MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c851abe1cc251e2f19c45e8e8a9052f73380f6803be6dff819d286807fa4e1e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ConnectWise


Vendor detections: 6


Intelligence 6 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5c851abe1cc251e2f19c45e8e8a9052f73380f6803be6dff819d286807fa4e1e
SHA3-384 hash: bd4907f0f799cafe1921038b172ead738d067e5a6437cfa6ec14ceef91e1b64ac4cb28099da03738686b05e73952c550
SHA1 hash: aed49b76ccee4be84fc4955de9fa7861efc3a00f
MD5 hash: 31f02cf6918422a762cd155b2cff57c6
humanhash: bacon-papa-alaska-washington
File name:5c851abe1cc251e2f19c45e8e8a9052f73380f6803be6dff819d286807fa4e1e
Download: download sample
Signature ConnectWise
Create hunting rule
File size:13'594'624 bytes
First seen:2026-06-12 11:23:30 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 196608:ErnLYG3zDhukO7rnLYG3zlrnLYG3zprnLYG3zxrnLYG3zYrnLYG3zwrnLYG3z:EbDDDgv7bDDlbDDpbDDxbDDYbDDwbDD
Threatray 2'572 similar samples on MalwareBazaar
TLSH T183D6233167FD4A18E1B36774EE3A91E1D1367DA4DF11D18F2264386E68B1E4082A373B
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter JAMESWT_WT
Tags:ConnectWise frreliny-com msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
48
Origin country :
IT IT
Vendor Threat Intelligence
Malware configuration found for:
MSI
Details
Link:
https://research.acce.ciphertechsolutions.com/results/5d1359c9-770d-4b9c-8453-d2ce997dadaa/
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/70554/
Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a2bec8da15110463ee4ffd1
Tags:
connectwise shellcode virus msil
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/5c851abe1cc251e2f19c45e8e8a9052f73380f6803be6dff819d286807fa4e1e
Verdict:
Adware
File Type:
msi
Link:
https://opentip.kaspersky.com/5c851abe1cc251e2f19c45e8e8a9052f73380f6803be6dff819d286807fa4e1e/results?tab=lookup
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5c851abe1cc251e2f19c45e8e8a9052f73380f6803be6dff819d286807fa4e1e/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lscrvpq4yji6f4m4ixuorkiff5ztqd3iao7g374btuugqb72jypa._file
Verdict:
malicious
Label(s):
admintool_screenconnect
Create hunting rule
Similar samples:
2a63dd3034c2a3ac29e60a80e0298415db8b2ccb6ea40811310e530e5278c50a
ConnectWise
3a417084802b5255b332280266442b5a062dd46341ffdb9a7b7c85a521c15a7c
ConnectWise
44ba4692041bf139961ccc5f829111cc4bb7db32e8616630bf561a71256a84f7
ConnectWise
6904ca08e4d7d398db3d54ae22e1f211219499f17f1090d407850a6f8304e47f
ConnectWise
89ff68d2f4790bc23a3cd8860c9aa5c055ef2d133ae4de62d655ab778774f407
ConnectWise
b4e988f97c9b06b35028214b49a0fc67a7e55ee8adf6f980b05c74625a0d8021
ConnectWise
cdd8ac48dcfa2f4ea670ec74601f12c580d1c303e507532750ebcc0615952066
ConnectWise
eea99f22aca1ebe449b97faafe79fd1d6e71441ccc40315a2e629280f65de0f8
ConnectWise
error
ConnectWise
f13aeee2cdb6680d92946d29d53d63da1dbee30088c47be092ec44b94a93096d
ConnectWise
+ 2'562 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
backdoor discovery persistence privilege_escalation ransomware rat revoked_codesign
Link:
https://tria.ge/reports/260612-nh3tfsby9w/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Boot or Logon Autostart Execution: Authentication Package
Enumerates connected drives
ConnectWise ScreenConnect remote access tool
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
Sets service image path in registry
Signed with revoked ConnectWise certificate
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Author:ditekSHen
Description:Detects ConnectWise Control (formerly ScreenConnect). Review RMM Inventory
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:win_evilconwi_w0
Create hunting rule
Author:Karsten Hahn @ G DATA CyberDefense
Description:Settings from app.config that hide the connection of the client. These settings are potentially unwanted

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/70554/

Comments