MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8cd07d76149f8a23e591ac39dea3a6bfce1d3507fdfedeb4cceed87b36488d50. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ConnectWise


Vendor detections: 10



SHA256 hash: 8cd07d76149f8a23e591ac39dea3a6bfce1d3507fdfedeb4cceed87b36488d50
SHA3-384 hash: 5ad613f35e99d903f8d8583ea59fff39a0e3c8ca5dbd7c8f4d8ccffe5f8de66d3e4409b4be142912c0c89c6cd28c1d40
SHA1 hash: 09ec33034f44acdd8d327df25363ee5cc0572599
MD5 hash: b9d65b0053d45eef069a69f2adde621a
humanhash: lake-maryland-mexico-carpet
File name: Documents.js
Download: download sample
Signature: ConnectWise
File size: 1'835 bytes
First seen: 2025-03-26 07:16:42 UTC
Last seen: Never
File type: JavaScript (JS)
MIME type: text/plain
ssdeep: 24:oEu+QzpKTTyBJdHgYivbQPB3qK2JWY5iEHgHrtetb/4Z3MGZhXVQJyZBGWoayKP7:uNWTyBJdpivb1JWYvqetQfXycj+bM
Threatray: 590 similar samples on MalwareBazaar
TLSH: T19831EE696C1A93A69C331381DF0DF249C7A1A0AF3211D631344EE788BF3111C96B86DF
Magika: javascript
Reporter: abuse_ch
Tags: ConnectWise js

Intelligence


File Origin
# of uploads: 1
# of downloads: 455
Origin country: NL

Vendor Threat Intelligence

Verdict: Malicious
Score: 97.4%
Tags: connectwise shellcode dropper spawn

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm dropper evasive lolbin msiexec packed rundll32 wscript

Result
Verdict: MALICIOUS

Result
Threat name: ScreenConnect Tool
Detection: malicious
Classification: evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Benign windows process drops PE files
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to hide user accounts
Creates files in the system32 config directory
Enables network access during safeboot for specific services
JavaScript file contains suspicious strings
JScript performs obfuscated calls to suspicious functions
Modifies security policies related information
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Possible COM Object hijacking
Reads the Security eventlog
Reads the System eventlog
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
System process connects to network (likely due to code injection or exploit)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Behaviour
Behavior Graph:
Behavior Graph ID: 1648810. Sample: Documents.js. Startdate: 26/03/2025. Architecture: WINDOWS. Score: 100. The rendered graph is flattened to text below; dropped files and signatures are listed under the process they were attached to, and truncated paths are kept as the graph shows them.

Network contacts:
con.wolonman.com 104.21.77.5, 443, 49693 CLOUDFLARENETUS United States (contacted by wscript.exe)
relay.wolonman.com 199.230.105.20, 49696, 8041 SUDJAMUS United States (contacted by ScreenConnect.ClientService.exe)
bg.microsoft.map.fastly.net

Sample-level signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; .NET source code contains potential unpacker; 7 other signatures

Process tree:
Documents.js
  wscript.exe
    network: con.wolonman.com (104.21.77.5)
    dropped: C:\Users\user\AppData\Local\Temp\orders.exe (PE32); C:\Users\...\ScreenConnect.ClientSetup[1].exe (PE32)
    signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; JScript performs obfuscated calls to suspicious functions; 2 other signatures
    orders.exe
      signatures: Multi AV Scanner detection for dropped file; Contains functionality to hide user accounts
    orders.exe
      msiexec.exe
        dropped: C:\Users\user\AppData\Local\...\MSI4423.tmp (PE32)
  msiexec.exe
    dropped: C:\Windows\Installer\MSI59FF.tmp (PE32); C:\Windows\Installer\MSI554B.tmp (PE32); ScreenConnect.Wind...dentialProvider.dll (PE32+); 10 other files (3 malicious)
    signatures: Enables network access during safeboot for specific services; Modifies security policies related information
    msiexec.exe
      rundll32.exe
        dropped: C:\Users\user\...\ScreenConnect.Windows.dll (PE32); C:\...\ScreenConnect.InstallerActions.dll (PE32); C:\Users\user\...\ScreenConnect.Core.dll (PE32); 4 other malicious files
        signatures: Contains functionality to hide user accounts
    msiexec.exe
    msiexec.exe
  ScreenConnect.ClientService.exe
    network: relay.wolonman.com (199.230.105.20)
    signatures: Reads the Security eventlog; Reads the System eventlog
    ScreenConnect.WindowsClient.exe
      signatures: Creates files in the system32 config directory
    ScreenConnect.WindowsClient.exe
  5 other processes
    signatures: Changes security center settings (notifications, updates, antivirus, firewall)
    MpCmdRun.exe
      conhost.exe
Threat name: Document-HTML.Downloader.Heuristic
Status: Malicious
First seen: 2025-03-25 16:50:47 UTC
File Type: Text (Batch)
AV detection: 7 of 24 (29.17%)
Threat level: 2/5

Result
Malware family: n/a
Score: 8/10
Tags: discovery execution persistence privilege_escalation
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Boot or Logon Autostart Execution: Authentication Package
Drops file in System32 directory
Enumerates connected drives
Checks computer location settings
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Sets service image path in registry
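The two Sigma matches in the signature list above (WScript or CScript Dropper; Script Initiated Connection to Non-Local Network) and the network IOCs from the behaviour graph, written out as detection logic over Sysmon-style events. This is an added example, not code from MalwareBazaar or from any of the sandbox vendors quoted on this page. The Sysmon field names, the ScreenConnect install path and the event stream itself are constructed assumptions modelled on the process tree and IOCs shown above, not captured telemetry.

```python
"""Detection logic for the chain recorded in this entry: wscript.exe writes a
PE into %TEMP%, launches it, and a script host talks to a non-local address.
Added example, not MalwareBazaar or vendor code.  Assumptions: field names
follow Sysmon event IDs 1 (ProcessCreate), 3 (NetworkConnect) and 11
(FileCreate); SAMPLE_EVENTS is constructed from the behaviour graph."""

import ipaddress

# Network IOCs taken from the behaviour graph on this page.
IOC_DOMAINS = {"con.wolonman.com", "relay.wolonman.com"}
IOC_IPS = {"104.21.77.5", "199.230.105.20"}

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
PE_SUFFIXES = (".exe", ".dll", ".scr")

RULE_DROPPER = "WScript or CScript Dropper"
RULE_NET = "Script Initiated Connection to Non-Local Network"
RULE_IOC = "Known IOC from this MalwareBazaar entry"


def is_local(ip: str) -> bool:
    """True for private, loopback and link-local targets; anything else is 'non-local'."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_loopback or addr.is_link_local


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze(events):
    """Return (rule, detail) alerts for a list of event dicts, in event order."""
    alerts = []
    for ev in events:
        eid = ev["EventID"]
        image = basename(ev["Image"])
        if eid == 1:  # ProcessCreate: script host launching a PE out of a Temp directory
            parent = basename(ev.get("ParentImage", ""))
            if (parent in SCRIPT_HOSTS and image.endswith(PE_SUFFIXES)
                    and "\\temp\\" in ev["Image"].lower()):
                alerts.append((RULE_DROPPER, f"{parent} spawned {ev['Image']}"))
        elif eid == 11:  # FileCreate: script host writing a PE to disk
            target = ev["TargetFilename"]
            if image in SCRIPT_HOSTS and target.lower().endswith(PE_SUFFIXES):
                alerts.append((RULE_DROPPER, f"{image} wrote {target}"))
        elif eid == 3:  # NetworkConnect: script host to non-local, or any hit on known IOCs
            dst, port = ev["DestinationIp"], ev["DestinationPort"]
            host = ev.get("DestinationHostname", "").lower()
            if image in SCRIPT_HOSTS and not is_local(dst):
                alerts.append((RULE_NET, f"{image} -> {dst}:{port}"))
            if dst in IOC_IPS or host in IOC_DOMAINS:
                alerts.append((RULE_IOC, f"{image} -> {host or dst}:{port}"))
    return alerts


# Constructed events mirroring the behaviour graph (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 1000, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Users\user\Downloads\Documents.js"'},
    {"EventID": 3, "ProcessId": 1000, "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationIp": "104.21.77.5", "DestinationPort": 443,
     "DestinationHostname": "con.wolonman.com"},
    {"EventID": 11, "ProcessId": 1000, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\orders.exe"},
    {"EventID": 1, "ProcessId": 1100, "Image": r"C:\Users\user\AppData\Local\Temp\orders.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe", "CommandLine": "orders.exe"},
    # Install path below is assumed; the page only names the executable.
    {"EventID": 3, "ProcessId": 1200,
     "Image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "DestinationIp": "199.230.105.20", "DestinationPort": 8041,
     "DestinationHostname": "relay.wolonman.com"},
    # Benign noise: a script host reaching a private address must not fire the network rule.
    {"EventID": 3, "ProcessId": 1000, "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationIp": "192.168.1.10", "DestinationPort": 445, "DestinationHostname": ""},
]


def run_sample():
    """Run the rules over the constructed events; yields five alerts in event order."""
    return analyze(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, detail in run_sample():
        print(f"[{rule}] {detail}")
```

Two caveats when porting this to real telemetry: 104.21.77.5 sits in CLOUDFLARENETUS according to the graph, so matching on that address alone will also catch unrelated Cloudflare-fronted sites; key on con.wolonman.com where your logs carry the hostname. The "non-local" test here is a coarse proxy for the Sigma rule's allow-list of private ranges, so expect to add your own internal prefixes before the rule is quiet enough to alert on.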
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments