MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a4efab7f3ce7ffb0b6402086f5f8eee8b8c117bca5805167ffd79e0ea81784e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ConnectWise

Vendor detections: 7

Intelligence 7 IOCs YARA 23 File information Comments

SHA256 hash:	a4efab7f3ce7ffb0b6402086f5f8eee8b8c117bca5805167ffd79e0ea81784e1
SHA3-384 hash:	800a07091efa0efae95645fa5fe7de189a2c3f12cd261f46537a7387fca2725f888f6e7bfa03036cb25339b8817f2437
SHA1 hash:	115f2682f0c6cf5bbe2ec9997348ffa5949b858d
MD5 hash:	7f980b41b32f169556bb841f8d9412e3
humanhash:	asparagus-hawaii-september-illinois
File name:	Stake Predictor V 7.2.zip
Download:	download sample
Signature	ConnectWise Create hunting rule
File size:	23'317'341 bytes
First seen:	2025-03-31 23:30:35 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	393216:9N+Jme7HZoxA5UT4mJEgTg1kTui9krOG5bh9kp7MRX/vN9bpAspBPl:SBjZoxA5Y3Jrui0p5bcp7E/vXbphBPl
TLSH	T134373343D50C027BCE9B686F979EFDD91278C976001744B2EA086E4C9B63353A1FEB58
Magika	zip
Reporter	aachum
Tags:	ConnectWise jmutanen software Oy zip

iamaachum

https://sourceforge.net/projects/stake-predictor/

ScreenConnect C2: microsoftnet.ru

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

File Archive Information

This file archive contains 4 file(s), sorted by their relevance:

File name:	VC_redist.x64.exe
File size:	13'949'616 bytes
SHA256 hash:	c4e3992f3883005881cf3937f9e33f1c7d792ac1c860ea9c52d8f120a16a7eb1
MD5 hash:	3ca2b599c42442b57aeb07229d731d71
MIME type:	application/x-dosexec
Signature	ConnectWise

File name:	VC_redist.x86.msi
File size:	9'924'608 bytes
SHA256 hash:	b5aca84d6ed69712edbf572db54cfdfd4375f5f89326e5fcecbe2adf9b9fee68
MD5 hash:	a2262594095967220b064086164c7ad3
MIME type:	application/x-msi
Signature	ConnectWise

File name:	Stake Predictor.exe
File size:	299'072 bytes
SHA256 hash:	e11a9404b163f3674bed28b2ee29c78464e6221b8b05a4727dbea1d29a8b3e00
MD5 hash:	8f226460531c82056fa514d40ba96964
MIME type:	application/x-dosexec
Signature	ConnectWise

File name:	Stake Predictor.data
File size:	8'704 bytes
SHA256 hash:	7c8f2a2ffbe4da5c85f2c764b988feceaed2b7fb21049196e8c014fdf9ee934c
MD5 hash:	1e1a03c1926def157aba3d0c5c116604
MIME type:	application/x-dosexec
Signature	ConnectWise

Vendor Threat Intelligence

Verdict:

Malicious

Score:

94.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67eb27b2855e5ec5240b160d

Tags:

shellcode dropper remo

Verdict:

Unknown

Threat level:

n/a -.1/10

Confidence:

100%

Tags:

adaptive-context crypto expand fingerprint installer lolbin masquerade microsoft_visual_cc overlay runonce signed

Link:

https://www.filescan.io/uploads/67eb25bc631830704a8c9e42/reports/3bbce967-010e-4694-a509-97fa66403e7f/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/a4efab7f3ce7ffb0b6402086f5f8eee8b8c117bca5805167ffd79e0ea81784e1

Result

Verdict:

SUSPICIOUS

Link:

https://labs.inquest.net/dfi/sha256/a4efab7f3ce7ffb0b6402086f5f8eee8b8c117bca5805167ffd79e0ea81784e1

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Score:

85%

Verdict:

Malware

File Type:

Result

Malware family:

n/a

Score:

8/10

Tags:

discovery persistence privilege_escalation

Link:

https://tria.ge/reports/250401-fxm3jstxgy/

Behaviour

Checks processor information in registry

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Drops file in Windows directory

Boot or Logon Autostart Execution: Authentication Package

Drops file in System32 directory

Blocklisted process makes network request

Enumerates connected drives

Checks computer location settings

Event Triggered Execution: Component Object Model Hijacking

Executes dropped EXE

Loads dropped DLL

Sets service image path in registry

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a4efab7f3ce7ffb0b6402086f5f8eee8b8c117bca5805167ffd79e0ea81784e1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_RMM_ConnectWise_ScreenConnect Create hunting rule
Author:	ditekSHen
Description:	Detects ConnectWise Control (formerly ScreenConnect). Review RMM Inventory

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)