MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 78fa92bfeef7328387ff3d276112ea4cffbda6358dcec76a5d0b46260c835302. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ConnectWise


Vendor detections: 14


Intelligence 14 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 78fa92bfeef7328387ff3d276112ea4cffbda6358dcec76a5d0b46260c835302
SHA3-384 hash: 3f4ccac94ce5bd1b6ba9d849b06aff38eb83f83282bc388aa33908ef6f72fd3ac302981776828996b6b49aff2dbb0794
SHA1 hash: f7e5725ba3a2f71ce8c12bc48b26eb039ca784d2
MD5 hash: 378d66eaf4c131036a6f8d98dd73c6d2
humanhash: april-quiet-enemy-uranus
File name:ScreenConnect.ClientSetup.exe
Download: download sample
Signature ConnectWise
Create hunting rule
File size:12'583'352 bytes
First seen:2026-02-02 07:22:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9771ee6344923fa220489ab01239bdfd (252 x ConnectWise)
ssdeep 196608:81pfefPLiZJbjFd29WxmgZJbjFd29jZJbjFd29ZZJbjFd299:8l3b29Wwg3b29j3b29Z3b299
Threatray 1'454 similar samples on MalwareBazaar
TLSH T177C61201B3E685B9D0BF0638E87A92666B757C045722D6BF1794792D2E33B808E31377
TrID 40.3% (.EXE) Win64 Executable (generic) (10522/11/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter JoulK
Tags:ConnectWise exe screenconnect signed

Code Signing Certificate

Organisation:ConnectWise, LLC
Issuer:DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm:sha256WithRSAEncryption
Valid from:2025-06-23T00:00:00Z
Valid to:2028-06-22T23:59:59Z
Serial number: 0abbca120c79810a182f72f89c04358f
Intelligence: 157 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: b7902a93876909ba13bc23013f2c4239db57bfe742f500766a1673c5199fd1fb
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
139
Origin country :
QA QA
Vendor Threat Intelligence
Gathering data
Malware family:
n/a
ID:
1
File name:
ScreenConnect.ClientSetup.exe
Verdict:
Malicious activity
Analysis date:
2026-02-02 07:24:04 UTC
Tags:
screenconnect rmm-tool remote
Link:
https://app.any.run/tasks/e433cee5-db86-4e6b-af9d-874d931d15e9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/51158/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=698050f5848d0f834c8ca8cd
Tags:
connectwise shellcode dropper crypted
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
base64 installer-heuristic microsoft_visual_cc net packed privilege reconnaissance remoteadmin signed unsafe
Link:
https://www.filescan.io/uploads/698050ed930564ff3c82efb0/reports/e201979b-979b-4380-8f51-484c6478be47/overview
Verdict:
Malicious
Labled as:
RemoteAdmin.ConnectWiseControl
Link:
https://www.hybrid-analysis.com/sample/78fa92bfeef7328387ff3d276112ea4cffbda6358dcec76a5d0b46260c835302
Verdict:
Adware
File Type:
exe x32
First seen:
2026-02-02T04:55:00Z UTC
Last seen:
2026-02-02T04:59:00Z UTC
Hits:
~10
Detections:
not-a-virus:HEUR:RemoteAdmin.Win32.ConnectWise.gen
Link:
https://opentip.kaspersky.com/78fa92bfeef7328387ff3d276112ea4cffbda6358dcec76a5d0b46260c835302/results?tab=lookup
Malware family:
ConnectWise Inc
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/ec374f1b-7644-41e3-b31c-8c1307d94a83
Score:
95%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/78fa92bfeef7328387ff3d276112ea4cffbda6358dcec76a5d0b46260c835302
Verdict:
inconclusive
YARA:
9 match(es)
Tags:
.Net CAB:COMPRESSION:LZX CAB:COMPRESSION:NONE Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.00 SOS: 0.07 SOS: 0.21 SOS: 0.24 SOS: 0.25 SOS: 0.26 SOS: 0.27 SOS: 0.31 SOS: 0.36 SOS: 0.39 Win 32 Exe x86
Link:
https://app.malva.re/file/378d66eaf4c131036a6f8d98dd73c6d2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/78fa92bfeef7328387ff3d276112ea4cffbda6358dcec76a5d0b46260c835302/
Verdict:
Malicious
Threat:
Family.SCREENCONNECT
Link:
https://tip.neiki.dev/file/78fa92bfeef7328387ff3d276112ea4cffbda6358dcec76a5d0b46260c835302
Threat name:
Win32.PUA.ConnectWise
Create hunting rule
Status:
Suspicious
First seen:
2026-02-02 07:23:36 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
4 of 38 (10.53%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pd5jfp7o64zihb77hutwcexkjt733jrvrxhmo2s5bndcmdedkmba._file
Verdict:
suspicious
Label(s):
admintool_screenconnect
Create hunting rule
Similar samples:
29ef0043dfd8c1e642c559976201c44823757eb8cb2dc9c5e9f6183dd9678883
ConnectWise
5be22549da694e3d6493ca85d0eeba5b0903ad6c98a3770427cd2947962b4bc2
ConnectWise
5e6bcaf5c117205bd6e95bc9da38e3c9d384ec281f8efacb8b1671f4a6d3a1d8
ConnectWise
9f9ba57f3c2425d94a2a2d40886d8582ec75b774814d6eeb9f0069f969c5eb25
ConnectWise
be48b072d698b978b8547d3d8d6901586ec4abb129786cd880d294bd273a5b87
ConnectWise
d4099d9a8b3826e55795c4a0c6b1635ae96849518849e99004716785126854c5
ConnectWise
e9e09b3f618eb1a95b2d9d4928f5c59eec3073f3fafe216e9207b0728a8fd2af
ConnectWise
error
ConnectWise
+ 1'444 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
backdoor discovery persistence privilege_escalation ransomware rat
Link:
https://tria.ge/reports/260202-h71shaav5e/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Boot or Logon Autostart Execution: Authentication Package
Drops file in System32 directory
Event Triggered Execution: Component Object Model Hijacking
Badlisted process makes network request
Enumerates connected drives
ConnectWise ScreenConnect remote access tool
Sets service image path in registry
Unpacked files
SH256 hash:
78fa92bfeef7328387ff3d276112ea4cffbda6358dcec76a5d0b46260c835302
MD5 hash:
378d66eaf4c131036a6f8d98dd73c6d2
SHA1 hash:
f7e5725ba3a2f71ce8c12bc48b26eb039ca784d2
Link:
https://www.unpac.me/results/57ffa1a6-a303-4a27-854e-9b787bc198fe/
SH256 hash:
8a55c15cc76e31042e17458c479772aa95bc1b908016c85b1dc8b8e3eff23254
MD5 hash:
decb1fd20d75e6eade9289cc24605f29
SHA1 hash:
5169602d641c4f2ebd9ca0639622949e00c25566
Link:
https://www.unpac.me/results/57ffa1a6-a303-4a27-854e-9b787bc198fe/
SH256 hash:
1d1c8db8e0b387f244a0461fb6794af70ee88a17f71d8dcc6dd0874a0c8dab7f
MD5 hash:
376e2676392741ad688bc3bf3d83a26a
SHA1 hash:
2e0d280e3427db22a8697afe2e2dd557238f665a
Link:
https://www.unpac.me/results/57ffa1a6-a303-4a27-854e-9b787bc198fe/
SH256 hash:
29adce52ff944f421dddfc6516fac0e229656b57c1b12630e89d79e6f0ced806
MD5 hash:
e9a0de7488d34737c9e27fc67d2829ec
SHA1 hash:
b0d7b4e392f5fee30d6f4e2f37cc3eda4d803e39
Detections:
SUSP_NET_Large_Static_Array_In_Small_File_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/57ffa1a6-a303-4a27-854e-9b787bc198fe/
SH256 hash:
4f027dda50c064be1e2840c5b7d46a801162717416ca7889c2b164777942328a
MD5 hash:
e97ca14474db3107336a119fb45e0bda
SHA1 hash:
1a9b34dd4b3a764d242add089c412a3c51c3904d
Link:
https://www.unpac.me/results/57ffa1a6-a303-4a27-854e-9b787bc198fe/
SH256 hash:
65320237b4fef1095b90e57ec743cf56537b5738f27adfb8576baaa976e0fdc2
MD5 hash:
9dc28d81d5e0f6e1ce457b69961d1ba7
SHA1 hash:
5a5fd4d1454df3ad5871d51440940d3f264a0436
Link:
https://www.unpac.me/results/57ffa1a6-a303-4a27-854e-9b787bc198fe/
SH256 hash:
c2f3cd5810c1599879d2b6f24650714acb4986ac7313784eaac0143272294760
MD5 hash:
dcf509fd3810fd14deaa89abb0e33e12
SHA1 hash:
776b4ff21dfe0c2105529c4306ab79e063bce520
Link:
https://www.unpac.me/results/57ffa1a6-a303-4a27-854e-9b787bc198fe/
SH256 hash:
289a4eea79baa4141744e44d60db713e18b5f23322663c63047962f51b467614
MD5 hash:
48979a1a6d3badea8124bce04b1e01a5
SHA1 hash:
06931bd96343ce167eda796112a30ca8d9fa536a
Link:
https://www.unpac.me/results/57ffa1a6-a303-4a27-854e-9b787bc198fe/
SH256 hash:
2df3d39b3a9278aca6f23e977be44632a20ca92550ebfd5c787330b368a9651d
MD5 hash:
a702bed561f13af5f211e47c48df76eb
SHA1 hash:
7235f6652642e326c8ec58796226eee4ed79344c
Link:
https://www.unpac.me/results/57ffa1a6-a303-4a27-854e-9b787bc198fe/
SH256 hash:
0e457a4dea573bd4d98353bc4a196faa4a7ea50dbd87e8910091baaecf002cd0
MD5 hash:
73997173f0b452278dc45cdd9cc3e899
SHA1 hash:
7b2330a1683ce4f3b2aa88f5c872653c374cf936
Detections:
INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Link:
https://www.unpac.me/results/57ffa1a6-a303-4a27-854e-9b787bc198fe/
SH256 hash:
822fdca6cf7cbd50ebc77b9ca455cf0ad140b125de56a93344a12fd06b7762ff
MD5 hash:
e0d16a799e35bd230b63a02436766477
SHA1 hash:
8671fb354a824fa387fe97e47df95bb714dc0dbd
Link:
https://www.unpac.me/results/57ffa1a6-a303-4a27-854e-9b787bc198fe/
SH256 hash:
19ac323ca6eae2f8145cdc2bac865b32cd5a48ad6ff199d4ca7da214b056e1dc
MD5 hash:
5fb6074b08ac4709cf2f29fa5b49023e
SHA1 hash:
8bbb78a47c08867c50572f0bd2a27171f91e0454
Link:
https://www.unpac.me/results/57ffa1a6-a303-4a27-854e-9b787bc198fe/
SH256 hash:
ad6062215032ab58369403b1221562b5e7fb5ae7d52b29b7fad69eefb2d8455b
MD5 hash:
723f2aaeeda1d2bb2f49322da349ffc9
SHA1 hash:
ac6ab994beaff69adf8a2dc480a8a628175ff6c8
Link:
https://www.unpac.me/results/57ffa1a6-a303-4a27-854e-9b787bc198fe/
SH256 hash:
9342c7be8036a5f8dc3895d75e3314dce961fd3bc70ee59928c67fa04f0c7e08
MD5 hash:
5419ff27205d3e5affa3fc18b811b843
SHA1 hash:
cf49072c50456381cd26cd32cb97606c5f5cfd26
Link:
https://www.unpac.me/results/57ffa1a6-a303-4a27-854e-9b787bc198fe/
SH256 hash:
cb66f750284731758e72043e434ca3249b8f5d1c09b2d0aba3825750bab66001
MD5 hash:
4e476a3acb6ed9c62e5e4258c1a6fbcf
SHA1 hash:
ea7133f41380f645fc0babe45207cffca0d63efe
Detections:
INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Link:
https://www.unpac.me/results/57ffa1a6-a303-4a27-854e-9b787bc198fe/
SH256 hash:
3e2d5ccb71e114e3298dd7bcf35b38f2aabd9a56ab13302cbcf57bf6a207601f
MD5 hash:
24ef893faf727f19b875290897e2066a
SHA1 hash:
f21f216d6e68f004f51244bad23858e09b50f994
Link:
https://www.unpac.me/results/57ffa1a6-a303-4a27-854e-9b787bc198fe/
SH256 hash:
81950e86208234f80609387f180480ac6d9caf568b595a14bacfdaa2d13eefde
MD5 hash:
dbbbc36903b1e8ceec33690d54491435
SHA1 hash:
fe763622343d02030f6c50e199fda0d98446d1dc
Detections:
SUSP_NET_Shellcode_Loader_Indicators_Jan24
Create hunting rule
INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Link:
https://www.unpac.me/results/57ffa1a6-a303-4a27-854e-9b787bc198fe/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/78fa92bfeef7328387ff3d276112ea4cffbda6358dcec76a5d0b46260c835302

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_EXE_DotNET_Encrypted
Create hunting rule
Author:ditekSHen
Description:Detects encrypted or obfuscated .NET executables
Rule name:INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Author:ditekSHen
Description:Detects ConnectWise Control (formerly ScreenConnect). Review RMM Inventory
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/51158/

Comments