MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b895abac5709358aad92fec5f99d25b3beaf81595719394f33f8f5fc46b331f3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ConnectWise


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b895abac5709358aad92fec5f99d25b3beaf81595719394f33f8f5fc46b331f3
SHA3-384 hash: 06d499f806fdd85bad6ade7599c8ce06930492e2e5f3d5d734ebe3a70029d8b5ab2ef6db9181d8f6592d00b8f828f163
SHA1 hash: c2a519c77f9a1849c372d08ece7c1c653dfb42d1
MD5 hash: 5deaa8a5e46e8880df8222177bcb7158
humanhash: snake-winner-washington-william
File name:adobe_updated_27.092.3029.vbs
Download: download sample
Signature ConnectWise
Create hunting rule
File size:6'123 bytes
First seen:2026-03-18 10:05:15 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 96:gvrkdrZz/26ZW3svEf1upj8RjqUjvOIryfR855Sfr8oAK9l868oRTkZYZcw:okBZzjZSsviMGNGSyfO55c8fKz97Rx
Threatray 1'827 similar samples on MalwareBazaar
TLSH T1B3C16493738803EA9A541AED0158A02B54F6D469382E65CDEBF26707F43DAE1FC1C3B4
Magika vba
Reporter abuse_ch
Tags:ConnectWise vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
58
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/57946/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69b8a57188c80c01586af8ef
Tags:
connectwise shellcode dropper spawn
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
dropper installer-heuristic net networm obfuscated packed
Link:
https://www.filescan.io/uploads/69ba78ee2000fc76c3e8f234/reports/013808d7-97c7-48af-ace8-425fdab9b59f/overview
Verdict:
Malicious
Labled as:
VBS/Packed.Runner
Link:
https://www.hybrid-analysis.com/sample/b895abac5709358aad92fec5f99d25b3beaf81595719394f33f8f5fc46b331f3
Result
Gathering data
Result
Threat name:
ScreenConnect Tool
Create hunting rule
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1885556
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Benign windows process drops PE files
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to hide user accounts
Enables network access during safeboot for specific services
Joe Sandbox ML detected suspicious sample
Modifies security policies related information
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Reads the Security eventlog
Reads the System eventlog
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
WScript reads language and country specific registry keys (likely country aware script)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1885556 Sample: adobe_updated_27.092.3029.vbs Startdate: 18/03/2026 Architecture: WINDOWS Score: 100 87 pub-aa4b4a4b76964ef7b9e03a074612353a.r2.dev 2->87 89 server-ovh30010047-relay.screenconnect.com 2->89 91 3 other IPs or domains 2->91 99 Suricata IDS alerts for network traffic 2->99 101 Multi AV Scanner detection for submitted file 2->101 103 .NET source code contains potential unpacker 2->103 105 5 other signatures 2->105 9 wscript.exe 1 2->9         started        12 msiexec.exe 95 49 2->12         started        15 ScreenConnect.ClientService.exe 2->15         started        18 2 other processes 2->18 signatures3 process4 dnsIp5 121 Benign windows process drops PE files 9->121 123 VBScript performs obfuscated calls to suspicious functions 9->123 125 Windows Scripting host queries suspicious COM object (likely to drop second stage) 9->125 127 WScript reads language and country specific registry keys (likely country aware script) 9->127 20 wscript.exe 3 9->20         started        79 C:\Windows\Installer\MSI3C2A.tmp, PE32 12->79 dropped 81 C:\Windows\Installer\MSI394B.tmp, PE32 12->81 dropped 83 C:\...\ScreenConnect.ClientService.exe, PE32 12->83 dropped 85 9 other files (none is malicious) 12->85 dropped 129 Enables network access during safeboot for specific services 12->129 131 Modifies security policies related information 12->131 25 msiexec.exe 12->25         started        27 msiexec.exe 12->27         started        29 msiexec.exe 12->29         started        97 server-ovh30010047-relay.screenconnect.com 15.204.159.130, 443, 49698 HP-INTERNET-ASUS United States 15->97 133 Reads the Security eventlog 15->133 135 Reads the System eventlog 15->135 31 ScreenConnect.WindowsClient.exe 15->31         started        33 ScreenConnect.WindowsClient.exe 15->33         started        137 Changes security center settings (notifications, updates, antivirus, firewall) 18->137 35 MpCmdRun.exe 18->35         started        file6 signatures7 process8 dnsIp9 93 pub-aa4b4a4b76964ef7b9e03a074612353a.r2.dev 104.18.54.45, 443, 49689 CLOUDFLARENETUS United States 20->93 59 C:\Users\...\ScreenConnect.ClientSetup.exe, PE32 20->59 dropped 113 System process connects to network (likely due to code injection or exploit) 20->113 115 Contains functionality to hide user accounts 20->115 117 Windows Scripting host queries suspicious COM object (likely to drop second stage) 20->117 119 WScript reads language and country specific registry keys (likely country aware script) 20->119 37 ScreenConnect.ClientSetup.exe 6 20->37         started        40 rundll32.exe 15 13 25->40         started        44 rundll32.exe 12 25->44         started        46 rundll32.exe 25->46         started        48 conhost.exe 35->48         started        file10 signatures11 process12 dnsIp13 107 Multi AV Scanner detection for dropped file 37->107 50 msiexec.exe 8 37->50         started        95 check.screenconnect.com 3.95.109.176, 443, 49694 AMAZON-AESUS United States 40->95 61 C:\...\ScreenConnect.WindowsInstaller.dll, PE32 40->61 dropped 63 C:\Users\user\...\ScreenConnect.Windows.dll, PE32 40->63 dropped 65 C:\...\ScreenConnect.InstallerActions.dll, PE32 40->65 dropped 73 5 other files (none is malicious) 40->73 dropped 109 System process connects to network (likely due to code injection or exploit) 40->109 111 Contains functionality to hide user accounts 40->111 75 8 other files (none is malicious) 44->75 dropped 67 C:\...\ScreenConnect.WindowsInstaller.dll, PE32 46->67 dropped 69 C:\Users\user\...\ScreenConnect.Windows.dll, PE32 46->69 dropped 71 C:\...\ScreenConnect.InstallerActions.dll, PE32 46->71 dropped 77 5 other files (none is malicious) 46->77 dropped file14 signatures15 process16 file17 53 C:\Users\user\AppData\Local\...\MSIA14D.tmp, PE32 50->53 dropped 55 C:\Users\user\AppData\Local\...\MSI9891.tmp, PE32 50->55 dropped 57 C:\Users\user\AppData\Local\...\MSI8F0B.tmp, PE32 50->57 dropped
Score:
82%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/b895abac5709358aad92fec5f99d25b3beaf81595719394f33f8f5fc46b331f3
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b895abac5709358aad92fec5f99d25b3beaf81595719394f33f8f5fc46b331f3/
Verdict:
Malicious
Threat:
Trojan.Script
Link:
https://tip.neiki.dev/file/b895abac5709358aad92fec5f99d25b3beaf81595719394f33f8f5fc46b331f3
Threat name:
Win32.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2026-03-17 00:51:03 UTC
File Type:
Text (VBS)
AV detection:
9 of 36 (25.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xck2xlcxbe2yvlms73c7thjfwo7k7akzk4mtstzt7d27yrvtghzq._file
Verdict:
suspicious
Label(s):
admintool_screenconnect
Create hunting rule
Similar samples:
32b95bd0f65bb4f926103857859dd1dbdd40ef2a3b52fbda3a6a4cf458edf3c3
ConnectWise
38ca5502ef30e39e5fe5ba65869f742f62991264ab92f70d3fcefc7a13635bdc
ConnectWise
4990164c8296288b93e66901737c1840b43a71adc06ad0ab8ab2bb50aaad22a8
ConnectWise
64adb568ceb1d4abb36113bde0ca9bffa423be366262f8a4ec75b1e23aef50ad
ConnectWise
a0c8f8770fffd941b3e123023432e275aea210a7ab71a6bce5be890861f054c2
ConnectWise
f28a060cd841574451960ddc5f2a706526597e361b1a7eb86245488aaa431014
ConnectWise
+ 1'817 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
backdoor discovery persistence privilege_escalation ransomware rat
Link:
https://tria.ge/reports/260318-l4sjhafx7w/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Modifies registry class
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Boot or Logon Autostart Execution: Authentication Package
Drops file in System32 directory
Enumerates connected drives
Checks computer location settings
ConnectWise ScreenConnect remote access tool
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
Badlisted process makes network request
Downloads MZ/PE file
Sets service image path in registry
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.08
Link:
https://yomi.yoroi.company/submissions/b895abac5709358aad92fec5f99d25b3beaf81595719394f33f8f5fc46b331f3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:GlowSpark_Downloader
Create hunting rule
Author:inquest.net
Description:GlowSpark_2nd_Stage_Actinium_Downloader

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/57946/

Comments