MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 994fd4e2ae80afedfa17ef2789eab8da068d8b5217bbf4d75ba6fea85d55d3fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ConnectWise


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 994fd4e2ae80afedfa17ef2789eab8da068d8b5217bbf4d75ba6fea85d55d3fe
SHA3-384 hash: d863561369733185f2bb7e26f27fdb164332bb0c38c0e843f80897ef903dc39d3c8a375282692a26274b27eabf8f365a
SHA1 hash: 555c00755fa3a5ba5ccb1f56e6a560c7bfa8c7b7
MD5 hash: 480b342c46e221bf5fe260375db46d21
humanhash: mirror-ceiling-texas-missouri
File name:994fd4e2ae80afedfa17ef2789eab8da068d8b5217bbf4d75ba6fea85d55d3fe.exe
Download: download sample
Signature ConnectWise
Create hunting rule
File size:5'272'328 bytes
First seen:2023-03-20 22:21:24 UTC
Last seen:2023-03-20 22:22:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9771ee6344923fa220489ab01239bdfd (245 x ConnectWise)
ssdeep 98304:99a6+6efP4Vm23wTDnO1O+ShhdYds3G3YQhWGl4sL/rBHB:JefP7JuNOhnCYIl40/rBh
Threatray 4 similar samples on MalwareBazaar
TLSH T16536F112B3D585B6D4BF0538E8B952669774BC185312CB6F5394BE693D33B808E233B2
TrID 74.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
15.7% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
3.9% (.EXE) Win64 Executable (generic) (10523/12/4)
1.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.7% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter Anonymous
Tags:ConnectWise exe instance-ptljvr-relay-screenconnect-com screenconnect signed

Code Signing Certificate

Organisation:Connectwise, LLC
Issuer:DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm:sha256WithRSAEncryption
Valid from:2022-08-17T00:00:00Z
Valid to:2025-08-15T23:59:59Z
Serial number: 0b9360051bccf66642998998d5ba97ce
Intelligence: 444 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 82b4e7924d5bed84fb16ddf8391936eb301479cec707dc14e23bc22b8cdeae28
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
Anonymous
https://financeirodigitalpj.com/

Intelligence

File Origin
# of uploads :
2
# of downloads :
311
Origin country :
GB GB
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
994fd4e2ae80afedfa17ef2789eab8da068d8b5217bbf4d75ba6fea85d55d3fe.exe
Verdict:
Malicious activity
Analysis date:
2023-03-20 22:27:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9f635cad-4747-420b-b306-f04511081066

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/376010/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Сreating synchronization primitives
Launching a process
Creating a file
Creating a window
Searching for synchronization primitives
Sending a custom TCP request
Launching a service
Modifying a system file
Creating a file in the Windows subdirectories
Creating a file in the Program Files subdirectories
Creating a service
Creating a process from a recently created file
DNS request
Moving a file to the Windows subdirectory
Using the Windows Management Instrumentation requests
Possible injection to a system process
Enabling autorun with the shell\open\command registry branches
Enabling autorun for a service
Unauthorized injection to a recently created process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/74323/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm greyware msiexec.exe overlay packed remoteadmin rundll32.exe virus
Link:
https://www.filescan.io/uploads/6418dc8b3b01ade53e6fd0b5/reports/a9a9e5dc-c13e-416f-84d0-3a2e0351d427/overview
Verdict:
Malicious
Labled as:
RemoteAdmin.ConnectWise
Link:
https://www.hybrid-analysis.com/sample/994fd4e2ae80afedfa17ef2789eab8da068d8b5217bbf4d75ba6fea85d55d3fe
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
ConnectWise
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/34dc5855-a248-4e84-8a5f-6d5700209ef6
Result
Threat name:
ScreenConnect Tool
Create hunting rule
Detection:
suspicious
Classification:
n/a
Score:
39 / 100
Link:
https://www.joesandbox.com/analysis/1198101
Signature
Contains functionality to hide user accounts
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 831002 Sample: bIc8YQ6aX3.exe Startdate: 20/03/2023 Architecture: WINDOWS Score: 39 53 Multi AV Scanner detection for submitted file 2->53 55 Contains functionality to hide user accounts 2->55 7 msiexec.exe 92 45 2->7         started        10 bIc8YQ6aX3.exe 3 2->10         started        12 ScreenConnect.ClientService.exe 17 17 2->12         started        process3 dnsIp4 31 C:\Windows\Installer\MSIE359.tmp, PE32 7->31 dropped 33 C:\Windows\Installer\MSIDFDD.tmp, PE32 7->33 dropped 35 ScreenConnect.Wind...dentialProvider.dll, PE32+ 7->35 dropped 39 7 other files (none is malicious) 7->39 dropped 15 msiexec.exe 7->15         started        17 msiexec.exe 1 7->17         started        19 msiexec.exe 7->19         started        37 C:\Users\user\AppData\...\bIc8YQ6aX3.exe.log, CSV 10->37 dropped 21 msiexec.exe 6 10->21         started        49 server-nixd4d461d5-relay.screenconnect.com 145.40.105.168, 443, 49696, 49697 BREEDBANDDELFTNL Netherlands 12->49 51 instance-ptljvr-relay.screenconnect.com 12->51 24 ScreenConnect.WindowsClient.exe 2 12->24         started        file5 process6 file7 26 rundll32.exe 8 15->26         started        29 C:\Users\user\AppData\Local\...\MSID56C.tmp, PE32 21->29 dropped process8 file9 41 C:\Users\user\...\ScreenConnect.Windows.dll, PE32 26->41 dropped 43 C:\...\ScreenConnect.InstallerActions.dll, PE32 26->43 dropped 45 C:\Users\user\...\ScreenConnect.Core.dll, PE32 26->45 dropped 47 Microsoft.Deployme...indowsInstaller.dll, PE32 26->47 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/994fd4e2ae80afedfa17ef2789eab8da068d8b5217bbf4d75ba6fea85d55d3fe/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tfh5jyvoqcx636qx54tyt2vy3idi3c2sc657jv23u37kqxkv2p7a._file
Verdict:
malicious
Similar samples:
0ce441304f7c47187c34fdf6d601624ce345c211e21a892328cf2205df7dfb47
ConnectWise
24cb773fd21e8ff6126882b218a5a178f41db0f4fdb290ca4b6b4afbfdb4e3a4
ConnectWise
60dbc8e2cb2389609132466a2125b832b478e2793db3b68a33ab0c3018f4b47b
ConnectWise
6e3a1e4e946e7b6cdf277b39d134cf68cd87b5ff4335e5cc5c8447add9faed23
ConnectWise
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/230320-1979gaff43/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Registers COM server for autorun
Sets service image path in registry
Unpacked files
SH256 hash:
0dbfcf54c4583121845aa7c3c657a48988b3b50312acd3cf4bcfdcccdb467838
MD5 hash:
9271cbe6b2ada5feb8813ca5948f0bd2
SHA1 hash:
ad39c647a05fe84443bcdb5f362ab830d5572e32
Link:
https://www.unpac.me/results/62fba127-6205-4716-97b7-4a2d771011da/
SH256 hash:
87c0b7317b318b601e77443446c1d062978ac0b4059c754b8e7d50001ad8077a
MD5 hash:
36e0b47b51d59e656de90f16f179ff93
SHA1 hash:
953b9e0b06e51c05730e8fc214925abe1575ed94
Link:
https://www.unpac.me/results/62fba127-6205-4716-97b7-4a2d771011da/
SH256 hash:
19ac323ca6eae2f8145cdc2bac865b32cd5a48ad6ff199d4ca7da214b056e1dc
MD5 hash:
5fb6074b08ac4709cf2f29fa5b49023e
SHA1 hash:
8bbb78a47c08867c50572f0bd2a27171f91e0454
Link:
https://www.unpac.me/results/62fba127-6205-4716-97b7-4a2d771011da/
SH256 hash:
ede789b057c643a3bf4f0a79c583bf54b94b521056a050211f5bb83c6b5d24a7
MD5 hash:
d2e798a4ea64b806903afe98a18576a7
SHA1 hash:
71c5d8f07e1790948487b960df9d160344c059fd
Link:
https://www.unpac.me/results/62fba127-6205-4716-97b7-4a2d771011da/
SH256 hash:
7e2a1466f0c40199870d90c27219fa3d1fd0535f9ab371c18da3d81885832941
MD5 hash:
1630b5cdfa7a57f0e2830679b57b3f16
SHA1 hash:
5e96a722476d3cc0d2bf65eb10a2f60d94c3cfc0
Link:
https://www.unpac.me/results/62fba127-6205-4716-97b7-4a2d771011da/
SH256 hash:
4e3e94e4f6891edf40cc10b5a102d6a506d4ac41e25474dc48e8ae270e7ff2b1
MD5 hash:
c745845e064c6113a6c822713682d15b
SHA1 hash:
276d6868daf51f94589f1e2bd392fe1b28f24019
Link:
https://www.unpac.me/results/62fba127-6205-4716-97b7-4a2d771011da/
SH256 hash:
994fd4e2ae80afedfa17ef2789eab8da068d8b5217bbf4d75ba6fea85d55d3fe
MD5 hash:
480b342c46e221bf5fe260375db46d21
SHA1 hash:
555c00755fa3a5ba5ccb1f56e6a560c7bfa8c7b7
Link:
https://www.unpac.me/results/62fba127-6205-4716-97b7-4a2d771011da/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.03
Link:
https://yomi.yoroi.company/submissions/994fd4e2ae80afedfa17ef2789eab8da068d8b5217bbf4d75ba6fea85d55d3fe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_DotNET_Encrypted
Create hunting rule
Author:ditekSHen
Description:Detects encrypted or obfuscated .NET executables
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:QbotStuff
Create hunting rule
Author:anonymous

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ConnectWise

Executable exe 994fd4e2ae80afedfa17ef2789eab8da068d8b5217bbf4d75ba6fea85d55d3fe

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/376010/

Comments