MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 59b750a1d27f4e7684953ca218dfec0db190debfd4d6b73b065fb28993ac4b5c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ConnectWise


Vendor detections: 15


Intelligence 15 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 59b750a1d27f4e7684953ca218dfec0db190debfd4d6b73b065fb28993ac4b5c
SHA3-384 hash: ba45ff0031679a14a1450aad0fe5b5226729259c6b810fb1273baddcf2f5ff57d5004d686b39514d0456495e82709c7d
SHA1 hash: 5d16f16cab4807dc656960c449ecda20975cf81f
MD5 hash: 822c8bdfa497a71b5d9700a8d1a95e76
humanhash: mike-oven-solar-florida
File name:59b750a1d27f4e7684953ca218dfec0db190debfd4d6b73b065fb28993ac4b5c
Download: download sample
Signature ConnectWise
Create hunting rule
File size:11'904'056 bytes
First seen:2026-04-20 08:41:28 UTC
Last seen:2026-04-20 08:46:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9771ee6344923fa220489ab01239bdfd (384 x ConnectWise)
ssdeep 196608:nfefPn9Hm9R0AnJZSHm9R0AXHm9R0A/Hm9R0A3:T5ZZmuH
Threatray 2'064 similar samples on MalwareBazaar
TLSH T147C61201B3E565B5E0BF0A38E87A42656A75BC049712C2BF5394B96D3D32BC09E32773
TrID 29.5% (.EXE) Win64 Executable (generic) (6522/11/2)
22.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter JAMESWT_WT
Tags:185-80-234-36 ConnectWise exe instance-hirb01-relay-screenconnect-com signed

Code Signing Certificate

Organisation:ConnectWise, LLC
Issuer:DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm:sha256WithRSAEncryption
Valid from:2025-06-23T00:00:00Z
Valid to:2028-06-22T23:59:59Z
Serial number: 0abbca120c79810a182f72f89c04358f
Intelligence: 211 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: b7902a93876909ba13bc23013f2c4239db57bfe742f500766a1673c5199fd1fb
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
131
Origin country :
IT IT
Vendor Threat Intelligence
Malware configuration found for:
ScreenConnect
Details
ScreenConnect
a c2 socket address, RSA public key
Link:
https://research.acce.ciphertechsolutions.com/results/352a0542-de4d-4a9b-a24c-6941827cc9b5/
Malware family:
n/a
ID:
1
File name:
exe
Verdict:
Malicious activity
Analysis date:
2026-04-20 09:35:10 UTC
Tags:
screenconnect rmm-tool tool remote auto rdp
Link:
https://app.any.run/tasks/4a330928-644c-46a7-b84e-686f7d7fabe5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/62400/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69e5e6fdf68adfe1003ba98a
Tags:
connectwise shellcode dropper virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Gathering data
Verdict:
Malicious
Labled as:
HackTool/ConnectWiseControl.i
Link:
https://www.hybrid-analysis.com/sample/59b750a1d27f4e7684953ca218dfec0db190debfd4d6b73b065fb28993ac4b5c
Verdict:
Adware
File Type:
exe x32
First seen:
2025-09-18T14:20:00Z UTC
Last seen:
2026-04-21T07:35:00Z UTC
Hits:
~100
Detections:
BSS:Trojan.Win32.Generic BSS:Exploit.Win32.Generic.nblk BSS:Exploit.Win32.Generic not-a-virus:HEUR:RemoteAdmin.Win32.ConnectWise.gen
Link:
https://opentip.kaspersky.com/59b750a1d27f4e7684953ca218dfec0db190debfd4d6b73b065fb28993ac4b5c/results?tab=lookup
Malware family:
ConnectWise Inc
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/a5582463-98c0-4850-a6bb-91a9af76d11e
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/59b750a1d27f4e7684953ca218dfec0db190debfd4d6b73b065fb28993ac4b5c
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/59b750a1d27f4e7684953ca218dfec0db190debfd4d6b73b065fb28993ac4b5c/
Verdict:
Malicious
Threat:
Family.SCREENCONNECT
Link:
https://tip.neiki.dev/file/59b750a1d27f4e7684953ca218dfec0db190debfd4d6b73b065fb28993ac4b5c
Threat name:
Win32.Trojan.Qwexlafiba
Create hunting rule
Status:
Malicious
First seen:
2025-09-18 20:30:35 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
7 of 24 (29.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lg3vbiosp5hhnbevhsrbrx7mbwyzbxv72tllooygl6zite5mjnoa._file
Verdict:
malicious
Label(s):
admintool_screenconnect
Create hunting rule
Similar samples:
26fbda92490b8ab92a28b709b11b31361266714200fa8954f91bb0bbc96e9c2a
ConnectWise
4990164c8296288b93e66901737c1840b43a71adc06ad0ab8ab2bb50aaad22a8
ConnectWise
64049e058f3414066b1b68f84306ec307670b4e93543888b6e40d8e18b74b718
ConnectWise
64adb568ceb1d4abb36113bde0ca9bffa423be366262f8a4ec75b1e23aef50ad
ConnectWise
9a40b944c4c7c470a8a958e5ff86e814ba135d04b0c071b856d23f9b1108d81f
ConnectWise
error
ConnectWise
f28a060cd841574451960ddc5f2a706526597e361b1a7eb86245488aaa431014
ConnectWise
+ 2'054 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
backdoor discovery persistence privilege_escalation ransomware rat revoked_codesign
Link:
https://tria.ge/reports/260420-klrzksht7s/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Boot or Logon Autostart Execution: Authentication Package
Badlisted process makes network request
Enumerates connected drives
Checks computer location settings
ConnectWise ScreenConnect remote access tool
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
Sets service image path in registry
Signed with revoked ConnectWise certificate
Unpacked files
SH256 hash:
59b750a1d27f4e7684953ca218dfec0db190debfd4d6b73b065fb28993ac4b5c
MD5 hash:
822c8bdfa497a71b5d9700a8d1a95e76
SHA1 hash:
5d16f16cab4807dc656960c449ecda20975cf81f
Link:
https://www.unpac.me/results/66dc4161-eaf7-446c-ab5d-6124affbd36e/
SH256 hash:
8a55c15cc76e31042e17458c479772aa95bc1b908016c85b1dc8b8e3eff23254
MD5 hash:
decb1fd20d75e6eade9289cc24605f29
SHA1 hash:
5169602d641c4f2ebd9ca0639622949e00c25566
Link:
https://www.unpac.me/results/66dc4161-eaf7-446c-ab5d-6124affbd36e/
SH256 hash:
5f3c1398a870b858717fe96badcdee4c61f7a094f25ae43066b3e89609a131c4
MD5 hash:
1e41e81f3f4bc6a2b55fb553d76ac8be
SHA1 hash:
44450e61462db81e34c3989bffcbb08df956d29f
Detections:
SUSP_NET_Large_Static_Array_In_Small_File_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/66dc4161-eaf7-446c-ab5d-6124affbd36e/
Parent samples :
59b750a1d27f4e7684953ca218dfec0db190debfd4d6b73b065fb28993ac4b5c
bf70651adae1db15cd799bfe05ed0686dfb0a3fc7454cd8836ea4dd2543e4b27
6380418228eeb94248b850f1baa05be12104120dc0e8ef0c50d72891318ab04d
SH256 hash:
8feedfba8746cf5956f3133882fd729691c810bb1a2937a89a3131240ff24a42
MD5 hash:
ca307ae06e61125226304ccc20ca4fc2
SHA1 hash:
b677dc823916d000c59315792d291192240eea01
Detections:
SUSP_NET_Large_Static_Array_In_Small_File_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/66dc4161-eaf7-446c-ab5d-6124affbd36e/
Parent samples :
59b750a1d27f4e7684953ca218dfec0db190debfd4d6b73b065fb28993ac4b5c
bf70651adae1db15cd799bfe05ed0686dfb0a3fc7454cd8836ea4dd2543e4b27
6380418228eeb94248b850f1baa05be12104120dc0e8ef0c50d72891318ab04d
SH256 hash:
adb8466beaddc3cc83193f8782dd62adc42316e1213c0dd7943faec7c9a30bc2
MD5 hash:
89d3742ea995efcb05fbce41c6587905
SHA1 hash:
fd70ddbcfdd4258d91bd074428c84fc67cc7143d
Link:
https://www.unpac.me/results/66dc4161-eaf7-446c-ab5d-6124affbd36e/
SH256 hash:
c79526ce6eed74a509c7192decb2ce8988578cdbe3400c68b66395f9c2941e40
MD5 hash:
5ca584ff010659ee2c803afab3fe4ee9
SHA1 hash:
4cb4abecd015b1b263de3d5398a52a2fc26ba238
Link:
https://www.unpac.me/results/66dc4161-eaf7-446c-ab5d-6124affbd36e/
SH256 hash:
eed0d3071becc3f22a1a99c6037052032e80a4cb1cd2091e103a929b97fe3eb2
MD5 hash:
59d9b8ceb5cbd821bf812db45c858a8f
SHA1 hash:
813e791762c4b67a3e3eb58841f01d299d17c085
Link:
https://www.unpac.me/results/66dc4161-eaf7-446c-ab5d-6124affbd36e/
SH256 hash:
289a4eea79baa4141744e44d60db713e18b5f23322663c63047962f51b467614
MD5 hash:
48979a1a6d3badea8124bce04b1e01a5
SHA1 hash:
06931bd96343ce167eda796112a30ca8d9fa536a
Link:
https://www.unpac.me/results/66dc4161-eaf7-446c-ab5d-6124affbd36e/
SH256 hash:
f4852d51c3082276d22df6b4896f6a5b6c89a7e158eb319f1959a740f9239f18
MD5 hash:
3c90c63a14246ce2b17bd550172d3614
SHA1 hash:
2223f473c65487e1b552e781874e3575f09a8a83
Link:
https://www.unpac.me/results/66dc4161-eaf7-446c-ab5d-6124affbd36e/
SH256 hash:
9a159d701d5647b201b7bf43e75b2a2c1ed4c1bde162a9f75bd2aa6174803fbe
MD5 hash:
9753a27f804f88a41ce9fb765c9bce51
SHA1 hash:
2241e92f5434aa9fe3e014056c870ab6d6014d32
Detections:
INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Link:
https://www.unpac.me/results/66dc4161-eaf7-446c-ab5d-6124affbd36e/
Parent samples :
59b750a1d27f4e7684953ca218dfec0db190debfd4d6b73b065fb28993ac4b5c
bf70651adae1db15cd799bfe05ed0686dfb0a3fc7454cd8836ea4dd2543e4b27
6380418228eeb94248b850f1baa05be12104120dc0e8ef0c50d72891318ab04d
SH256 hash:
f8ce6a3afc8c8c0ef5b9c2bb5df84a973e95fb543db0cd85fc3853b56a08410c
MD5 hash:
b7f02f1bdb9f93452ff4e1f37f2d09df
SHA1 hash:
273b0dea19bc839c4a0318be54ad46a542a4e96a
Link:
https://www.unpac.me/results/66dc4161-eaf7-446c-ab5d-6124affbd36e/
SH256 hash:
cca228d4d04731a91fff3cc4a0551be447090c0e5c87dcc721ca6199bb1f26a9
MD5 hash:
34f64ed503745d618bab39db617bcb93
SHA1 hash:
3652e42387d57399895631d8f44f12dff899bc26
Detections:
SUSP_NET_Shellcode_Loader_Indicators_Jan24
Create hunting rule
INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Link:
https://www.unpac.me/results/66dc4161-eaf7-446c-ab5d-6124affbd36e/
Parent samples :
8bf1ac338ce1ff59baea6ffafbe66b105225bde5480c18f9b06bab4270950faf
433ec15200c20d2d70f26f753897dd71c53362814f8fe2966a10b0cfcdb8a4e5
be07912f9798791f9ff3134fc5edecfae4c455588e6306f54eed6e720f38a2ca
59b750a1d27f4e7684953ca218dfec0db190debfd4d6b73b065fb28993ac4b5c
bf70651adae1db15cd799bfe05ed0686dfb0a3fc7454cd8836ea4dd2543e4b27
6380418228eeb94248b850f1baa05be12104120dc0e8ef0c50d72891318ab04d
SH256 hash:
19ac323ca6eae2f8145cdc2bac865b32cd5a48ad6ff199d4ca7da214b056e1dc
MD5 hash:
5fb6074b08ac4709cf2f29fa5b49023e
SHA1 hash:
8bbb78a47c08867c50572f0bd2a27171f91e0454
Link:
https://www.unpac.me/results/66dc4161-eaf7-446c-ab5d-6124affbd36e/
SH256 hash:
ad6062215032ab58369403b1221562b5e7fb5ae7d52b29b7fad69eefb2d8455b
MD5 hash:
723f2aaeeda1d2bb2f49322da349ffc9
SHA1 hash:
ac6ab994beaff69adf8a2dc480a8a628175ff6c8
Link:
https://www.unpac.me/results/66dc4161-eaf7-446c-ab5d-6124affbd36e/
SH256 hash:
8ebc2702f85fa29a3450e4aa7924b08f16abe5b8886980871cdcd89aa7c156a5
MD5 hash:
9c31249a7179dd0a85a9ef9391521704
SHA1 hash:
c5b9c4adbbdcf08e8ae140a96805adfb7cbf4336
Link:
https://www.unpac.me/results/66dc4161-eaf7-446c-ab5d-6124affbd36e/
SH256 hash:
9342c7be8036a5f8dc3895d75e3314dce961fd3bc70ee59928c67fa04f0c7e08
MD5 hash:
5419ff27205d3e5affa3fc18b811b843
SHA1 hash:
cf49072c50456381cd26cd32cb97606c5f5cfd26
Link:
https://www.unpac.me/results/66dc4161-eaf7-446c-ab5d-6124affbd36e/
SH256 hash:
15148976d1df0b7648ff4085ef2da7c32d767be8203542234f86820c7dd7f39c
MD5 hash:
805e62eb10af4e409c75d8a5eb5caef3
SHA1 hash:
f595417cbfe4bbc1fd2bd35db54e374f06161392
Detections:
INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Link:
https://www.unpac.me/results/66dc4161-eaf7-446c-ab5d-6124affbd36e/
Parent samples :
8bf1ac338ce1ff59baea6ffafbe66b105225bde5480c18f9b06bab4270950faf
433ec15200c20d2d70f26f753897dd71c53362814f8fe2966a10b0cfcdb8a4e5
be07912f9798791f9ff3134fc5edecfae4c455588e6306f54eed6e720f38a2ca
59b750a1d27f4e7684953ca218dfec0db190debfd4d6b73b065fb28993ac4b5c
bf70651adae1db15cd799bfe05ed0686dfb0a3fc7454cd8836ea4dd2543e4b27
6380418228eeb94248b850f1baa05be12104120dc0e8ef0c50d72891318ab04d
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/59b750a1d27f4e7684953ca218dfec0db190debfd4d6b73b065fb28993ac4b5c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_EXE_DotNET_Encrypted
Create hunting rule
Author:ditekSHen
Description:Detects encrypted or obfuscated .NET executables
Rule name:INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Author:ditekSHen
Description:Detects ConnectWise Control (formerly ScreenConnect). Review RMM Inventory
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Create hunting rule
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/62400/

Comments