MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 74657366dd7d4c8cfb1580cc19033837d5e3b91cf4e77a111720c01e8fbca489. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ConnectWise

Vendor detections: 10

Intelligence 10 IOCs YARA 11 File information Comments

SHA256 hash:	74657366dd7d4c8cfb1580cc19033837d5e3b91cf4e77a111720c01e8fbca489
SHA3-384 hash:	dc350a4883c9667f3180ab408aa6044271397968a7ba0ea78b06e3193194c8d1f7746aac103bd8bb70e1e3c575ef28b5
SHA1 hash:	3f8b9931b04e55b6fba127030a75c4a1b91b4164
MD5 hash:	3840e535f2dd406701b0f52280be69a5
humanhash:	indigo-quiet-venus-winter
File name:	3840e535f2dd406701b0f52280be69a5
Download:	download sample
Signature	ConnectWise Create hunting rule
File size:	5'385'480 bytes
First seen:	2023-09-07 08:25:40 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	9771ee6344923fa220489ab01239bdfd (246 x ConnectWise)
ssdeep	98304:qaeNO66+6efPPw2Ks9fM8dYdstG1l40Mprh:qa9efPu8nk40Id
Threatray	16 similar samples on MalwareBazaar
TLSH	T1C746F111B3D591B6D07F0638D8794666AB74BC088322CB5F5394BE697D33BC09E223B6
TrID	74.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60) 15.7% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 3.9% (.EXE) Win64 Executable (generic) (10523/12/4) 1.9% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.7% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	JAMESWT_WT
Tags:	ConnectWise exe signed

Code Signing Certificate

Organisation:	Connectwise, LLC
Issuer:	DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm:	sha256WithRSAEncryption
Valid from:	2022-08-17T00:00:00Z
Valid to:	2025-08-15T23:59:59Z
Serial number:	0b9360051bccf66642998998d5ba97ce
Intelligence:	444 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	82b4e7924d5bed84fb16ddf8391936eb301479cec707dc14e23bc22b8cdeae28
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

258

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

3840e535f2dd406701b0f52280be69a5

Verdict:

Malicious activity

Analysis date:

2023-09-07 08:31:55 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/e8064c7a-7ffd-4e7b-a521-06c45cc12657

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/446918/

Detection(s):

Sanesecurity.Malware.29065.SC.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% directory

Сreating synchronization primitives

Launching a process

Creating a file

Creating a window

Searching for synchronization primitives

Loading a suspicious library

Launching a service

Modifying a system file

Creating a file in the Windows subdirectories

Creating a file in the Program Files subdirectories

Creating a service

Creating a process from a recently created file

DNS request

Possible injection to a system process

Enabling autorun with the shell\open\command registry branches

Enabling autorun for a service

Unauthorized injection to a recently created process

Gathering data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm greyware lolbin msiexec net obfuscated overlay packed remoteadmin rundll32 virus

Link:

https://www.filescan.io/uploads/64f9891f2a262962b79635f9/reports/137db53f-6aa9-4813-9b4f-cd458ff9915c/overview

Verdict:

Malicious

Labled as:

Win/grayware_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/74657366dd7d4c8cfb1580cc19033837d5e3b91cf4e77a111720c01e8fbca489

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

ConnectWise

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/c81c4352-b6f2-4cef-9499-ee2efe548f1d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/74657366dd7d4c8cfb1580cc19033837d5e3b91cf4e77a111720c01e8fbca489/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=orsxgzw5pvgiz6yvqdgbsazyg7k6hoi46ttxueixedab5d54useq._file

Verdict:

malicious

ConnectWise

3a802cefc9627709ac68e229bda3595e657bdf926dde585fd9f606b71d232254

ConnectWise

3daa4dab145c54df4959ad5ef311c6387a3cd7984fc41e167535d4ebcf831827

ConnectWise

5efb1a07feb64993d6b90b4e70b219ee455c0973b84aaf56a04821066b6421b9

ConnectWise

7bbe675863a8a03339ebd642ce7c9b209dd3505c4970a41da8d76f8bd679e4d2

ConnectWise

994fd4e2ae80afedfa17ef2789eab8da068d8b5217bbf4d75ba6fea85d55d3fe

ConnectWise

af5a12a388a7bf416d11b3123251e422f5fd94501e893d11e4fa91de3cb13220

ConnectWise

cf6b7d4d7e917a72ce9b524291aae29568127f1fb1577d897e3d5cfef00ab419

ConnectWise

fa5b511ef1b55546770402f47dcc78b31461b71e4aac7dafe8ef02de732f6ac0

ConnectWise

fdb6a601ff7950aa6a08eccc782c4b9f1f2fafc25219ffa37ac8b4cdbb07f094

ConnectWise

+ 6 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

persistence

Link:

https://tria.ge/reports/230907-kbvygsff78/

Behaviour

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Enumerates physical storage devices

Drops file in Program Files directory

Drops file in Windows directory

Enumerates connected drives

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Registers COM server for autorun

Sets service image path in registry

Unpacked files

SH256 hash:

db2448a84b95ee9943678669dfdf780387eca163808a166345990ad5487ac827

MD5 hash:

31503bfa04ad00596959fd74d23e4c57

SHA1 hash:

cdcf0d9b55a62707a3f73555eedeeec5e8de0bfc

Link:

https://www.unpac.me/results/22a88e52-d50b-4f63-a197-fb72ee95ef6c/

SH256 hash:

cfec05cbdef70862f237fb505d8fca2ae94a4b8955a5030687815bac2ce908a3

MD5 hash:

b69446f8cc101d89bcb2a2e09c24b228

SHA1 hash:

9bbe4c6100bd27decb02df72adcb42a5e8aea955

Link:

https://www.unpac.me/results/22a88e52-d50b-4f63-a197-fb72ee95ef6c/

SH256 hash:

ab02587ef97fc5dccb96fbfb285b264847b49b8aee95dcdf066ea4bf661defc7

MD5 hash:

b23aee2b0a6da6383410d3e5958ddf68

SHA1 hash:

9a6030f1c3ed3b3b3a08e0899c037ccc67fe6cef

Link:

https://www.unpac.me/results/22a88e52-d50b-4f63-a197-fb72ee95ef6c/

SH256 hash:

19ac323ca6eae2f8145cdc2bac865b32cd5a48ad6ff199d4ca7da214b056e1dc

MD5 hash:

5fb6074b08ac4709cf2f29fa5b49023e

SHA1 hash:

8bbb78a47c08867c50572f0bd2a27171f91e0454

Link:

https://www.unpac.me/results/22a88e52-d50b-4f63-a197-fb72ee95ef6c/

SH256 hash:

fc8779db9d45ea6a8a327a8d5a4bac4614f6be48466c6b8e5116ef01e3b91f70

MD5 hash:

d003769d6b0937e7a53e7f27c4f6ea04

SHA1 hash:

59053700274fd618432ccd12c1b0316d6261d792

Link:

https://www.unpac.me/results/22a88e52-d50b-4f63-a197-fb72ee95ef6c/

SH256 hash:

23e016f28fdec7c986d32c5af10308a166caf73b89c123a86552479eed9e13f4

MD5 hash:

a34322bcb3565cd228ffea96d7871942

SHA1 hash:

066e2c6009b441350ec23c676aa40dd48edd1c80

Link:

https://www.unpac.me/results/22a88e52-d50b-4f63-a197-fb72ee95ef6c/

SH256 hash:

30ad686ba96481059ba06059b58b264992a31969ad3f8eefe0243dc101b67ffe

MD5 hash:

3f2ee3a197040f4c01109805b6570e2b

SHA1 hash:

9db6efd7cda0546ecfef53c0e6d868cb78732803

Link:

https://www.unpac.me/results/22a88e52-d50b-4f63-a197-fb72ee95ef6c/

SH256 hash:

74657366dd7d4c8cfb1580cc19033837d5e3b91cf4e77a111720c01e8fbca489

MD5 hash:

3840e535f2dd406701b0f52280be69a5

SHA1 hash:

3f8b9931b04e55b6fba127030a75c4a1b91b4164

Link:

https://www.unpac.me/results/22a88e52-d50b-4f63-a197-fb72ee95ef6c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.01

Link:

https://yomi.yoroi.company/submissions/74657366dd7d4c8cfb1580cc19033837d5e3b91cf4e77a111720c01e8fbca489

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	INDICATOR_EXE_DotNET_Encrypted Create hunting rule
Author:	ditekSHen
Description:	Detects encrypted or obfuscated .NET executables

Rule name:	INDICATOR_RMM_ConnectWise_ScreenConnect Create hunting rule
Author:	ditekSHen
Description:	Detects ConnectWise Control (formerly ScreenConnect). Review RMM Inventory

Rule name:	INDICATOR_RMM_ConnectWise_ScreenConnect_CERT Create hunting rule
Author:	ditekSHen
Description:	Detects ConnectWise Control (formerly ScreenConnect) by (default) certificate. Review RMM Inventory

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_OLE_file_magic_number Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	QbotStuff Create hunting rule
Author:	anonymous

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/446918/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample