MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3daa4dab145c54df4959ad5ef311c6387a3cd7984fc41e167535d4ebcf831827. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ConnectWise


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3daa4dab145c54df4959ad5ef311c6387a3cd7984fc41e167535d4ebcf831827
SHA3-384 hash: 0887b119fffdf9dcea253a834e50d55b42956f6f8ad43aad2cf0700958c3a98da311f61ad87dd66c88be7005c83b8e51
SHA1 hash: 4852aac6fb2cf4f145b266231c22e44f25afb275
MD5 hash: c2f83d0970a9b801c98285738c13fceb
humanhash: potato-zulu-mike-aspen
File name:Overlay.exe
Download: download sample
Signature ConnectWise
Create hunting rule
File size:5'302'536 bytes
First seen:2023-04-17 14:04:51 UTC
Last seen:2023-09-07 08:26:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9771ee6344923fa220489ab01239bdfd (244 x ConnectWise)
ssdeep 98304:gxwxd/6+6efPCqe9kNDqnS2wdYdstG1f2yrOnTJkF:gxCyefPCq18nlwnzyrOnNG
Threatray 6 similar samples on MalwareBazaar
TLSH T17936F111B3D581B6D4BF0638D87952669770BC088326D7AF9794BE697D33B808E22373
TrID 74.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
15.7% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
3.9% (.EXE) Win64 Executable (generic) (10523/12/4)
1.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.7% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter tech_skeech
Tags:ConnectWise exe instance-bj6uhc-relay-screenconnect-com signed

Code Signing Certificate

Organisation:Connectwise, LLC
Issuer:DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm:sha256WithRSAEncryption
Valid from:2022-08-17T00:00:00Z
Valid to:2025-08-15T23:59:59Z
Serial number: 0b9360051bccf66642998998d5ba97ce
Intelligence: 444 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 82b4e7924d5bed84fb16ddf8391936eb301479cec707dc14e23bc22b8cdeae28
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
249
Origin country :
RO RO
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Overlay.exe
Verdict:
Malicious activity
Analysis date:
2023-04-17 14:05:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f7b8e805-35ff-44cf-bcba-d454168e2806

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/382820/
Detection(s):
Sanesecurity.Malware.29065.SC.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Сreating synchronization primitives
Launching a process
Creating a file
Creating a window
Searching for synchronization primitives
Launching a service
Modifying a system file
Creating a file in the Windows subdirectories
Creating a file in the Program Files subdirectories
Creating a service
Creating a process from a recently created file
DNS request
Moving a file to the Windows subdirectory
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Possible injection to a system process
Enabling autorun with the shell\open\command registry branches
Enabling autorun for a service
Unauthorized injection to a recently created process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/80080/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm exploit greyware msiexec.exe net obfuscated overlay packed rundll32.exe
Link:
https://www.filescan.io/uploads/643d5210000396b4e998fbe2/reports/d1d2bd53-6e56-416f-902e-49ed12ed4330/overview
Verdict:
Malicious
Labled as:
RemoteAdmin.ConnectWise
Link:
https://www.hybrid-analysis.com/sample/3daa4dab145c54df4959ad5ef311c6387a3cd7984fc41e167535d4ebcf831827
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
ConnectWise
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/f3dab0e8-ed3c-48b3-8694-b40f68c3413d
Result
Threat name:
ScreenConnect Tool
Create hunting rule
Detection:
malicious
Classification:
evad
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1215251
Signature
.NET source code references suspicious native API functions
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to hide user accounts
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 848189 Sample: Overlay.exe Startdate: 17/04/2023 Architecture: WINDOWS Score: 48 60 Multi AV Scanner detection for submitted file 2->60 62 .NET source code references suspicious native API functions 2->62 64 Contains functionality to hide user accounts 2->64 7 svchost.exe 2->7         started        10 svchost.exe 2->10         started        12 msiexec.exe 92 46 2->12         started        15 9 other processes 2->15 process3 dnsIp4 66 Changes security center settings (notifications, updates, antivirus, firewall) 7->66 18 MpCmdRun.exe 7->18         started        68 Query firmware table information (likely to detect VMs) 10->68 46 C:\Windows\Installer\MSI1C2A.tmp, PE32 12->46 dropped 48 C:\Windows\Installer\MSI18AE.tmp, PE32 12->48 dropped 50 ScreenConnect.Wind...dentialProvider.dll, PE32+ 12->50 dropped 54 7 other files (none is malicious) 12->54 dropped 20 msiexec.exe 12->20         started        22 msiexec.exe 1 12->22         started        24 msiexec.exe 12->24         started        56 server-nixf3f8fa7a-relay.screenconnect.com 147.28.147.188, 443, 49700, 49701 RGNET-SEARGnetSeattleWestinEE United States 15->56 58 instance-bj6uhc-relay.screenconnect.com 15->58 52 C:\Users\user\AppData\...\Overlay.exe.log, CSV 15->52 dropped 26 msiexec.exe 6 15->26         started        29 ScreenConnect.WindowsClient.exe 2 15->29         started        file5 signatures6 process7 file8 31 conhost.exe 18->31         started        33 rundll32.exe 8 20->33         started        44 C:\Users\user\AppData\Local\Temp\MSI17B.tmp, PE32 26->44 dropped process9 file10 36 C:\Users\user\...\ScreenConnect.Windows.dll, PE32 33->36 dropped 38 C:\...\ScreenConnect.InstallerActions.dll, PE32 33->38 dropped 40 C:\Users\user\...\ScreenConnect.Core.dll, PE32 33->40 dropped 42 Microsoft.Deployme...indowsInstaller.dll, PE32 33->42 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3daa4dab145c54df4959ad5ef311c6387a3cd7984fc41e167535d4ebcf831827/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hwve3kyulrkn6skzvvppgeoghb5dzv4yj7cb4ftvgxkoxt4ddatq._file
Verdict:
malicious
Similar samples:
0ce441304f7c47187c34fdf6d601624ce345c211e21a892328cf2205df7dfb47
ConnectWise
24cb773fd21e8ff6126882b218a5a178f41db0f4fdb290ca4b6b4afbfdb4e3a4
ConnectWise
60dbc8e2cb2389609132466a2125b832b478e2793db3b68a33ab0c3018f4b47b
ConnectWise
6e3a1e4e946e7b6cdf277b39d134cf68cd87b5ff4335e5cc5c8447add9faed23
ConnectWise
73ab66e22bda8d73307bfbe2c6edba30e8f5b94a4d916b5b00b147ca618a080d
ConnectWise
994fd4e2ae80afedfa17ef2789eab8da068d8b5217bbf4d75ba6fea85d55d3fe
ConnectWise
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/230417-rdtxjagb4x/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Registers COM server for autorun
Sets service image path in registry
Unpacked files
SH256 hash:
1698d7431ab4e0458e8ac84e0851ec813f290e929319dd825257cbbe8f4dade4
MD5 hash:
18c27c1e8686615e17baf01786ba143e
SHA1 hash:
e3ed60202db0c9beb9a8bd821144f729cdde55b0
Link:
https://www.unpac.me/results/170089cc-d0d6-46a0-8fc6-eb887b70fc58/
Parent samples :
184c629038e05bac72eb206a355d203612ddd7d4fbfff49f5248463bdaa6672c
3a4ad89dd6951b958a09bb11ead2987b6ec2c56a097cce45fc3140a53699e7ec
a0646464157221267c2eab4e381231ce7e057212bec844e7bc860cd289c73e16
ee3f44b845311eaf6fcc13ebcadf20db6501d19c23b775a81547bf73c61c4e83
SH256 hash:
022ffc5289123852fd3a43ec6a648c16f9ee1c77a0f01f18d6d292e20f865264
MD5 hash:
e2f28dfc8ad7b8c835c4cb7e91895610
SHA1 hash:
9f5038ab97076ba5d6a1010e2799084f8d8d4e7d
Link:
https://www.unpac.me/results/170089cc-d0d6-46a0-8fc6-eb887b70fc58/
Parent samples :
184c629038e05bac72eb206a355d203612ddd7d4fbfff49f5248463bdaa6672c
3a4ad89dd6951b958a09bb11ead2987b6ec2c56a097cce45fc3140a53699e7ec
a0646464157221267c2eab4e381231ce7e057212bec844e7bc860cd289c73e16
ee3f44b845311eaf6fcc13ebcadf20db6501d19c23b775a81547bf73c61c4e83
SH256 hash:
19ac323ca6eae2f8145cdc2bac865b32cd5a48ad6ff199d4ca7da214b056e1dc
MD5 hash:
5fb6074b08ac4709cf2f29fa5b49023e
SHA1 hash:
8bbb78a47c08867c50572f0bd2a27171f91e0454
Link:
https://www.unpac.me/results/170089cc-d0d6-46a0-8fc6-eb887b70fc58/
SH256 hash:
2e577f69c78c7a4513cdf42c10ffbc6c8e8e384c551d3de56b2494586a2f7aa1
MD5 hash:
0659736af9cb07e50b1c914047004204
SHA1 hash:
85137fb6c53d8d5a571f324201ebefe8f8258668
Link:
https://www.unpac.me/results/170089cc-d0d6-46a0-8fc6-eb887b70fc58/
SH256 hash:
3b0c45370ca9295881ef5e9d14402c42dfb45803f54d542e6a7e595a05f365a1
MD5 hash:
6c5d0928642bf37ceed295b984e05be2
SHA1 hash:
46be0d5a7db56cb1ad77274709d0db053a3c0999
Link:
https://www.unpac.me/results/170089cc-d0d6-46a0-8fc6-eb887b70fc58/
Parent samples :
184c629038e05bac72eb206a355d203612ddd7d4fbfff49f5248463bdaa6672c
3a4ad89dd6951b958a09bb11ead2987b6ec2c56a097cce45fc3140a53699e7ec
a0646464157221267c2eab4e381231ce7e057212bec844e7bc860cd289c73e16
ee3f44b845311eaf6fcc13ebcadf20db6501d19c23b775a81547bf73c61c4e83
SH256 hash:
9f7b3fe209ffb2f09bd4484f2dcbd4f821dddd28e5a007e10013836db60f9db3
MD5 hash:
cbc13ed6bfe5af87f7d9bd9f08d56d12
SHA1 hash:
0307dd7aa2b548d27b0312b4f18d45fe93a56919
Link:
https://www.unpac.me/results/170089cc-d0d6-46a0-8fc6-eb887b70fc58/
SH256 hash:
3daa4dab145c54df4959ad5ef311c6387a3cd7984fc41e167535d4ebcf831827
MD5 hash:
c2f83d0970a9b801c98285738c13fceb
SHA1 hash:
4852aac6fb2cf4f145b266231c22e44f25afb275
Link:
https://www.unpac.me/results/170089cc-d0d6-46a0-8fc6-eb887b70fc58/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3daa4dab145c54df4959ad5ef311c6387a3cd7984fc41e167535d4ebcf831827

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_DotNET_Encrypted
Create hunting rule
Author:ditekSHen
Description:Detects encrypted or obfuscated .NET executables
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:QbotStuff
Create hunting rule
Author:anonymous

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ConnectWise

Executable exe 3daa4dab145c54df4959ad5ef311c6387a3cd7984fc41e167535d4ebcf831827

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/382820/

Comments