MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5642fc3dcf35643a38101d36678e09e9f706df94cafe2dafdf44a7e2965bd296. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ConnectWise


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5642fc3dcf35643a38101d36678e09e9f706df94cafe2dafdf44a7e2965bd296
SHA3-384 hash: 0d2e35a067b9a97d3b882652e078b9a7c689f336b32bc2a62b639864eddb291cea41ea8a28e1249873545b71ce096213
SHA1 hash: 70aef9ca7d0fcee126c56a365fb356ada27f9f47
MD5 hash: ae1b8d8eee78a569a9dd8e70f9852086
humanhash: kilo-artist-aspen-grey
File name:5642fc3dcf35643a38101d36678e09e9f706df94cafe2dafdf44a7e2965bd296.bin
Download: download sample
Signature ConnectWise
Create hunting rule
File size:4'416'612 bytes
First seen:2023-09-11 07:19:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 21314122cd4542a6b9b297f52a87acbe (3 x GuLoader, 2 x LummaStealer, 2 x ConnectWise)
ssdeep 49152:DWtfl3xiDZjSPQaLOpU0dpBYYZFfsqWGXwuO6Bpp5+TRXYpnF4tk11zppI04zmH6:Ktfl0kYax0dMiNsqWGXwtyyTRl1+F+N
Threatray 63 similar samples on MalwareBazaar
TLSH T1EA165C21B146C82BDD6303B11A3D9A9B5429BE750BB154CFB2CC3E2E5BB75C21236E17
TrID 85.7% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
4.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
2.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 993d2d0d37434d0f (3 x ConnectWise)
Reporter JAMESWT_WT
Tags:247info-click ConnectWise exe screenconnect

Intelligence

File Origin
# of uploads :
1
# of downloads :
298
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5642fc3dcf35643a38101d36678e09e9f706df94cafe2dafdf44a7e2965bd296.bin
Verdict:
Malicious activity
Analysis date:
2023-09-11 07:20:16 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ea2c2f9f-eb65-47d3-8902-6f1b4572a77a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/447837/
Detection(s):
SecuriteInfo.com.Malicious_Behavior.SB.24660.9532.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Launching a process
Launching a service
Modifying a system file
Creating a file in the Windows subdirectories
Moving a recently created file
Replacing files
Gathering data
Gathering data
Verdict:
Malicious
Labled as:
Downloader.Banload
Link:
https://www.hybrid-analysis.com/sample/5642fc3dcf35643a38101d36678e09e9f706df94cafe2dafdf44a7e2965bd296
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a50901ce-d6b3-4f38-a6cb-c855c20d6d11
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1307076
Signature
Antivirus detection for URL or domain
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1307076 Sample: PZnqcoHM4q.exe Startdate: 11/09/2023 Architecture: WINDOWS Score: 48 33 Antivirus detection for URL or domain 2->33 6 msiexec.exe 96 46 2->6         started        9 PZnqcoHM4q.exe 45 2->9         started        process3 file4 17 C:\Windows\Installer\MSI4C7C.tmp, PE32 6->17 dropped 19 C:\Windows\Installer\MSI4B22.tmp, PE32 6->19 dropped 21 C:\Windows\Installer\MSI496A.tmp, PE32 6->21 dropped 31 5 other files (none is malicious) 6->31 dropped 11 msiexec.exe 2 6->11         started        13 msiexec.exe 6->13         started        23 C:\Users\user\AppData\Local\...\shi3FE0.tmp, PE32+ 9->23 dropped 25 C:\Users\user\AppData\Local\...\MSI4215.tmp, PE32 9->25 dropped 27 C:\Users\user\AppData\Local\...\MSI41D6.tmp, PE32 9->27 dropped 29 C:\Users\user\AppData\Local\...\MSI40CB.tmp, PE32 9->29 dropped 15 msiexec.exe 2 9->15         started        process5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5642fc3dcf35643a38101d36678e09e9f706df94cafe2dafdf44a7e2965bd296/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-08-29 17:51:04 UTC
File Type:
PE (Exe)
Extracted files:
97
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kzbpypopgvsduoaqdu3gpdqj5h3qnx4uzl7c3l67ist6ffs32kla._file
Verdict:
unknown
Similar samples:
5bcc5718b11d0e933930934805ea3f1dcb888dd19eb9dd75574ef425e704d799
ConnectWise
a69e7a0ef0e1cbd6f95b5fbea1a9c297d49bac80bc158b0016b8381081015def
ConnectWise
b408b7181ab5d530e5da80967be73f858ed93a2cfd172131bcea8f073164a5a0
ConnectWise
bbce6e4e32e181468d77eaf31f1d6929194ea3631977367fb6aa678d8f66344f
ConnectWise
bd043af859a796897462ed7a5aadb1c4a145f67f01a00c49b45a4b80564da6bb
ConnectWise
bd3ae41147c48bcea273f742ae19c229ad76c4a75895253e01a58bd4f3c2b9d1
ConnectWise
bd9523a1ca548fb43c47de22febb8739f34afcba2843d6577a18759110deecbd
ConnectWise
c9094685ae4851fd5a5b886b73c7b07efd9b47ea0bdae3f823d035cf1b3b9e48
ConnectWise
e6ca97018621d4cab0eca8eeda2a5df23b4b35ac544a6e39a19207b847874c59
ConnectWise
+ 53 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230911-h535vaeb8z/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Drops file in Windows directory
Enumerates connected drives
Loads dropped DLL
Unpacked files
SH256 hash:
5642fc3dcf35643a38101d36678e09e9f706df94cafe2dafdf44a7e2965bd296
MD5 hash:
ae1b8d8eee78a569a9dd8e70f9852086
SHA1 hash:
70aef9ca7d0fcee126c56a365fb356ada27f9f47
Link:
https://www.unpac.me/results/f875bcd1-95c6-4bbe-8f0a-b74234286716/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5642fc3dcf35643a38101d36678e09e9f706df94cafe2dafdf44a7e2965bd296

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_Sandworm_ArguePatch_Apr_2022_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect ArguePatch loader used by Sandworm group for load CaddyWiper
Reference:https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/447837/

Comments