MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c2d7f10bc541f7b56137cb1b7ae8ea496b8301f38a2d2649d1a64016798015df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ConnectWise

Vendor detections: 11

Intelligence 11 IOCs YARA 5 File information Comments

SHA256 hash:	c2d7f10bc541f7b56137cb1b7ae8ea496b8301f38a2d2649d1a64016798015df
SHA3-384 hash:	3a3c3161609e42990ff94d875f6193507c7c76877073485b7229e2daf17a3c9f11533eed4d1b9b67eb6e01a85e0c0f51
SHA1 hash:	fef337b7bdc59eb20db5ad56ece067a78441a89f
MD5 hash:	7790e3ac5039bcd7f40ac5f1d3a12fea
humanhash:	cold-quiet-spring-batman
File name:	c2d7f10bc541f7b56137cb1b7ae8ea496b8301f38a2d2649d1a64016798015df.msi
Download:	download sample
Signature	ConnectWise Create hunting rule
File size:	11'808'768 bytes
First seen:	2025-11-25 06:54:13 UTC
Last seen:	Never
File type:	msi
MIME type:	application/x-msi
ssdeep	196608:CHxcp9ym3nltDUJVZHxcp9ym3ZHxcp9ym36Hxcp9ym3dHxcp9ym3UHxcp9ym3:QGplpmGprGpIGpPGpyGp
Threatray	858 similar samples on MalwareBazaar
TLSH	T1B9C62313AFF89665F0B15B78FC3658B4A53A7D059D23A1AF12247D4E2C71A808DA3337
TrID	80.0% (.MSI) Microsoft Windows Installer (454500/1/170) 10.7% (.MST) Windows SDK Setup Transform script (61000/1/5) 7.8% (.MSP) Windows Installer Patch (44509/10/5) 1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika	msi
Reporter	JAMESWT_WT
Tags:	ConnectWise msi

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/41416/

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6925531b587b4206e7f2ade7

Tags:

connectwise shellcode spawn

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug base64 expand expired-cert installer installer lolbin packed rundll32

Link:

https://www.filescan.io/uploads/692552aac4bd66164273e7f1/reports/b69db343-c7c9-4528-a071-17774c3742ae/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/c2d7f10bc541f7b56137cb1b7ae8ea496b8301f38a2d2649d1a64016798015df

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/c2d7f10bc541f7b56137cb1b7ae8ea496b8301f38a2d2649d1a64016798015df

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Adware

File Type:

msi

First seen:

2025-11-22T05:46:00Z UTC

Last seen:

2025-11-25T15:05:00Z UTC

Hits:

~10

Detections:

BSS:Trojan.Win32.Generic.nblk BSS:Trojan.Win32.Generic not-a-virus:RemoteAdmin.MSIL.ConnectWise.d not-a-virus:RemoteAdmin.MSIL.ConnectWise.c not-a-virus:RemoteAdmin.MSIL.ConnectWise.b not-a-virus:RemoteAdmin.MSIL.ConnectWise.a not-a-virus:HEUR:RemoteAdmin.MSIL.ConnectWise.gen

Link:

https://opentip.kaspersky.com/c2d7f10bc541f7b56137cb1b7ae8ea496b8301f38a2d2649d1a64016798015df/results?tab=lookup

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

.Net CAB:COMPRESSION:LZX CAB:COMPRESSION:NONE Executable Managed .NET Office Document PDB Path PE (Portable Executable) PE File Layout SOS: 0.21 SOS: 0.24 SOS: 0.25 SOS: 0.26 SOS: 0.27 SOS: 0.31 SOS: 0.32 SOS: 0.36 SOS: 0.39

Link:

https://app.malva.re/file/7790e3ac5039bcd7f40ac5f1d3a12fea

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c2d7f10bc541f7b56137cb1b7ae8ea496b8301f38a2d2649d1a64016798015df/

Verdict:

Malicious

Threat:

RemoteAdmin.MSIL.ConnectWise

Link:

https://tip.neiki.dev/file/c2d7f10bc541f7b56137cb1b7ae8ea496b8301f38a2d2649d1a64016798015df

Threat name:

ByteCode-MSIL.PUA.RAdminConnectWise

Status:

Malicious

First seen:

2025-11-22 01:55:26 UTC

File Type:

Binary (Archive)

Extracted files:

175

AV detection:

11 of 24 (45.83%)

Threat level:

1/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yll7cc6fih33kyjxzmnxv2hkjfvygaptriwsmsoruzabm6macxpq._file

Verdict:

malicious

Label(s):

admintool_screenconnect

ConnectWise

1c7af2a207fb45a7c54613e5f7d185ea20afe2d36fcff25f09e2163025eba216

ConnectWise

a316d5310f1e5f12415b740ce2c7e3988635f404a451716a9a85cf7ba93684aa

ConnectWise

b23524c5ee1960293a4a82d607cc7eb34f079187a74ef95b3a4b4e83918e4d47

ConnectWise

c2d7f10bc541f7b56137cb1b7ae8ea496b8301f38a2d2649d1a64016798015df

ConnectWise

error

ConnectWise

+ 848 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

backdoor discovery persistence privilege_escalation ransomware rat revoked_codesign

Link:

https://tria.ge/reports/251125-hpglxaaj5z/

Behaviour

Checks SCSI registry key(s)

Checks processor information in registry

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Event Triggered Execution: Installer Packages

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Drops file in Windows directory

Boot or Logon Autostart Execution: Authentication Package

Drops file in System32 directory

Enumerates connected drives

ConnectWise ScreenConnect remote access tool

Event Triggered Execution: Component Object Model Hijacking

Executes dropped EXE

Loads dropped DLL

Binary is signed using a ConnectWise certificate revoked for key compromise.

Sets service image path in registry

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/7d8ca0fd-627c-45aa-b669-e089c28625c9

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c2d7f10bc541f7b56137cb1b7ae8ea496b8301f38a2d2649d1a64016798015df

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	INDICATOR_RMM_ConnectWise_ScreenConnect Create hunting rule
Author:	ditekSHen
Description:	Detects ConnectWise Control (formerly ScreenConnect). Review RMM Inventory

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/41416/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample