MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a268706b51885e33133aa9a07761f6e7d3384961eab65784ad895544b220fc65. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ConnectWise

Vendor detections: 14

Intelligence 14 IOCs YARA 10 File information Comments

SHA256 hash:	a268706b51885e33133aa9a07761f6e7d3384961eab65784ad895544b220fc65
SHA3-384 hash:	abfa1dd1ba7692e4147368e03fcecb4284e35ce08e835f7e175ed5795ed94a654fad2154875164fc49546588904e12de
SHA1 hash:	dfd74c0c64a0ea3abe50644a890babe11f5f0c79
MD5 hash:	ca4ca8b8c3f34585e5efeebbcdf61714
humanhash:	ink-coffee-four-emma
File name:	E-receipt-67.exe
Download:	download sample
Signature	ConnectWise Create hunting rule
File size:	5'637'408 bytes
First seen:	2024-10-16 20:56:59 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	9771ee6344923fa220489ab01239bdfd (243 x ConnectWise)
ssdeep	98304:/4s6efPOEnXkHywo+EVhaecMUzG4uc96ob2:gfefPFZs6Uruc9Xb
Threatray	106 similar samples on MalwareBazaar
TLSH	T12E46E001B3D599B9D5BF0678D87A42695A34BC048316CBFF97D0BD292E32BC04E32766
TrID	68.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 12.5% (.EXE) Win64 Executable (generic) (10522/11/4) 6.0% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.4% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	GovCERT_CH
Tags:	ConnectWise exe screenconnect signed

Code Signing Certificate

Organisation:	Connectwise, LLC
Issuer:	DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm:	sha256WithRSAEncryption
Valid from:	2022-08-17T00:00:00Z
Valid to:	2025-08-15T23:59:59Z
Serial number:	0b9360051bccf66642998998d5ba97ce
Intelligence:	444 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	82b4e7924d5bed84fb16ddf8391936eb301479cec707dc14e23bc22b8cdeae28
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

411

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

E-receipt-67.exe

Verdict:

Suspicious activity

Analysis date:

2024-10-16 21:00:21 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/91f65059-9c7f-4054-83d9-0a16bc7b80a0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Sanesecurity.Malware.29065.SC.UNOFFICIAL

SecuriteInfo.com.Trojan.Siggen26.37800.12014.29258.UNOFFICIAL

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=671028a11d4ef219fa6381a4

Tags:

Connectwise Dropper Exploit Blic

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/a268706b51885e33133aa9a07761f6e7d3384961eab65784ad895544b220fc65

Result

Verdict:

MALICIOUS

Malware family:

ConnectWise

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/6486e5c5-d667-4c11-a1b1-e6ede842f92c

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/a268706b51885e33133aa9a07761f6e7d3384961eab65784ad895544b220fc65

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a268706b51885e33133aa9a07761f6e7d3384961eab65784ad895544b220fc65/

Threat name:

Win32.Trojan.Generic

Status:

Malicious

First seen:

2024-10-16 20:58:06 UTC

File Type:

PE (Exe)

Extracted files:

185

AV detection:

7 of 38 (18.42%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ujuha22rrbpdgez2vgqhoypw47jtqslb5k3fpbfnrfkujmra7rsq._file

Verdict:

malicious

Label(s):

admintool_screenconnect

ConnectWise

1f473e89717a811066269c38eb6a53a9a0ea0e5788190636b45622b74eaa4d53

ConnectWise

38cc1edc62b4b1296ed7045c238b9bb82f4c613281810973e433cce035c10d5d

ConnectWise

56f2d60a446835b53f1ecb54fefebd55c0cfd8c4511a8a96f0e396ad8bc22dbb

ConnectWise

6d7c89f55c50eb63071a1eb0ef8b212a8d87e42aa376fa63d433120b212b4a48

ConnectWise

934a35f92555d0004e1fb78fd91f6dd33036afa329c0900969adb07305231f74

ConnectWise

9d77eb0fee359764d3362dbbafb96472cf549fe144d95b3fe9dc97d0b5828976

ConnectWise

aa1b77e4203f23734eee91f426b9167c579f3a075ddc45c42ac4714ddc56d03a

ConnectWise

d014a441cee293d4696bfcb06d51816536312bf2f1d5ddfd224d4e6d8660f06b

ConnectWise

e8138e2cd06e85a73dd8993cfe4a86d14e96583a372df10aa7aeed7dca810201

ConnectWise

error

ConnectWise

+ 96 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

discovery persistence privilege_escalation

Link:

https://tria.ge/reports/241016-zrkj1ssdma/

Behaviour

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Drops file in Windows directory

Executes dropped EXE

Loads dropped DLL

Boot or Logon Autostart Execution: Authentication Package

Checks computer location settings

Event Triggered Execution: Component Object Model Hijacking

Enumerates connected drives

Sets service image path in registry

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/98bfff5b-550b-4efe-bdb4-ebc9b61861a6

Unpacked files

SH256 hash:

44a3eee68faba16a2ae2c9397771d7226b5daf8cb3a6e85cb1b4a6658b5a4464

MD5 hash:

beec5223b72fdde6b32c7ac718afb3f8

SHA1 hash:

e1632f49fb8adef91970550d8b85d0319fece985

Detections:

INDICATOR_RMM_ConnectWise_ScreenConnect

Link:

https://www.unpac.me/results/87fea60a-8d74-45aa-a909-b0c247efa250/

Parent samples :

e8138e2cd06e85a73dd8993cfe4a86d14e96583a372df10aa7aeed7dca810201
38cc1edc62b4b1296ed7045c238b9bb82f4c613281810973e433cce035c10d5d
a268706b51885e33133aa9a07761f6e7d3384961eab65784ad895544b220fc65
6a6da112f2da17e9372b53ac8eb1e06ef5c804f66c5ee2362d8b74a8d60fc73a
3c03cf93a80c9fa3a655d0c227429736d7f2bb627ee462fea40cd9da53a6c988
723553540a5bdd7ae07408bceef12e9b4feb1b572a5c0d30c251fe2bdf4bc5bf
29e369f7b7ee09c8b15a8dc133561d4d71e55c100eeff8d7e72d2c6016b179e9
2baad4cb8a8d6af1916b38237bb766c89c2bde59d555b73484722a48463d4a6f
762e2a16be5fd2a274ba0db78f20d4ba2e6f1b51ed962bd793349bf7de522638
4db7803a3142fb22ba63631612943f91459eceb4e1ded7b88808f9cec74f87b0

SH256 hash:

9342c7be8036a5f8dc3895d75e3314dce961fd3bc70ee59928c67fa04f0c7e08

MD5 hash:

5419ff27205d3e5affa3fc18b811b843

SHA1 hash:

cf49072c50456381cd26cd32cb97606c5f5cfd26

Link:

https://www.unpac.me/results/87fea60a-8d74-45aa-a909-b0c247efa250/

SH256 hash:

6273504e10114ac8d423cb2e0123ae8e0d2a65087f411bdba251fc19143b975a

MD5 hash:

ccb8c1906b7580f51d6347792904bbff

SHA1 hash:

ca1c89b806f871d8d88e6d10efd8b40fd52277fb

Detections:

INDICATOR_RMM_ConnectWise_ScreenConnect

Link:

https://www.unpac.me/results/87fea60a-8d74-45aa-a909-b0c247efa250/

Parent samples :

SH256 hash:

a1edd67a131505cc84d76601474c53874a56b5437b835838e4a866e20f6cd264

MD5 hash:

d196174cf03f86c8776e717f07d5d19f

SHA1 hash:

bbd2c6a59229b3e4ec7c5742248f3f55a61dd216

Detections:

INDICATOR_RMM_ConnectWise_ScreenConnect

SUSP_NET_Shellcode_Loader_Indicators_Jan24

Link:

https://www.unpac.me/results/87fea60a-8d74-45aa-a909-b0c247efa250/

Parent samples :

SH256 hash:

ad6062215032ab58369403b1221562b5e7fb5ae7d52b29b7fad69eefb2d8455b

MD5 hash:

723f2aaeeda1d2bb2f49322da349ffc9

SHA1 hash:

ac6ab994beaff69adf8a2dc480a8a628175ff6c8

Link:

https://www.unpac.me/results/87fea60a-8d74-45aa-a909-b0c247efa250/

SH256 hash:

19ac323ca6eae2f8145cdc2bac865b32cd5a48ad6ff199d4ca7da214b056e1dc

MD5 hash:

5fb6074b08ac4709cf2f29fa5b49023e

SHA1 hash:

8bbb78a47c08867c50572f0bd2a27171f91e0454

Link:

https://www.unpac.me/results/87fea60a-8d74-45aa-a909-b0c247efa250/

SH256 hash:

fbb9bb02edf5dd03603b5123d9936d00c8018d4f7ae981f5e1d72f557cf188da

MD5 hash:

cb25eeeb670c22c147bd8bd20b4390f8

SHA1 hash:

726899deee7bd2d7e676e27a70780237d8356823

Link:

https://www.unpac.me/results/87fea60a-8d74-45aa-a909-b0c247efa250/

SH256 hash:

a843b3a4549c43ef5bd8470cacf5d2f0f3b3c8110441fcc10079facc7db3de29

MD5 hash:

3b1ba4bebefdc8a95b0f2f0b4e50c527

SHA1 hash:

15551d2e8bfb829f3a96d161b43de820c0d417ce

Detections:

INDICATOR_RMM_ConnectWise_ScreenConnect

Link:

https://www.unpac.me/results/87fea60a-8d74-45aa-a909-b0c247efa250/

Parent samples :

SH256 hash:

948c5e547421f1bd4a65b8c6812b807d4e85157ef7fcd78cd6f017a91cfd6039

MD5 hash:

73ef4d7e345e5b8ce27167770a0bb1be

SHA1 hash:

0ad658954bfe363dd5a1b4d206802f30e6857e82

Link:

https://www.unpac.me/results/87fea60a-8d74-45aa-a909-b0c247efa250/

SH256 hash:

289a4eea79baa4141744e44d60db713e18b5f23322663c63047962f51b467614

MD5 hash:

48979a1a6d3badea8124bce04b1e01a5

SHA1 hash:

06931bd96343ce167eda796112a30ca8d9fa536a

Link:

https://www.unpac.me/results/87fea60a-8d74-45aa-a909-b0c247efa250/

SH256 hash:

8a55c15cc76e31042e17458c479772aa95bc1b908016c85b1dc8b8e3eff23254

MD5 hash:

decb1fd20d75e6eade9289cc24605f29

SHA1 hash:

5169602d641c4f2ebd9ca0639622949e00c25566

Link:

https://www.unpac.me/results/87fea60a-8d74-45aa-a909-b0c247efa250/

SH256 hash:

a268706b51885e33133aa9a07761f6e7d3384961eab65784ad895544b220fc65

MD5 hash:

ca4ca8b8c3f34585e5efeebbcdf61714

SHA1 hash:

dfd74c0c64a0ea3abe50644a890babe11f5f0c79

Link:

https://www.unpac.me/results/87fea60a-8d74-45aa-a909-b0c247efa250/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a268706b51885e33133aa9a07761f6e7d3384961eab65784ad895544b220fc65

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	INDICATOR_EXE_DotNET_Encrypted Create hunting rule
Author:	ditekSHen
Description:	Detects encrypted or obfuscated .NET executables

Rule name:	INDICATOR_RMM_ConnectWise_ScreenConnect Create hunting rule
Author:	ditekSHen
Description:	Detects ConnectWise Control (formerly ScreenConnect). Review RMM Inventory

Rule name:	INDICATOR_RMM_ConnectWise_ScreenConnect_CERT Create hunting rule
Author:	ditekSHen
Description:	Detects ConnectWise Control (formerly ScreenConnect) by (default) certificate. Review RMM Inventory

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Joe Sandbox

https://jbxcloud.joesecurity.org/analysis/4163308

Delivery method

Distributed via e-mail link

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_TRUST_INFO	Requires Elevated Execution (level:requireAdministrator)	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetCommandLineA KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleMode KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample