MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be48b072d698b978b8547d3d8d6901586ec4abb129786cd880d294bd273a5b87. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ConnectWise


Vendor detections: 15


Intelligence 15 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: be48b072d698b978b8547d3d8d6901586ec4abb129786cd880d294bd273a5b87
SHA3-384 hash: b5395b1facb7b66e74541220d3bd42c466b4a6c7530a5be2851ac27ef5542c5bf69a5631f074188f92e19af2c2e88751
SHA1 hash: 421a477d45f6dd9bf7fa2e0aa2230bef6dcd307d
MD5 hash: 4b94c5e1d4d2483efc01850df63a2115
humanhash: robin-bakerloo-golf-robert
File name:ScreenConnect.ClientSetup.exe
Download: download sample
Signature ConnectWise
Create hunting rule
File size:12'572'728 bytes
First seen:2025-11-12 10:21:25 UTC
Last seen:2025-11-12 21:35:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9771ee6344923fa220489ab01239bdfd (245 x ConnectWise)
ssdeep 196608:13fefPG9gnsvf43WsH9BmgnsvfYgnsvfxgnsvfI:1Ywg3t9Bfw5w6wg
Threatray 964 similar samples on MalwareBazaar
TLSH T100C61211F3E592B5D0BF0A38E87A42665A75BC049712C7BF5790792A2D32BC09E32773
TrID 40.3% (.EXE) Win64 Executable (generic) (10522/11/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter juroots
Tags:ConnectWise exe signed

Code Signing Certificate

Organisation:ConnectWise, LLC
Issuer:DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm:sha256WithRSAEncryption
Valid from:2025-06-23T00:00:00Z
Valid to:2028-06-22T23:59:59Z
Serial number: 0abbca120c79810a182f72f89c04358f
Intelligence: 20 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: b7902a93876909ba13bc23013f2c4239db57bfe742f500766a1673c5199fd1fb
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
3
# of downloads :
93
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ScreenConnect.ClientSetup.exe
Verdict:
Malicious activity
Analysis date:
2025-11-12 10:22:14 UTC
Tags:
screenconnect rmm-tool tool remote
Link:
https://app.any.run/tasks/6d65f3f7-e503-4ce6-8845-b6df786a2bf8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/37590/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69145fe228ddbbca4d8d51fe
Tags:
connectwise shellcode dropper spawn
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Launching a process
Creating a file
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Loading a suspicious library
Modifying a system file
Creating a file in the Windows subdirectories
Creating a file in the Program Files subdirectories
Creating a service
Launching a service
Creating a process from a recently created file
DNS request
Moving a file to the Windows subdirectory
Connection attempt
Possible injection to a system process
Enabling autorun with the shell\open\command registry branches
Enabling autorun
Enabling autorun for a service
Unauthorized injection to a recently created process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
base64 installer-heuristic microsoft_visual_cc net packed privilege reconnaissance signed
Link:
https://www.filescan.io/uploads/69145fddf0f11f085d6854df/reports/5a7fb739-bd72-4d09-9ea3-049990f397f5/overview
Verdict:
Malicious
Labled as:
RemoteAdmin.ConnectWiseControl
Link:
https://www.hybrid-analysis.com/sample/be48b072d698b978b8547d3d8d6901586ec4abb129786cd880d294bd273a5b87
Verdict:
Adware
File Type:
exe x32
First seen:
2025-11-12T07:51:00Z UTC
Last seen:
2025-11-12T16:28:00Z UTC
Hits:
~10
Detections:
not-a-virus:HEUR:RemoteAdmin.Win32.ConnectWise.gen
Link:
https://opentip.kaspersky.com/be48b072d698b978b8547d3d8d6901586ec4abb129786cd880d294bd273a5b87/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a870ee91-83d7-4027-b8f8-4a4869f32eff
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/be48b072d698b978b8547d3d8d6901586ec4abb129786cd880d294bd273a5b87
Verdict:
inconclusive
YARA:
9 match(es)
Tags:
.Net CAB:COMPRESSION:LZX CAB:COMPRESSION:NONE Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.00 SOS: 0.07 SOS: 0.21 SOS: 0.24 SOS: 0.25 SOS: 0.26 SOS: 0.27 SOS: 0.31 SOS: 0.36 SOS: 0.39 Win 32 Exe x86
Link:
https://app.malva.re/file/4b94c5e1d4d2483efc01850df63a2115
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/be48b072d698b978b8547d3d8d6901586ec4abb129786cd880d294bd273a5b87/
Verdict:
Malicious
Threat:
RemoteAdmin.Win32.ConnectWise
Link:
https://tip.neiki.dev/file/be48b072d698b978b8547d3d8d6901586ec4abb129786cd880d294bd273a5b87
Threat name:
Win32.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-11-12 10:22:48 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
12 of 38 (31.58%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xzela4wwtc4xrocupu6y22iblbxmjk5rff4gzwea2kkl2jz2lodq._file
Verdict:
malicious
Label(s):
admintool_screenconnect
Create hunting rule
Similar samples:
3a3c9806b994cac747aa2eeddc6e481d3f8cd66149ce8a74dc3056ae9ac191f2
ConnectWise
433ec15200c20d2d70f26f753897dd71c53362814f8fe2966a10b0cfcdb8a4e5
ConnectWise
5c7ee0d7f0521667ac8b8613d72d2d37cff7997bd1008add3d0dc363db7bc086
ConnectWise
77ea13f76b8c9f4e67f4d149ca5cce7d9937e8fe0497dfd76520d870a84dae2e
ConnectWise
be15b42a47a652a968f2e8dd81d18cc502949d6fcde337e207aabc94c9c3b5a9
ConnectWise
be48b072d698b978b8547d3d8d6901586ec4abb129786cd880d294bd273a5b87
ConnectWise
e0af0be8429ca59caa591431d0cd4189f79a2a4e06850a96328206e660cb637c
ConnectWise
ead39cfaa2f4c7734f86cff9e7426a9ce2b64161215ba597bff4892ab57d3998
ConnectWise
error
ConnectWise
+ 954 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
backdoor discovery persistence privilege_escalation ransomware rat
Link:
https://tria.ge/reports/251112-meef1sh13f/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Boot or Logon Autostart Execution: Authentication Package
Checks computer location settings
Drops file in System32 directory
Event Triggered Execution: Component Object Model Hijacking
Badlisted process makes network request
Enumerates connected drives
ConnectWise ScreenConnect remote access tool
Sets service image path in registry
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c100da22-bd00-487a-b41a-aa07019e0a0e
Unpacked files
SH256 hash:
be48b072d698b978b8547d3d8d6901586ec4abb129786cd880d294bd273a5b87
MD5 hash:
4b94c5e1d4d2483efc01850df63a2115
SHA1 hash:
421a477d45f6dd9bf7fa2e0aa2230bef6dcd307d
Link:
https://www.unpac.me/results/6183bfc8-8b16-4abc-b2c1-8ac83e2c83ed/
SH256 hash:
8a55c15cc76e31042e17458c479772aa95bc1b908016c85b1dc8b8e3eff23254
MD5 hash:
decb1fd20d75e6eade9289cc24605f29
SHA1 hash:
5169602d641c4f2ebd9ca0639622949e00c25566
Link:
https://www.unpac.me/results/6183bfc8-8b16-4abc-b2c1-8ac83e2c83ed/
SH256 hash:
24b35b9f3630b27f36fcae0a8064f16c6bc73def2ba00374d874a459acaaaef4
MD5 hash:
d3705cce7d76cbb34b8c32db011a8900
SHA1 hash:
babcc303b25599a6fd1663a4353759b100362f80
Detections:
SUSP_NET_Large_Static_Array_In_Small_File_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/6183bfc8-8b16-4abc-b2c1-8ac83e2c83ed/
Parent samples :
ead39cfaa2f4c7734f86cff9e7426a9ce2b64161215ba597bff4892ab57d3998
be48b072d698b978b8547d3d8d6901586ec4abb129786cd880d294bd273a5b87
SH256 hash:
2fe4971f0af384cc409adebbc5e657f23485abd47b735a09a598f56c69d247e7
MD5 hash:
d0df824f8eff0b844c26fbbc404a72a7
SHA1 hash:
20e83e4a20e52805568640857d6d3103cff6a815
Link:
https://www.unpac.me/results/6183bfc8-8b16-4abc-b2c1-8ac83e2c83ed/
SH256 hash:
3575e75152305162122f4bbbaf47468a1ca88517c6147306c91fc57b2f374389
MD5 hash:
c025888cc46853e42343e0196f34d403
SHA1 hash:
934c68b2d862bb7344b5d89e505832922d945d7b
Link:
https://www.unpac.me/results/6183bfc8-8b16-4abc-b2c1-8ac83e2c83ed/
SH256 hash:
390c3122f647553fe83ed4f4a7d6aebf834fd54aaeaba30512876eeb649d7f3c
MD5 hash:
2d4c4b16ea9f833038a064a8127267d1
SHA1 hash:
a93b5237ac7f29f161e154eeb8e8ec561f1a406f
Link:
https://www.unpac.me/results/6183bfc8-8b16-4abc-b2c1-8ac83e2c83ed/
SH256 hash:
3edf926e5a35a74fd792a740a90e2a3a1c2d0574366f910dd2cfb06c905409b2
MD5 hash:
d33aced2a786cecb5a97f43221adee4d
SHA1 hash:
7330f44ddbce757b203d015d446f08cc4cd30b73
Link:
https://www.unpac.me/results/6183bfc8-8b16-4abc-b2c1-8ac83e2c83ed/
SH256 hash:
289a4eea79baa4141744e44d60db713e18b5f23322663c63047962f51b467614
MD5 hash:
48979a1a6d3badea8124bce04b1e01a5
SHA1 hash:
06931bd96343ce167eda796112a30ca8d9fa536a
Link:
https://www.unpac.me/results/6183bfc8-8b16-4abc-b2c1-8ac83e2c83ed/
SH256 hash:
47ecc0e50315e30d705408ce5fa783135fdf4e79fcff6da32b648af4cfcea855
MD5 hash:
09db58e4988798a2263a6f4aed6942a1
SHA1 hash:
3bb8951ecbc147f52b057ff828d3fcb80336b50f
Detections:
SUSP_NET_Shellcode_Loader_Indicators_Jan24
Create hunting rule
INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Link:
https://www.unpac.me/results/6183bfc8-8b16-4abc-b2c1-8ac83e2c83ed/
Parent samples :
ead39cfaa2f4c7734f86cff9e7426a9ce2b64161215ba597bff4892ab57d3998
be48b072d698b978b8547d3d8d6901586ec4abb129786cd880d294bd273a5b87
29ef0043dfd8c1e642c559976201c44823757eb8cb2dc9c5e9f6183dd9678883
SH256 hash:
57d83406f6642aeba9bf42c8f8650a1c3d11145a90355b8daeb6a2afe2afdc8a
MD5 hash:
967a0e19c16909e243fb0df81310f4ac
SHA1 hash:
61ad181097ed042dc80d5899c8ee8cdcb7a9197b
Link:
https://www.unpac.me/results/6183bfc8-8b16-4abc-b2c1-8ac83e2c83ed/
SH256 hash:
807ac81b0882409e082c95c1f00771d836f7a7ae82637300f81e46ebce6ea078
MD5 hash:
3dbe0d79810c999310c4b95e64fe3752
SHA1 hash:
812367f23da90fa9c09762d26744f75ee6a3f43c
Link:
https://www.unpac.me/results/6183bfc8-8b16-4abc-b2c1-8ac83e2c83ed/
SH256 hash:
19ac323ca6eae2f8145cdc2bac865b32cd5a48ad6ff199d4ca7da214b056e1dc
MD5 hash:
5fb6074b08ac4709cf2f29fa5b49023e
SHA1 hash:
8bbb78a47c08867c50572f0bd2a27171f91e0454
Link:
https://www.unpac.me/results/6183bfc8-8b16-4abc-b2c1-8ac83e2c83ed/
SH256 hash:
ad6062215032ab58369403b1221562b5e7fb5ae7d52b29b7fad69eefb2d8455b
MD5 hash:
723f2aaeeda1d2bb2f49322da349ffc9
SHA1 hash:
ac6ab994beaff69adf8a2dc480a8a628175ff6c8
Link:
https://www.unpac.me/results/6183bfc8-8b16-4abc-b2c1-8ac83e2c83ed/
SH256 hash:
9342c7be8036a5f8dc3895d75e3314dce961fd3bc70ee59928c67fa04f0c7e08
MD5 hash:
5419ff27205d3e5affa3fc18b811b843
SHA1 hash:
cf49072c50456381cd26cd32cb97606c5f5cfd26
Link:
https://www.unpac.me/results/6183bfc8-8b16-4abc-b2c1-8ac83e2c83ed/
SH256 hash:
30077c8f5b118458a5c924039b44e5b271b6af053304cfd3da3ec46d9b40417b
MD5 hash:
42ca9d2ae74370935445219605a30b17
SHA1 hash:
d68fb04f52df55424404775814920173db854654
Link:
https://www.unpac.me/results/6183bfc8-8b16-4abc-b2c1-8ac83e2c83ed/
SH256 hash:
66be99f7cedbeb0b2755fc98191a07848fa013cb0ba9b3786bc8c4a0e885c3da
MD5 hash:
5c7b13d9b432a0ee859d7684e20602e8
SHA1 hash:
e3dc010ddbf5178049bd3c06d441e8967a4cfb97
Detections:
INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Link:
https://www.unpac.me/results/6183bfc8-8b16-4abc-b2c1-8ac83e2c83ed/
Parent samples :
ead39cfaa2f4c7734f86cff9e7426a9ce2b64161215ba597bff4892ab57d3998
be48b072d698b978b8547d3d8d6901586ec4abb129786cd880d294bd273a5b87
29ef0043dfd8c1e642c559976201c44823757eb8cb2dc9c5e9f6183dd9678883
SH256 hash:
2cb45c8a613d13a6e457a7ab67416e522753c19581dfd5db37e1f8a2bd85d1fd
MD5 hash:
ee029cc80de9358a347af51588f24e9d
SHA1 hash:
e53fa3f5581c3f5b792b6b6468a1ec140b2c923f
Detections:
INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Link:
https://www.unpac.me/results/6183bfc8-8b16-4abc-b2c1-8ac83e2c83ed/
Parent samples :
ead39cfaa2f4c7734f86cff9e7426a9ce2b64161215ba597bff4892ab57d3998
be48b072d698b978b8547d3d8d6901586ec4abb129786cd880d294bd273a5b87
29ef0043dfd8c1e642c559976201c44823757eb8cb2dc9c5e9f6183dd9678883
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/be48b072d698b978b8547d3d8d6901586ec4abb129786cd880d294bd273a5b87

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_EXE_DotNET_Encrypted
Create hunting rule
Author:ditekSHen
Description:Detects encrypted or obfuscated .NET executables
Rule name:INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Author:ditekSHen
Description:Detects ConnectWise Control (formerly ScreenConnect). Review RMM Inventory
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ConnectWise

Executable exe be48b072d698b978b8547d3d8d6901586ec4abb129786cd880d294bd273a5b87

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/37590/
  
URLhaus
https://urlhaus.abuse.ch/url/3703837/
  
Delivery method
Distributed via web download

Comments