MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d761d4e70590ba7ef3e816a2749b58d1805d882e7c2b57dcfbbf3d68d673fc49. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ConnectWise


Vendor detections: 9



SHA256 hash: d761d4e70590ba7ef3e816a2749b58d1805d882e7c2b57dcfbbf3d68d673fc49
SHA3-384 hash: ed12fc62c5c3fa050839ac5e28267c89172ae3cd3ee85f85d87aacd55d35d7854607e26a0344af6e7223beeeb5d2f50d
SHA1 hash: 439790f438efbfaa7b2a6ddf41acd672f8b92d0e
MD5 hash: d190071e18f1e62d94aa5b0db74c1789
humanhash: steak-sixteen-oregon-alabama
File name: Scan_Document_xlsx.vbs
Signature: ConnectWise
File size: 4'442 bytes
First seen: 2026-02-27 17:09:55 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 96:nFxnFl+i/mQV7N02UctXWSNVuPi+cONTS+UH0ddxolS3bAx2:nDnai/mQV7N5tXHXkiUPdbN62
Threatray: 1'549 similar samples on MalwareBazaar
TLSH: T1F291A582778C0BA5BA5848D64258B90780F2D47D3A2521C9FBF17643F43DAB6FC68774
Magika: vba
Reporter: Anonymous
Tags: ConnectWise vbs

Intelligence


File Origin
# of uploads: 1
# of downloads: 50
Origin country: US
Vendor Threat Intelligence
No detections
Verdict: Malicious
Score: 92.5%
Tags: shellcode overt shell
Verdict: Malicious
File Type: vbs
Detections: Trojan.Win32.Agent.sb HEUR:Trojan-Downloader.Script.Generic HEUR:Trojan.Script.Generic RemoteAdmin.ConnectWise.HTTP.C&C
Verdict: Malicious
Threat: RemoteAdmin.ConnectWise.HTTP
Threat name: Script-WScript.Trojan.Nymeria
Status: Malicious
First seen: 2026-02-27 02:36:40 UTC
File Type: Text (VBS)
AV detection: 9 of 24 (37.50%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: backdoor discovery execution persistence privilege_escalation rat revoked_codesign
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Boot or Logon Autostart Execution: Authentication Package
Drops file in System32 directory
Command and Scripting Interpreter: PowerShell
Enumerates connected drives
Checks computer location settings
ConnectWise ScreenConnect remote access tool
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
Badlisted process makes network request
Binary is signed using a ConnectWise certificate revoked for key compromise.
Sets service image path in registry
Malware Config
Dropper Extraction: http://192.158.232.90:8040/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments