e057212bec844e7bc860cd289c73e16
ee3f44b845311eaf6fcc13ebcadf20db6501d19c23b775a81547bf73c61c4e83
SH256 hash:
e1b57dd10c5772d005550396f1aa9cf6e095b494178078596d4d550fce93dbe6
MD5 hash:
75dcf3d46a928ca724d4691034e62236
SHA1 hash:
747c613f6f760567b09b27fc3f9cee16d7e5f337
Link:
https://www.unpac.me/results/19679f8e-d5e9-492c-a583-c1b19155062f/
SH256 hash:
19ac323ca6eae2f8145cdc2bac865b32cd5a48ad6ff199d4ca7da214b056e1dc
MD5 hash:
5fb6074b08ac4709cf2f29fa5b49023e
SHA1 hash:
8bbb78a47c08867c50572f0bd2a27171f91e0454
Link:
https://www.unpac.me/results/19679f8e-d5e9-492c-a583-c1b19155062f/
SH256 hash:
022ffc5289123852fd3a43ec6a648c16f9ee1c77a0f01f18d6d292e20f865264
MD5 hash:
e2f28dfc8ad7b8c835c4cb7e91895610
SHA1 hash:
9f5038ab97076ba5d6a1010e2799084f8d8d4e7d
Detections:
INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Link:
https://www.unpac.me/results/19679f8e-d5e9-492c-a583-c1b19155062f/
Parent samples :
184c629038e05bac72eb206a355d203612ddd7d4fbfff49f5248463bdaa6672c
3a4ad89dd6951b958a09bb11ead2987b6ec2c56a097cce45fc3140a53699e7ec
a0646464157221267c2eab4e381231ce7e057212bec844e7bc860cd289c73e16
ee3f44b845311eaf6fcc13ebcadf20db6501d19c23b775a81547bf73c61c4e83
SH256 hash:
1698d7431ab4e0458e8ac84e0851ec813f290e929319dd825257cbbe8f4dade4
MD5 hash:
18c27c1e8686615e17baf01786ba143e
SHA1 hash:
e3ed60202db0c9beb9a8bd821144f729cdde55b0
Detections:
INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Link:
https://www.unpac.me/results/19679f8e-d5e9-492c-a583-c1b19155062f/
Parent samples :
184c629038e05bac72eb206a355d203612ddd7d4fbfff49f5248463bdaa6672c
3a4ad89dd6951b958a09bb11ead2987b6ec2c56a097cce45fc3140a53699e7ec
a0646464157221267c2eab4e381231ce7e057212bec844e7bc860cd289c73e16
ee3f44b845311eaf6fcc13ebcadf20db6501d19c23b775a81547bf73c61c4e83
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3a4ad89dd6951b958a09bb11ead2987b6ec2c56a097cce45fc3140a53699e7ec

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_EXE_DotNET_Encrypted
Create hunting rule
Author:ditekSHen
Description:Detects encrypted or obfuscated .NET executables
Rule name:INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Author:ditekSHen
Description:Detects ConnectWise Control (formerly ScreenConnect). Review RMM Inventory
Rule name:INDICATOR_RMM_ConnectWise_ScreenConnect_CERT
Create hunting rule
Author:ditekSHen
Description:Detects ConnectWise Control (formerly ScreenConnect) by (default) certificate. Review RMM Inventory
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETDLLMicrosoft
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:win_rat_generic
Create hunting rule
Author:Reedus0
Description:Rule for detecting generic RAT malware
Rule name:win_stealer_generic
Create hunting rule
Author:Reedus0
Description:Rule for detecting generic stealer malware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Distributed via e-mail link
Cape
Cape
https://www.capesandbox.com/analysis/3718/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW

Comments