MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f19d0c3444439ed0550153d6c8943ca343154706e473cd7f3458f7f82880c7d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ConnectWise

Vendor detections: 11

Intelligence 11 IOCs YARA 4 File information Comments

SHA256 hash:	8f19d0c3444439ed0550153d6c8943ca343154706e473cd7f3458f7f82880c7d
SHA3-384 hash:	9314794e4b2416c1544da8aa23ab5e5c2032807c8bcc16cb3863b2ef48795bb95ebbbba5949b8fda30cd0e5ffa6a844f
SHA1 hash:	5119e5699c192172734ffd38925a9f2a425a4b93
MD5 hash:	041dc98d117f09e98218f2e0a9cfb0a1
humanhash:	fruit-bakerloo-twenty-eleven
File name:	ZoomWorkspace.vbs
Download:	download sample
Signature	ConnectWise Create hunting rule
File size:	6'034 bytes
First seen:	2025-12-12 14:15:43 UTC
Last seen:	2025-12-12 14:16:05 UTC
File type:	vbs
MIME type:	text/plain
ssdeep	96:IazT41mGBg6lNBXmUjhivcVV/ic34M7p/+1aC/imi2w6/f42dD/Km/Jcy4pj:1zTWlIoV/iDYp/+p/df/goD/Km/w
Threatray	1'093 similar samples on MalwareBazaar
TLSH	T133C1300FBD0BA63069335337965B7D1DEAA1645312120C25B9DE8187DF31658F7212EB
Magika	vba
Reporter	juroots
Tags:	ConnectWise vbs

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/44430/

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=693c23b1a675b653bd1078d7

Tags:

shellcode phishing dropper spawn

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

dnschanger expand lolbin lolbin msiexec rundll32 wscript

Link:

https://www.filescan.io/uploads/693c23afcf690d27f3dddd61/reports/970b1e6a-1b23-48fd-8ba8-df5023aabcdc/overview

Verdict:

Malicious

Labled as:

Trojan.Script.DNSChanger

Link:

https://www.hybrid-analysis.com/sample/8f19d0c3444439ed0550153d6c8943ca343154706e473cd7f3458f7f82880c7d

Verdict:

Malicious

File Type:

vbs

First seen:

2025-12-11T07:40:00Z UTC

Last seen:

2025-12-14T12:08:00Z UTC

Hits:

~100

Detections:

PDM:Trojan.Win32.Generic Trojan-Downloader.JS.SLoad.sb HEUR:Trojan.Script.Generic RemoteAdmin.ConnectWise.HTTP.C&C

Link:

https://opentip.kaspersky.com/8f19d0c3444439ed0550153d6c8943ca343154706e473cd7f3458f7f82880c7d/results?tab=lookup

Score:

Verdict:

Benign

File Type:

SCRIPT

Link:

https://malprob.io/report/8f19d0c3444439ed0550153d6c8943ca343154706e473cd7f3458f7f82880c7d

Verdict:

Malware

YARA:

2 match(es)

Tags:

ADODB.Stream Batch Command DeObfuscated MSXML2.XMLHTTP PowerShell PowerShell Call Scripting.FileSystemObject Shell.Application VBScript WinHttp.WinHttpRequest.5.1 WScript.Shell

Link:

https://app.malva.re/file/041dc98d117f09e98218f2e0a9cfb0a1

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8f19d0c3444439ed0550153d6c8943ca343154706e473cd7f3458f7f82880c7d/

Verdict:

Malicious

Threat:

RemoteAdmin.ConnectWise.HTTP

Link:

https://tip.neiki.dev/file/8f19d0c3444439ed0550153d6c8943ca343154706e473cd7f3458f7f82880c7d

Threat name:

Script.Trojan.Heuristic

Status:

Malicious

First seen:

2025-12-12 14:16:14 UTC

File Type:

Text (VBS)

AV detection:

9 of 38 (23.68%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=r4m5bq2eiq462bkqcu6wzckdzi2dcvdqnzdtzv7tiwhx7auibr6q._file

Verdict:

malicious

Label(s):

admintool_screenconnect

ConnectWise

26fbda92490b8ab92a28b709b11b31361266714200fa8954f91bb0bbc96e9c2a

ConnectWise

2f9155e9b3c398809d0ea8217600e6575d116b47744fcf76344622fbede1dddb

ConnectWise

3736f158f14a152920163270add0c7b202650ea3524ab584e3ce91088e1bccb0

ConnectWise

aa0d5f98bb9ef620d8ade9669e88def0a2833158e19ebb7eae8b5bfb23f7ea17

ConnectWise

aae9aeae9cad1d3f39698f3e63f06ea1158d59ba9d076ce82591b21600ee91c3

ConnectWise

d09a41581c732f175b4017608a74afd636cc32bde5f56e3d9bd1ca53ef6ec29c

ConnectWise

error

ConnectWise

+ 1'083 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

execution

Link:

https://tria.ge/reports/251212-rk9lkaspav/

Behaviour

Script User-Agent

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Checks computer location settings

Badlisted process makes network request

Command and Scripting Interpreter: PowerShell

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8f19d0c3444439ed0550153d6c8943ca343154706e473cd7f3458f7f82880c7d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	detect_tiny_vbs Create hunting rule
Author:	daniyyell
Description:	Detects tiny VBS delivery technique

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	WIN_ClickFix_Detection Create hunting rule
Author:	dogsafetyforeverone
Description:	Detects ClickFix social engineering technique using 'Verify you are human' messages and malicious PowerShell commands
Reference:	ClickFix social engineering and malicious PowerShell commands