MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4c6d8572345c4c9ab3c05603f9710e235a4fe83145f6a18288b43dac6815935. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ConnectWise


Vendor detections: 10


Intelligence 10 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b4c6d8572345c4c9ab3c05603f9710e235a4fe83145f6a18288b43dac6815935
SHA3-384 hash: b434396e3a8d478132525f1c96bd95077fea56d856e78e8254cd23c23c807e9b8aec75451093e5f97cb5d75cbbf25533
SHA1 hash: 15ce0cc80f7889e746cb9d47ae44c2b4039ecb17
MD5 hash: 667df6616def927bafc6df064a795486
humanhash: music-oscar-stream-bakerloo
File name:b4c6d8572345c4c9ab3c05603f9710e235a4fe83145f6a18288b43dac6815935
Download: download sample
Signature ConnectWise
Create hunting rule
File size:1'568'768 bytes
First seen:2025-10-10 06:18:03 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 24576:fZPlmF0uwTKh56Z5vePu/DVeL1pVjeOdnUUGGu/aYmQurhwQUv4:fmh69eWbVypVCCgGu/aYmn1g4
Threatray 53 similar samples on MalwareBazaar
TLSH T11F75012077F88439F6F62B31AE3A96609E3ABD241F71C15E8354351D0DB0A909BB6773
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter JAMESWT_WT
Tags:ConnectWise connectwise-fun msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
28
Origin country :
IT IT
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/31981/
Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68e8a52e8b7b147cc4b686ae
Tags:
connectwise shellcode spawn virus
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
expand installer lolbin obfuscated remote rundll32
Link:
https://www.filescan.io/uploads/68e8a54efe81c560ba5663dc/reports/4e3da460-b28a-4817-8da2-aa1e83d51013/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/b4c6d8572345c4c9ab3c05603f9710e235a4fe83145f6a18288b43dac6815935
Result
Verdict:
SUSPICIOUS
Link:
https://labs.inquest.net/dfi/sha256/b4c6d8572345c4c9ab3c05603f9710e235a4fe83145f6a18288b43dac6815935
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Adware
File Type:
msi
Link:
https://opentip.kaspersky.com/b4c6d8572345c4c9ab3c05603f9710e235a4fe83145f6a18288b43dac6815935/results?tab=lookup
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b4c6d8572345c4c9ab3c05603f9710e235a4fe83145f6a18288b43dac6815935/
Threat name:
Win32.Trojan.Malgent
Create hunting rule
Status:
Malicious
First seen:
2025-09-27 21:22:53 UTC
File Type:
Binary (Archive)
Extracted files:
147
AV detection:
5 of 24 (20.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wtdnqvzdixcmtkz4avqd7fyq4i22j7udcrpwugbirnb5vruble2q._file
Verdict:
suspicious
Label(s):
admintool_screenconnect
Create hunting rule
Similar samples:
21d00ad7ffc295045adbf60f3337f1b1c35e617b4d67fe59d2ad0d4c10bf46f6
ConnectWise
2ca0dc3544cb47fe391f5203ab0325ed4584255914280ca2377d5aa3ae58c5eb
ConnectWise
39d85b07696c8cb8d8a22c243787e8a7163ef819e03fbbfaf145290c4b00a77e
ConnectWise
469b83d6052ba96d49c49223b839da82fe83b64cd4edb92293f86721b5b0af7e
ConnectWise
912dae1f6b1d0266ed9ade5bda1b8c125bf0a8711a761ae2eaaa1a84a8278761
ConnectWise
b4c6d8572345c4c9ab3c05603f9710e235a4fe83145f6a18288b43dac6815935
ConnectWise
error
ConnectWise
+ 43 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
discovery persistence privilege_escalation ransomware
Link:
https://tria.ge/reports/251010-g2x9ra1lv8/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Enumerates connected drives
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f44f0386-3067-4e36-b740-d90e1b2d6d40
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b4c6d8572345c4c9ab3c05603f9710e235a4fe83145f6a18288b43dac6815935

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:win_evilconwi_w0
Create hunting rule
Author:Karsten Hahn @ G DATA CyberDefense
Description:Settings from app.config that hide the connection of the client. These settings are potentially unwanted

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/31981/

Comments