MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5eca40fe897927f7a56ec8e55fbddf46f34a8a7c3371499251895053f523785a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ConnectWise


Vendor detections: 15


Intelligence 15 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5eca40fe897927f7a56ec8e55fbddf46f34a8a7c3371499251895053f523785a
SHA3-384 hash: fe675d19fe4c7d01742933d13f6e243662b71ca54750802f687d487cb5a9df3e540fd027f32ce929bfbdd93e2effced7
SHA1 hash: c6469f26484a494323df13f09389e1cbffd7b967
MD5 hash: a6472a46e40767cf3be57eb876e19d47
humanhash: artist-nitrogen-summer-dakota
File name:SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.ConnectWise.gen.16209.26246
Download: download sample
Signature ConnectWise
Create hunting rule
File size:4'118'176 bytes
First seen:2024-05-29 10:28:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 96e03c6bfe932500a28aba3c63f5c7b6 (11 x ConnectWise)
ssdeep 49152:KKsM23xi963PSumT0+TFiH7efPpjXAoZPpqJVXdCiJfm1ZJwgYZXGuaHuKQ1gvs:KDM2s6+6efPxAopp6VXIV1cG5HzQj
Threatray 33 similar samples on MalwareBazaar
TLSH T13F16E011B3D581B6D0BF0638D87986669774BC048362CB6F9794BD693E32BC09E36372
TrID 43.6% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
31.5% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
7.9% (.EXE) Win64 Executable (generic) (10523/12/4)
4.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter SecuriteInfoCom
Tags:ConnectWise exe signed

Code Signing Certificate

Organisation:ConnectWise, LLC
Issuer:DigiCert SHA2 Assured ID Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:2019-10-22T00:00:00Z
Valid to:2022-10-26T12:00:00Z
Serial number: 085dfb7228e907cf98022c52c511bc66
Intelligence: 16 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: ebb706d3b57f68c2ddf5639c741b803646e9cb727f6002084b6283a849d6f75e
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
408
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5eca40fe897927f7a56ec8e55fbddf46f34a8a7c3371499251895053f523785a.exe
Verdict:
Malicious activity
Analysis date:
2024-05-29 10:30:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c31503ea-e362-4722-b34b-9c4fa4e972f7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.ConnectWise.gen.16209.26246.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=665703a25721c8e527178cd0win7simulatehigh_evasion
Tags:
Banker Encryption Static Dexter
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Launching a process
Creating a file
Creating a window
Searching for synchronization primitives
Loading a suspicious library
Launching a service
Modifying a system file
Creating a file in the Windows subdirectories
Creating a file in the Program Files subdirectories
Creating a service
Creating a process from a recently created file
Searching for the window
DNS request
Moving a recently created file
Connection attempt
Possible injection to a system process
Enabling autorun with the shell\open\command registry branches
Enabling autorun for a service
Unauthorized injection to a recently created process
Verdict:
No Threat
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm fingerprint keylogger lolbin msiexec net obfuscated overlay packed rundll32
Link:
https://www.filescan.io/uploads/66570374ae3ab1fab22c867d/reports/64ea9d2d-6bca-4634-9f59-d11fc34299ed/overview
Verdict:
Malicious
Labled as:
Win/grayware_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/5eca40fe897927f7a56ec8e55fbddf46f34a8a7c3371499251895053f523785a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
ConnectWise
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/f1b5a216-c910-4374-b219-0613d0e36654
Result
Threat name:
ScreenConnect Tool
Create hunting rule
Detection:
malicious
Classification:
evad
Score:
66 / 100
Link:
https://www.joesandbox.com/analysis/1448806
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Changes security center settings (notifications, updates, antivirus, firewall)
Detected unpacking (creates a PE file in dynamic memory)
Enables network access during safeboot for specific services
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remote Access Tool - ScreenConnect Suspicious Execution
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1448806 Sample: SecuriteInfo.com.not-a-viru... Startdate: 29/05/2024 Architecture: WINDOWS Score: 66 53 support.cagboot.com 2->53 59 Multi AV Scanner detection for dropped file 2->59 61 Multi AV Scanner detection for submitted file 2->61 63 Detected unpacking (creates a PE file in dynamic memory) 2->63 65 4 other signatures 2->65 8 msiexec.exe 88 47 2->8         started        12 svchost.exe 2->12         started        14 ScreenConnect.ClientService.exe 14 10 2->14         started        17 3 other processes 2->17 signatures3 process4 dnsIp5 43 C:\...\ScreenConnect.ClientService.exe, PE32 8->43 dropped 45 C:\Windows\Installer\MSIC2B0.tmp, PE32 8->45 dropped 47 C:\Windows\Installer\MSIC222.tmp, PE32 8->47 dropped 49 8 other files (none is malicious) 8->49 dropped 67 Enables network access during safeboot for specific services 8->67 19 msiexec.exe 8->19         started        21 msiexec.exe 8->21         started        23 msiexec.exe 1 8->23         started        69 Changes security center settings (notifications, updates, antivirus, firewall) 12->69 25 MpCmdRun.exe 12->25         started        55 support.cagboot.com 103.116.8.148, 49708, 49716, 49717 ADVANCED-AS-APAdvancedInformationCompanyLimitedHK Taiwan; Republic of China (ROC) 14->55 27 ScreenConnect.WindowsClient.exe 2 14->27         started        57 127.0.0.1 unknown unknown 17->57 29 msiexec.exe 6 17->29         started        file6 signatures7 process8 file9 32 rundll32.exe 7 19->32         started        35 conhost.exe 25->35         started        51 C:\Users\user\AppData\Local\...\MSIBBF4.tmp, PE32 29->51 dropped process10 file11 37 C:\...\ScreenConnect.InstallerActions.dll, PE32 32->37 dropped 39 C:\Users\user\...\ScreenConnect.Core.dll, PE32 32->39 dropped 41 Microsoft.Deployme...indowsInstaller.dll, PE32 32->41 dropped
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5eca40fe897927f7a56ec8e55fbddf46f34a8a7c3371499251895053f523785a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5eca40fe897927f7a56ec8e55fbddf46f34a8a7c3371499251895053f523785a/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=l3feb7ujpet7pjlozdsv7po7i3zuvct4gnyutesrrfifh5jdpbna._file
Verdict:
malicious
Similar samples:
0cccf28998cff9c5045bb8bada430762e9228ba3d753408b1e2528596baca2e5
ConnectWise
0ce441304f7c47187c34fdf6d601624ce345c211e21a892328cf2205df7dfb47
ConnectWise
3daa4dab145c54df4959ad5ef311c6387a3cd7984fc41e167535d4ebcf831827
ConnectWise
5eca40fe897927f7a56ec8e55fbddf46f34a8a7c3371499251895053f523785a
ConnectWise
6cae53429303d83b6996b7e97fef6c3f4c45fd666ff0bd67f146b869eb660599
ConnectWise
6e3a1e4e946e7b6cdf277b39d134cf68cd87b5ff4335e5cc5c8447add9faed23
ConnectWise
994fd4e2ae80afedfa17ef2789eab8da068d8b5217bbf4d75ba6fea85d55d3fe
ConnectWise
d00c32beeab634334c6443755fc998408a1aa8017962cdd46d548053722ba837
ConnectWise
+ 23 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/240529-mh8h9scc73/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c0be8eee-8382-4c3d-a5f4-8874a1276f24
Unpacked files
SH256 hash:
3cff4ac91288a0ff0c13278e73b282a64e83d089c5a61a45d483194ab336b852
MD5 hash:
ba84dd4e0c1408828ccc1de09f585eda
SHA1 hash:
e8e10065d479f8f591b9885ea8487bc673301298
Link:
https://www.unpac.me/results/b6a5d9f4-c3c6-41ef-bfd8-cdaf2fd40432/
SH256 hash:
4988e919f011256869e2b7fa82a885e87137f46bbfa251e598ed0720dc831499
MD5 hash:
5822cde544c4214cb6cdda1f83ec2671
SHA1 hash:
c0bf0f9f6542f012b28a3659ff47e0518643cfa7
Link:
https://www.unpac.me/results/b6a5d9f4-c3c6-41ef-bfd8-cdaf2fd40432/
SH256 hash:
ad6062215032ab58369403b1221562b5e7fb5ae7d52b29b7fad69eefb2d8455b
MD5 hash:
723f2aaeeda1d2bb2f49322da349ffc9
SHA1 hash:
ac6ab994beaff69adf8a2dc480a8a628175ff6c8
Link:
https://www.unpac.me/results/b6a5d9f4-c3c6-41ef-bfd8-cdaf2fd40432/
SH256 hash:
6d8a37f84d984df8dbab2d4a69473e8042ae209b34336fdb1aabedbe5ac47617
MD5 hash:
612d979a7bba7b48fb04255bc6c962f3
SHA1 hash:
896d49f1657329bc6d062a1eaa2fdfebaf9c192e
Link:
https://www.unpac.me/results/b6a5d9f4-c3c6-41ef-bfd8-cdaf2fd40432/
SH256 hash:
d9e1d706d37c3482f680598b1704d3b2027c4f1f05de745a484af8fc6ea9126b
MD5 hash:
6d89a568638656cc636d8c1686d90433
SHA1 hash:
85c59714ab2b0b5bb13660d19d135ee9a7536525
Detections:
INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Link:
https://www.unpac.me/results/b6a5d9f4-c3c6-41ef-bfd8-cdaf2fd40432/
SH256 hash:
4b0446b59148e76b0a33d50cfcc399917ca6da0fe995cd218b4c6123be69ceac
MD5 hash:
a754ff94615275f70e7fcd45a2ee8a74
SHA1 hash:
855bd04a0ea5909e282e53403ecda63021357251
Detections:
INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Link:
https://www.unpac.me/results/b6a5d9f4-c3c6-41ef-bfd8-cdaf2fd40432/
SH256 hash:
14504a6021b15d6d7b90ec6b6f1390531e6a706575b4aa62a36cf62a08aa411a
MD5 hash:
e9743a93e2936119263cca6ef568104b
SHA1 hash:
7f13f1e4ff7d45de8aee0b0fc35eb5eb166cbbf2
Link:
https://www.unpac.me/results/b6a5d9f4-c3c6-41ef-bfd8-cdaf2fd40432/
SH256 hash:
a22dee5fa2ec021b62317f34bc491090cb3acdc8b1f85332fcec42fca838211f
MD5 hash:
5c3695e6439975302bfb3720c68f1e0e
SHA1 hash:
7ef05302e3a9da0a71232141e80cc0fb880cb7ce
Detections:
INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Link:
https://www.unpac.me/results/b6a5d9f4-c3c6-41ef-bfd8-cdaf2fd40432/
Parent samples :
9d3291c59ca3cb4f7062df7fb647158acc5a86bc24814ef316f6f78560bb7b93
5eca40fe897927f7a56ec8e55fbddf46f34a8a7c3371499251895053f523785a
SH256 hash:
7881eab79c6d85d7de5d21c73b514328f88ce46dace7cecb4f48b8103bc370b9
MD5 hash:
2b6637165ff9bbefd460529751003376
SHA1 hash:
7d1a418dced35e357c1c723383bf4ec3e7858589
Link:
https://www.unpac.me/results/b6a5d9f4-c3c6-41ef-bfd8-cdaf2fd40432/
SH256 hash:
289a4eea79baa4141744e44d60db713e18b5f23322663c63047962f51b467614
MD5 hash:
48979a1a6d3badea8124bce04b1e01a5
SHA1 hash:
06931bd96343ce167eda796112a30ca8d9fa536a
Link:
https://www.unpac.me/results/b6a5d9f4-c3c6-41ef-bfd8-cdaf2fd40432/
SH256 hash:
8a55c15cc76e31042e17458c479772aa95bc1b908016c85b1dc8b8e3eff23254
MD5 hash:
decb1fd20d75e6eade9289cc24605f29
SHA1 hash:
5169602d641c4f2ebd9ca0639622949e00c25566
Link:
https://www.unpac.me/results/b6a5d9f4-c3c6-41ef-bfd8-cdaf2fd40432/
SH256 hash:
5eca40fe897927f7a56ec8e55fbddf46f34a8a7c3371499251895053f523785a
MD5 hash:
a6472a46e40767cf3be57eb876e19d47
SHA1 hash:
c6469f26484a494323df13f09389e1cbffd7b967
Detections:
INDICATOR_EXE_DotNET_Encrypted
Create hunting rule
INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Link:
https://www.unpac.me/results/b6a5d9f4-c3c6-41ef-bfd8-cdaf2fd40432/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5eca40fe897927f7a56ec8e55fbddf46f34a8a7c3371499251895053f523785a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_DotNET_Encrypted
Create hunting rule
Author:ditekSHen
Description:Detects encrypted or obfuscated .NET executables
Rule name:INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Author:ditekSHen
Description:Detects ConnectWise Control (formerly ScreenConnect). Review RMM Inventory
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETDLLMicrosoft
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:QbotStuff
Create hunting rule
Author:anonymous

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ConnectWise

Executable exe 5eca40fe897927f7a56ec8e55fbddf46f34a8a7c3371499251895053f523785a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2867791/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW
KERNEL32.dll::SetDllDirectoryW

Comments