MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c6c3fb40ded613933d00a87000b065649322eec736018493bc607ce72c76017. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ConnectWise


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4c6c3fb40ded613933d00a87000b065649322eec736018493bc607ce72c76017
SHA3-384 hash: 16be9e4d57119b5d17a0e946c2d703899bf564995c20f88e4e829f41efa007d83509863602c095021d177506cd678610
SHA1 hash: 9ebe2e5fab3e8c4670f32873572b14ff9fc5927c
MD5 hash: 671a415b70981898a6a51d0fd2f9322b
humanhash: beer-double-xray-winner
File name:Adobe_Acrobat_Reader_DC_Updater_Windows_installer_Win11_x86_x64_Win10-Win11_x64.vbs
Download: download sample
Signature ConnectWise
Create hunting rule
File size:236'028 bytes
First seen:2026-06-20 20:41:55 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 6144:hDSQ/iWRROPtw3D+dDQtNHPTVMBvQ/8m4bCpgkLhzpw:MQ/RwPtwK1aNHPTVYvQkPOyMTw
Threatray 2'514 similar samples on MalwareBazaar
TLSH T14234436E3283D90A6F768E4C429D8BC826F5E64DC5DF69C4C38094B5E7D84D720983BE
Magika vba
Reporter smica83
Tags:ConnectWise vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
99
Origin country :
HU HU
Vendor Threat Intelligence
No detections
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/71384/
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a36fb3786bc95245bf81a30
Tags:
shellcode spawn hype
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive expand fingerprint lolbin msiexec obfuscated rundll32
Link:
https://www.filescan.io/uploads/6a36fb3490632a45f72ee88f/reports/1f6f9bef-960a-4edb-a638-3d275fe06876/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/4c6c3fb40ded613933d00a87000b065649322eec736018493bc607ce72c76017
Verdict:
Malicious
File Type:
vbs
First seen:
2026-06-19T00:45:00Z UTC
Last seen:
2026-06-22T11:15:00Z UTC
Hits:
~100
Detections:
HEUR:Trojan-Downloader.Script.Generic BSS:Trojan.Win32.Generic.nblk PDM:Trojan.Win32.Generic Trojan.JS.SAgent.sb BSS:Trojan.Win32.Generic Trojan-Downloader.JS.SLoad.sb HEUR:Trojan.Script.Generic BSS:HackTool.Win32.Yzon.a not-a-virus:RemoteAdmin.MSIL.ConnectWise.d not-a-virus:RemoteAdmin.MSIL.ConnectWise.c not-a-virus:HEUR:RemoteAdmin.Win32.ConnectWise.gen RemoteAdmin.ConnectWise.HTTP.C&C not-a-virus:RemoteAdmin.MSIL.ConnectWise.b not-a-virus:RemoteAdmin.MSIL.ConnectWise.a not-a-virus:HEUR:RemoteAdmin.MSIL.ConnectWise.gen
Link:
https://opentip.kaspersky.com/4c6c3fb40ded613933d00a87000b065649322eec736018493bc607ce72c76017/results?tab=lookup
Result
Threat name:
ScreenConnect Tool
Create hunting rule
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1931384
Signature
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to hide user accounts
Enables network access during safeboot for specific services
Joe Sandbox ML detected suspicious sample
Modifies security policies related information
Reads the Security eventlog
Reads the System eventlog
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes or reads registry keys via WMI
Writes registry values via WMI
WScript reads language and country specific registry keys (likely country aware script)
Yara detected Generic JS Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1931384 Sample: Adobe_Acrobat_Reader_DC_Upd... Startdate: 20/06/2026 Architecture: WINDOWS Score: 100 66 schoolbooks345.online 2->66 70 Antivirus detection for URL or domain 2->70 72 Yara detected Generic JS Downloader 2->72 74 .NET source code references suspicious native API functions 2->74 76 4 other signatures 2->76 8 msiexec.exe 93 53 2->8         started        12 wscript.exe 2 2->12         started        14 ScreenConnect.ClientService.exe 2 5 2->14         started        16 7 other processes 2->16 signatures3 process4 dnsIp5 52 C:\Windows\Installer\MSIF2F4.tmp, PE32 8->52 dropped 54 C:\Windows\Installer\MSIF11E.tmp, PE32 8->54 dropped 56 C:\Windows\Installer\MSIED63.tmp, PE32 8->56 dropped 60 10 other files (8 malicious) 8->60 dropped 80 Enables network access during safeboot for specific services 8->80 82 Modifies security policies related information 8->82 19 msiexec.exe 8->19         started        21 msiexec.exe 1 8->21         started        58 C:\Users\user\...\ScreenConnect_Install.log, ASCII 12->58 dropped 84 VBScript performs obfuscated calls to suspicious functions 12->84 86 Windows Scripting host queries suspicious COM object (likely to drop second stage) 12->86 88 WScript reads language and country specific registry keys (likely country aware script) 12->88 96 2 other signatures 12->96 23 wscript.exe 3 12->23         started        90 Reads the Security eventlog 14->90 92 Reads the System eventlog 14->92 28 ScreenConnect.WindowsClient.exe 2 14->28         started        30 ScreenConnect.WindowsClient.exe 2 14->30         started        64 127.0.0.1 unknown unknown 16->64 94 Changes security center settings (notifications, updates, antivirus, firewall) 16->94 32 MpCmdRun.exe 16->32         started        file6 signatures7 process8 dnsIp9 34 rundll32.exe 11 19->34         started        68 schoolbooks345.online 216.250.249.97, 49683, 49692, 80 MAJESTIC-HOSTING-01-MajesticHostingSolutionsLLCUS United States 23->68 62 56BSSW3K0000_10POJ...3B4_windows_x64.msi, Composite 23->62 dropped 98 System process connects to network (likely due to code injection or exploit) 23->98 100 Windows Scripting host queries suspicious COM object (likely to drop second stage) 23->100 102 WScript reads language and country specific registry keys (likely country aware script) 23->102 38 WmiPrvSE.exe 1 23->38         started        40 msiexec.exe 23->40         started        104 Contains functionality to hide user accounts 28->104 42 conhost.exe 32->42         started        file10 signatures11 process12 file13 44 C:\Windows\...\ScreenConnect.Windows.dll, PE32 34->44 dropped 46 C:\...\ScreenConnect.InstallerActions.dll, PE32 34->46 dropped 48 C:\Windows\...\ScreenConnect.Core.dll, PE32 34->48 dropped 50 4 other malicious files 34->50 dropped 78 Contains functionality to hide user accounts 34->78 signatures14
Score:
98%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/4c6c3fb40ded613933d00a87000b065649322eec736018493bc607ce72c76017
Verdict:
inconclusive
YARA:
1 match(es)
Link:
https://app.malva.re/file/671a415b70981898a6a51d0fd2f9322b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4c6c3fb40ded613933d00a87000b065649322eec736018493bc607ce72c76017/
Verdict:
Malicious
Threat:
Family.CONNECTWISE
Link:
https://tip.neiki.dev/file/4c6c3fb40ded613933d00a87000b065649322eec736018493bc607ce72c76017
Threat name:
Win32.Trojan.ScamSConnect
Create hunting rule
Status:
Malicious
First seen:
2026-06-16 01:36:53 UTC
File Type:
Text (VBS)
AV detection:
5 of 24 (20.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jrwd7nan5vqtsm6qbkdqacygkzetelxmonqbqsj3yyd444whmalq._file
Verdict:
malicious
Label(s):
admintool_screenconnect
Create hunting rule
Similar samples:
046a308ce6f588c842234d66c1bd770176419465a7769df9c98b0834e3fa02c7
ConnectWise
28c74cdea827d157d53e31cd347b04e9df88424d184e7d47d0f7bc742bd2f655
ConnectWise
69a16f5949b183de2eb06686ab5588d50e711ba80e8af95bdaccc2dcd0355b2b
ConnectWise
96144a4b38ac3b83fb802b46ab2223c1c61121bd8b8e407b7bd00e503ea05dba
ConnectWise
a48397a17606f701f5be19960eb1a3a84c8939f838d294672f85ca9a906b2d11
ConnectWise
acaa6d40c3adbd7079e1411de4e33782ebd5c118baca2ab01562e7f2220e8eab
ConnectWise
b6928d89c300d9d317a8ea884f382acba1af0237d93ae4d88d9821c780b41a0f
ConnectWise
c725aba2c38b06191c4fbb9337713ff3b8dcc8a4cabf0b4ecf089b12d89aa6c5
ConnectWise
cdd8ac48dcfa2f4ea670ec74601f12c580d1c303e507532750ebcc0615952066
ConnectWise
error
ConnectWise
fc7ee0a9cffabfd03e1b972bcbfd4504289482f86c83c391165ebe5253995ef9
ConnectWise
+ 2'504 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
adware backdoor discovery persistence privilege_escalation ransomware rat revoked_codesign spyware
Link:
https://tria.ge/reports/260620-zg85maav9x/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Boot or Logon Autostart Execution: Authentication Package
Drops file in System32 directory
Enumerates connected drives
ConnectWise ScreenConnect remote access tool
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
Badlisted process makes network request
Boot or Logon Autostart Execution: Active Setup
Sets service image path in registry
Signed with revoked ConnectWise certificate
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4c6c3fb40ded613933d00a87000b065649322eec736018493bc607ce72c76017

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/71384/

Comments