MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 64adb568ceb1d4abb36113bde0ca9bffa423be366262f8a4ec75b1e23aef50ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ConnectWise


Vendor detections: 7


Intelligence 7 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 64adb568ceb1d4abb36113bde0ca9bffa423be366262f8a4ec75b1e23aef50ad
SHA3-384 hash: 8d14405ae1961d1de847f4c641a7c722a086bffcccaa1a298b536fb116f23b8ab394e05a556b8da00d8b8696f012e9a0
SHA1 hash: 767b3cd592f458d0ce41e1f72d004556a0bb37db
MD5 hash: e615a410d9da98046b3632fd93621ba4
humanhash: berlin-delta-georgia-twelve
File name:ex.msi
Download: download sample
Signature ConnectWise
Create hunting rule
File size:13'361'152 bytes
First seen:2025-04-17 00:25:16 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 196608:nWh0cGwuWh0cGxWh0cGcWh0cGrWh0cGYWh0cGrWh0cGJ:nWacQWac4WacnWacMWacNWacgWack
TLSH T1D5D6232523FD405AF8F74A79FD3682E46D72BE64CF21C11E9228B90D2A74D4096727B3
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter aachum
Tags:ConnectWise msi


Avatar
iamaachum
ScreenConnect C2: mail.cloudhelpdesk.cloud

Intelligence

File Origin
# of uploads :
1
# of downloads :
97
Origin country :
ES ES
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/2589/
Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68004ef12203b3e10ccfeec7
Tags:
connectwise shellcode spawn virus
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-vm evasive expand explorer installer lolbin lolbin packed remote rundll32
Link:
https://www.filescan.io/uploads/68004a9c90767142c3d81813/reports/5fe47777-d2c0-455c-b7d5-3136676e966b/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/64adb568ceb1d4abb36113bde0ca9bffa423be366262f8a4ec75b1e23aef50ad
Result
Verdict:
UNKNOWN
Link:
https://labs.inquest.net/dfi/sha256/64adb568ceb1d4abb36113bde0ca9bffa423be366262f8a4ec75b1e23aef50ad
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
ScreenConnect Tool
Create hunting rule
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1666899
Signature
.NET source code references suspicious native API functions
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to hide user accounts
Creates files in the system32 config directory
Enables network access during safeboot for specific services
Joe Sandbox ML detected suspicious sample
Modifies security policies related information
Possible COM Object hijacking
Reads the Security eventlog
Reads the System eventlog
Sigma detected: Remote Access Tool - ScreenConnect Suspicious Execution
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1666899 Sample: ex.msi Startdate: 17/04/2025 Architecture: WINDOWS Score: 84 56 mail.cloudhelpdesk.cloud 2->56 64 .NET source code references suspicious native API functions 2->64 66 Contains functionality to hide user accounts 2->66 68 Possible COM Object hijacking 2->68 70 2 other signatures 2->70 8 msiexec.exe 93 51 2->8         started        12 ScreenConnect.ClientService.exe 2 5 2->12         started        15 svchost.exe 2->15         started        17 7 other processes 2->17 signatures3 process4 dnsIp5 46 ScreenConnect.Wind...dentialProvider.dll, PE32+ 8->46 dropped 48 C:\...\ScreenConnect.WindowsClient.exe, PE32 8->48 dropped 50 C:\...\ScreenConnect.ClientService.exe, PE32 8->50 dropped 54 10 other files (1 malicious) 8->54 dropped 72 Enables network access during safeboot for specific services 8->72 74 Modifies security policies related information 8->74 19 msiexec.exe 8->19         started        21 msiexec.exe 1 8->21         started        23 msiexec.exe 8->23         started        58 mail.cloudhelpdesk.cloud 103.195.101.204, 49681, 8041 RELIABLESITEUS Singapore 12->58 76 Reads the Security eventlog 12->76 78 Reads the System eventlog 12->78 25 ScreenConnect.WindowsClient.exe 3 12->25         started        28 ScreenConnect.WindowsClient.exe 2 12->28         started        80 Changes security center settings (notifications, updates, antivirus, firewall) 15->80 30 MpCmdRun.exe 15->30         started        60 127.0.0.1 unknown unknown 17->60 52 C:\Users\user\AppData\Local\...\MSIE734.tmp, PE32 17->52 dropped file6 signatures7 process8 signatures9 32 rundll32.exe 11 19->32         started        82 Creates files in the system32 config directory 25->82 84 Contains functionality to hide user accounts 25->84 36 conhost.exe 30->36         started        process10 file11 38 C:\Users\user\...\ScreenConnect.Windows.dll, PE32 32->38 dropped 40 C:\...\ScreenConnect.InstallerActions.dll, PE32 32->40 dropped 42 C:\Users\user\...\ScreenConnect.Core.dll, PE32 32->42 dropped 44 4 other files (none is malicious) 32->44 dropped 62 Contains functionality to hide user accounts 32->62 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/64adb568ceb1d4abb36113bde0ca9bffa423be366262f8a4ec75b1e23aef50ad/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=msw3k2gowhkkxm3bco66bsu376schprwmjrprjhmowy6eoxpkcwq._file
Verdict:
malicious
Label(s):
admintool_screenconnect
Create hunting rule
Similar samples:
error
ConnectWise
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery persistence privilege_escalation
Link:
https://tria.ge/reports/250417-aq84jsxwes/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Boot or Logon Autostart Execution: Authentication Package
Drops file in System32 directory
Event Triggered Execution: Component Object Model Hijacking
Enumerates connected drives
Sets service image path in registry
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/5e83f71b-f797-451a-9ae4-9efedd788598
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/64adb568ceb1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Author:ditekSHen
Description:Detects ConnectWise Control (formerly ScreenConnect). Review RMM Inventory
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Formbook

Executable exe de01202c6aac1f0e971e018ef0f592f440f0dd0a62a955f514d27cdf63e5edcd

ConnectWise

Microsoft Software Installer (MSI) msi 64adb568ceb1d4abb36113bde0ca9bffa423be366262f8a4ec75b1e23aef50ad

(this sample)

  
Link
https://tria.ge/250417-amtvfsxwcw/behavioral1
  
Dropped by
SHA256 de01202c6aac1f0e971e018ef0f592f440f0dd0a62a955f514d27cdf63e5edcd
  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/2589/
  
Dropped by
MD5 22ebc0313c30af0f2610460f763b56b6

Comments