MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5d37c15512685f518e28b8f1094b112e8f3cff619d6f0b6ef74d87f79466fa33. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ConnectWise


Vendor detections: 15


Intelligence 15 IOCs YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5d37c15512685f518e28b8f1094b112e8f3cff619d6f0b6ef74d87f79466fa33
SHA3-384 hash: e87f7e48c1d51a95acb157fd3b8d29205b555038afccc24b63702454fa6d9c67a163d3947867951dfaa049d8ce37c892
SHA1 hash: 9936aff2f3df1286f67bb3853c045d9674b99d5c
MD5 hash: 220276c76c19a3f01b9fa8f172b96407
humanhash: mike-montana-robert-washington
File name:Index001.ClientSetup.exe
Download: download sample
Signature ConnectWise
Create hunting rule
File size:3'138'840 bytes
First seen:2025-11-02 14:28:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5e4c14112c0f4c3c784dd28246e56fe5 (20 x ConnectWise)
ssdeep 49152:XjET0+TL3Z0Mi963PSuArmh69eWbVypVCTgGu/aYmn1gC:Tb16Co69eWb0pnGpYmnx
TLSH T1EAE5EF01B3E44136D5BF0635DDBA66229B75BC190364C7AF57C879A92E737C08A323A3
TrID 40.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
23.0% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
17.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.8% (.EXE) Win64 Executable (generic) (10522/11/4)
3.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Magika pebin
Reporter aachum
Tags:ConnectWise dropped-by-Stealc exe signed

Code Signing Certificate

Organisation:ScreenConnect Software
Issuer:COMODO RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:2016-02-02T00:00:00Z
Valid to:2019-02-01T23:59:59Z
Serial number: 04a03dbce32c5a34420a419fb740aa1a
Intelligence: 19 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 13d9a6cfc0f321b47cd391eaeb23b4b7c840c8d41b6ac4292f18a4ad321707e7
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
iamaachum
https://chaaftan.com/wp-t/Index001.ClientSetup.exe

ConnectWise C2: hire.hometrendoo.com

Intelligence

File Origin
# of uploads :
1
# of downloads :
109
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Index001.ClientSetup.exe
Verdict:
Malicious activity
Analysis date:
2025-11-02 14:32:01 UTC
Tags:
screenconnect rmm-tool tool remote
Link:
https://app.any.run/tasks/6e8f8c32-8330-4d5b-8c9f-9c8c291633e6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/35002/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69076ad19942f1282ecb66ae
Tags:
connectwise micro spawn virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Launching a process
Creating a file
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Loading a suspicious library
DNS request
Connection attempt
Modifying a system file
Creating a file in the Windows subdirectories
Creating a file in the Program Files subdirectories
Creating a service
Launching a service
Creating a process from a recently created file
Sending a custom TCP request
Enabling autorun with the shell\open\command registry branches
Enabling autorun for a service
Unauthorized injection to a recently created process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug anti-vm base64 crypt expired-cert fingerprint keylogger microsoft_visual_cc net overlay overlay packed privilege reconnaissance revoked-cert signed
Link:
https://www.filescan.io/uploads/69076acda3d16310952883cc/reports/649883e7-be60-4c53-a434-449f0354bd86/overview
Verdict:
Malicious
Labled as:
Win/grayware_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/5d37c15512685f518e28b8f1094b112e8f3cff619d6f0b6ef74d87f79466fa33
Verdict:
Adware
File Type:
exe x32
First seen:
2025-10-16T16:15:00Z UTC
Last seen:
2025-11-03T19:54:00Z UTC
Hits:
~10
Detections:
BSS:Exploit.Win32.Generic BSS:Trojan.Win32.Generic BSS:Exploit.Win32.Generic.nblk not-a-virus:HEUR:RemoteAdmin.Win32.ConnectWise.gen not-a-virus:HEUR:RemoteAdmin.Win32.ConnectScreen.gen
Link:
https://opentip.kaspersky.com/5d37c15512685f518e28b8f1094b112e8f3cff619d6f0b6ef74d87f79466fa33/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/efbf7750-be65-472d-a2b4-129ee0e826a3
Result
Threat name:
ScreenConnect Tool
Create hunting rule
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1806511
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious PE digital signature
Changes security center settings (notifications, updates, antivirus, firewall)
Creates files in the system32 config directory
Enables network access during safeboot for specific services
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Sigma detected: Remote Access Tool - ScreenConnect Suspicious Execution
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1806511 Sample: Index001.ClientSetup.exe Startdate: 02/11/2025 Architecture: WINDOWS Score: 80 58 hire.hometrendoo.com 2->58 62 Multi AV Scanner detection for submitted file 2->62 64 .NET source code contains potential unpacker 2->64 66 .NET source code references suspicious native API functions 2->66 68 3 other signatures 2->68 8 msiexec.exe 88 48 2->8         started        12 ScreenConnect.ClientService.exe 2 2->12         started        15 svchost.exe 2->15         started        17 Index001.ClientSetup.exe 3 2->17         started        signatures3 process4 dnsIp5 48 C:\...\ScreenConnect.WindowsClient.exe, PE32 8->48 dropped 50 C:\...\ScreenConnect.ClientService.exe, PE32 8->50 dropped 52 C:\...\ScreenConnect.WindowsClient.exe.config, XML 8->52 dropped 56 9 other files (none is malicious) 8->56 dropped 70 Enables network access during safeboot for specific services 8->70 19 msiexec.exe 8->19         started        21 msiexec.exe 1 8->21         started        23 msiexec.exe 8->23         started        60 hire.hometrendoo.com 91.92.241.160, 49694, 8041 THEZONEBG Bulgaria 12->60 25 ScreenConnect.WindowsClient.exe 3 12->25         started        28 ScreenConnect.WindowsClient.exe 2 12->28         started        72 Changes security center settings (notifications, updates, antivirus, firewall) 15->72 30 MpCmdRun.exe 15->30         started        54 C:\Users\...\Index001.ClientSetup.exe.log, CSV 17->54 dropped 32 msiexec.exe 6 17->32         started        file6 signatures7 process8 file9 35 rundll32.exe 7 19->35         started        74 Creates files in the system32 config directory 25->74 38 conhost.exe 30->38         started        40 C:\Users\user\AppData\Local\...\MSI862E.tmp, PE32 32->40 dropped signatures10 process11 file12 42 C:\...\ScreenConnect.InstallerActions.dll, PE32 35->42 dropped 44 C:\Users\user\...\ScreenConnect.Core.dll, PE32 35->44 dropped 46 Microsoft.Deployme...indowsInstaller.dll, PE32 35->46 dropped
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5d37c15512685f518e28b8f1094b112e8f3cff619d6f0b6ef74d87f79466fa33
Verdict:
inconclusive
YARA:
8 match(es)
Tags:
.Net CAB:COMPRESSION:LZX Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout PE Memory-Mapped (Dump) SOS: 0.00 SOS: 0.07 SOS: 0.21 SOS: 0.22 SOS: 0.30 SOS: 0.32 SOS: 0.33 Win 32 Exe x86
Link:
https://app.malva.re/file/220276c76c19a3f01b9fa8f172b96407
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5d37c15512685f518e28b8f1094b112e8f3cff619d6f0b6ef74d87f79466fa33/
Verdict:
Malicious
Threat:
RemoteAdmin.Win32.ConnectScreen
Link:
https://tip.neiki.dev/file/5d37c15512685f518e28b8f1094b112e8f3cff619d6f0b6ef74d87f79466fa33
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lu34cvisnbpvddrixdyqssyrf2htz73btvxqw3xxjwd7pfdg7izq._file
Verdict:
suspicious
Label(s):
admintool_screenconnect
Create hunting rule
Similar samples:
error
ConnectWise
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery ransomware
Link:
https://tria.ge/reports/251102-rttayabw4c/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3c993afc-a01b-407d-b580-59b33524318d
Unpacked files
SH256 hash:
5d37c15512685f518e28b8f1094b112e8f3cff619d6f0b6ef74d87f79466fa33
MD5 hash:
220276c76c19a3f01b9fa8f172b96407
SHA1 hash:
9936aff2f3df1286f67bb3853c045d9674b99d5c
Detections:
win_evilconwi_w0
Create hunting rule
Link:
https://www.unpac.me/results/349b5c0a-7fad-429e-ae8b-e3dace91ad3a/
SH256 hash:
d386568a06df99986ed0489ff26010c0aa1e35981cd3c6bef4f5eef77452204b
MD5 hash:
b1c6abe5a49a67c5e3e5d54430d99b6f
SHA1 hash:
225293bb686d60594568f6c51743b4449b1e8cf1
Detections:
INDICATOR_EXE_DotNET_Encrypted
Create hunting rule
INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Link:
https://www.unpac.me/results/349b5c0a-7fad-429e-ae8b-e3dace91ad3a/
SH256 hash:
4988e919f011256869e2b7fa82a885e87137f46bbfa251e598ed0720dc831499
MD5 hash:
5822cde544c4214cb6cdda1f83ec2671
SHA1 hash:
c0bf0f9f6542f012b28a3659ff47e0518643cfa7
Link:
https://www.unpac.me/results/349b5c0a-7fad-429e-ae8b-e3dace91ad3a/
SH256 hash:
db1d333919a20b01c16b51a378f83cf31edba0ccac93aa070a5ebe1c5d7af3df
MD5 hash:
0ff3393d9b08d98437b7b84c4a5064e4
SHA1 hash:
596e1d45bb252a43dcbd609bc2a9a41260622463
Link:
https://www.unpac.me/results/349b5c0a-7fad-429e-ae8b-e3dace91ad3a/
SH256 hash:
8db4ab7783be34868a96673b75424d39ce437a6919d910eb61eed3469c95b5db
MD5 hash:
e0d9150c385d5cf460bf1ae3831c39b7
SHA1 hash:
33a65f135e434a74b5e30cb3c203771641017573
Detections:
INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Link:
https://www.unpac.me/results/349b5c0a-7fad-429e-ae8b-e3dace91ad3a/
Parent samples :
2ca0dc3544cb47fe391f5203ab0325ed4584255914280ca2377d5aa3ae58c5eb
0d8c786fe82440d3de583ef72197dc2354c7c399ccc9e449f48d96d78a1a5210
55ae2ce1f1fd51a8896b38ca5b82d61f67c46523ee83c612a169d1735786933a
cf0cee4a57aaf725341d760883d5dfb71bb83d1b3a283b54161403099b8676ec
63e8536873d823d60195808c783464109a423b9851e6ba3b7dae838b6b0c632c
75010da01904bbd5f99c6907389138c81d2cd3963a3b966ff1ff806497e96195
6342a6b2c991d7953d24c2787fcfc63cc00b120d235abd700aecdf11b0fe0b73
5d37c15512685f518e28b8f1094b112e8f3cff619d6f0b6ef74d87f79466fa33
SH256 hash:
7881eab79c6d85d7de5d21c73b514328f88ce46dace7cecb4f48b8103bc370b9
MD5 hash:
2b6637165ff9bbefd460529751003376
SHA1 hash:
7d1a418dced35e357c1c723383bf4ec3e7858589
Link:
https://www.unpac.me/results/349b5c0a-7fad-429e-ae8b-e3dace91ad3a/
SH256 hash:
3cff4ac91288a0ff0c13278e73b282a64e83d089c5a61a45d483194ab336b852
MD5 hash:
ba84dd4e0c1408828ccc1de09f585eda
SHA1 hash:
e8e10065d479f8f591b9885ea8487bc673301298
Link:
https://www.unpac.me/results/349b5c0a-7fad-429e-ae8b-e3dace91ad3a/
SH256 hash:
14504a6021b15d6d7b90ec6b6f1390531e6a706575b4aa62a36cf62a08aa411a
MD5 hash:
e9743a93e2936119263cca6ef568104b
SHA1 hash:
7f13f1e4ff7d45de8aee0b0fc35eb5eb166cbbf2
Link:
https://www.unpac.me/results/349b5c0a-7fad-429e-ae8b-e3dace91ad3a/
SH256 hash:
410541de79520a6aaefc5969a9b16b9c43a6117bfe6e0d731f2e3f9aad17d9e7
MD5 hash:
68611c4381634e34a74d88e33de8b274
SHA1 hash:
6978b810b44f500582c3fb329882d096f049ba6d
Detections:
INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Link:
https://www.unpac.me/results/349b5c0a-7fad-429e-ae8b-e3dace91ad3a/
Parent samples :
2ca0dc3544cb47fe391f5203ab0325ed4584255914280ca2377d5aa3ae58c5eb
0d8c786fe82440d3de583ef72197dc2354c7c399ccc9e449f48d96d78a1a5210
55ae2ce1f1fd51a8896b38ca5b82d61f67c46523ee83c612a169d1735786933a
cf0cee4a57aaf725341d760883d5dfb71bb83d1b3a283b54161403099b8676ec
63e8536873d823d60195808c783464109a423b9851e6ba3b7dae838b6b0c632c
75010da01904bbd5f99c6907389138c81d2cd3963a3b966ff1ff806497e96195
6342a6b2c991d7953d24c2787fcfc63cc00b120d235abd700aecdf11b0fe0b73
5d37c15512685f518e28b8f1094b112e8f3cff619d6f0b6ef74d87f79466fa33
SH256 hash:
8a55c15cc76e31042e17458c479772aa95bc1b908016c85b1dc8b8e3eff23254
MD5 hash:
decb1fd20d75e6eade9289cc24605f29
SHA1 hash:
5169602d641c4f2ebd9ca0639622949e00c25566
Link:
https://www.unpac.me/results/349b5c0a-7fad-429e-ae8b-e3dace91ad3a/
SH256 hash:
ad6062215032ab58369403b1221562b5e7fb5ae7d52b29b7fad69eefb2d8455b
MD5 hash:
723f2aaeeda1d2bb2f49322da349ffc9
SHA1 hash:
ac6ab994beaff69adf8a2dc480a8a628175ff6c8
Link:
https://www.unpac.me/results/349b5c0a-7fad-429e-ae8b-e3dace91ad3a/
SH256 hash:
18d41ab18390afb3cfbc0a872cd89565e7c21ec32237ae5be8a7f113e8015420
MD5 hash:
2c1ba8086db22178601b26f7b048605b
SHA1 hash:
28e39ea43bc26437f02f77a6d70a812cee231fac
Detections:
INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Link:
https://www.unpac.me/results/349b5c0a-7fad-429e-ae8b-e3dace91ad3a/
Parent samples :
2ca0dc3544cb47fe391f5203ab0325ed4584255914280ca2377d5aa3ae58c5eb
0d8c786fe82440d3de583ef72197dc2354c7c399ccc9e449f48d96d78a1a5210
55ae2ce1f1fd51a8896b38ca5b82d61f67c46523ee83c612a169d1735786933a
cf0cee4a57aaf725341d760883d5dfb71bb83d1b3a283b54161403099b8676ec
63e8536873d823d60195808c783464109a423b9851e6ba3b7dae838b6b0c632c
75010da01904bbd5f99c6907389138c81d2cd3963a3b966ff1ff806497e96195
6342a6b2c991d7953d24c2787fcfc63cc00b120d235abd700aecdf11b0fe0b73
5d37c15512685f518e28b8f1094b112e8f3cff619d6f0b6ef74d87f79466fa33
SH256 hash:
cb251c6d21d5c1551288382cee25c0e14d6dbdd6ad67982b412dbb43477f9420
MD5 hash:
beabb8eab313925fdbc5ac053a9fb78e
SHA1 hash:
8bec9c3aa4be1cfac983232f1f24564c83c3e085
Link:
https://www.unpac.me/results/349b5c0a-7fad-429e-ae8b-e3dace91ad3a/
SH256 hash:
fc92f5b065051dba85e1658b16cd76a077e775ef2ba44e94ed24eb0fcce528f2
MD5 hash:
8b995f64d6e2cce63311e2f98af77a08
SHA1 hash:
9cc8bc4582967a5098787a64cf4431cc83473198
Link:
https://www.unpac.me/results/349b5c0a-7fad-429e-ae8b-e3dace91ad3a/
SH256 hash:
3a50c0da27fa69997e59bfac31a2c88132f5ab2b87c4e854b5f2a0b3f2c03c00
MD5 hash:
882a770068a37bfb7e419621390aa795
SHA1 hash:
9f398e030e96a84c52d28ce1317bdb7c6265c50e
Link:
https://www.unpac.me/results/349b5c0a-7fad-429e-ae8b-e3dace91ad3a/
SH256 hash:
576ff6a53ac21ae7dd9b3d890a18bcda13942ce41eab4866ffb9d8ad64c8b8a6
MD5 hash:
bb654b27cfed9ce6a5a3c5bb931bef66
SHA1 hash:
e81e267cb6539ee8a646896ca9f1c600c2a2c2d2
Detections:
INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Link:
https://www.unpac.me/results/349b5c0a-7fad-429e-ae8b-e3dace91ad3a/
SH256 hash:
2b9d28408e14b46575d9a4b90ffd0138febcd0ba82b7af83140949d8b45c88d5
MD5 hash:
25d2c8aeb31ca38ae832637d5cffdae3
SHA1 hash:
db68ce6b49ee0190b89e402b91bedd60b39031db
Link:
https://www.unpac.me/results/349b5c0a-7fad-429e-ae8b-e3dace91ad3a/
SH256 hash:
6912ec0106943706b5e80446ffef04de058bf3a2e3bd10c67abd35c4d2bd788d
MD5 hash:
a2f1df83d94fd909a2a47b0713161093
SHA1 hash:
f3d4317c8f991d8be7290ca407281a918cc41a12
Link:
https://www.unpac.me/results/349b5c0a-7fad-429e-ae8b-e3dace91ad3a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5d37c15512685f518e28b8f1094b112e8f3cff619d6f0b6ef74d87f79466fa33

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Detect_Submitting
Create hunting rule
Author:NCSC-CH / GovCERT
Description:Detects login forms in HTML content
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_EXE_DotNET_Encrypted
Create hunting rule
Author:ditekSHen
Description:Detects encrypted or obfuscated .NET executables
Rule name:INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Author:ditekSHen
Description:Detects ConnectWise Control (formerly ScreenConnect). Review RMM Inventory
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETDLLMicrosoft
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:win_evilconwi_w0
Create hunting rule
Author:Karsten Hahn @ G DATA CyberDefense
Description:Settings from app.config that hide the connection of the client. These settings are potentially unwanted
Rule name:win_stealer_generic
Create hunting rule
Author:Reedus0
Description:Rule for detecting generic stealer malware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ConnectWise

Executable exe 5d37c15512685f518e28b8f1094b112e8f3cff619d6f0b6ef74d87f79466fa33

(this sample)

  
Dropped by
Stealc
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/35002/

Comments