MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c3871dd901ea063aca86177df067f3d2a023fc6064d720ca5255e58e5cb02c2e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ConnectWise

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	c3871dd901ea063aca86177df067f3d2a023fc6064d720ca5255e58e5cb02c2e
SHA3-384 hash:	0cbc52b5ae65be96b492168fa9930dac4e208ea8c0773ef98f5014e38e7bcfab04418bc67da3166be63cf86623a14ae1
SHA1 hash:	0e153f6b6f61babf0150b4109ad318ed47d99cbe
MD5 hash:	3797fdf15ec21687fc2ce697d75a25f5
humanhash:	grey-mockingbird-fish-mango
File name:	quote3563.vbs
Download:	download sample
Signature	ConnectWise Create hunting rule
File size:	2'340 bytes
First seen:	2026-02-03 17:35:28 UTC
Last seen:	Never
File type:	vbs
MIME type:	text/plain
ssdeep	24:PXCjMmu5FgKZhs3TcGlIzSG9QdW4ahMYkb9/ROMx1AWqSMqgX6pMxZcrkezaGoH+:PG3RjcGGzpKdWzC71AWdMWQ4haGEs1
Threatray	1'308 similar samples on MalwareBazaar
TLSH	T1AE41755AFD0BA91AC5B1C2D2B9267E0FEBA4041715206068F94CD999CB349BCDB7C1CF
Magika	vba
Reporter	Anonymous
Tags:	ConnectWise vbs

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/51536/

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6982322187f81e55ffef08db

Tags:

shellcode phishing dropper spawn

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

evasive expand lolbin msiexec rundll32 wscript

Link:

https://www.filescan.io/uploads/6982322d2ffccda097671727/reports/96cf5514-6f23-4188-8ef4-b5dd14f62726/overview

Verdict:

Malicious

Labled as:

TrojanDownloader/VBS.Agent

Link:

https://www.hybrid-analysis.com/sample/c3871dd901ea063aca86177df067f3d2a023fc6064d720ca5255e58e5cb02c2e

Verdict:

Adware

File Type:

vbs

First seen:

2026-01-29T16:33:00Z UTC

Last seen:

2026-01-29T16:48:00Z UTC

Hits:

~10

Detections:

not-a-virus:HEUR:RemoteAdmin.VBS.Alien.gen

Link:

https://opentip.kaspersky.com/c3871dd901ea063aca86177df067f3d2a023fc6064d720ca5255e58e5cb02c2e/results?tab=lookup

Score:

26%

Verdict:

Benign

File Type:

SCRIPT

Link:

https://malprob.io/report/c3871dd901ea063aca86177df067f3d2a023fc6064d720ca5255e58e5cb02c2e

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c3871dd901ea063aca86177df067f3d2a023fc6064d720ca5255e58e5cb02c2e/

Verdict:

Malicious

Threat:

RemoteAdmin.VBS.Alien

Link:

https://tip.neiki.dev/file/c3871dd901ea063aca86177df067f3d2a023fc6064d720ca5255e58e5cb02c2e

Threat name:

Script.Trojan.Heuristic

Status:

Malicious

First seen:

2026-01-29 19:35:53 UTC

File Type:

Text (VBS)

AV detection:

4 of 24 (16.67%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yodr3wib5iddvsugc567az7t2kqch7damtlsbssskxsy4xfqfqxa._file

Verdict:

malicious

Label(s):

admintool_screenconnect

ConnectWise

198811e87e0a54b6bae3bfff028ae94fa4c81574ce9f54b9f2150414578cd825

ConnectWise

54093a290bb379a426446500bb0ec5c0c8d669ae46e37e2628e60a114d7954e2

ConnectWise

acaa6d40c3adbd7079e1411de4e33782ebd5c118baca2ab01562e7f2220e8eab

ConnectWise

b6928d89c300d9d317a8ea884f382acba1af0237d93ae4d88d9821c780b41a0f

ConnectWise

c3871dd901ea063aca86177df067f3d2a023fc6064d720ca5255e58e5cb02c2e

ConnectWise

cdd8ac48dcfa2f4ea670ec74601f12c580d1c303e507532750ebcc0615952066

ConnectWise

error

ConnectWise

f50bb85de2859695c5a82a061f9bb4ca53a96df654b3555f67bcacb7150d53fc

ConnectWise

fab6011a3cb8ae1a26d6b5267510c63cfd3f36ee912d5d9c367991b33b61b41a

ConnectWise

fc7ee0a9cffabfd03e1b972bcbfd4504289482f86c83c391165ebe5253995ef9

ConnectWise

+ 1'298 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

backdoor discovery persistence privilege_escalation rat revoked_codesign

Link:

https://tria.ge/reports/260203-v6qmcsbs5f/

Behaviour

Checks processor information in registry

Modifies data under HKEY_USERS

Modifies registry class

Script User-Agent

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Drops file in Windows directory

Boot or Logon Autostart Execution: Authentication Package

Drops file in System32 directory

Enumerates connected drives

Checks computer location settings

ConnectWise ScreenConnect remote access tool

Event Triggered Execution: Component Object Model Hijacking

Executes dropped EXE

Loads dropped DLL

Badlisted process makes network request

Binary is signed using a ConnectWise certificate revoked for key compromise.

Sets service image path in registry

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.21

Link:

https://yomi.yoroi.company/submissions/c3871dd901ea063aca86177df067f3d2a023fc6064d720ca5255e58e5cb02c2e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/51536/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample