MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5b1a12aa56b1dd1ebfbcf8e658443f8ed0c314e8b9be6a9622427cd77bbeadd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ConnectWise


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a5b1a12aa56b1dd1ebfbcf8e658443f8ed0c314e8b9be6a9622427cd77bbeadd
SHA3-384 hash: de29af5309540b7f97cc4d5f6c13b3b01880384d0f386aa86cdbeb28af304f05a37f17a0c350a825f069741f2bcafa48
SHA1 hash: 760fc0ce2ec8f41b67b72a4e992fcb76a6766f32
MD5 hash: 484730d6e8a5e03f3d795062e1c5b199
humanhash: nitrogen-asparagus-september-grey
File name:COAF-POLICIAFEDERAL.bin
Download: download sample
Signature ConnectWise
Create hunting rule
File size:4'045'064 bytes
First seen:2026-02-13 19:22:20 UTC
Last seen:2026-02-14 23:46:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ed4f5f04d62b18d96b26d6db7c18840 (391 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep 98304:LLPx4ojSGoG4oIfE4xIrVtBaN9xBbN01jPJU4Fr:L3poGqxIZt6bNGS0r
Threatray 1'426 similar samples on MalwareBazaar
TLSH T12B16337A7CCF3CAEE1ACC3B487B87113A1E0469DD187529729DD6A0B47B88909F061D7
TrID 63.5% (.EXE) UPX compressed Win64 Executable (70117/5/12)
24.5% (.EXE) UPX compressed Win32 Executable (27066/9/6)
4.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.8% (.ICL) Windows Icons Library (generic) (2059/9)
1.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter johnk3r
Tags:ConnectWise conseg-ssp-go-gov-br exe impressoraantig-com signed

Code Signing Certificate

Organisation:BSD TASIMACILIK TURIZM INSAAT SANAYI TICARET LIMITED SIRKETI
Issuer:Sectigo Public Code Signing CA EV R36
Algorithm:sha256WithRSAEncryption
Valid from:2026-01-30T00:00:00Z
Valid to:2027-01-30T23:59:59Z
Serial number: bca75234f538c606eecbdd0c8646f774
Cert Graveyard Blocklist:This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:SHA256
Thumbprint: 706ab38bb800d5eb8795eae9477faa084f0d45406657a2e3ccf275a521089219
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
3
# of downloads :
146
Origin country :
CH CH
Vendor Threat Intelligence
Malware configuration found for:
PEPacker
Details
PEPacker
a UPX version number and an unpacked binary
Link:
https://research.acce.ciphertechsolutions.com/results/f326e9da-e94f-46d0-ac80-c8db6e538f74/
Malware family:
n/a
ID:
1
File name:
COAF-POLICIAFEDERAL.bin.exe
Verdict:
Malicious activity
Analysis date:
2026-02-13 19:26:27 UTC
Tags:
screenconnect tool rmm-tool remote
Link:
https://app.any.run/tasks/d5890c21-c405-472a-9946-d35f8b66ec6a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/53297/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=698f7a2776589225f66680b3
Tags:
connectwise shellcode dropper blic
Verdict:
Suspicious
Link:
https://www.hybrid-analysis.com/sample/a5b1a12aa56b1dd1ebfbcf8e658443f8ed0c314e8b9be6a9622427cd77bbeadd
Verdict:
Adware
File Type:
exe x64
First seen:
2026-02-09T15:09:00Z UTC
Last seen:
2026-02-13T17:38:00Z UTC
Hits:
~10
Detections:
not-a-virus:HEUR:RemoteAdmin.Win32.ConnectWise.gen
Link:
https://opentip.kaspersky.com/a5b1a12aa56b1dd1ebfbcf8e658443f8ed0c314e8b9be6a9622427cd77bbeadd/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/07a5cd11-d946-438d-8964-c9f967808701
Result
Threat name:
ScreenConnect Tool
Create hunting rule
Detection:
malicious
Classification:
evad.troj
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1869316
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to hide user accounts
Enables network access during safeboot for specific services
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Reads the Security eventlog
Reads the System eventlog
Sigma detected: Remote Access Tool - ScreenConnect Backstage Mode Anomaly
Sigma detected: Remote Access Tool - ScreenConnect Suspicious Execution
Uses ipconfig to lookup or modify the Windows network settings
Uses nslookup.exe to query domains
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1869316 Sample: COAF-POLICIAFEDERAL.bin.exe Startdate: 13/02/2026 Architecture: WINDOWS Score: 56 73 impressoraantig.com 2->73 79 Malicious sample detected (through community Yara rule) 2->79 81 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->81 83 Multi AV Scanner detection for submitted file 2->83 85 6 other signatures 2->85 8 ScreenConnect.ClientService.exe 2 11 2->8         started        13 msiexec.exe 88 47 2->13         started        15 COAF-POLICIAFEDERAL.bin.exe 1 2->15         started        17 6 other processes 2->17 signatures3 process4 dnsIp5 75 impressoraantig.com 185.208.159.240, 49723, 8041 SIMPLECARRER2IT Switzerland 8->75 51 C:\Windows\SystemTemp\...\qKMou6xGnkqNrun.cmd, ASCII 8->51 dropped 93 Reads the Security eventlog 8->93 95 Reads the System eventlog 8->95 19 cmd.exe 8->19         started        22 cmd.exe 8->22         started        24 ScreenConnect.WindowsClient.exe 8->24         started        36 3 other processes 8->36 53 C:\...\ScreenConnect.ClientService.exe, PE32 13->53 dropped 55 C:\Windows\Installer\MSI8AF5.tmp, PE32 13->55 dropped 57 C:\Windows\Installer\MSI88E1.tmp, PE32 13->57 dropped 61 7 other files (none is malicious) 13->61 dropped 97 Enables network access during safeboot for specific services 13->97 26 msiexec.exe 13->26         started        28 msiexec.exe 1 13->28         started        30 msiexec.exe 13->30         started        59 ScreenConnect.ClientSetup.exe2536320958, PE32 15->59 dropped 99 Contains functionality to hide user accounts 15->99 32 ScreenConnect.ClientSetup.exe2536320958 6 15->32         started        101 Changes security center settings (notifications, updates, antivirus, firewall) 17->101 34 MpCmdRun.exe 17->34         started        file6 signatures7 process8 signatures9 87 Uses nslookup.exe to query domains 19->87 89 Uses ipconfig to lookup or modify the Windows network settings 19->89 38 ipconfig.exe 19->38         started        40 nslookup.exe 22->40         started        43 rundll32.exe 11 26->43         started        91 Contains functionality to hide user accounts 32->91 47 msiexec.exe 8 32->47         started        49 conhost.exe 34->49         started        process10 dnsIp11 77 1.1.1.1.in-addr.arpa 40->77 63 C:\Users\user\...\ScreenConnect.Windows.dll, PE32 43->63 dropped 65 C:\...\ScreenConnect.InstallerActions.dll, PE32 43->65 dropped 67 C:\Users\user\...\ScreenConnect.Core.dll, PE32 43->67 dropped 71 4 other files (none is malicious) 43->71 dropped 103 Contains functionality to hide user accounts 43->103 69 C:\Users\user\AppData\Local\...\MSI7E61.tmp, PE32 47->69 dropped file12 signatures13
Score:
94%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a5b1a12aa56b1dd1ebfbcf8e658443f8ed0c314e8b9be6a9622427cd77bbeadd
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/484730d6e8a5e03f3d795062e1c5b199
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a5b1a12aa56b1dd1ebfbcf8e658443f8ed0c314e8b9be6a9622427cd77bbeadd/
Verdict:
Malicious
Threat:
Family.SCREENCONNECT
Link:
https://tip.neiki.dev/file/a5b1a12aa56b1dd1ebfbcf8e658443f8ed0c314e8b9be6a9622427cd77bbeadd
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uwy2ckvfnmo5d273z6hglbcd7dwqymkoron6nklceqt425535loq._file
Verdict:
malicious
Label(s):
admintool_screenconnect
Create hunting rule
Similar samples:
1f12c8b6d7094286f3d9965c4563c3ee53a0e4d19cf4a111e7519d0829ffa08e
ConnectWise
28cc4128905aff14091bc5a1822d823affacbfba23e80fbd5035ee74783e2c3f
ConnectWise
4990164c8296288b93e66901737c1840b43a71adc06ad0ab8ab2bb50aaad22a8
ConnectWise
4d780470993cb94b9d71b7fbc5c65af6ef1b61c25ef258efcf4e3ac72eb59168
ConnectWise
527a521f0cca55ce3bed8b03b9b0917d0929682a0bbd55c15c4e2e449121c644
ConnectWise
689602b148c320c0f29029be38bcd9fef3c5f3cc59211dea2b5ca03ec290efdf
ConnectWise
6a78ddede346214855dfa762bbbbb85289369ff5929acd587a25c967be0524a9
ConnectWise
error
ConnectWise
f8bc8d622722c56b1a486955640a40343bd734aa9255f8620557dd72466241a2
ConnectWise
fdab07556a11f9dd61330fd681d0821c8a4ec815f84e95cd61530b9e6cb70f3c
ConnectWise
+ 1'416 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
backdoor discovery persistence ransomware rat upx
Link:
https://tria.ge/reports/260213-x3w13sds8g/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Drops file in System32 directory
UPX packed file
Badlisted process makes network request
Enumerates connected drives
ConnectWise ScreenConnect remote access tool
Sets service image path in registry
Unpacked files
SH256 hash:
a5b1a12aa56b1dd1ebfbcf8e658443f8ed0c314e8b9be6a9622427cd77bbeadd
MD5 hash:
484730d6e8a5e03f3d795062e1c5b199
SHA1 hash:
760fc0ce2ec8f41b67b72a4e992fcb76a6766f32
Link:
https://www.unpac.me/results/1818d5b6-9145-4cae-ae33-1cd7916fa370/
Malware family:
ScreenConnect
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a5b1a12aa56b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/a5b1a12aa56b1dd1ebfbcf8e658443f8ed0c314e8b9be6a9622427cd77bbeadd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:suspicious_PEs
Create hunting rule
Author:txc
Description:This rule detected suspicious PE files, based on high entropy and low amount of imported DLLs. This behaviour indicates packed files or files, that hide their true intention.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/53297/

Comments