MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2cc4d978d215a424e3ca10b9442f31e4fd48822aca3fde85a5ec73eb49c03ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ConnectWise

Vendor detections: 9

Intelligence 9 IOCs YARA 7 File information Comments

SHA256 hash:	d2cc4d978d215a424e3ca10b9442f31e4fd48822aca3fde85a5ec73eb49c03ba
SHA3-384 hash:	abb17f9304c2f7065de33f2efae443424eab6fd92b5784f4387659775218ab67b3fa14a9b19a090634afbe5d1b9c6c94
SHA1 hash:	01b33ccc560ba8288ecf85b089f653ca0fedfe50
MD5 hash:	dd2c7162a730dc3063489a53ba0ff005
humanhash:	kentucky-twenty-comet-juliet
File name:	support.client.exe
Download:	download sample
Signature	ConnectWise Create hunting rule
File size:	312'544 bytes
First seen:	2026-05-02 17:35:07 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c2fe6927e1db8cf00400dbef9e5d35be (137 x ConnectWise)
ssdeep	6144:1mlfAgiw7Op5ryNkS7Z12wvtGVG3iVt8eZ1u2J/xFti98l:A1iw7gryNkSV1hy1Z1u2JLI9a
Threatray	251 similar samples on MalwareBazaar
TLSH	T171646C11B9C48432C673383107B4E2B28DBDB8302D655B9F57A81D7A9F741D0EA29B6F
TrID	50.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 10.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 10.5% (.EXE) Win64 Executable (generic) (6522/11/2) 8.1% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	BlinkzSec
Tags:	ConnectWise signed

Code Signing Certificate

Organisation:	Connectwise, LLC
Issuer:	DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm:	sha256WithRSAEncryption
Valid from:	2022-07-13T00:00:00Z
Valid to:	2025-07-12T23:59:59Z
Serial number:	0fc890218ebc1b3c4b8521f655979371
Intelligence:	44 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	d03556ae33727e478ea2791c72e0d18fd25da9d48446ebc6334df57d1148e5a6
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Gathering data

Malware family:

n/a

ID:

File name:

exe

Verdict:

No threats detected

Analysis date:

2026-05-02 17:43:40 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/8160fba7-56d2-4047-945d-352cfcd35507

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/64333/

Detection(s):

SecuriteInfo.com.Win32.Trojan.PSE.1X0MVDR.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a window

Сreating synchronization primitives

Connection attempt to an infection source

Sending a TCP request to an infection source

Unauthorized injection to a system process

Verdict:

Malicious

Labled as:

RiskWare[RemoteAdmin]/ConnectWise

Link:

https://www.hybrid-analysis.com/sample/d2cc4d978d215a424e3ca10b9442f31e4fd48822aca3fde85a5ec73eb49c03ba

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-05-02T15:13:00Z UTC

Last seen:

2026-05-03T02:58:00Z UTC

Hits:

~10

Detections:

UDS:DangerousObject.Multi.Generic not-a-virus:HEUR:RemoteAdmin.Win32.ConnectWise.gen

Link:

https://opentip.kaspersky.com/d2cc4d978d215a424e3ca10b9442f31e4fd48822aca3fde85a5ec73eb49c03ba/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/a7c33bdb-e573-4087-8d54-13762f8ab79e

Score:

92%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/d2cc4d978d215a424e3ca10b9442f31e4fd48822aca3fde85a5ec73eb49c03ba

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d2cc4d978d215a424e3ca10b9442f31e4fd48822aca3fde85a5ec73eb49c03ba/

Verdict:

Malicious

Threat:

Family.CONNECTWISE

Link:

https://tip.neiki.dev/file/d2cc4d978d215a424e3ca10b9442f31e4fd48822aca3fde85a5ec73eb49c03ba

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2lge3f4nefneetr4uefziqxtdzh5jcbcvsr732c2l3dt5ne4ao5a._file

Verdict:

malicious

Label(s):

evilconwi

ConnectWise

30999cbfd69010bddb597ff22cadb9123c1509f337a4dc444ccd8b3990a61848

ConnectWise

3cca3890854ff63d904311ddc133d2fdee454086797e202752527b84b84ae674

ConnectWise

41716f2f226e09ed33d5d07802d6fa03ac3c61571c4b58c2822eb3a22804d804

ConnectWise

764a1084d9f90226c7386993d42b76957ec589dec014637fbcbbbe26107aa496

ConnectWise

95bd72d96fe263e7a96a6e7dc994b86155f488b8d2e0c860c2e1b153f3da2e84

ConnectWise

968ade5a99bff741c5f34a250ceff2cfa38847d40ef6ae147d392beec006cc69

ConnectWise

a01b5df0fc3df8332567c1920e0caede68ace9b09c0d9b9750200c4c14b4caf4

ConnectWise

b43b8be7fe45d23744ce90569927f009a2a86fcccadd35567080b4be6f9302fe

ConnectWise

error

ConnectWise

f6e5928e476c92ff4a06d50c28f0c34857ba7474f6aa8f08e836c4af32e76dc7

ConnectWise

+ 241 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

defense_evasion discovery revoked_codesign spyware trojan

Link:

https://tria.ge/reports/260502-v6ej4acy4s/

Behaviour

Modifies registry class

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Manipulates Digital Signatures

Unpacked files

SH256 hash:

d2cc4d978d215a424e3ca10b9442f31e4fd48822aca3fde85a5ec73eb49c03ba

MD5 hash:

dd2c7162a730dc3063489a53ba0ff005

SHA1 hash:

01b33ccc560ba8288ecf85b089f653ca0fedfe50

Link:

https://www.unpac.me/results/d7566fec-d16e-490e-91fa-033b50ded6d0/

SH256 hash:

a665adf1acd014984b818f95699c2205e9e9f7cc10031d5fa52260154004ba9b

MD5 hash:

c7dd4bcf2bdb96e081db2941f13f8154

SHA1 hash:

d7044c4ef07e59cf5e304be00502ea8218cb9297

Link:

https://www.unpac.me/results/d7566fec-d16e-490e-91fa-033b50ded6d0/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d2cc4d978d215a424e3ca10b9442f31e4fd48822aca3fde85a5ec73eb49c03ba

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_RMM_ConnectWise_ScreenConnect_CERT Create hunting rule
Author:	ditekSHen
Description:	Detects ConnectWise Control (formerly ScreenConnect) by (default) certificate. Review RMM Inventory

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.