MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a0646464157221267c2eab4e381231ce7e057212bec844e7bc860cd289c73e16. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ConnectWise


Vendor detections: 12


Intelligence 12 IOCs YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a0646464157221267c2eab4e381231ce7e057212bec844e7bc860cd289c73e16
SHA3-384 hash: 9e8660976315aa34a8dfa01206d48697552f281a72a5624fecd192278d67d9f3b5954f50cc9eb458e0e70bafcf440bad
SHA1 hash: 537681a23f6d3b249b1ede91715096bf9259d151
MD5 hash: 07283102bfaebfc2b7596602a1eb78a5
humanhash: one-illinois-solar-mango
File name:SSA-Benefit06052025.exe
Download: download sample
Signature ConnectWise
Create hunting rule
File size:5'347'592 bytes
First seen:2025-06-06 12:09:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9771ee6344923fa220489ab01239bdfd (244 x ConnectWise)
ssdeep 98304:Vxwxd/6+6efPCqe9kNDqnS2wdYdstG1f2yrOnTJkY:VxCyefPCq18nlwnzyrOnNv
Threatray 566 similar samples on MalwareBazaar
TLSH T10436F111B3D581B6D4BF0638D87952669770BC088326D7AF9794BE697D33B808E22373
TrID 61.4% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
15.5% (.EXE) Win64 Executable (generic) (10522/11/4)
7.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.6% (.EXE) Win32 Executable (generic) (4504/4/1)
2.9% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter juroots
Tags:ConnectWise exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
503
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://u23356477.ct.sendgrid.net/ls/click?upn=u001.AXM2KoghUkK-2B14KtemMWY67-2Fwspyi3OdSbVl9wzAOsBEqRg-2F4GO75RvexAxBwP5YIeAJzbBEKjAhjBL9HZLIyKlBLlDnf1k42cmBqU1977Ckpp-2FmToPpCRMo9tOxnXNKtzhWh4aUIvRVO2OxR6LayQ-3D-3DOnay_dU7ByA6vX7z47ue0IJutpTnEHCwqaOj182wYMNhVUIDFs11sfG7Is-2FCB4ykewTKvLRuZKNq1qprPGIxRdSu97efyAYfBH5BHOIP8gOqdAEL9t-2B28qr0pAAwwt1paWOv8xS-2B178-2F7XMjSS37r33GThyQwugGbtod1R6TjR26jiZfcalrn3V6IqOhD5dAfWcV2D64t7NZb54ktIQZQNlwYUg-3D-3D
Verdict:
Malicious activity
Analysis date:
2025-06-06 11:45:44 UTC
Tags:
screenconnect rmm-tool remote rat
Link:
https://app.any.run/tasks/abb8ae86-1021-4730-ae32-a4ea6ec715d4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/7671/
Detection(s):
Sanesecurity.Malware.29065.SC.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Siggen26.37800.12014.29258.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6842daf08bd5d68a12e5ec5b
Tags:
connectwise dropper virus micro
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Launching a process
Creating a file
Creating a window
Searching for synchronization primitives
Loading a suspicious library
Modifying a system file
Creating a file in the Windows subdirectories
Creating a file in the Program Files subdirectories
Creating a service
Launching a service
Creating a process from a recently created file
Searching for the window
DNS request
Moving a file to the Windows subdirectory
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Enabling autorun with the shell\open\command registry branches
Enabling autorun for a service
Unauthorized injection to a recently created process
Verdict:
Malicious
Labled as:
Win32_RemoteAdmin_ConnectWiseControl_E_potentially_unsafe
Link:
https://www.hybrid-analysis.com/sample/a0646464157221267c2eab4e381231ce7e057212bec844e7bc860cd289c73e16
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/87f7c44a-c1d9-4700-b712-fedebdea7549
Result
Threat name:
ScreenConnect Tool
Create hunting rule
Detection:
malicious
Classification:
evad
Score:
46 / 100
Link:
https://www.joesandbox.com/analysis/1708108
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to hide user accounts
Creates files in the system32 config directory
Detected potential unwanted application
Enables network access during safeboot for specific services
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Possible COM Object hijacking
Sigma detected: Remote Access Tool - ScreenConnect Suspicious Execution
Uses threadpools to delay analysis
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1708108 Sample: SSA-Benefit06052025.exe Startdate: 06/06/2025 Architecture: WINDOWS Score: 46 60 pulseriseglobal.com 2->60 64 Multi AV Scanner detection for submitted file 2->64 66 .NET source code contains potential unpacker 2->66 68 .NET source code references suspicious native API functions 2->68 70 6 other signatures 2->70 8 msiexec.exe 91 48 2->8         started        12 ScreenConnect.ClientService.exe 5 2->12         started        15 SSA-Benefit06052025.exe 3 2->15         started        17 6 other processes 2->17 signatures3 process4 dnsIp5 48 ScreenConnect.Wind...dentialProvider.dll, PE32+ 8->48 dropped 50 C:\...\ScreenConnect.WindowsClient.exe, PE32 8->50 dropped 52 C:\...\ScreenConnect.ClientService.exe, PE32 8->52 dropped 56 8 other files (1 malicious) 8->56 dropped 72 Enables network access during safeboot for specific services 8->72 19 msiexec.exe 8->19         started        21 msiexec.exe 1 8->21         started        23 msiexec.exe 8->23         started        62 pulseriseglobal.com 51.68.182.103, 49688, 8041 OVHFR France 12->62 25 ScreenConnect.WindowsClient.exe 12->25         started        28 ScreenConnect.WindowsClient.exe 2 12->28         started        54 C:\Users\user\...\SSA-Benefit06052025.exe.log, CSV 15->54 dropped 74 Uses threadpools to delay analysis 15->74 30 msiexec.exe 6 15->30         started        76 Changes security center settings (notifications, updates, antivirus, firewall) 17->76 33 MpCmdRun.exe 17->33         started        file6 signatures7 process8 file9 35 rundll32.exe 8 19->35         started        78 Creates files in the system32 config directory 25->78 80 Contains functionality to hide user accounts 25->80 58 C:\Users\user\AppData\Local\...\MSI9318.tmp, PE32 30->58 dropped 38 conhost.exe 33->38         started        signatures10 process11 file12 40 C:\Users\user\...\ScreenConnect.Windows.dll, PE32 35->40 dropped 42 C:\...\ScreenConnect.InstallerActions.dll, PE32 35->42 dropped 44 C:\Users\user\...\ScreenConnect.Core.dll, PE32 35->44 dropped 46 Microsoft.Deployme...indowsInstaller.dll, PE32 35->46 dropped
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a0646464157221267c2eab4e381231ce7e057212bec844e7bc860cd289c73e16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a0646464157221267c2eab4e381231ce7e057212bec844e7bc860cd289c73e16/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ubsgizavoiqsm7bovnhdqerrzz7ak4qsx3eejz54qygnfcohhyla._file
Verdict:
malicious
Label(s):
admintool_screenconnect
Create hunting rule
Similar samples:
184c629038e05bac72eb206a355d203612ddd7d4fbfff49f5248463bdaa6672c
ConnectWise
3a4ad89dd6951b958a09bb11ead2987b6ec2c56a097cce45fc3140a53699e7ec
ConnectWise
600a380c178cd94762e213c306b55cccdbfcc10b8be060386c0d2b4503ba1d9e
ConnectWise
90256ffaecaef72d4ea2147a53d2030dd8bcf3cde5fa5e2dc1f09a58f491b740
ConnectWise
925e293f9543126059e4b82806b526a494753255872d7e896246ed8c6432ab14
ConnectWise
a0646464157221267c2eab4e381231ce7e057212bec844e7bc860cd289c73e16
ConnectWise
error
ConnectWise
+ 556 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery persistence privilege_escalation
Link:
https://tria.ge/reports/250606-pb7phatqv3/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Enumerates connected drives
Checks computer location settings
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
Sets service image path in registry
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/414fd6cb-903a-4de5-b964-9185af776a4a
Unpacked files
SH256 hash:
a0646464157221267c2eab4e381231ce7e057212bec844e7bc860cd289c73e16
MD5 hash:
07283102bfaebfc2b7596602a1eb78a5
SHA1 hash:
537681a23f6d3b249b1ede91715096bf9259d151
Link:
https://www.unpac.me/results/45f9673e-d3d6-4ea7-a2bc-0b57ff0b8fea/
SH256 hash:
4988e919f011256869e2b7fa82a885e87137f46bbfa251e598ed0720dc831499
MD5 hash:
5822cde544c4214cb6cdda1f83ec2671
SHA1 hash:
c0bf0f9f6542f012b28a3659ff47e0518643cfa7
Link:
https://www.unpac.me/results/45f9673e-d3d6-4ea7-a2bc-0b57ff0b8fea/
SH256 hash:
8a55c15cc76e31042e17458c479772aa95bc1b908016c85b1dc8b8e3eff23254
MD5 hash:
decb1fd20d75e6eade9289cc24605f29
SHA1 hash:
5169602d641c4f2ebd9ca0639622949e00c25566
Link:
https://www.unpac.me/results/45f9673e-d3d6-4ea7-a2bc-0b57ff0b8fea/
SH256 hash:
ad6062215032ab58369403b1221562b5e7fb5ae7d52b29b7fad69eefb2d8455b
MD5 hash:
723f2aaeeda1d2bb2f49322da349ffc9
SHA1 hash:
ac6ab994beaff69adf8a2dc480a8a628175ff6c8
Link:
https://www.unpac.me/results/45f9673e-d3d6-4ea7-a2bc-0b57ff0b8fea/
SH256 hash:
289a4eea79baa4141744e44d60db713e18b5f23322663c63047962f51b467614
MD5 hash:
48979a1a6d3badea8124bce04b1e01a5
SHA1 hash:
06931bd96343ce167eda796112a30ca8d9fa536a
Link:
https://www.unpac.me/results/45f9673e-d3d6-4ea7-a2bc-0b57ff0b8fea/
SH256 hash:
05e78416a344f74095e36ff14baa719867e9e163e1ae9a96c29df8615748b0ae
MD5 hash:
254d64388c6c52228d7a921960a03f6b
SHA1 hash:
b023b69348bb06c4b4ad67bee0f55bb9cfb3748c
Detections:
INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
SUSP_NET_Shellcode_Loader_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/45f9673e-d3d6-4ea7-a2bc-0b57ff0b8fea/
Parent samples :
184c629038e05bac72eb206a355d203612ddd7d4fbfff49f5248463bdaa6672c
3a4ad89dd6951b958a09bb11ead2987b6ec2c56a097cce45fc3140a53699e7ec
a0646464157221267c2eab4e381231ce7e057212bec844e7bc860cd289c73e16
ee3f44b845311eaf6fcc13ebcadf20db6501d19c23b775a81547bf73c61c4e83
SH256 hash:
9f7b3fe209ffb2f09bd4484f2dcbd4f821dddd28e5a007e10013836db60f9db3
MD5 hash:
cbc13ed6bfe5af87f7d9bd9f08d56d12
SHA1 hash:
0307dd7aa2b548d27b0312b4f18d45fe93a56919
Link:
https://www.unpac.me/results/45f9673e-d3d6-4ea7-a2bc-0b57ff0b8fea/
SH256 hash:
3b0c45370ca9295881ef5e9d14402c42dfb45803f54d542e6a7e595a05f365a1
MD5 hash:
6c5d0928642bf37ceed295b984e05be2
SHA1 hash:
46be0d5a7db56cb1ad77274709d0db053a3c0999
Detections:
INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Link:
https://www.unpac.me/results/45f9673e-d3d6-4ea7-a2bc-0b57ff0b8fea/
Parent samples :
184c629038e05bac72eb206a355d203612ddd7d4fbfff49f5248463bdaa6672c
3a4ad89dd6951b958a09bb11ead2987b6ec2c56a097cce45fc3140a53699e7ec
a0646464157221267c2eab4e381231ce7e057212bec844e7bc860cd289c73e16
ee3f44b845311eaf6fcc13ebcadf20db6501d19c23b775a81547bf73c61c4e83
SH256 hash:
d7f95e2a6d4927aa2f4eb0dc9f3de63c1fbe46b89258975c4e84efcdecde1a65
MD5 hash:
96216fd1b79c27f62c83e809c0676427
SHA1 hash:
8204bcc42c78d3c4a4d34c509d6b2f28eb0a89ac
Link:
https://www.unpac.me/results/45f9673e-d3d6-4ea7-a2bc-0b57ff0b8fea/
SH256 hash:
19ac323ca6eae2f8145cdc2bac865b32cd5a48ad6ff199d4ca7da214b056e1dc
MD5 hash:
5fb6074b08ac4709cf2f29fa5b49023e
SHA1 hash:
8bbb78a47c08867c50572f0bd2a27171f91e0454
Link:
https://www.unpac.me/results/45f9673e-d3d6-4ea7-a2bc-0b57ff0b8fea/
SH256 hash:
022ffc5289123852fd3a43ec6a648c16f9ee1c77a0f01f18d6d292e20f865264
MD5 hash:
e2f28dfc8ad7b8c835c4cb7e91895610
SHA1 hash:
9f5038ab97076ba5d6a1010e2799084f8d8d4e7d
Detections:
INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Link:
https://www.unpac.me/results/45f9673e-d3d6-4ea7-a2bc-0b57ff0b8fea/
Parent samples :
184c629038e05bac72eb206a355d203612ddd7d4fbfff49f5248463bdaa6672c
3a4ad89dd6951b958a09bb11ead2987b6ec2c56a097cce45fc3140a53699e7ec
a0646464157221267c2eab4e381231ce7e057212bec844e7bc860cd289c73e16
ee3f44b845311eaf6fcc13ebcadf20db6501d19c23b775a81547bf73c61c4e83
SH256 hash:
1698d7431ab4e0458e8ac84e0851ec813f290e929319dd825257cbbe8f4dade4
MD5 hash:
18c27c1e8686615e17baf01786ba143e
SHA1 hash:
e3ed60202db0c9beb9a8bd821144f729cdde55b0
Detections:
INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Link:
https://www.unpac.me/results/45f9673e-d3d6-4ea7-a2bc-0b57ff0b8fea/
Parent samples :
184c629038e05bac72eb206a355d203612ddd7d4fbfff49f5248463bdaa6672c
3a4ad89dd6951b958a09bb11ead2987b6ec2c56a097cce45fc3140a53699e7ec
a0646464157221267c2eab4e381231ce7e057212bec844e7bc860cd289c73e16
ee3f44b845311eaf6fcc13ebcadf20db6501d19c23b775a81547bf73c61c4e83
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a0646464157221267c2eab4e381231ce7e057212bec844e7bc860cd289c73e16

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_EXE_DotNET_Encrypted
Create hunting rule
Author:ditekSHen
Description:Detects encrypted or obfuscated .NET executables
Rule name:INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Author:ditekSHen
Description:Detects ConnectWise Control (formerly ScreenConnect). Review RMM Inventory
Rule name:INDICATOR_RMM_ConnectWise_ScreenConnect_CERT
Create hunting rule
Author:ditekSHen
Description:Detects ConnectWise Control (formerly ScreenConnect) by (default) certificate. Review RMM Inventory
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETDLLMicrosoft
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:win_rat_generic
Create hunting rule
Author:Reedus0
Description:Rule for detecting generic RAT malware
Rule name:win_stealer_generic
Create hunting rule
Author:Reedus0
Description:Rule for detecting generic stealer malware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ConnectWise

Executable exe a0646464157221267c2eab4e381231ce7e057212bec844e7bc860cd289c73e16

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/7671/
  
URLhaus
https://urlhaus.abuse.ch/url/3558737/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW

Comments