MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6cae53429303d83b6996b7e97fef6c3f4c45fd666ff0bd67f146b869eb660599. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ConnectWise


Vendor detections: 10


Intelligence 10 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6cae53429303d83b6996b7e97fef6c3f4c45fd666ff0bd67f146b869eb660599
SHA3-384 hash: 868654164ea28c80f109383731e07b360d753ad4032de32095c77b2697634f8422a56c6d8ae340d5338d33438b482cb4
SHA1 hash: a2868b87ba193054aeef8a74cbd07dc9ac3232f0
MD5 hash: 70b15164335801aff3d49c8b24ad20e2
humanhash: nuts-illinois-sweet-lemon
File name:70b15164335801aff3d49c8b24ad20e2
Download: download sample
Signature ConnectWise
Create hunting rule
File size:4'152'528 bytes
First seen:2023-09-07 08:26:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 96e03c6bfe932500a28aba3c63f5c7b6 (11 x ConnectWise)
ssdeep 49152:6cXSUX/mi963PSumT0+TFiH7efPKXeyqkXSPkYYb1rSuRlUaXGHpYLgSL1g0nt:6HOj6+6efPiSPkYYb1rSuE+GJY0gbt
Threatray 13 similar samples on MalwareBazaar
TLSH T10116D011B3E582B5D0BB0638D87952669B74BC084356C7AF97D4BE692D73BC08E22373
TrID 74.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
15.7% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
3.9% (.EXE) Win64 Executable (generic) (10523/12/4)
1.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.7% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter JAMESWT_WT
Tags:ConnectWise exe signed

Code Signing Certificate

Organisation:ConnectWise, LLC
Issuer:DigiCert SHA2 Assured ID Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:2019-10-22T00:00:00Z
Valid to:2022-10-26T12:00:00Z
Serial number: 085dfb7228e907cf98022c52c511bc66
Intelligence: 16 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: ebb706d3b57f68c2ddf5639c741b803646e9cb727f6002084b6283a849d6f75e
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
261
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
70b15164335801aff3d49c8b24ad20e2
Verdict:
Malicious activity
Analysis date:
2023-09-07 08:34:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/044074b0-739b-4fd5-8a6b-164ff0d3c03a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/446923/
Detection(s):
SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.ConnectWise.gen.13634.20316.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Launching a process
Creating a file
Creating a window
Searching for synchronization primitives
Loading a suspicious library
Launching a service
Modifying a system file
Creating a file in the Windows subdirectories
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
Searching for the window
Creating a service
DNS request
Moving a recently created file
Sending a custom TCP request
Possible injection to a system process
Enabling autorun with the shell\open\command registry branches
Unauthorized injection to a recently created process
Enabling autorun for a service
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm greyware keylogger lolbin msiexec net obfuscated overlay packed remoteadmin rundll32
Link:
https://www.filescan.io/uploads/64f9895b67511af1a1b5ca9a/reports/a9969370-2efe-41b2-9376-786001c4249d/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/6cae53429303d83b6996b7e97fef6c3f4c45fd666ff0bd67f146b869eb660599
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
ConnectWise
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/ccee483d-6b55-4bd5-831c-b4934714cdba
Result
Threat name:
ScreenConnect Tool
Create hunting rule
Detection:
suspicious
Classification:
evad
Score:
36 / 100
Link:
https://www.joesandbox.com/analysis/1305065
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1305065 Sample: U9R56DMUcE.exe Startdate: 07/09/2023 Architecture: WINDOWS Score: 36 58 .NET source code contains potential unpacker 2->58 60 .NET source code references suspicious native API functions 2->60 8 msiexec.exe 87 45 2->8         started        11 ScreenConnect.ClientService.exe 17 16 2->11         started        14 U9R56DMUcE.exe 3 2->14         started        16 svchost.exe 2->16         started        process3 dnsIp4 38 C:\Windows\Installer\MSIEECC.tmp, PE32 8->38 dropped 40 C:\Windows\Installer\MSIEC97.tmp, PE32 8->40 dropped 42 C:\Windows\Installer\MSIEC58.tmp, PE32 8->42 dropped 44 7 other files (none is malicious) 8->44 dropped 18 msiexec.exe 8->18         started        20 ScreenConnect.WindowsClient.exe 2 8->20         started        22 msiexec.exe 8->22         started        24 msiexec.exe 8->24         started        54 server-nix2c74bcf2-relay.screenconnect.com 145.40.105.172, 443, 49727, 49728 BREEDBANDDELFTNL Netherlands 11->54 56 instance-ymp7rj-relay.screenconnect.com 11->56 26 ScreenConnect.WindowsClient.exe 11->26         started        28 msiexec.exe 6 14->28         started        file5 process6 file7 31 rundll32.exe 7 18->31         started        34 ScreenConnect.WindowsClient.exe 2 20->34         started        46 C:\Users\user\AppData\Local\...\MSIE2FF.tmp, PE32 28->46 dropped process8 file9 48 C:\...\ScreenConnect.InstallerActions.dll, PE32 31->48 dropped 50 C:\Users\user\...\ScreenConnect.Core.dll, PE32 31->50 dropped 52 Microsoft.Deployme...indowsInstaller.dll, PE32 31->52 dropped 36 ScreenConnect.ClientService.exe 1 1 34->36         started        process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6cae53429303d83b6996b7e97fef6c3f4c45fd666ff0bd67f146b869eb660599/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nsxfgqutapmdw2mww7ux733mh5gel7lgn7yl2z7ri24gt23gawmq._file
Verdict:
malicious
Similar samples:
0cccf28998cff9c5045bb8bada430762e9228ba3d753408b1e2528596baca2e5
ConnectWise
0ce441304f7c47187c34fdf6d601624ce345c211e21a892328cf2205df7dfb47
ConnectWise
3a802cefc9627709ac68e229bda3595e657bdf926dde585fd9f606b71d232254
ConnectWise
3daa4dab145c54df4959ad5ef311c6387a3cd7984fc41e167535d4ebcf831827
ConnectWise
6e3a1e4e946e7b6cdf277b39d134cf68cd87b5ff4335e5cc5c8447add9faed23
ConnectWise
7ff6a3fcbed316b6d900789a7dfdd482017eb502bdebd6db59179dc2a5b6d5fe
ConnectWise
994fd4e2ae80afedfa17ef2789eab8da068d8b5217bbf4d75ba6fea85d55d3fe
ConnectWise
af5a12a388a7bf416d11b3123251e422f5fd94501e893d11e4fa91de3cb13220
ConnectWise
d00c32beeab634334c6443755fc998408a1aa8017962cdd46d548053722ba837
ConnectWise
fa5b511ef1b55546770402f47dcc78b31461b71e4aac7dafe8ef02de732f6ac0
ConnectWise
+ 3 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230907-kce9esff85/
Behaviour
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Checks SCSI registry key(s)
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
3cff4ac91288a0ff0c13278e73b282a64e83d089c5a61a45d483194ab336b852
MD5 hash:
ba84dd4e0c1408828ccc1de09f585eda
SHA1 hash:
e8e10065d479f8f591b9885ea8487bc673301298
Link:
https://www.unpac.me/results/90d7c86e-4dbe-43b2-b3a1-c6896bd0cb52/
SH256 hash:
4db65e3c8392d319ca69a138d36428de97299a3d026323d57bb7da9428cd14ec
MD5 hash:
f610f978eb9c039722f0ffabc3a9a744
SHA1 hash:
e021b08715a64f0c468e7f22ebc08aac7dbf0bce
Link:
https://www.unpac.me/results/90d7c86e-4dbe-43b2-b3a1-c6896bd0cb52/
SH256 hash:
4988e919f011256869e2b7fa82a885e87137f46bbfa251e598ed0720dc831499
MD5 hash:
5822cde544c4214cb6cdda1f83ec2671
SHA1 hash:
c0bf0f9f6542f012b28a3659ff47e0518643cfa7
Link:
https://www.unpac.me/results/90d7c86e-4dbe-43b2-b3a1-c6896bd0cb52/
SH256 hash:
ad6062215032ab58369403b1221562b5e7fb5ae7d52b29b7fad69eefb2d8455b
MD5 hash:
723f2aaeeda1d2bb2f49322da349ffc9
SHA1 hash:
ac6ab994beaff69adf8a2dc480a8a628175ff6c8
Link:
https://www.unpac.me/results/90d7c86e-4dbe-43b2-b3a1-c6896bd0cb52/
SH256 hash:
2df8a700b56c55c7ca9a5ca6af5fb93256535bb289f30fbd10fda3129e089c0a
MD5 hash:
a53152ac9c665db310fa5f60cc503ac6
SHA1 hash:
97517b17ede5ea897f42b0f71e7642db42748a6b
Link:
https://www.unpac.me/results/90d7c86e-4dbe-43b2-b3a1-c6896bd0cb52/
SH256 hash:
19ac323ca6eae2f8145cdc2bac865b32cd5a48ad6ff199d4ca7da214b056e1dc
MD5 hash:
5fb6074b08ac4709cf2f29fa5b49023e
SHA1 hash:
8bbb78a47c08867c50572f0bd2a27171f91e0454
Link:
https://www.unpac.me/results/90d7c86e-4dbe-43b2-b3a1-c6896bd0cb52/
SH256 hash:
dba25d80c0d0a28a98b811502c3b24eab1b2095fe6ae52c1bd15481f9d5aeaa0
MD5 hash:
41f36e209b07cf125dc74dfdce1646a7
SHA1 hash:
40252161eba2a80e88b86c44f8bdf88005362e9d
Link:
https://www.unpac.me/results/90d7c86e-4dbe-43b2-b3a1-c6896bd0cb52/
SH256 hash:
bad512370d834969316c6c7f8f2daac776155ce99a3652958e0ca7ccd70b556d
MD5 hash:
2ea40c0e098d9799aa23127fe9653b9e
SHA1 hash:
1d2c9fafa9c1d53876a16cae092a7a6e428ee3fe
Link:
https://www.unpac.me/results/90d7c86e-4dbe-43b2-b3a1-c6896bd0cb52/
SH256 hash:
289a4eea79baa4141744e44d60db713e18b5f23322663c63047962f51b467614
MD5 hash:
48979a1a6d3badea8124bce04b1e01a5
SHA1 hash:
06931bd96343ce167eda796112a30ca8d9fa536a
Link:
https://www.unpac.me/results/90d7c86e-4dbe-43b2-b3a1-c6896bd0cb52/
SH256 hash:
b4b966fc770aef0a7953b3e656c3f306da969ff6c549df02d877d65e0fb0c328
MD5 hash:
9c6eb820b00a35cffb31b2b92491271c
SHA1 hash:
04a0f89226759aa0014d73de736ea31caa95ee5f
Link:
https://www.unpac.me/results/90d7c86e-4dbe-43b2-b3a1-c6896bd0cb52/
SH256 hash:
6cae53429303d83b6996b7e97fef6c3f4c45fd666ff0bd67f146b869eb660599
MD5 hash:
70b15164335801aff3d49c8b24ad20e2
SHA1 hash:
a2868b87ba193054aeef8a74cbd07dc9ac3232f0
Link:
https://www.unpac.me/results/90d7c86e-4dbe-43b2-b3a1-c6896bd0cb52/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6cae53429303d83b6996b7e97fef6c3f4c45fd666ff0bd67f146b869eb660599

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_DotNET_Encrypted
Create hunting rule
Author:ditekSHen
Description:Detects encrypted or obfuscated .NET executables
Rule name:INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Author:ditekSHen
Description:Detects ConnectWise Control (formerly ScreenConnect). Review RMM Inventory
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETDLLMicrosoft
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:QbotStuff
Create hunting rule
Author:anonymous

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/446923/

Comments