MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d9fbcad42aaf846845c6c04550e5c010903112eedccd901c43c0a7a9be1bf2eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ConnectWise

Vendor detections: 10

Intelligence 10 IOCs YARA 7 File information Comments

SHA256 hash:	d9fbcad42aaf846845c6c04550e5c010903112eedccd901c43c0a7a9be1bf2eb
SHA3-384 hash:	57850f82590f5815cb17e83faaf82c39394d77a373999c6be62d1d8e8130189024f288c5f39034494e97498dcf676a3e
SHA1 hash:	acabda7cd65b26478b62add1360cf08bf0af601f
MD5 hash:	55a3f053774512ee807f72af0068d6fe
humanhash:	golf-india-saturn-delaware
File name:	support.client.exe
Download:	download sample
Signature	ConnectWise Create hunting rule
File size:	312'528 bytes
First seen:	2026-05-15 13:36:15 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c2fe6927e1db8cf00400dbef9e5d35be (158 x ConnectWise)
ssdeep	6144:CmlfAgiw7Op5ryNkS7Z12wvtGVG3iVt8eZ1u2J/xFji9s:B1iw7gryNkSV1hy1Z1u2JLu9s
Threatray	328 similar samples on MalwareBazaar
TLSH	T1BC647C11B9C48432C673383147B4E2B28DBDB8302D655B8F57A81D7A9F741D0EA29B6F
TrID	50.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 10.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 10.5% (.EXE) Win64 Executable (generic) (6522/11/2) 8.1% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	BlinkzSec
Tags:	ConnectWise signed

Code Signing Certificate

Organisation:	Connectwise, LLC
Issuer:	DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm:	sha256WithRSAEncryption
Valid from:	2022-08-17T00:00:00Z
Valid to:	2025-08-15T23:59:59Z
Serial number:	0b9360051bccf66642998998d5ba97ce
Intelligence:	659 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	82b4e7924d5bed84fb16ddf8391936eb301479cec707dc14e23bc22b8cdeae28
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

_d9fbcad42aaf846845c6c04550e5c010903112eedccd901c43c0a7a9be1bf2eb.exe

Verdict:

No threats detected

Analysis date:

2026-05-15 13:38:11 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/1954860a-8975-4fba-b2a3-156bab826f5c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/66038/

Detection(s):

SecuriteInfo.com.Win32.Trojan.PSE.1X0MVDR.UNOFFICIAL

Verdict:

Clean

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a07217546d6967b3d907d5d

Tags:

n/a

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug crypto expired-cert fingerprint microsoft_visual_cc revoked-cert signed

Link:

https://www.filescan.io/uploads/6a0721da861ee596e636f25f/reports/6b57f932-e4a5-4d4d-8210-e4159fd008db/overview

Verdict:

Malicious

Labled as:

RiskWare[RemoteAdmin]/ConnectWise

Link:

https://www.hybrid-analysis.com/sample/d9fbcad42aaf846845c6c04550e5c010903112eedccd901c43c0a7a9be1bf2eb

Verdict:

Adware

File Type:

exe x32

First seen:

2026-05-15T10:48:00Z UTC

Last seen:

2026-05-16T01:40:00Z UTC

Hits:

~10

Detections:

not-a-virus:HEUR:RemoteAdmin.Win32.ConnectWise.gen

Link:

https://opentip.kaspersky.com/d9fbcad42aaf846845c6c04550e5c010903112eedccd901c43c0a7a9be1bf2eb/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/3d476ccb-e88d-45d8-ab8a-380b1872f074

Score:

92%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/d9fbcad42aaf846845c6c04550e5c010903112eedccd901c43c0a7a9be1bf2eb

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/55a3f053774512ee807f72af0068d6fe

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d9fbcad42aaf846845c6c04550e5c010903112eedccd901c43c0a7a9be1bf2eb/

Verdict:

Malicious

Threat:

RemoteAdmin.Win32.ConnectWise

Link:

https://tip.neiki.dev/file/d9fbcad42aaf846845c6c04550e5c010903112eedccd901c43c0a7a9be1bf2eb

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2026-05-15 13:34:30 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

8 of 24 (33.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3h54vvbkv6cgqrogybcvbzoaccidcexo3tgzahcdyct2tpq36lvq._file

Verdict:

malicious

Label(s):

evilconwi

ConnectWise

30999cbfd69010bddb597ff22cadb9123c1509f337a4dc444ccd8b3990a61848

ConnectWise

3cca3890854ff63d904311ddc133d2fdee454086797e202752527b84b84ae674

ConnectWise

41716f2f226e09ed33d5d07802d6fa03ac3c61571c4b58c2822eb3a22804d804

ConnectWise

764a1084d9f90226c7386993d42b76957ec589dec014637fbcbbbe26107aa496

ConnectWise

95bd72d96fe263e7a96a6e7dc994b86155f488b8d2e0c860c2e1b153f3da2e84

ConnectWise

968ade5a99bff741c5f34a250ceff2cfa38847d40ef6ae147d392beec006cc69

ConnectWise

a01b5df0fc3df8332567c1920e0caede68ace9b09c0d9b9750200c4c14b4caf4

ConnectWise

b43b8be7fe45d23744ce90569927f009a2a86fcccadd35567080b4be6f9302fe

ConnectWise

error

ConnectWise

f6e5928e476c92ff4a06d50c28f0c34857ba7474f6aa8f08e836c4af32e76dc7

ConnectWise

+ 318 additional samples on MalwareBazaar

Gathering data

Unpacked files

SH256 hash:

d9fbcad42aaf846845c6c04550e5c010903112eedccd901c43c0a7a9be1bf2eb

MD5 hash:

55a3f053774512ee807f72af0068d6fe

SHA1 hash:

acabda7cd65b26478b62add1360cf08bf0af601f

Link:

https://www.unpac.me/results/48afa4c3-dfeb-4909-86ab-8a99347f7daa/

SH256 hash:

a665adf1acd014984b818f95699c2205e9e9f7cc10031d5fa52260154004ba9b

MD5 hash:

c7dd4bcf2bdb96e081db2941f13f8154

SHA1 hash:

d7044c4ef07e59cf5e304be00502ea8218cb9297

Link:

https://www.unpac.me/results/48afa4c3-dfeb-4909-86ab-8a99347f7daa/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.55

Link:

https://yomi.yoroi.company/submissions/d9fbcad42aaf846845c6c04550e5c010903112eedccd901c43c0a7a9be1bf2eb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_RMM_ConnectWise_ScreenConnect_CERT Create hunting rule
Author:	ditekSHen
Description:	Detects ConnectWise Control (formerly ScreenConnect) by (default) certificate. Review RMM Inventory

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.