MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5be22549da694e3d6493ca85d0eeba5b0903ad6c98a3770427cd2947962b4bc2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ConnectWise

Vendor detections: 14



SHA256 hash: 5be22549da694e3d6493ca85d0eeba5b0903ad6c98a3770427cd2947962b4bc2
SHA3-384 hash: c70f1983a6bf731f7089c51bb6cdf328aae5a745f4b8551c4087c6ab013c6b2e5f04c240e373008154a5b12649025478
SHA1 hash: b7301a8e6d702e9dc01f4978bc8c176e810f2305
MD5 hash: 63d44d7fccdf666da22a775a1b72cd6e
humanhash: beryllium-island-march-pizza
File name: NFCeEmissor.exe
Signature: ConnectWise
File size: 12'572'728 bytes
First seen: 2025-11-27 12:46:59 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9771ee6344923fa220489ab01239bdfd (247 x ConnectWise)
ssdeep: 196608:VRefefPVF1+sPlEFFUdq4ypH1+sPlEFFU11+sPlEFFU/1+sPlEFFUx:VDPNSF8qtpVPNSFAPNSFsPNSFo
TLSH: T11AC61202B3E58675D1BF0B38E83996656631BC149722C3AF5794B96D2D32BC08E36373
TrID: 40.3% (.EXE) Win64 Executable (generic) (10522/11/4)
      19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
      7.7% (.EXE) OS/2 Executable (generic) (2029/13)
      7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika: pebin
Reporter: johnk3r
Tags: banco-blogdns-org ConnectWise departamentofinanceiro-org exe rmm signed

Code Signing Certificate

Organisation: ConnectWise, LLC
Issuer: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm: sha256WithRSAEncryption
Valid from: 2025-06-23T00:00:00Z
Valid to: 2028-06-22T23:59:59Z
Serial number: 0abbca120c79810a182f72f89c04358f
Intelligence: 62 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: b7902a93876909ba13bc23013f2c4239db57bfe742f500766a1673c5199fd1fb
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 111
Origin country: CH
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: NFCeEmissor.exe
Verdict: Malicious activity
Analysis date: 2025-11-27 12:49:07 UTC
Tags: screenconnect rmm-tool tool remote
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 99.9%
Tags: connectwise shellcode dropper virus
Result
Verdict: Clean
Maliciousness:
Behaviour:
Creating a window
DNS request

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: base64 installer-heuristic microsoft_visual_cc net packed privilege reconnaissance signed
Verdict: Malicious
Labelled as: RemoteAdmin.ConnectWiseControl

Verdict: Adware
File Type: exe x32
First seen: 2025-11-27T06:59:00Z UTC
Last seen: 2025-11-29T10:47:00Z UTC
Hits: ~100
Detections: not-a-virus:HEUR:RemoteAdmin.Win32.ConnectWise.gen
Result
Threat name: ScreenConnect Tool
Detection: malicious
Classification: evad
Score: 84 / 100
Signature:
.NET source code references suspicious native API functions
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to hide user accounts
Enables network access during safeboot for specific services
Joe Sandbox ML detected suspicious sample
Modifies security policies related information
Multi AV Scanner detection for submitted file
Reads the Security eventlog
Reads the System eventlog
Sigma detected: Remote Access Tool - ScreenConnect Suspicious Execution
Behaviour
Behavior Graph: ID 1821736, Sample: NFCeEmissor.exe, Startdate: 27/11/2025, Architecture: WINDOWS, Score: 84 (rendered graph of the process tree, dropped files and network connections; not reproduced in text form)
Verdict: inconclusive
YARA: 9 match(es)
Tags: .Net CAB:COMPRESSION:LZX CAB:COMPRESSION:NONE Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.00 SOS: 0.07 SOS: 0.21 SOS: 0.24 SOS: 0.25 SOS: 0.26 SOS: 0.27 SOS: 0.31 SOS: 0.36 SOS: 0.39 Win 32 Exe x86

Verdict: Malicious
Threat: RemoteAdmin.Win32.ConnectWise

Verdict: malicious
Label(s): admintool_screenconnect
Similar samples:

Result
Malware family: n/a
Score: 8/10
Tags: backdoor discovery persistence privilege_escalation ransomware rat
Behaviour:
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Boot or Logon Autostart Execution: Authentication Package
Checks computer location settings
Drops file in System32 directory
Event Triggered Execution: Component Object Model Hijacking
Badlisted process makes network request
Enumerates connected drives
ConnectWise ScreenConnect remote access tool
Sets service image path in registry

Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: INDICATOR_EXE_DotNET_Encrypted
Author: ditekSHen
Description: Detects encrypted or obfuscated .NET executables

Rule name: INDICATOR_RMM_ConnectWise_ScreenConnect
Author: ditekSHen
Description: Detects ConnectWise Control (formerly ScreenConnect). Review RMM Inventory

Rule name: NET
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: RANSOMWARE
Author: ToroGuitar

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May Contain (Obfuscated or no) Powershell or CMD Command that can be abused by threat actor (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via e-mail link
