MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cdd8ac48dcfa2f4ea670ec74601f12c580d1c303e507532750ebcc0615952066. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	cdd8ac48dcfa2f4ea670ec74601f12c580d1c303e507532750ebcc0615952066
SHA3-384 hash:	d18e85c5557aa7d3415a5b238f3b919f4d39b389fa03d00303c462d501b58070ac96f217d2ec8f9c9bfe05396e8826e4
SHA1 hash:	88c52a661db472ddad55fe2fdeddbfb9ddeaa98b
MD5 hash:	ee4186d546bb2d7a489b91550d11df47
humanhash:	queen-undress-april-quiet
File name:	ZoomWorkspace.bat
Download:	download sample
File size:	1'785 bytes
First seen:	2025-11-16 19:42:31 UTC
Last seen:	Never
File type:	bat
MIME type:	text/x-msdos-batch
ssdeep	24:wLJgbhCbr5x99rHFL/HiKObie1sluP58xKdOBDRaRuCDXRcmQ87Tno4ipvNL4IRM:qNFL/HiKDeOluPukdOBVaRuXVbMRgY
Threatray	764 similar samples on MalwareBazaar
TLSH	T12C31631B220D237802BB2262A73D429CF77E174A170132E976A1A03832453C09FEE2CB
Magika	batch
Reporter	juroots
Tags:	bat

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ZoomWorkspace.bat

Verdict:

Malicious activity

Analysis date:

2025-11-16 19:48:54 UTC

Tags:

screenconnect rmm-tool remote tool

Link:

https://app.any.run/tasks/ee926459-63ec-4fcb-b08f-31e79dd5eb65

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/38387/

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=691a2970bdb0ec3a9dc27095

Tags:

connectwise dropper shell sage

Result

Verdict:

Clean

Maliciousness:

Behaviour

Launching the process to interact with network services

Launching a process

Creating a file

Сreating synchronization primitives

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %temp% subdirectories

Creating a window

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

certutil expand fingerprint lolbin msiexec net powershell rundll32

Link:

https://www.filescan.io/uploads/691a296f8c51fc143c6eb2ca/reports/8050cd7f-db6a-43c3-9da6-b65cb67d5f73/overview

Verdict:

Malicious

Labled as:

BZC.PZQ.Cheetah.3

Link:

https://www.hybrid-analysis.com/sample/cdd8ac48dcfa2f4ea670ec74601f12c580d1c303e507532750ebcc0615952066

Result

Verdict:

MALICIOUS

Details

Hidden Powershell

Detected a pivot to Powershell that utilizes commonly nefarious attributes such as '-windowstyle hidden'.

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-11-15T20:03:00Z UTC

Last seen:

2025-11-18T10:38:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan.BAT.Alien.gen PDM:Trojan.Win32.Generic not-a-virus:HEUR:RemoteAdmin.MSIL.ConnectWise.gen

Link:

https://opentip.kaspersky.com/cdd8ac48dcfa2f4ea670ec74601f12c580d1c303e507532750ebcc0615952066/results?tab=lookup

Score:

43%

Verdict:

Susipicious

File Type:

SCRIPT

Link:

https://malprob.io/report/cdd8ac48dcfa2f4ea670ec74601f12c580d1c303e507532750ebcc0615952066

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cdd8ac48dcfa2f4ea670ec74601f12c580d1c303e507532750ebcc0615952066/

Verdict:

Malicious

Threat:

RemoteAdmin.MSIL.ConnectWise

Link:

https://tip.neiki.dev/file/cdd8ac48dcfa2f4ea670ec74601f12c580d1c303e507532750ebcc0615952066

Threat name:

Text.Trojan.Cheetah

Status:

Malicious

First seen:

2025-11-15 21:43:03 UTC

File Type:

Text (Batch)

AV detection:

5 of 24 (20.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zxmkysg47ixu5jtq5r2gahysywandqyd4udvgj2q5pgamfmvebta._file

Verdict:

malicious

Label(s):

admintool_screenconnect

2c1eafcde223b33f1e473e63f7364ac20ef8462d708e38e8ac4e7f37aa932fa0

3a3c9806b994cac747aa2eeddc6e481d3f8cd66149ce8a74dc3056ae9ac191f2

5c7ee0d7f0521667ac8b8613d72d2d37cff7997bd1008add3d0dc363db7bc086

6eb97a0f7fe52f2cd9bdf02b5c0858c17e66c69d7d3cebf093c8e024366fe141

955374f928a5a4fefea5429609c1864be910bc2fda6acb917380b0fc11d2133b

abfea09930b396cd33838f1d533ec7d14734176a10e55ef77c918ccc297491ed

c99c37da2bb0faa665a0952ac99b4ff0fff162fa73f6367b18698579aee4470f

d0e0699c7cc3648efe7fe0e74fcf12f5b7e490db68782d3195754c139828c855

error

+ 754 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

backdoor discovery execution persistence privilege_escalation rat revoked_codesign

Link:

https://tria.ge/reports/251116-yfkvzahj2y/

Behaviour

Checks processor information in registry

Modifies data under HKEY_USERS

Modifies registry class

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Drops file in Windows directory

Boot or Logon Autostart Execution: Authentication Package

Drops file in System32 directory

Enumerates connected drives

ConnectWise ScreenConnect remote access tool

Event Triggered Execution: Component Object Model Hijacking

Executes dropped EXE

Loads dropped DLL

Badlisted process makes network request

Binary is signed using a ConnectWise certificate revoked for key compromise.

Command and Scripting Interpreter: PowerShell

Sets service image path in registry

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cdd8ac48dcfa2f4ea670ec74601f12c580d1c303e507532750ebcc0615952066

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	WIN_ClickFix_Detection Create hunting rule
Author:	dogsafetyforeverone
Description:	Detects ClickFix social engineering technique using 'Verify you are human' messages and malicious PowerShell commands
Reference:	ClickFix social engineering and malicious PowerShell commands

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/38387/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample