MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bdfe8ca7a41ccc60e49b5a7164d06263dd0db8e2053128f37281480f5d0a6e30. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ScreenConnect


Vendor detections: 10



SHA256 hash: bdfe8ca7a41ccc60e49b5a7164d06263dd0db8e2053128f37281480f5d0a6e30
SHA3-384 hash: 713e6bc2a0fa6f0bc3a7d39517230272366f280dfa26ad12a79e8627db4fa34d19605730b2fe1fc493b923fd9552dce6
SHA1 hash: 927f54ae7509917610f7789b7001d6ff7768a7e8
MD5 hash: 1fbbb3eca5c1e92231eee641e9c5ecc1
humanhash: london-triple-ink-rugby
File name: scink.lnk
Signature: ScreenConnect
File size: 1'607 bytes
First seen: 2025-07-12 06:55:44 UTC
Last seen: Never
File type: Shortcut (lnk)
MIME type: application/x-ms-shortcut
ssdeep: 24:8J/BHYVKVWU+/CWewCO83YAjjLtjmSYHJm0sHCEJZaSUHWBjs:8x5acwCZIwmdHJUiuZqWB
Threatray: 642 similar samples on MalwareBazaar
TLSH: T1F63106280EE703A9E273C7799BF973634822FA93DD655ABD108097405626111F873E3A
Magika: lnk
Reporter: abuse_ch
Tags: lnk screenconnect

Intelligence


File Origin
# of uploads: 1
# of downloads: 20
Origin country: SE

Vendor Threat Intelligence

Verdict: Malicious
Score: 99.9%
Tags: connectwise cryxos

Result
Verdict: Malicious
File Type: LNK File - Malicious
Behaviour: BlacklistAPI detected

Result
Threat name: ScreenConnect Tool
Detection: malicious
Classification: evad
Score: 100 / 100
Signatures:
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to hide user accounts
Creates processes via WMI
Enables network access during safeboot for specific services
Encrypted powershell cmdline option found
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies security policies related information
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Possible COM Object hijacking
Powershell drops PE file
Reads the Security eventlog
Reads the System eventlog
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Remote Access Tool - ScreenConnect Suspicious Execution
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Windows shortcut file (LNK) starts blacklisted processes
Behaviour
Behavior Graph ID 1734598 (sample: scink.lnk, start date: 12/07/2025, architecture: WINDOWS, score: 100). The graph image is not reproduced here; the information recoverable from its text is summarised below.

Process tree:
- scink.lnk
  - powershell.exe
    - powershell.exe (Loading BitLocker PowerShell Module)
      - mshta.exe (contacts 31.129.22.45; Creates processes via WMI; Encrypted powershell cmdline option found)
        - powershell.exe (contacts 94.159.99.169; drops and starts C:\Users\user\AppData\Roaming\sc77.exe)
          - sc77.exe (Multi AV Scanner detection for dropped file; Contains functionality to hide user accounts)
            - msiexec.exe (drops C:\Users\user\AppData\Local\...\MSI375F.tmp, PE32)
          - conhost.exe
        - powershell.exe
          - conhost.exe
    - conhost.exe
  - msiexec.exe (Enables network access during safeboot for specific services; Modifies security policies related information)
    - msiexec.exe
      - rundll32.exe (drops ScreenConnect.Windows.dll, ScreenConnect.InstallerActions.dll, ScreenConnect.Core.dll and 4 other files, none malicious)
    - 2 other processes
  - ScreenConnect.ClientService.exe (contacts data.reversesync.com; Reads the Security eventlog; Reads the System eventlog)
    - ScreenConnect.WindowsClient.exe (Contains functionality to hide user accounts)
    - ScreenConnect.WindowsClient.exe
  - 6 other processes, including mshta.exe (Creates processes via WMI), MpCmdRun.exe and conhost.exe (Changes security center settings)

Network contacts:
- data.reversesync.com, 94.26.90.4, ports 49696 and 8041, ASDETUKhttpwwwheficedcomGB, Bulgaria
- 31.129.22.45, ports 49687, 49688 and 49694, TELEDYNE-ASRU, Russian Federation
- 94.159.99.169, ports 49692, 49693 and 80, NETCOM-R-ASRU, Russian Federation

Files dropped:
- C:\Windows\Installer\MSI4413.tmp, PE32
- C:\Windows\Installer\MSI41C0.tmp, PE32
- ScreenConnect.Wind...dentialProvider.dll, PE32+
- 9 other files (1 malicious) dropped by the first msiexec.exe
- C:\Users\user\...\ScreenConnect.Windows.dll, PE32
- C:\...\ScreenConnect.InstallerActions.dll, PE32
- C:\Users\user\...\ScreenConnect.Core.dll, PE32
- C:\Users\user\AppData\Roaming\sc77.exe, PE32
- C:\Users\user\AppData\Local\...\MSI375F.tmp, PE32
Verdict: Malware
YARA: 2 match(es)
Tags: Batch Command DeObfuscated Execution: CMD in LNK Execution: PowerShell in LNK LNK LOLBin LOLBin:powershell.exe Malicious PowerShell PowerShell Call T1059.001 T1059.003 T1202: Indirect Command Execution T1204.002

Threat name: Win32.Trojan.Pantera
Status: Malicious
First seen: 2025-07-11 09:28:00 UTC
File Type: Binary
AV detection: 9 of 38 (23.68%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: n/a
Behaviour:
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Enumerates physical storage devices
Checks computer location settings
Blocklisted process makes network request
Malware Config
Dropper Extraction: http://31.129.22.45/scstager.mp4
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: PS_in_LNK
Author: @bartblaze
Description: Identifies PowerShell artefacts in shortcut (LNK) files.

Rule name: SUSP_LNK_PowerShell
Author: SECUINFRA Falcon Team
Description: Detects the reference to powershell inside an lnk file, which is suspicious

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download
Signature: ScreenConnect
File type: Shortcut (lnk)
SHA256: bdfe8ca7a41ccc60e49b5a7164d06263dd0db8e2053128f37281480f5d0a6e30 (this sample)

Comments