MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c5d72bcef0cb31e87ec071a43ad12468cf9a2841a695016e2240b4585f18cba1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ConnectWise


Vendor detections: 13



SHA256 hash: c5d72bcef0cb31e87ec071a43ad12468cf9a2841a695016e2240b4585f18cba1
SHA3-384 hash: 0bfca3f8a9beaaaabf1016c80e2ee7e404245964166dd1d5ed2c3e2eb0a1f8061dbeaad769d539527264bfba03be296f
SHA1 hash: a80ffb5605126f23618b2a21002d96a76800b0f4
MD5 hash: 533452be7f667e4ab8e082289a3663ff
humanhash: beryllium-social-hydrogen-oklahoma
File name: file.exe.lnk
Signature: ConnectWise
File size: 1'631 bytes
First seen: 2025-11-30 17:58:54 UTC
Last seen: Never
File type: Shortcut (lnk)
MIME type: application/x-ms-shortcut
ssdeep: 48:8c0m6sTUVNz+X3BIIPTUVNz+phphHrqpDUO:8cNQVNz+X3B4VNz+/fHmt
TLSH: T12B319B2026F98314E3F36F7E68F665529022BD02FDA5CF1D0061824D1861A51EC70F76
Magika: lnk
Reporter: smica83
Tags: lnk

Intelligence


File Origin
# of uploads: 1
# of downloads: 67
Origin country: HU
Vendor Threat Intelligence
Malware configuration found for: LNK
Details: LNK (a command line and any observed URLs)
Verdict: Malicious
Score: 99.1%
Tags: connectwise dropper shell sage
Result
Verdict: Malicious
File Type: LNK File - Malicious
Payload URLs:
URL: https://raw.githubusercontent.com/008webhost/filename/refs/heads/main/file.bat (File name: LNK File)
Behaviour
BlacklistAPI detected
Verdict: Malicious
File Type: lnk
First seen: 2025-11-30T12:19:00Z UTC
Last seen: 2025-11-30T17:40:00Z UTC
Hits: ~10
Detections: HEUR:Trojan.WinLNK.Agent.gen, HEUR:Trojan.Multi.Powedon.c, HEUR:Trojan.Multi.Powedon.a, PDM:Trojan.Win32.Generic, HEUR:Trojan.BAT.Alien.gen, Trojan.WinLNK.Agent.sb, Trojan.Win32.Agent.sb
Result
Threat name: ScreenConnect Tool
Detection: malicious
Classification: expl.evad
Score: 100 / 100
Signature
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to hide user accounts
Creates files in the system32 config directory
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Reads the Security eventlog
Reads the System eventlog
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows shortcut file (LNK) contains suspicious command line arguments
Windows shortcut file (LNK) starts blacklisted processes
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell download and execute
Behaviour
Behavior Graph: [graph image omitted] Behavior Graph ID: 1823132; Sample: file.exe.lnk; Start date: 30/11/2025; Architecture: WINDOWS; Score: 100
Verdict: Malware
YARA: 2 match(es)
Tags: Batch Command DeObfuscated, Execution: CMD in LNK, Execution: PowerShell in LNK, LNK, LOLBin, LOLBin:cmd.exe, Malicious PowerShell, PowerShell Call, T1059.001, T1059.003, T1202: Indirect Command Execution, T1204.002
Threat name: Shortcut.Trojan.Generic
Status: Suspicious
First seen: 2025-11-30 16:51:49 UTC
File Type: Binary
AV detection: 10 of 24 (41.67%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: adware backdoor discovery execution persistence privilege_escalation rat revoked_codesign spyware
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Boot or Logon Autostart Execution: Authentication Package
Drops file in System32 directory
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
ConnectWise ScreenConnect remote access tool
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
Badlisted process makes network request
Binary is signed using a ConnectWise certificate revoked for key compromise.
Command and Scripting Interpreter: PowerShell
Sets service image path in registry
Malware family: ScreenConnect
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CDN_in_LNK
Author: @bartblaze
Description: Identifies CDN (Content Delivery Network) domain in shortcut (LNK) file.
Rule name: detect_powershell
Author: daniyyell
Description: Detects suspicious PowerShell activity related to malware execution
Rule name: Download_in_LNK
Author: @bartblaze
Description: Identifies download artefacts in shortcut (LNK) files.
Rule name: Execution_in_LNK
Author: @bartblaze
Description: Identifies execution artefacts in shortcut (LNK) files.
Rule name: LNK_sospechosos
Author: Germán Fernández
Description: Detects suspicious .lnk files
Rule name: PS_in_LNK
Author: @bartblaze
Description: Identifies PowerShell artefacts in shortcut (LNK) files.
Rule name: Script_in_LNK
Author: @bartblaze
Description: Identifies scripting artefacts in shortcut (LNK) files.
Rule name: SUSP_LNK_CMD
Author: SECUINFRA Falcon Team
Description: Detects the reference to cmd.exe inside an lnk file, which is suspicious
Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May contain (obfuscated or not) PowerShell or CMD commands that can be abused by a threat actor (can create false positives)
