MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f2de9f29834ca7fb64dc53ac7415e9903b1cfb23e52b1b0a28dc08798c2f790. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ConnectWise


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3f2de9f29834ca7fb64dc53ac7415e9903b1cfb23e52b1b0a28dc08798c2f790
SHA3-384 hash: 2bacea1c3901cf20ef4b2c9cc5b4e74768ce72daa5fbf3b941d1b2a6bcc12e4fb055cda62a1239cf000a0395256e9233
SHA1 hash: 9df02a107eb5b05420d29100409833243746e3d1
MD5 hash: 92d606c247f974c5419ed9ac461618a8
humanhash: bacon-finch-ohio-golf
File name:MSTeamsInstaller.exe
Download: download sample
Signature ConnectWise
Create hunting rule
File size:330'400 bytes
First seen:2026-01-08 08:58:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f4d1e4cd7416ef83f79f7c6a038875b3 (1 x ConnectWise)
ssdeep 6144:jJ7B8JB00cyP8PxOv2ZgZhZyZZZZZZZZZ0bzNZlZDZdZe0Ut62gDlIYCAX:JBw002ZgZhZyZZZZZZZZZ0bzNZlZDZd5
Threatray 6 similar samples on MalwareBazaar
TLSH T178648CF2960200F0DC255E3142712DB796AF5EBCEDCAB24B9AA438A6DD378C1453F15B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 6767663b36363637 (1 x ConnectWise)
Reporter smica83
Tags:ConnectWise exe signed

Code Signing Certificate

Organisation:Joyce Baloyi
Issuer:Certum Code Signing 2021 CA
Algorithm:sha256WithRSAEncryption
Valid from:2026-01-07T12:12:50Z
Valid to:2027-01-07T12:12:49Z
Serial number: 0ff41d3867f0498a308ab24792f3358f
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Cert Graveyard Blocklist:This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:SHA256
Thumbprint: dfc4955201186a11307f0c98b4083367864e20b5ee331030ef23e7f28323a4bf
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
152
Origin country :
HU HU
Vendor Threat Intelligence
Malware configuration found for:
NSIS
Details
NSIS
extracted archive contents
Link:
https://research.acce.ciphertechsolutions.com/results/e6f21c41-92bd-4597-a33b-eb3145b41593/
Malware family:
n/a
ID:
1
File name:
_3f2de9f29834ca7fb64dc53ac7415e9903b1cfb23e52b1b0a28dc08798c2f790.exe
Verdict:
Malicious activity
Analysis date:
2026-01-08 08:59:57 UTC
Tags:
evasion ip-check ims-api generic screenconnect tool rmm-tool remote telegram loader rat
Link:
https://app.any.run/tasks/35173d0d-8efd-4de6-a90f-29533376245b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/48161/
Detection(s):
Sanesecurity.Malware.25834.JsHeur.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PUA.Telegrambot-21.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=695f71f69922425f92feb736
Tags:
trojandownloader shellcode phishing html
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Connection attempt
Sending an HTTP GET request
DNS request
Sending a custom TCP request
Creating a file in the Windows subdirectories
Launching a process
Creating a process with a hidden window
Сreating synchronization primitives
Modifying a system file
Loading a suspicious library
Creating a file
Creating a file in the Program Files subdirectories
Creating a service
Launching a service
Searching for synchronization primitives
Moving a file to the Windows subdirectory
Using the Windows Management Instrumentation requests
Possible injection to a system process
Enabling autorun with the shell\open\command registry branches
Enabling autorun
Enabling autorun for a service
Unauthorized injection to a recently created process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context anti-debug blackhole installer installer installer-heuristic mingw nsis packed signed
Link:
https://www.filescan.io/uploads/695f71f287e75cdd5af881b8/reports/fad7e9f8-1dd5-473c-a106-5e65a7c3313d/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/3f2de9f29834ca7fb64dc53ac7415e9903b1cfb23e52b1b0a28dc08798c2f790
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-01-08T05:10:00Z UTC
Last seen:
2026-01-09T11:35:00Z UTC
Hits:
~10
Detections:
Trojan-Downloader.JS.SLoad.sb PDM:Trojan.Win32.Generic HEUR:Trojan-Downloader.Script.SLoad.gen UDS:DangerousObject.Multi.Generic RemoteAdmin.ConnectWise.HTTP.C&C NetTool.TelegramSendMessage.HTTP.C&C
Link:
https://opentip.kaspersky.com/3f2de9f29834ca7fb64dc53ac7415e9903b1cfb23e52b1b0a28dc08798c2f790/results?tab=lookup
Malware family:
ConnectWise Inc
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/90fbf872-bf3d-4518-b2de-6420262b29ec
Result
Threat name:
ScreenConnect Tool
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1846521
Signature
.NET source code references suspicious native API functions
Contains functionality to hide user accounts
Enables network access during safeboot for specific services
Found malware configuration
Joe Sandbox ML detected suspicious sample
Modifies security policies related information
Reads the Security eventlog
Reads the System eventlog
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript called in batch mode (surpress errors)
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1846521 Sample: MSTeamsInstaller.exe Startdate: 08/01/2026 Architecture: WINDOWS Score: 64 53 api.telegram.org 2->53 55 app.zyabozadpap.top 2->55 57 2 other IPs or domains 2->57 67 Suricata IDS alerts for network traffic 2->67 69 Found malware configuration 2->69 71 Yara detected Telegram RAT 2->71 75 7 other signatures 2->75 8 msiexec.exe 94 53 2->8         started        12 MSTeamsInstaller.exe 9 2->12         started        14 ScreenConnect.ClientService.exe 2 5 2->14         started        signatures3 73 Uses the Telegram API (likely for C&C communication) 53->73 process4 dnsIp5 35 C:\...\ScreenConnect.ClientService.exe, PE32 8->35 dropped 37 C:\Windows\Installer\MSIFC1C.tmp, PE32 8->37 dropped 39 C:\Windows\Installer\MSIF0.tmp, PE32 8->39 dropped 43 10 other files (none is malicious) 8->43 dropped 83 Enables network access during safeboot for specific services 8->83 85 Modifies security policies related information 8->85 17 msiexec.exe 8->17         started        19 msiexec.exe 1 8->19         started        41 C:\Users\user\AppData\Local\Temp\agent.js, ASCII 12->41 dropped 87 Wscript called in batch mode (surpress errors) 12->87 21 wscript.exe 2 12->21         started        65 relays.zyabozadpap.top 147.124.214.220, 49696, 8041 AC-AS-1US United States 14->65 89 Reads the Security eventlog 14->89 91 Reads the System eventlog 14->91 25 ScreenConnect.WindowsClient.exe 2 14->25         started        27 ScreenConnect.WindowsClient.exe 2 14->27         started        file6 signatures7 process8 dnsIp9 29 rundll32.exe 11 17->29         started        59 185.182.187.151, 49693, 80 QUICKPACKETUS Germany 21->59 61 app.zyabozadpap.top 104.21.58.120, 443, 49695 CLOUDFLARENETUS United States 21->61 63 2 other IPs or domains 21->63 77 System process connects to network (likely due to code injection or exploit) 21->77 79 Windows Scripting host queries suspicious COM object (likely to drop second stage) 21->79 33 msiexec.exe 21->33         started        81 Contains functionality to hide user accounts 25->81 signatures10 process11 file12 45 C:\Windows\...\ScreenConnect.Windows.dll, PE32 29->45 dropped 47 C:\...\ScreenConnect.InstallerActions.dll, PE32 29->47 dropped 49 C:\Windows\...\ScreenConnect.Core.dll, PE32 29->49 dropped 51 4 other files (none is malicious) 29->51 dropped 93 Contains functionality to hide user accounts 29->93 signatures13
Score:
10%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/3f2de9f29834ca7fb64dc53ac7415e9903b1cfb23e52b1b0a28dc08798c2f790
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/92d606c247f974c5419ed9ac461618a8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3f2de9f29834ca7fb64dc53ac7415e9903b1cfb23e52b1b0a28dc08798c2f790/
Verdict:
Malicious
Threat:
Family.SCREENCONNECT
Link:
https://tip.neiki.dev/file/3f2de9f29834ca7fb64dc53ac7415e9903b1cfb23e52b1b0a28dc08798c2f790
Threat name:
Win32.Downloader.SLoad
Create hunting rule
Status:
Suspicious
First seen:
2026-01-08 08:59:36 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
5 of 24 (20.83%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=h4w6t4uygtfh7nsnyu5moqk6teb3dt5shzjldmfcrxaipggc66ia._file
Verdict:
suspicious
Label(s):
admintool_screenconnect
Create hunting rule
Similar samples:
04fafb4515532c6a91a0d0955b54c8fcf2e6ddd043f14545749fc6d50f799645
ConnectWise
3f2de9f29834ca7fb64dc53ac7415e9903b1cfb23e52b1b0a28dc08798c2f790
ConnectWise
5d3e68d15490e52e3cb5d386658ab60d13af3459aa1286e46000a5cea8dcec88
ConnectWise
ac442d3c43342a80e0311e6a7da3072ee4b9242c39dd194d262c87ee68afc912
ConnectWise
error
ConnectWise
Result
Malware family:
n/a
Score:
  8/10
Tags:
backdoor discovery execution persistence privilege_escalation rat revoked_codesign
Link:
https://tria.ge/reports/260108-kx1e4aez3a/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Modifies registry class
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Boot or Logon Autostart Execution: Authentication Package
Checks computer location settings
Drops file in System32 directory
Event Triggered Execution: Component Object Model Hijacking
Enumerates connected drives
Looks up external IP address via web service
ConnectWise ScreenConnect remote access tool
Badlisted process makes network request
Binary is signed using a ConnectWise certificate revoked for key compromise.
Sets service image path in registry
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/09e656a5-e45e-47fc-8cc8-f1ef52f5bff3
Unpacked files
SH256 hash:
3f2de9f29834ca7fb64dc53ac7415e9903b1cfb23e52b1b0a28dc08798c2f790
MD5 hash:
92d606c247f974c5419ed9ac461618a8
SHA1 hash:
9df02a107eb5b05420d29100409833243746e3d1
Link:
https://www.unpac.me/results/b90e644b-1920-47ef-8b68-86f5feb71b1c/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/48161/

Comments