MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e6bcaf5c117205bd6e95bc9da38e3c9d384ec281f8efacb8b1671f4a6d3a1d8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ConnectWise


Vendor detections: 15


Intelligence 15 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5e6bcaf5c117205bd6e95bc9da38e3c9d384ec281f8efacb8b1671f4a6d3a1d8
SHA3-384 hash: d0112f593c0765f183668c6169f465a58fb12fc268e4b740ba3f5d25c62c14349751c8db67e58666b52ab89eb5a57fd7
SHA1 hash: 13dd9e6126e8bde4885961ff48bd70dfc8ef073d
MD5 hash: 3149eebbe0f4e441fc9a686a55b12bf7
humanhash: oregon-ink-diet-berlin
File name:ScreenConnect.ClientSetup.exe
Download: download sample
Signature ConnectWise
Create hunting rule
File size:14'686'264 bytes
First seen:2025-12-15 16:08:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9771ee6344923fa220489ab01239bdfd (247 x ConnectWise)
ssdeep 196608:sHfefPVdsuCcGaDplmcYMDAsuCcGaDpZsuCcGaDp9suCcGaDpKsuCcGaDpI:SuGthMDvuGjuGzuGiuG1
Threatray 783 similar samples on MalwareBazaar
TLSH T114E61201B3D59575D1BB0639E83A92656B35BC149712C7BF1398B9692E33BC08E323B3
TrID 40.3% (.EXE) Win64 Executable (generic) (10522/11/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter Anonymous
Tags:ConnectWise exe signed

Code Signing Certificate

Organisation:ConnectWise, LLC
Issuer:DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm:sha256WithRSAEncryption
Valid from:2025-06-23T00:00:00Z
Valid to:2028-06-22T23:59:59Z
Serial number: 0abbca120c79810a182f72f89c04358f
Intelligence: 62 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: b7902a93876909ba13bc23013f2c4239db57bfe742f500766a1673c5199fd1fb
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
106
Origin country :
US US
Vendor Threat Intelligence
Malware configuration found for:
ScreenConnect
Details
ScreenConnect
a c2 socket address, RSA public key
Link:
https://research.acce.ciphertechsolutions.com/results/1d1f2751-15ee-4f7a-9bbc-cf1aa2349f76/
Malware family:
n/a
ID:
1
File name:
ScreenConnect.ClientSetup.exe
Verdict:
Malicious activity
Analysis date:
2025-12-15 16:10:48 UTC
Tags:
screenconnect tool rmm-tool remote
Link:
https://app.any.run/tasks/87dadf27-5f27-4043-9ef1-0b8038898dfd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/45110/
Detection(s):
Sanesecurity.Malware.29065.SC.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Siggen26.37800.12014.29258.UNOFFICIAL
Create hunting rule

PUA.Win.Tool.ScreenConnect-10058263-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=694032d3cacd1005450d801b
Tags:
connectwise shellcode dropper virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Launching a process
Creating a file
DNS request
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Loading a suspicious library
Modifying a system file
Creating a file in the Windows subdirectories
Creating a file in the Program Files subdirectories
Creating a service
Launching a service
Creating a process from a recently created file
Moving a file to the Windows subdirectory
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Possible injection to a system process
Enabling autorun with the shell\open\command registry branches
Enabling autorun
Enabling autorun for a service
Unauthorized injection to a recently created process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
base64 installer-heuristic microsoft_visual_cc net packed privilege reconnaissance remoteadmin signed unsafe
Link:
https://www.filescan.io/uploads/694032ad3f8fdbf8e9469f13/reports/ab0e579b-e7f7-4189-9028-308310cf4044/overview
Verdict:
Malicious
Labled as:
RemoteAdmin.ConnectWiseControl
Link:
https://www.hybrid-analysis.com/sample/5e6bcaf5c117205bd6e95bc9da38e3c9d384ec281f8efacb8b1671f4a6d3a1d8
Verdict:
Adware
File Type:
exe x32
First seen:
2025-12-15T13:18:00Z UTC
Last seen:
2025-12-15T13:51:00Z UTC
Hits:
~10
Detections:
not-a-virus:HEUR:RemoteAdmin.Win32.ConnectWise.gen
Link:
https://opentip.kaspersky.com/5e6bcaf5c117205bd6e95bc9da38e3c9d384ec281f8efacb8b1671f4a6d3a1d8/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/0e8469e9-e51e-4e38-b9ee-46238bdfd907
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5e6bcaf5c117205bd6e95bc9da38e3c9d384ec281f8efacb8b1671f4a6d3a1d8
Verdict:
inconclusive
YARA:
9 match(es)
Tags:
.Net CAB:COMPRESSION:LZX CAB:COMPRESSION:NONE Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.00 SOS: 0.07 SOS: 0.21 SOS: 0.24 SOS: 0.25 SOS: 0.26 SOS: 0.27 SOS: 0.31 SOS: 0.36 SOS: 0.39 Win 32 Exe x86
Link:
https://app.malva.re/file/3149eebbe0f4e441fc9a686a55b12bf7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5e6bcaf5c117205bd6e95bc9da38e3c9d384ec281f8efacb8b1671f4a6d3a1d8/
Verdict:
Malicious
Threat:
Win32.Ransomware.Heuristic
Link:
https://tip.neiki.dev/file/5e6bcaf5c117205bd6e95bc9da38e3c9d384ec281f8efacb8b1671f4a6d3a1d8
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lzv4v5obc4qfxvxjlpe5uohdzhjyj3bid6hpvs4lczy7jjwtuhma._file
Verdict:
malicious
Label(s):
admintool_screenconnect
Create hunting rule
Similar samples:
29ef0043dfd8c1e642c559976201c44823757eb8cb2dc9c5e9f6183dd9678883
ConnectWise
5be22549da694e3d6493ca85d0eeba5b0903ad6c98a3770427cd2947962b4bc2
ConnectWise
5e6bcaf5c117205bd6e95bc9da38e3c9d384ec281f8efacb8b1671f4a6d3a1d8
ConnectWise
9f9ba57f3c2425d94a2a2d40886d8582ec75b774814d6eeb9f0069f969c5eb25
ConnectWise
be48b072d698b978b8547d3d8d6901586ec4abb129786cd880d294bd273a5b87
ConnectWise
ead39cfaa2f4c7734f86cff9e7426a9ce2b64161215ba597bff4892ab57d3998
ConnectWise
error
ConnectWise
+ 773 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
backdoor discovery persistence privilege_escalation ransomware rat
Link:
https://tria.ge/reports/251215-tlxdqsyjgm/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Boot or Logon Autostart Execution: Authentication Package
Checks computer location settings
Event Triggered Execution: Component Object Model Hijacking
Enumerates connected drives
ConnectWise ScreenConnect remote access tool
Sets service image path in registry
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d6e09168-922e-42b1-80f6-2f85f64e1cdf
Unpacked files
SH256 hash:
5e6bcaf5c117205bd6e95bc9da38e3c9d384ec281f8efacb8b1671f4a6d3a1d8
MD5 hash:
3149eebbe0f4e441fc9a686a55b12bf7
SHA1 hash:
13dd9e6126e8bde4885961ff48bd70dfc8ef073d
Link:
https://www.unpac.me/results/91d26fe7-c3a5-4ef0-bd91-634b3beee790/
SH256 hash:
8a55c15cc76e31042e17458c479772aa95bc1b908016c85b1dc8b8e3eff23254
MD5 hash:
decb1fd20d75e6eade9289cc24605f29
SHA1 hash:
5169602d641c4f2ebd9ca0639622949e00c25566
Link:
https://www.unpac.me/results/91d26fe7-c3a5-4ef0-bd91-634b3beee790/
SH256 hash:
54e693ce780f45dbed9ee4eb54e33d9ff3bbb16403431e433eb762cc540cfbdc
MD5 hash:
03fc0c98d24fef160d4cc49e71819b7f
SHA1 hash:
64b4353e5a2e444756a2ca12af764e2c34fddb50
Link:
https://www.unpac.me/results/91d26fe7-c3a5-4ef0-bd91-634b3beee790/
SH256 hash:
8fee0d45becac2193c051caaf2c32877ec5dfaad2a22c3eb78d1a55fe3173751
MD5 hash:
c1420c61d20566d22ecb8f4a5e50dfdd
SHA1 hash:
d754c7b709d8a4f0d7582806bf5cce908141edb1
Link:
https://www.unpac.me/results/91d26fe7-c3a5-4ef0-bd91-634b3beee790/
SH256 hash:
c5737f9f9e56bba91002244214d4251c8b4553dec225b88be15ed1f70673f4fc
MD5 hash:
6ab77922584249a5997d93e1ce96e12f
SHA1 hash:
8c1bb25d14d96d45320e8ec5c158c32832b3fbc3
Link:
https://www.unpac.me/results/91d26fe7-c3a5-4ef0-bd91-634b3beee790/
SH256 hash:
d4514e348a8441ccbe7c20be83b56527459f20d1914a967982e86a489cb18689
MD5 hash:
acea4e610335c3e5c235c71cf3aee758
SHA1 hash:
cf234d604bfbd1e8277c8136e866a38efd66e78b
Detections:
SUSP_NET_Large_Static_Array_In_Small_File_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/91d26fe7-c3a5-4ef0-bd91-634b3beee790/
SH256 hash:
ef2492bf1abb19772694c9c933dff1d6ec9c8bf9a7b360a6715f0ec01c62fdba
MD5 hash:
5c55e4da6f1a4e2c3ab99ea590e39960
SHA1 hash:
616804dbc37309513bb3503f1c7cdc2b2eb4eb1a
Link:
https://www.unpac.me/results/91d26fe7-c3a5-4ef0-bd91-634b3beee790/
SH256 hash:
289a4eea79baa4141744e44d60db713e18b5f23322663c63047962f51b467614
MD5 hash:
48979a1a6d3badea8124bce04b1e01a5
SHA1 hash:
06931bd96343ce167eda796112a30ca8d9fa536a
Link:
https://www.unpac.me/results/91d26fe7-c3a5-4ef0-bd91-634b3beee790/
SH256 hash:
775cb3ef0cfd3d5abf51bf4b46052c34bd5552db2bab0d4c0f6674aa74ed0d1a
MD5 hash:
8db032a3f8818ee2e6a627be831be4f2
SHA1 hash:
0c9d0cceba2024a7256545b40460d9d739612fb2
Link:
https://www.unpac.me/results/91d26fe7-c3a5-4ef0-bd91-634b3beee790/
SH256 hash:
a88f6525ceee42c1c36f85c7f0365e6d6f784e78c54e781033f6fbba5b288e49
MD5 hash:
ebf7fa9f59b368f041c6f4c80c3da775
SHA1 hash:
55c8a880a4918d28d3999d25f0283ddb1e5de275
Detections:
INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Link:
https://www.unpac.me/results/91d26fe7-c3a5-4ef0-bd91-634b3beee790/
SH256 hash:
19ac323ca6eae2f8145cdc2bac865b32cd5a48ad6ff199d4ca7da214b056e1dc
MD5 hash:
5fb6074b08ac4709cf2f29fa5b49023e
SHA1 hash:
8bbb78a47c08867c50572f0bd2a27171f91e0454
Link:
https://www.unpac.me/results/91d26fe7-c3a5-4ef0-bd91-634b3beee790/
SH256 hash:
2d17707ddf3f7e62cd1c05a0c24754b239eb2f3fe8982fc7ddc6504576afb41b
MD5 hash:
b577c861c910560bca1b40c77bc2a77b
SHA1 hash:
8ee9a4a25ab6ecd5be7e1dfa3f5046706651c071
Link:
https://www.unpac.me/results/91d26fe7-c3a5-4ef0-bd91-634b3beee790/
SH256 hash:
ad6062215032ab58369403b1221562b5e7fb5ae7d52b29b7fad69eefb2d8455b
MD5 hash:
723f2aaeeda1d2bb2f49322da349ffc9
SHA1 hash:
ac6ab994beaff69adf8a2dc480a8a628175ff6c8
Link:
https://www.unpac.me/results/91d26fe7-c3a5-4ef0-bd91-634b3beee790/
SH256 hash:
0674a743c28a375eb237441f29576f2868cfa384bdd0fbb17b6ff18c777f8f39
MD5 hash:
ebf9f7b3a5b896972178856058ce0f8f
SHA1 hash:
c9ab0ad2252446b902ac9b9b45fcdfe791b01d1f
Detections:
INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Link:
https://www.unpac.me/results/91d26fe7-c3a5-4ef0-bd91-634b3beee790/
SH256 hash:
9342c7be8036a5f8dc3895d75e3314dce961fd3bc70ee59928c67fa04f0c7e08
MD5 hash:
5419ff27205d3e5affa3fc18b811b843
SHA1 hash:
cf49072c50456381cd26cd32cb97606c5f5cfd26
Link:
https://www.unpac.me/results/91d26fe7-c3a5-4ef0-bd91-634b3beee790/
SH256 hash:
7de7d2ae21d48a5b8019ebc03cf490e4c783a2eb02f353fc48127bf0faa4b0ee
MD5 hash:
38974162916a6ca799d0db75120fd026
SHA1 hash:
d28392944e26b558dff6d223342d3fb13d60dd7d
Link:
https://www.unpac.me/results/91d26fe7-c3a5-4ef0-bd91-634b3beee790/
SH256 hash:
29d6495186ad750cc241a5bf82d328b4ce184be729466b9fc1a68e20f4c0d421
MD5 hash:
5d332329ba433ed64e8cb8e546dc74a9
SHA1 hash:
d7d454aa276a8bb4e99343dd5ae7a36cd41e3696
Detections:
SUSP_NET_Shellcode_Loader_Indicators_Jan24
Create hunting rule
INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Link:
https://www.unpac.me/results/91d26fe7-c3a5-4ef0-bd91-634b3beee790/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5e6bcaf5c117205bd6e95bc9da38e3c9d384ec281f8efacb8b1671f4a6d3a1d8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_EXE_DotNET_Encrypted
Create hunting rule
Author:ditekSHen
Description:Detects encrypted or obfuscated .NET executables
Rule name:INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Author:ditekSHen
Description:Detects ConnectWise Control (formerly ScreenConnect). Review RMM Inventory
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/45110/

Comments