MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df5e5e3138ed79f15b0aab5b091ca9809f9d839ee21a90d80a587e9cf2a13423. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ConnectWise

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	df5e5e3138ed79f15b0aab5b091ca9809f9d839ee21a90d80a587e9cf2a13423
SHA3-384 hash:	9b63a2560dcef36775ad73aea0cd7b199b72dd6210cbcc449151339e2acfaa546ea1feaba0c70a4a506c5bc5add6d5a1
SHA1 hash:	8fe9d22cb37456022fdfc7f884d4ab747067d8e2
MD5 hash:	a67588428f0a77662d5fc44480e11db5
humanhash:	princess-nitrogen-pip-white
File name:	Google-meet installer.vbs
Download:	download sample
Signature	ConnectWise Create hunting rule
File size:	2'357 bytes
First seen:	2026-02-22 14:08:25 UTC
Last seen:	Never
File type:	vbs
MIME type:	text/plain
ssdeep	24:PXCjMmu5FgKZhs3TcAzSG9QdW4ahMYkb9/ROMx1AWqSMqgX6pMxZcrkezaGoHJVi:PG3RjcAzpKdWzC71AWdMWQ4haGEs1
Threatray	1'442 similar samples on MalwareBazaar
TLSH	T16B41755AFC0BA915C5B1C6D2B9267E0FEBA40417152060A8F91CC99ACB349BDDB7C1CF
Magika	vba
Reporter	juroots
Tags:	ConnectWise vbs

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/54067/

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=699b0e128fffa866e3b08a0e

Tags:

dropper virus agent

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

evasive expand lolbin msiexec rundll32 wscript

Link:

https://www.filescan.io/uploads/699b0e1397feb4afd651e76b/reports/2c05112f-8b66-42b7-9a91-c9b5d71c1ba8/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/df5e5e3138ed79f15b0aab5b091ca9809f9d839ee21a90d80a587e9cf2a13423

Verdict:

Malicious

File Type:

vbs

Detections:

HEUR:Trojan.VBS.SAgent.gen RemoteAdmin.ConnectWise.HTTP.C&C not-a-virus:HEUR:RemoteAdmin.VBS.Alien.gen

Link:

https://opentip.kaspersky.com/df5e5e3138ed79f15b0aab5b091ca9809f9d839ee21a90d80a587e9cf2a13423/results?tab=lookup

Score:

44%

Verdict:

Susipicious

File Type:

SCRIPT

Link:

https://malprob.io/report/df5e5e3138ed79f15b0aab5b091ca9809f9d839ee21a90d80a587e9cf2a13423

Verdict:

Malware

YARA:

1 match(es)

Tags:

ADODB.Stream Scripting.FileSystemObject Shell.Application VBScript WinHttp.WinHttpRequest.5.1 WScript.Shell

Link:

https://app.malva.re/file/a67588428f0a77662d5fc44480e11db5

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/df5e5e3138ed79f15b0aab5b091ca9809f9d839ee21a90d80a587e9cf2a13423/

Verdict:

Malicious

Threat:

Family.CONNECTWISE

Link:

https://tip.neiki.dev/file/df5e5e3138ed79f15b0aab5b091ca9809f9d839ee21a90d80a587e9cf2a13423

Threat name:

Script.Trojan.Heuristic

Status:

Malicious

First seen:

2026-02-20 13:20:59 UTC

File Type:

Text (VBS)

AV detection:

7 of 36 (19.44%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=35pf4mjy5v47cwykvnnqshfjqcpz3a464injbwaklb7jz4vbgqrq._file

Verdict:

malicious

Label(s):

admintool_screenconnect

ConnectWise

119e0f88cfcefe70884d5958d9078f7bacf465a2109eea6d8c2e254244ad58a6

ConnectWise

29dac2d3b58b2c7ac6d872d68a3d71fdb4b78b1f9420738e107006087457df71

ConnectWise

9bb8e7b466dd8e068dee78cb714c1061c198698442c259b02aaf94b07aeed714

ConnectWise

ddaba68dfac28852d3936c8ca86b9061d754e02bd20c15ab36504805f634b0be

ConnectWise

error

ConnectWise

f71e8c66a51b05bb87941d2ab45dde1b83d97c32bd6443b80d04e8df6e419d11

ConnectWise

f7db0fb97ee95b9f4a6175c66496bad6bed4ed5b0c2ad73c2ce27013e17b9dad

ConnectWise

+ 1'432 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

backdoor discovery persistence privilege_escalation rat revoked_codesign

Link:

https://tria.ge/reports/260222-rfsr9afy2e/

Behaviour

Checks processor information in registry

Modifies data under HKEY_USERS

Modifies registry class

Script User-Agent

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Drops file in Windows directory

Boot or Logon Autostart Execution: Authentication Package

Drops file in System32 directory

Enumerates connected drives

Checks computer location settings

ConnectWise ScreenConnect remote access tool

Event Triggered Execution: Component Object Model Hijacking

Executes dropped EXE

Loads dropped DLL

Badlisted process makes network request

Binary is signed using a ConnectWise certificate revoked for key compromise.

Sets service image path in registry

Malware family:

ScreenConnect

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/df5e5e3138ed/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.21

Link:

https://yomi.yoroi.company/submissions/df5e5e3138ed79f15b0aab5b091ca9809f9d839ee21a90d80a587e9cf2a13423

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/54067/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample