MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7adffc1c0b3fdcba46e8d0a81203c955976d4ef39893c98d0b2dbfbb8d6a8ec3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Vendor detections: 7



SHA256 hash: 7adffc1c0b3fdcba46e8d0a81203c955976d4ef39893c98d0b2dbfbb8d6a8ec3
SHA3-384 hash: 40a03471179e748dbcd72db6874e5abdd194546cbf533930a3f567cdb6f41b4c34df1a41ef2a0a1412d54fc1c2458ba9
SHA1 hash: 3cf97b5207e51a1ae8e640450279abef204f0466
MD5 hash: 752a7188f2bab1926a63254e29f3108a
humanhash: blossom-hawaii-arizona-mexico
File name: OneDriveServer.zip
Signature: ConnectWise
File size: 1'801'298 bytes
First seen: 2026-04-14 19:19:29 UTC
Last seen: Never
File type: zip
MIME type: application/zip
ssdeep 49152:xVN9Mu/qTBHt+CBJqbe9BkitnoDfqfTurHUezJ/T:xVI+uBHtFqbUkiNWfCTo0ed
TLSH T1C08533F7AEA65EFA183DC41CE60789812013376EED92FC43A971541116F8B925BFB2C4
Magika: zip
Reporter: smica83
Tags: ConnectWise zip

Intelligence


File Origin
# of uploads: 1
# of downloads: 66
Origin country: HU

File Archive Information

This file archive contains 12 file(s), sorted by their relevance:

File name: ScreenConnect.WindowsClient.exe.config
File size: 266 bytes
SHA256 hash: 87c640d3184c17d3b446a72d5f13d643a774b4ecc7afbedfd4e8da7795ea8077
MD5 hash: 728175e20ffbceb46760bb5e1112f38b
MIME type: text/xml
Signature: ConnectWise

File name: ScreenConnect.WindowsClient.exe
File size: 618'552 bytes
SHA256 hash: 7cd74f5e0fb8b9cdf3275a03ac29f25c88a2adea7afa1a1a0e719a54be9d9e2b
MD5 hash: f4f235efd9873261762b4d940972d756
MIME type: application/x-dosexec
Signature: ConnectWise

File name: Client.en-US.resources
File size: 66'330 bytes
SHA256 hash: efdb0b4fcc38b52cbf72336bd107a814db8454003f3495de21e2026a148823ea
MD5 hash: 92232708774febf9a4a464bbeda36215
MIME type: application/octet-stream
Signature: ConnectWise

File name: ScreenConnect.Core.dll
File size: 550'400 bytes
SHA256 hash: 9a1f0f3a87ee881d118234fe467b7dc7edee33cc67735380d60134d522b38fc6
MD5 hash: 5506ccec11c6e686d88bb3b929891659
MIME type: application/x-dosexec
Signature: ConnectWise

File name: ScreenConnect.ClientService.exe
File size: 95'288 bytes
SHA256 hash: ecd5ed16975d556d1d17bc980f248f8a5262bed11df9d9cf999efd9c273c11df
MD5 hash: fcb58cddda40825616c70c93b312a79a
MIME type: application/x-dosexec
Signature: ConnectWise

File name: ScreenConnect.WindowsFileManager.exe
File size: 81'464 bytes
SHA256 hash: 0fdc044e6e6be34d0654bc7858e10d022bd8c115c16cdd157184aca08715e45b
MD5 hash: 8a42171f41094a13b86a2b4fda8c3920
MIME type: application/x-dosexec
Signature: ConnectWise

File name: ScreenConnect.Windows.dll
File size: 1'742'392 bytes
SHA256 hash: cea1d85967d2c456fccecae3a70ff2adfe4c113aacf9d18c35906c2ed24ca9b4
MD5 hash: cdc55f204dd2d7e2240d5b785250e68d
MIME type: application/x-dosexec
Signature: ConnectWise

File name: ScreenConnect.WindowsBackstageShell.exe
File size: 60'984 bytes
SHA256 hash: 4a5ab50d7c2b63271dc1972f996b1af87d4ab9143a9df10d858ca7134afebc5e
MD5 hash: 5b86dbd8a8a9693958f720550e07924d
MIME type: application/x-dosexec
Signature: ConnectWise

File name: Client.resources
File size: 6'327 bytes
SHA256 hash: bd34378ad99f7609fa0c7c8edde6337c738a61d288863015629329806a1cc728
MD5 hash: 1e863134f29bcabe1ee571c91ac4fbe6
MIME type: application/octet-stream
Signature: ConnectWise

File name: app.config
File size: 508 bytes
SHA256 hash: 779c074d07a35de132ade25762da935077cf6a7da2c3812cc4f432d5dad73394
MD5 hash: 7b5bfce1109ea50893d85f908066f4eb
MIME type: text/xml
Signature: ConnectWise

File name: ScreenConnect.ClientService.dll
File size: 80'440 bytes
SHA256 hash: 881377643cc610e41a458b2797ac8ca4f018d3f39a1effd40b521ebb52c5e7af
MD5 hash: 4ec378ab38ad1512899de74ed30da605
MIME type: application/x-dosexec
Signature: ConnectWise

File name: ScreenConnect.Client.dll
File size: 408'632 bytes
SHA256 hash: c24f3f38cbad5591ca72bd3688b3bcc67b311143e3418905752a88887c649c12
MD5 hash: 73f5f4033295f0cb4fe0347f677f7ba6
MIME type: application/x-dosexec
Signature: ConnectWise

Vendor Threat Intelligence
Verdict: Malicious
Score: 81.4%
Tags: connectwise micro

Result
Verdict: SUSPICIOUS
Details:
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict: Adware
File Type: zip
First seen: 2026-03-21T00:00:00Z UTC
Last seen: 2026-03-21T00:16:00Z UTC
Hits: ~10

Result
Malware family: n/a
Score: 3/10
Tags: defense_evasion discovery

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name: extracted_at_0x44b
Author: cb
Description: sample - file extracted_at_0x44b.exe
Reference: Internal Research

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: INDICATOR_RMM_ConnectWise_ScreenConnect
Author: ditekSHen
Description: Detects ConnectWise Control (formerly ScreenConnect). Review RMM Inventory

Rule name: NETDLLMicrosoft
Author: malware-lu

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: pe_imphash

Rule name: RANSOMWARE
Author: ToroGuitar

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: SUSP_NET_Shellcode_Loader_Indicators_Jan24
Author: Jonathan Peters
Description: Detects indicators of shellcode loaders in .NET binaries
Reference: https://github.com/Workingdaturah/Payload-Generator/tree/main

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name: telebot_framework
Author: vietdx.mb

Rule name: VECT_Ransomware
Author: Mustafa Bakhit
Description: Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

ConnectWise zip 7adffc1c0b3fdcba46e8d0a81203c955976d4ef39893c98d0b2dbfbb8d6a8ec3 (this sample)

Delivery method: Distributed via web download
