MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 594a69724db412ad577ddc13ee0be3f9254c9ef528bb863da49733578191db61. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ConnectWise

Vendor detections: 8

SHA256 hash: 594a69724db412ad577ddc13ee0be3f9254c9ef528bb863da49733578191db61
SHA3-384 hash: 691f5b873b058cdc9c424b6c68caab7379a03632372a48569192d6a9a1475f68549ebb954a4c8374449412a7de236e79
SHA1 hash: c8c9c996d2100d5accdd6b23c5061d82416ea852
MD5 hash: 454177682f738a7b97db6c78364b2fd4
humanhash: foxtrot-bravo-colorado-yellow
File name: Google meet.zip
Signature: ConnectWise
File size: 1'152 bytes
First seen: 2026-02-22 14:08:22 UTC
Last seen: Never
File type: zip
MIME type: application/zip
ssdeep: 24:9ai0iAiBreoq+gWiyVwibs+C8Ut5G8NoB6H9sFSRJuB0iST:9aKAAreoq4O+NBceXw
TLSH: T1F121CA0F5D37D277D7462124F502811BC278D03BA588902FAD66F0F19CC60657B97950
Magika: zip
Reporter: juroots
Tags: ConnectWise zip

Intelligence

File Origin
# of uploads: 1
# of downloads: 41
Origin country: US

Vendor Threat Intelligence

Verdict: Malicious
Score: 90.2%
Tags: dropper virus agent

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive lolbin msiexec wscript

Verdict: Malware
YARA: 2 match(es)
Tags: ADODB.Stream Scripting.FileSystemObject Shell.Application WinHttp.WinHttpRequest.5.1 WScript.Shell Zip Archive
Threat name: Script.Trojan.Heuristic

Status: Malicious
First seen: 2026-02-20 13:20:59 UTC
File Type: Binary (Archive)
Extracted files: 1
AV detection: 9 of 36 (25.00%)
Threat level: 2/5

Result
Malware family: n/a
Score: 8/10
Tags: backdoor discovery persistence privilege_escalation rat revoked_codesign
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Modifies registry class
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Boot or Logon Autostart Execution: Authentication Package
Drops file in System32 directory
Enumerates connected drives
Checks computer location settings
ConnectWise ScreenConnect remote access tool
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
Badlisted process makes network request
Binary is signed using a ConnectWise certificate revoked for key compromise.
Sets service image path in registry
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: ConnectWise
File type: zip
SHA256 hash: 594a69724db412ad577ddc13ee0be3f9254c9ef528bb863da49733578191db61 (this sample)

Delivery method: Distributed via web download

Comments