MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 60dbc8e2cb2389609132466a2125b832b478e2793db3b68a33ab0c3018f4b47b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ConnectWise

Vendor detections: 8

Intelligence 8 IOCs YARA 3 File information Comments

SHA256 hash:	60dbc8e2cb2389609132466a2125b832b478e2793db3b68a33ab0c3018f4b47b
SHA3-384 hash:	5823d7ccde97895af66b487c796b90e8e4fbac3c126ce1f6317b6ccd0fded2e4658b7a1c637e79e0a94ad2f88ae8b8b8
SHA1 hash:	74549c5158313c63ac32779ebca69714c2979236
MD5 hash:	396281762ad34bf94edc704859dff955
humanhash:	mockingbird-alabama-uncle-may
File name:	123.msi
Download:	download sample
Signature	ConnectWise Create hunting rule
File size:	5'264'656 bytes
First seen:	2022-12-21 13:12:23 UTC
Last seen:	2023-09-07 08:26:23 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	96e03c6bfe932500a28aba3c63f5c7b6 (11 x ConnectWise)
ssdeep	98304:GA6+6efPktkz/6dRqf4ZPcZdYdsBGVMTWm3MzDORS1v:QefPMlBKnYaWmP8
TLSH	T10D36F112F3D591B6D0BF0638E87942669B74BC094222C76F9394BD693D33B809E26377
TrID	74.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60) 15.7% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 3.9% (.EXE) Win64 Executable (generic) (10523/12/4) 1.9% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.7% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	TeamDreier
Tags:	ConnectWise exe instance-g15pic-relay-screenconnect-com signed

Code Signing Certificate

Organisation:	Connectwise, LLC
Issuer:	DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm:	sha256WithRSAEncryption
Valid from:	2022-08-17T00:00:00Z
Valid to:	2025-08-15T23:59:59Z
Serial number:	0b9360051bccf66642998998d5ba97ce
Intelligence:	444 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	82b4e7924d5bed84fb16ddf8391936eb301479cec707dc14e23bc22b8cdeae28
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

204

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

123.msi

Verdict:

Malicious activity

Analysis date:

2022-12-21 13:15:34 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/3ac620dd-c905-4d4a-8244-b5d16e505e08

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/348714/

Detection(s):

SecuriteInfo.com.Trojan.Siggen19.11469.1415.10944.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% directory

Сreating synchronization primitives

Launching a process

Creating a file

Creating a window

Searching for synchronization primitives

Sending a custom TCP request

Launching a service

Modifying a system file

Creating a file in the Windows subdirectories

Creating a file in the Program Files subdirectories

Creating a service

Creating a process from a recently created file

DNS request

Possible injection to a system process

Enabling autorun with the shell\open\command registry branches

Enabling autorun for a service

Unauthorized injection to a recently created process

Gathering data

Malware family:

ConnectWise

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/b8d9f5d7-7670-4713-835c-20d43078eb21

Result

Threat name:

Unknown

Detection:

suspicious

Classification:

n/a

Score:

36 / 100

Link:

https://www.joesandbox.com/analysis/1138677

Signature

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/60dbc8e2cb2389609132466a2125b832b478e2793db3b68a33ab0c3018f4b47b/

Threat name:

Win32.Trojan.ConnectWise

Status:

Malicious

First seen:

2022-12-14 12:10:27 UTC

File Type:

PE (Exe)

Extracted files:

180

AV detection:

8 of 24 (33.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mdn4rywleoewbejsizvccjnygk2hrytzhwz3ncrtvmgdaghuwr5q._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

8/10

Tags:

persistence

Link:

https://tria.ge/reports/221221-qf3rsacc88/

Behaviour

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Program Files directory

Drops file in Windows directory

Enumerates connected drives

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Registers COM server for autorun

Sets service image path in registry

Unpacked files

SH256 hash:

2d276d9019971396c81376bc1f1e754b5c363893458ed9f3b2ba0eea70e52f4b

MD5 hash:

80fdee5e65147dfd9ee8795e8c031a5a

SHA1 hash:

faf3a0ab9317afe1f0459bd4ec2a238b2b6da9b3

Link:

https://www.unpac.me/results/190302b1-0d7b-453d-8cf8-de0c40f469ed/

SH256 hash:

434eae4dea43171c32509fb4e81ec4ddd0f85fa7cc99510c04d7203ff3ba4e18

MD5 hash:

85cc69cdde88d5c69098929cad086316

SHA1 hash:

e4defd4035f392ffccf618363bb96439ef864ee9

Link:

https://www.unpac.me/results/190302b1-0d7b-453d-8cf8-de0c40f469ed/

SH256 hash:

485d870efda0dbccd6b2c3f32c6b2f8c7ce93ee5afdafa9483acded1d44187f8

MD5 hash:

19c077f34bcd47ea76350bba54ae445c

SHA1 hash:

d788648b4d771f1f2127c38f0b559a3773c282b7

Link:

https://www.unpac.me/results/190302b1-0d7b-453d-8cf8-de0c40f469ed/

SH256 hash:

19ac323ca6eae2f8145cdc2bac865b32cd5a48ad6ff199d4ca7da214b056e1dc

MD5 hash:

5fb6074b08ac4709cf2f29fa5b49023e

SHA1 hash:

8bbb78a47c08867c50572f0bd2a27171f91e0454

Link:

https://www.unpac.me/results/190302b1-0d7b-453d-8cf8-de0c40f469ed/

SH256 hash:

e91713a10ae7c56d02319bedf311c694cdb60006c9c98be18f899f71a12f33b4

MD5 hash:

e24fd47456a101cca6595c8172f730b5

SHA1 hash:

6583b40e296bb9f14e9dadcc9007cfb4b0e8093b

Link:

https://www.unpac.me/results/190302b1-0d7b-453d-8cf8-de0c40f469ed/

SH256 hash:

67d34f845b7e8175aa3b80e34243ef4e06261dd7e38fa3c0709bc055514433a0

MD5 hash:

6687006bb1763e529532403e04e4045b

SHA1 hash:

3c39748904e722292fde71844c9154b88541ab25

Link:

https://www.unpac.me/results/190302b1-0d7b-453d-8cf8-de0c40f469ed/

SH256 hash:

f7955081836660f2d3700f847517bc8f3a49d049e3bfad30bfa7c76eca93ef33

MD5 hash:

70d496e691951e8f05d95e54983fff54

SHA1 hash:

3143de2e2d0917ef089d97a88015ff897ca511b0

Link:

https://www.unpac.me/results/190302b1-0d7b-453d-8cf8-de0c40f469ed/

SH256 hash:

60dbc8e2cb2389609132466a2125b832b478e2793db3b68a33ab0c3018f4b47b

MD5 hash:

396281762ad34bf94edc704859dff955

SHA1 hash:

74549c5158313c63ac32779ebca69714c2979236

Link:

https://www.unpac.me/results/190302b1-0d7b-453d-8cf8-de0c40f469ed/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/60dbc8e2cb2389609132466a2125b832b478e2793db3b68a33ab0c3018f4b47b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_DotNET_Encrypted Create hunting rule
Author:	ditekSHen
Description:	Detects encrypted or obfuscated .NET executables

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	QbotStuff Create hunting rule
Author:	anonymous

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/348714/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample