MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b6e5ede61684a2246797a01a6b6aeb8f99603044abb8a23663da0395edf6f20a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ConnectWise


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b6e5ede61684a2246797a01a6b6aeb8f99603044abb8a23663da0395edf6f20a
SHA3-384 hash: d2aa8f5dbf22003b8f7dc4f85356c8ffa161ffaf5e8ecf52cbc7e3dba2786292582aa7d81bc279fae1c994f729a8caf4
SHA1 hash: b86c9a6c3880d2cd835e1967cf26d36729740cd6
MD5 hash: 5799b3eb56c08d87dc11b445b46f5999
humanhash: four-dakota-artist-social
File name:Information_file.vbs
Download: download sample
Signature ConnectWise
Create hunting rule
File size:15'017 bytes
First seen:2026-03-18 09:53:03 UTC
Last seen:2026-03-18 15:11:12 UTC
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 192:MlxAt1rxGDnlNl/vHOeYYEYYoYYMLnGvFb3chDvUs0pFhLUcX:y
TLSH T159621EDCAFB6F01532FBD3D78AA29A114D1BBC0BB1157A8B1E4D0A14112D9C86E764F3
Magika vba
Reporter abuse_ch
Tags:ConnectWise vbs

Intelligence

File Origin
# of uploads :
2
# of downloads :
54
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/57933/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69b9eefb93b644ca466b2691
Tags:
xtreme shell sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated powershell
Link:
https://www.filescan.io/uploads/69ba7616ab95f82184f6b08b/reports/f79bb392-dbe7-41d1-bc73-07a67343c962/overview
Verdict:
Malicious
Labled as:
DR/VBS.Agent
Link:
https://www.hybrid-analysis.com/sample/b6e5ede61684a2246797a01a6b6aeb8f99603044abb8a23663da0395edf6f20a
Verdict:
Malicious
File Type:
vbs
Detections:
HEUR:Trojan-Downloader.Script.Generic
Link:
https://opentip.kaspersky.com/b6e5ede61684a2246797a01a6b6aeb8f99603044abb8a23663da0395edf6f20a/results?tab=lookup
Result
Threat name:
ScreenConnect Tool
Create hunting rule
Detection:
malicious
Classification:
expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1885543
Signature
.NET source code contains process injector
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to hide user accounts
Enables network access during safeboot for specific services
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies security policies related information
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Reads the Security eventlog
Reads the System eventlog
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
WScript reads language and country specific registry keys (likely country aware script)
Wscript starts Powershell (via cmd or directly)
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1885543 Sample: Information_file.vbs Startdate: 18/03/2026 Architecture: WINDOWS Score: 100 81 cloud.pearlpeel.com 2->81 83 drive.usercontent.google.com 2->83 85 drive.google.com 2->85 95 Multi AV Scanner detection for dropped file 2->95 97 Multi AV Scanner detection for submitted file 2->97 99 Yara detected UAC Bypass using CMSTP 2->99 101 11 other signatures 2->101 9 msiexec.exe 94 51 2->9         started        13 wscript.exe 1 2->13         started        15 ScreenConnect.ClientService.exe 2->15         started        17 6 other processes 2->17 signatures3 process4 file5 73 C:\Windows\Installer\MSI4328.tmp, PE32 9->73 dropped 75 C:\Windows\Installer\MSI40A6.tmp, PE32 9->75 dropped 77 C:\...\ScreenConnect.WindowsFileManager.exe, PE32 9->77 dropped 79 9 other files (7 malicious) 9->79 dropped 109 Enables network access during safeboot for specific services 9->109 111 Modifies security policies related information 9->111 19 msiexec.exe 9->19         started        36 2 other processes 9->36 113 VBScript performs obfuscated calls to suspicious functions 13->113 115 Wscript starts Powershell (via cmd or directly) 13->115 117 Bypasses PowerShell execution policy 13->117 127 3 other signatures 13->127 21 powershell.exe 22 13->21         started        119 Reads the Security eventlog 15->119 121 Reads the System eventlog 15->121 25 ScreenConnect.WindowsClient.exe 15->25         started        27 ScreenConnect.WindowsClient.exe 15->27         started        123 Changes security center settings (notifications, updates, antivirus, firewall) 17->123 125 Loading BitLocker PowerShell Module 17->125 29 curl.exe 2 17->29         started        32 msiexec.exe 6 17->32         started        34 MpCmdRun.exe 17->34         started        38 2 other processes 17->38 signatures6 process7 dnsIp8 40 rundll32.exe 19->40         started        55 C:\Users\user\AppData\...\jjemxrf2.cmdline, Unicode 21->55 dropped 103 Suspicious execution chain found 21->103 44 csc.exe 3 21->44         started        46 curl.exe 2 21->46         started        49 conhost.exe 21->49         started        105 Contains functionality to hide user accounts 25->105 87 cloud.pearlpeel.com 139.64.172.139, 443, 49731, 49733 EXPOHLUS Reserved 29->87 57 C:\Temp\ScreenConnect.ClientSetup.msi, Composite 29->57 dropped 59 C:\Users\user\AppData\Local\...\MSI3451.tmp, PE32 32->59 dropped 51 conhost.exe 34->51         started        file9 signatures10 process11 dnsIp12 61 C:\Users\user\...\ScreenConnect.Windows.dll, PE32 40->61 dropped 63 C:\...\ScreenConnect.InstallerActions.dll, PE32 40->63 dropped 65 C:\Users\user\...\ScreenConnect.Core.dll, PE32 40->65 dropped 71 4 other malicious files 40->71 dropped 107 Contains functionality to hide user accounts 40->107 67 C:\Users\user\AppData\Local\...\jjemxrf2.dll, PE32 44->67 dropped 53 cvtres.exe 1 44->53         started        89 drive.google.com 142.250.114.101, 443, 49718 GOOGLEUS United States 46->89 91 drive.usercontent.google.com 173.194.208.132, 443, 49722 GOOGLEUS United States 46->91 93 127.0.0.1 unknown unknown 46->93 69 C:\Windows\Temp\FileR.txt, ASCII 46->69 dropped file13 signatures14 process15
Score:
98%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/b6e5ede61684a2246797a01a6b6aeb8f99603044abb8a23663da0395edf6f20a
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b6e5ede61684a2246797a01a6b6aeb8f99603044abb8a23663da0395edf6f20a/
Verdict:
Malicious
Threat:
Trojan-Downloader.Script
Link:
https://tip.neiki.dev/file/b6e5ede61684a2246797a01a6b6aeb8f99603044abb8a23663da0395edf6f20a
Threat name:
Script-WScript.Dropper.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2026-03-18 00:17:05 UTC
File Type:
Text (VBS)
AV detection:
1 of 36 (2.78%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w3s63zqwqsrciz4xuangw2xlr6mwamcevo4kentd3ibzl3pw6ifa._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
backdoor discovery execution persistence privilege_escalation ransomware rat revoked_codesign
Link:
https://tria.ge/reports/260318-lwsjjafw3x/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Boot or Logon Autostart Execution: Authentication Package
Drops file in System32 directory
Command and Scripting Interpreter: PowerShell
Contacts third-party web service commonly abused for C2
Enumerates connected drives
Checks computer location settings
ConnectWise ScreenConnect remote access tool
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
Sets service image path in registry
Signed with revoked ConnectWise certificate
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b6e5ede61684a2246797a01a6b6aeb8f99603044abb8a23663da0395edf6f20a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/57933/

Comments