MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d4bf19ad99827f63dd74649d8f7244fc8e29330f4d80138c6b64660c8190a53. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 6

Intelligence 6 IOCs YARA 2 File information Comments

SHA256 hash:	4d4bf19ad99827f63dd74649d8f7244fc8e29330f4d80138c6b64660c8190a53
SHA3-384 hash:	57e319e320e80b271f74f5c9a4b511f634c4d5a7fc3cdf55ee4c75537ead355884e02bf7ad96b7de10a4deba17fb4ad3
SHA1 hash:	ab068a2f4ffd0509213455c79d311f169cd7cab8
MD5 hash:	16c4f1e36895a0fa2b4da3852085547a
humanhash:	yellow-october-nineteen-thirteen
File name:	SecuriteInfo.com.Heur.17908.21875
Download:	download sample
File size:	548'864 bytes
First seen:	2025-03-31 05:44:09 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	dae02f32a21e03ce65412f6e56942daa (123 x YellowCockatoo, 60 x CobaltStrike, 44 x JanelaRAT)
ssdeep	6144:7+kYq9xDsxaUGEcANzZ1dkmn27qcO5noYKvKzDrzL9e7eOJsXziIYjVtkb+vbHq+:7SHtpnoVMlUbHbBaYLD
Threatray	523 similar samples on MalwareBazaar
TLSH	T1E7C47E2173AC9A3EC5AE137FF072A558C5F4D905392AE75F2AC1E4BC2E837490D051EA
TrID	35.4% (.EXE) Win64 Executable (generic) (10522/11/4) 22.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.1% (.EXE) Win32 Executable (generic) (4504/4/1) 6.9% (.ICL) Windows Icons Library (generic) (2059/9) 6.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	SecuriteInfoCom
Tags:	dll

Intelligence

File Origin

# of uploads :

# of downloads :

436

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.29065.SC.UNOFFICIAL

SecuriteInfo.com.Heur.17908.21875.UNOFFICIAL

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67ea2e83855e5ec5240aa709

Tags:

connectwise rundll

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Verdict:

Unknown

Threat level:

2.5/10

Confidence:

100%

Tags:

obfuscated reconnaissance

Link:

https://www.filescan.io/uploads/67ea2be8f274bf2d8e29c7e6/reports/a07830eb-c958-48b4-839b-d11cb4dd8e1b/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/4d4bf19ad99827f63dd74649d8f7244fc8e29330f4d80138c6b64660c8190a53

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/12c19b05-1ae1-4025-b6f4-c05ca0c99f0a

Result

Threat name:

n/a

Detection:

clean

Classification:

n/a

Score:

2 / 100

Link:

https://www.joesandbox.com/analysis/1652515

Behaviour

Behavior Graph:

n/a

Score:

Verdict:

Benign

File Type:

Link:

https://malprob.io/report/4d4bf19ad99827f63dd74649d8f7244fc8e29330f4d80138c6b64660c8190a53

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4d4bf19ad99827f63dd74649d8f7244fc8e29330f4d80138c6b64660c8190a53/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jvf7dgwztat7mpoxize5r5zej7eofezq6tmacoggwzdgbsazbjjq._file

Verdict:

suspicious

Label(s):

admintool_screenconnect

64ca91a2446a8e567b24deea926bbdb34fd2dda221577787bbb62d07cbf0272d

9de042819c9dc1f30ea1fb3865209d1de3d3b1d90206de34fe4b19df52a0ea68

ba8ebcf052ee597ff1adfaab9f2b23353f78585236a79b0e10c56b892ab0ff2f

d19dbc6b0c0792df8f420c14ef25130052a81d481d38340a40194862ff0095cd

error

+ 513 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/250331-ge9n9styfz/

Unpacked files

SH256 hash:

4d4bf19ad99827f63dd74649d8f7244fc8e29330f4d80138c6b64660c8190a53

MD5 hash:

16c4f1e36895a0fa2b4da3852085547a

SHA1 hash:

ab068a2f4ffd0509213455c79d311f169cd7cab8

Detections:

INDICATOR_RMM_ConnectWise_ScreenConnect

Link:

https://www.unpac.me/results/fc15dbb9-3562-4ae5-adf9-bb71a0221971/

Parent samples :

1f473e89717a811066269c38eb6a53a9a0ea0e5788190636b45622b74eaa4d53
6d7c89f55c50eb63071a1eb0ef8b212a8d87e42aa376fa63d433120b212b4a48
9fa76b4ab82376d9486f051b2a7f0e2f584243296f94b2b4b30ea24fae05edd3
85276b1893f8307a681f8c8b22c6d7eaa40620afcf987a7a22a4ab39f7300253
64ca91a2446a8e567b24deea926bbdb34fd2dda221577787bbb62d07cbf0272d
d19dbc6b0c0792df8f420c14ef25130052a81d481d38340a40194862ff0095cd
e1a3eb6e1ec31406443bfbe5067c1852706406a824a29c2490c8e1b73fcf0081
58ff97145ad54ff4900f10bedbecd4a926fb847b23cc0c26ad46f1a96c0a34e9
f435f6ed37b03147bc9ea44f2f291afde9a1c303452ecd3c64493a6c7504b03a
b17964f1729c74ab244e0322f3bac392063ae791380fbfa49bdf82a10e4cd7f0
4d4bf19ad99827f63dd74649d8f7244fc8e29330f4d80138c6b64660c8190a53

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4d4bf19ad99827f63dd74649d8f7244fc8e29330f4d80138c6b64660c8190a53

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	extracted_at_0x44b Create hunting rule
Author:	cb
Description:	sample - file extracted_at_0x44b.exe
Reference:	Internal Research

Rule name:	INDICATOR_RMM_ConnectWise_ScreenConnect Create hunting rule
Author:	ditekSHen
Description:	Detects ConnectWise Control (formerly ScreenConnect). Review RMM Inventory

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample