MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f5c833dc7b2aedccbdc734198ebcd06a77f8c61c55cbfd3c0bca40fa68d8110. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ConnectWise


Vendor detections: 11



SHA256 hash: 3f5c833dc7b2aedccbdc734198ebcd06a77f8c61c55cbfd3c0bca40fa68d8110
SHA3-384 hash: 4c65f0430613d850fd189584a06399bf3f486b73c02a54fe9d2dc2aa2f32bb50bcfd59baba5eec91b6d89fa7a708fab5
SHA1 hash: 5b3b5e6f82e04e9a13766470d34c23309781dd6c
MD5 hash: 01762ed1edede10ed75c6603dded3a66
humanhash: ten-nitrogen-saturn-july
File name: 3f5c833dc7b2aedccbdc734198ebcd06a77f8c61c55cbfd3c0bca40fa68d8110.bin
Signature: ConnectWise
File size: 2'923'463 bytes
First seen: 2023-09-06 11:41:58 UTC
Last seen: 2023-09-07 09:03:44 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: aac51396886833dc961fcd7aab7711e4 (11 x NetSupport, 7 x DCRat, 4 x njrat)
ssdeep: 49152:BgCFbEcEZAZMtsdAAyTdAefjvJG/tZzdVHzigwqNRk6tm7Cw:BPCPbts0hAeftmVHzl06Uz
Threatray: 151 similar samples on MalwareBazaar
TLSH: T1A3D52303BED98471D172047BC73A7B21993CBE602A65C7DBA3C05AAAAF714C0E731765
TrID:
  91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
  3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
  1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
  1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
  0.6% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: 64ccc4d4e8e0d4cc (6 x Formbook, 5 x AgentTesla, 2 x GuLoader)
Reporter: JAMESWT_WT
Tags: 247info-click ConnectWise exe
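The entry identifies the sample by four digests and, via TrID, as a WinRAR self-extracting archive wrapping a PE. The script below is an added example (it is not MalwareBazaar's, ConnectWise's or TrID's code): it recomputes the listed digests for a local file, matches them against the indicators on this page (the submitted sample and the two "Unpacked files" hashes further down), and applies a constructed heuristic for a RAR SFX, namely an MZ image with a RAR archive marker somewhere after the DOS header. The heuristic only approximates TrID's match and does not parse PE or RAR headers; ssdeep, TLSH and imphash are omitted because they need third-party libraries.

```python
"""Hash-based triage for a suspected WinRAR SFX dropper.

Added example, not part of the MalwareBazaar page or ConnectWise's code.
Recomputes the digests the entry lists (MD5, SHA1, SHA256, SHA3-384),
matches them against the indicators taken from the page, and applies a
constructed RAR-SFX heuristic that approximates (but is not) TrID.
"""
import hashlib
import sys

# Indicators copied from the MalwareBazaar entry: the submitted sample and
# the two hashes listed under "Unpacked files".
KNOWN_SHA256 = {
    "3f5c833dc7b2aedccbdc734198ebcd06a77f8c61c55cbfd3c0bca40fa68d8110",
    "49320d00522b28d99709d8960ac8d724e6971f20f2ebb42f4d8ba1c1049ae9fd",
}
KNOWN_MD5 = {
    "01762ed1edede10ed75c6603dded3a66",
    "e1969a80978630217ccb5a85d2d556bd",
}
KNOWN_SHA1 = {
    "5b3b5e6f82e04e9a13766470d34c23309781dd6c",
    "180c40d52c64ee19d54aa90a7577c7f98e57c3e8",
}

# Common prefix of the RAR 4.x ("Rar!\x1a\x07\x00") and 5.x
# ("Rar!\x1a\x07\x01\x00") archive signatures.
RAR_MARKER = b"Rar!\x1a\x07"


def digests(data: bytes) -> dict:
    """Return the digests MalwareBazaar lists, keyed by algorithm name."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def matches_known_iocs(d: dict) -> bool:
    """True if any digest in d equals an indicator from the entry.

    SHA256 alone identifies the file; MD5 and SHA1 are kept only because
    some vendor feeds still key on them.
    """
    return (d.get("sha256") in KNOWN_SHA256
            or d.get("sha1") in KNOWN_SHA1
            or d.get("md5") in KNOWN_MD5)


def is_rar_sfx_candidate(data: bytes) -> bool:
    """Heuristic (assumption): a PE image (MZ header) followed by a RAR marker.

    An SFX stub is a PE; the archive payload is appended after the stub, so
    the marker is searched past the 64-byte DOS header. This does not parse
    either format and can be fooled by a PE that merely embeds the bytes.
    """
    if len(data) < 64 or data[:2] != b"MZ":
        return False
    return data.find(RAR_MARKER, 64) != -1


def triage(data: bytes) -> dict:
    """Digests plus the two verdict flags for one file's contents."""
    d = digests(data)
    return {
        **d,
        "known_ioc": matches_known_iocs(d),
        "rar_sfx_candidate": is_rar_sfx_candidate(data),
    }


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        for key, value in triage(fh.read()).items():
            print(f"{key}: {value}")
```

Run it as `python triage.py sample.bin` inside an isolated analysis VM; a `known_ioc` of True means the file is byte-identical to one of the hashes on this page, while `rar_sfx_candidate` only says the layout is consistent with the TrID result and must be confirmed by unpacking the archive.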

Intelligence


File Origin
Number of uploads: 3
Number of downloads: 267
Origin country: IT

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 3f5c833dc7b2aedccbdc734198ebcd06a77f8c61c55cbfd3c0bca40fa68d8110.bin
Verdict: Malicious activity
Analysis date: 2023-09-06 11:44:54 UTC
Tags: screenconnect remote policy

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Running batch commands
Launching a process
Sending a custom TCP request
Creating a file
Loading a suspicious library
Launching a service
Modifying a system file
Creating a file in the Windows subdirectories
Creating a file in the Program Files subdirectories
Creating a service
Creating a process from a recently created file
DNS request
Moving a file to the Windows subdirectory
Using the Windows Management Instrumentation requests
Possible injection to a system process
Enabling autorun with the shell\open\command registry branches
Enabling autorun for a service
Unauthorized injection to a recently created process
Gathering data
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: anti-vm control expand greyware lolbin masquerade overlay packed remote replace rundll32 setupapi shdocvw shell32
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: ScreenConnect Tool
Detection: malicious
Classification: evad
Score: 68 / 100
Signature
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to hide user accounts
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Behaviour
Behavior graph (ID 1304239; sample kSWf9QrxMR.exe; start date 06/09/2023; architecture WINDOWS; score 68). The following is recovered from the rendered graph; numbers in parentheses are the graph's own process node IDs.

Sample-level signatures: Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; Contains functionality to hide user accounts.

Process tree:
- ScreenConnect.ClientService.exe (9), started by the sample
  - Network: server-nix9ad61b99-relay.screenconnect.com (147.75.70.116, port 443, source ports 49727 and 49728; PACKETUS, Switzerland); instance-m73xwc-relay.screenconnect.com
  - Started ScreenConnect.WindowsClient.exe (20): Contains functionality to hide user accounts
- svchost.exe (12): Changes security center settings (notifications, updates, antivirus, firewall)
  - Started MpCmdRun.exe (23), which started conhost.exe (33)
- svchost.exe (15): Query firmware table information (likely to detect VMs)
- 9 other processes (17)
  - Dropped: C:\Windows\Installer\MSI1A0E.tmp (PE32); C:\Windows\Installer\MSI148D.tmp (PE32); ScreenConnect.Wind...dentialProvider.dll (PE32+); 7 other files (none is malicious)
  - Started cmd.exe (25), msiexec.exe (27), msiexec.exe (29) and msiexec.exe (31)
- cmd.exe (25) started chrome.exe (35), msiexec.exe (38) and conhost.exe (41)
  - chrome.exe (35): local traffic to 192.168.2.1, 192.168.2.7 and 239.255.255.250 (reserved); started chrome.exe (45) and AcroRd32.exe (48)
    - chrome.exe (45): www.google.com (142.250.217.196, port 443, source ports 49724 and 49756; GOOGLEUS, United States); accounts.google.com (142.250.217.205, port 443, source port 49720; GOOGLEUS, United States); 3 other IPs or domains
    - AcroRd32.exe (48) started RdrCEF.exe (50)
  - msiexec.exe (38) dropped C:\Users\user\AppData\Local\...\MSIFEF1.tmp (PE32)
- msiexec.exe (27) started rundll32.exe (43), which dropped C:\Users\user\...\ScreenConnect.Windows.dll (PE32), C:\...\ScreenConnect.InstallerActions.dll (PE32), C:\Users\user\...\ScreenConnect.Core.dll (PE32) and Microsoft.Deployme...indowsInstaller.dll (PE32)
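The only network indicators specific to this sample are the two relay hostnames and the relay IP that ScreenConnect.ClientService.exe contacted. ScreenConnect is a legitimate RMM product, so a relay connection is malicious only when it is to an instance your organisation does not operate. The script below is an added example, not code from MalwareBazaar or the sandbox vendor: it scans constructed DNS/proxy log lines for the relay hostname pattern, generalised from the two observed names (an assumption: `server-<id>-relay` and `instance-<id>-relay` under screenconnect.com), skips instance IDs on a hypothetical allow-list of sanctioned tenants, and separately flags direct connections to the relay IP from the report. The log format, field order and allow-list are assumptions for the example.

```python
"""Detect unsanctioned ScreenConnect relay traffic in DNS/proxy logs.

Added example; not part of the MalwareBazaar page or the sandbox report.
The hostname regex generalises the two relay names observed for this
sample; log format, field names and the allow-list are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Generalised from server-nix9ad61b99-relay.screenconnect.com and
# instance-m73xwc-relay.screenconnect.com in the sandbox report (assumption).
RELAY_RE = re.compile(
    r"^(?P<kind>server|instance)-(?P<id>[a-z0-9]+)-relay\.screenconnect\.com$"
)

# Relay IP observed for this sample in the report.
KNOWN_RELAY_IPS = {"147.75.70.116"}

# Hypothetical: relay instance IDs used by your own ScreenConnect tenant.
# Any other instance is an RMM channel you do not control.
SANCTIONED_INSTANCE_IDS = {"a1b2c3"}


@dataclass
class Hit:
    timestamp: str
    src: str
    hostname: str
    dst_ip: str
    instance_id: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Parse a constructed 'timestamp src_ip hostname dst_ip' log line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, src, host, dst_ip = parts
    # Normalise case and a trailing dot from DNS-style names.
    return {"ts": ts, "src": src, "host": host.lower().rstrip("."), "dst_ip": dst_ip}


def find_relay_hits(lines) -> List[Hit]:
    """Return one Hit per line that reaches a relay we did not sanction."""
    hits: List[Hit] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line; a real pipeline would count these
        m = RELAY_RE.match(rec["host"])
        if m:
            inst = m.group("id")
            if inst in SANCTIONED_INSTANCE_IDS:
                continue  # legitimate use by our own tenant
            hits.append(Hit(rec["ts"], rec["src"], rec["host"], rec["dst_ip"],
                            inst, "unsanctioned screenconnect relay hostname"))
        elif rec["dst_ip"] in KNOWN_RELAY_IPS:
            # Hostname did not match (or was absent) but the destination is the
            # relay IP from the report: catches direct-to-IP or SNI-less traffic.
            hits.append(Hit(rec["ts"], rec["src"], rec["host"], rec["dst_ip"],
                            "", "direct connection to relay IP from report"))
    return hits


# Constructed sample log (not from the page). The two relay hostnames and
# 147.75.70.116 are taken from the sandbox report; everything else is made up.
SAMPLE_LOG = [
    "2023-09-06T11:45:01Z 10.0.0.23 server-nix9ad61b99-relay.screenconnect.com 147.75.70.116",
    "2023-09-06T11:45:02Z 10.0.0.23 instance-m73xwc-relay.screenconnect.com 147.75.70.116",
    "2023-09-06T11:45:03Z 10.0.0.23 www.google.com 142.250.217.196",
    "2023-09-06T11:46:10Z 10.0.0.40 instance-a1b2c3-relay.screenconnect.com 203.0.113.9",
    "2023-09-06T11:47:00Z 10.0.0.41 cdn.example.org 147.75.70.116",
    "malformed line",
]

if __name__ == "__main__":
    for h in find_relay_hits(SAMPLE_LOG):
        print(h)
```

The allow-list is the important part: without it, every sanctioned ScreenConnect install in the environment fires the rule. Relay IPs change, so treat the IP match as a secondary signal and keep the hostname pattern as the primary one.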
Threat name: Win32.Trojan.Generic
Status: Malicious
First seen: 2023-06-08 15:28:49 UTC
File Type: PE (Exe)
Extracted files: 184
AV detection: 16 of 38 (42.11%)
Threat level: 2/5
Result
Malware family: n/a
Score: 8/10
Tags: persistence
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Registers COM server for autorun
Sets service image path in registry
Unpacked files
SHA256 hash: 49320d00522b28d99709d8960ac8d724e6971f20f2ebb42f4d8ba1c1049ae9fd
MD5 hash: e1969a80978630217ccb5a85d2d556bd
SHA1 hash: 180c40d52c64ee19d54aa90a7577c7f98e57c3e8
SHA256 hash: 3f5c833dc7b2aedccbdc734198ebcd06a77f8c61c55cbfd3c0bca40fa68d8110
MD5 hash: 01762ed1edede10ed75c6603dded3a66
SHA1 hash: 5b3b5e6f82e04e9a13766470d34c23309781dd6c
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants
Rule name: SelfExtractingRAR
Author: Xavier Mertens
Description: Detects an SFX archive with automatic script execution
Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments