MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b6928d89c300d9d317a8ea884f382acba1af0237d93ae4d88d9821c780b41a0f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ConnectWise

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	b6928d89c300d9d317a8ea884f382acba1af0237d93ae4d88d9821c780b41a0f
SHA3-384 hash:	536412cefa0e41c0bf994e5463e531a39b60fa0f16d6109988eac681c2b2e036fae46103f178f2d90ba478d95158837e
SHA1 hash:	20aa56ee60d798b6dccabdc3fe2f58313e27238b
MD5 hash:	b73d8db360a729d215c12509a8ab1800
humanhash:	utah-football-two-spring
File name:	invite (1).vbs
Download:	download sample
Signature	ConnectWise Create hunting rule
File size:	2'021 bytes
First seen:	2025-11-25 06:54:07 UTC
Last seen:	Never
File type:	vbs
MIME type:	text/plain
ssdeep	24:9LPhC3H7jMbn5SKUv2wQhJV1olzaKJBca/wvY4j5vx5vew1Uy+CUedG+n740QhIl:986nJ4J3ca/whv+CUaG+n7AY
Threatray	1'037 similar samples on MalwareBazaar
TLSH	T11B4156DAFC0651585B7102D3A42A545EDF39553F4A621030F998CCAE4F212B963FC1E7
Magika	vba
Reporter	JAMESWT_WT
Tags:	ConnectWise vbs

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/41415/

Detection(s):

SecuriteInfo.com.PUA.Telegrambot-21.UNOFFICIAL

Verdict:

Malicious

Score:

70%

Link:

https://cyber-fortress.com/docs/result/index.php?id=692552985d7fac83ebf2baf2

Tags:

trojandownloader dropper html

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

expand lolbin lolbin msiexec obfuscated rundll32

Link:

https://www.filescan.io/uploads/692552a91b3279b9ed0cde8d/reports/0b11c506-95c0-41be-9f59-7e9b7d40b21c/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/b6928d89c300d9d317a8ea884f382acba1af0237d93ae4d88d9821c780b41a0f

Verdict:

Malicious

File Type:

vbs

First seen:

2025-11-22T15:29:00Z UTC

Last seen:

2025-11-24T21:26:00Z UTC

Hits:

~100

Detections:

Trojan-Downloader.JS.SLoad.sb BSS:Trojan.Win32.Generic.nblk HEUR:Trojan-Downloader.VBS.SLoad.gen BSS:Trojan.Win32.Generic PDM:Trojan.Win32.Generic not-a-virus:HEUR:RemoteAdmin.MSIL.ConnectWise.gen RemoteAdmin.ConnectWise.HTTP.C&C not-a-virus:RemoteAdmin.MSIL.ConnectWise.c not-a-virus:RemoteAdmin.MSIL.ConnectWise.d not-a-virus:RemoteAdmin.MSIL.ConnectWise.b not-a-virus:RemoteAdmin.MSIL.ConnectWise.a

Link:

https://opentip.kaspersky.com/b6928d89c300d9d317a8ea884f382acba1af0237d93ae4d88d9821c780b41a0f/results?tab=lookup

Score:

35%

Verdict:

Susipicious

File Type:

SCRIPT

Link:

https://malprob.io/report/b6928d89c300d9d317a8ea884f382acba1af0237d93ae4d88d9821c780b41a0f

Verdict:

Malware

YARA:

1 match(es)

Tags:

ADODB.Stream MSXML2.XMLHTTP Scripting.FileSystemObject VBScript WScript.Shell

Link:

https://app.malva.re/file/b73d8db360a729d215c12509a8ab1800

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b6928d89c300d9d317a8ea884f382acba1af0237d93ae4d88d9821c780b41a0f/

Verdict:

Malicious

Threat:

RemoteAdmin.MSIL.ConnectWise

Link:

https://tip.neiki.dev/file/b6928d89c300d9d317a8ea884f382acba1af0237d93ae4d88d9821c780b41a0f

Threat name:

Script-WScript.Trojan.Heuristic

Status:

Malicious

First seen:

2025-11-22 00:46:33 UTC

File Type:

Text (VBS)

AV detection:

6 of 24 (25.00%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=w2ji3codadm5gf5i5kee6obkzoq26arx3e5ojwentaq4pafudihq._file

Verdict:

malicious

Label(s):

admintool_screenconnect

ConnectWise

1c7af2a207fb45a7c54613e5f7d185ea20afe2d36fcff25f09e2163025eba216

ConnectWise

6c67cacf03c7f253b00449e018b0f72c0c5cc4df697b2959f646202d310a6dcb

ConnectWise

99e7b628ee17aca20a951378ea88373f0208e48b80fc85b8936099ae570b5a77

ConnectWise

9e54445c35f5c02a9a97f95a4207457e36a94fc9e884b810d990f7d4b23bd6fd

ConnectWise

b23524c5ee1960293a4a82d607cc7eb34f079187a74ef95b3a4b4e83918e4d47

ConnectWise

b538713f852bb850cf8e42c9d71f93e6c65654f77357a56d31ab184e2b79e299

ConnectWise

b6928d89c300d9d317a8ea884f382acba1af0237d93ae4d88d9821c780b41a0f

ConnectWise

cdd8ac48dcfa2f4ea670ec74601f12c580d1c303e507532750ebcc0615952066

ConnectWise

error

ConnectWise

fc7ee0a9cffabfd03e1b972bcbfd4504289482f86c83c391165ebe5253995ef9

ConnectWise

+ 1'027 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

backdoor discovery persistence privilege_escalation rat revoked_codesign

Link:

https://tria.ge/reports/251125-hpga5ssqap/

Behaviour

Checks processor information in registry

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Drops file in Windows directory

Boot or Logon Autostart Execution: Authentication Package

Drops file in System32 directory

Enumerates connected drives

Checks computer location settings

ConnectWise ScreenConnect remote access tool

Event Triggered Execution: Component Object Model Hijacking

Executes dropped EXE

Loads dropped DLL

Badlisted process makes network request

Binary is signed using a ConnectWise certificate revoked for key compromise.

Sets service image path in registry

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b6928d89c300d9d317a8ea884f382acba1af0237d93ae4d88d9821c780b41a0f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	telegram_bot_api Create hunting rule
Author:	rectifyq
Description:	Detects file containing Telegram Bot API

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/41415/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample