MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6a4f2de6f4e37b2a25beeeefb60ecb5af8f204c6d42c46ee885dec38f313d36. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ConnectWise


Vendor detections: 13


Intelligence 13 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e6a4f2de6f4e37b2a25beeeefb60ecb5af8f204c6d42c46ee885dec38f313d36
SHA3-384 hash: 30ecb8945753ac404eefcc960b3212cea9933ddcfe230f618d1c364117537ef5a7252a785b9c3337cae1cc200a8f7d83
SHA1 hash: 52c89ae70097fa97523082fec93afdbb9b6c27ad
MD5 hash: c462ae308666d54c9c02757d3419223f
humanhash: skylark-eight-sixteen-sierra
File name:e6a4f2de6f4e37b2a25beeeefb60ecb5af8f204c6d42c46ee885dec38f313d36
Download: download sample
Signature ConnectWise
Create hunting rule
File size:14'101'280 bytes
First seen:2025-04-09 10:25:57 UTC
Last seen:2025-04-09 14:23:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5d1eb56d5adda1ec09420d586e0d54f6 (1 x ConnectWise)
ssdeep 393216:MH2ETQH2ET/H2ETPH2ETOH2ETPH2ETyH2ETE:MHfTQHfT/HfTPHfTOHfTPHfTyHfTE
Threatray 439 similar samples on MalwareBazaar
TLSH T141E62221F7FA5624F9B62A30AC3EE1614A757C018A02D17F63653C4E7A71F809A72377
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10522/11/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
Reporter JAMESWT_WT
Tags:46-253-4-18 ChasingFire Dream Technologies Co Ltd ConnectWise daqqoi1a-anondns-net exe signed

Code Signing Certificate

Organisation:ChasingFire Dream Technologies Co., Ltd.
Issuer:GlobalSign GCC R45 EV CodeSigning CA 2020
Algorithm:sha256WithRSAEncryption
Valid from:2025-03-21T06:15:59Z
Valid to:2026-03-22T06:15:59Z
Serial number: 3f639fe6c6390ae939eaa74e
Cert Central Blocklist:This certificate is on the Cert Central blocklist
Thumbprint Algorithm:SHA256
Thumbprint: f638a3339bac7fcfc1e36a0c39bace2be30c9796a41be71b76b018ef37ce1cba
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
418
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
connectwise
Create hunting rule
ID:
1
File name:
e6a4f2de6f4e37b2a25beeeefb60ecb5af8f204c6d42c46ee885dec38f313d36
Verdict:
No threats detected
Analysis date:
2025-04-09 11:34:10 UTC
Tags:
connectwise rmm-tool
Link:
https://app.any.run/tasks/ec7e0adb-53b7-4b84-b22a-a6cc8629fdc3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/1301/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67f64eacf9ba909217cdb92d
Tags:
shellcode virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Launching a process
Creating a window
Сreating synchronization primitives
Modifying a system file
Creating a file in the Windows subdirectories
Loading a suspicious library
Creating a file
Creating a file in the Program Files subdirectories
Creating a service
Launching a service
Creating a process from a recently created file
Searching for synchronization primitives
DNS request
Moving a file to the Windows subdirectory
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Possible injection to a system process
Enabling autorun with the shell\open\command registry branches
Enabling autorun
Enabling autorun for a service
Unauthorized injection to a recently created process
Verdict:
Malicious
Labled as:
Kryptik_AGeneric.FFA trojan
Link:
https://www.hybrid-analysis.com/sample/e6a4f2de6f4e37b2a25beeeefb60ecb5af8f204c6d42c46ee885dec38f313d36
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7ce81a36-7d03-4000-bf64-05cbb6660f53
Result
Threat name:
ScreenConnect Tool
Create hunting rule
Detection:
malicious
Classification:
evad
Score:
44 / 100
Link:
https://www.joesandbox.com/analysis/1660645
Signature
.NET source code references suspicious native API functions
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to hide user accounts
Enables network access during safeboot for specific services
Joe Sandbox ML detected suspicious sample
Modifies security policies related information
Multi AV Scanner detection for submitted file
Possible COM Object hijacking
Reads the Security eventlog
Reads the System eventlog
Sigma detected: Remote Access Tool - ScreenConnect Suspicious Execution
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1660645 Sample: 8JBgkWOJr3.exe Startdate: 09/04/2025 Architecture: WINDOWS Score: 44 54 daqqoi1a.anondns.net 2->54 62 Multi AV Scanner detection for submitted file 2->62 64 .NET source code references suspicious native API functions 2->64 66 Contains functionality to hide user accounts 2->66 68 3 other signatures 2->68 8 msiexec.exe 94 53 2->8         started        12 ScreenConnect.ClientService.exe 2 5 2->12         started        15 svchost.exe 2->15         started        17 7 other processes 2->17 signatures3 process4 dnsIp5 46 ScreenConnect.Wind...dentialProvider.dll, PE32+ 8->46 dropped 48 C:\...\ScreenConnect.ClientService.exe, PE32 8->48 dropped 50 C:\Windows\Installer\MSI9A72.tmp, PE32 8->50 dropped 52 10 other files (none is malicious) 8->52 dropped 72 Enables network access during safeboot for specific services 8->72 74 Modifies security policies related information 8->74 19 msiexec.exe 8->19         started        21 msiexec.exe 1 8->21         started        56 daqqoi1a.anondns.net 46.253.4.18, 49685, 8041 BTEL-BG-ASBG Bulgaria 12->56 76 Reads the Security eventlog 12->76 78 Reads the System eventlog 12->78 23 ScreenConnect.WindowsClient.exe 2 12->23         started        26 ScreenConnect.WindowsClient.exe 2 12->26         started        80 Changes security center settings (notifications, updates, antivirus, firewall) 15->80 28 MpCmdRun.exe 15->28         started        58 127.0.0.1 unknown unknown 17->58 30 msiexec.exe 17->30         started        file6 signatures7 process8 signatures9 32 rundll32.exe 11 19->32         started        70 Contains functionality to hide user accounts 23->70 36 conhost.exe 28->36         started        process10 file11 38 C:\Windows\...\ScreenConnect.Windows.dll, PE32 32->38 dropped 40 C:\...\ScreenConnect.InstallerActions.dll, PE32 32->40 dropped 42 C:\Windows\...\ScreenConnect.Core.dll, PE32 32->42 dropped 44 4 other files (none is malicious) 32->44 dropped 60 Contains functionality to hide user accounts 32->60 signatures12
Score:
96%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e6a4f2de6f4e37b2a25beeeefb60ecb5af8f204c6d42c46ee885dec38f313d36
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e6a4f2de6f4e37b2a25beeeefb60ecb5af8f204c6d42c46ee885dec38f313d36/
Threat name:
Win32.Trojan.CrypterX
Create hunting rule
Status:
Malicious
First seen:
2025-04-09 00:26:40 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
12 of 38 (31.58%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=42spfxtpjy33fis353xpwyhmwwxy6icmnvbmi3xiqxpmhdzrhu3a._file
Verdict:
malicious
Label(s):
admintool_screenconnect
Create hunting rule
Similar samples:
006930b41d4187f382d805989c3f1cc709d626d36a9bb1d6eacd45887c78e815
ConnectWise
29ada66e00b3836081159768d9ce4e28bae93259227af22ee8052fa0485df9da
ConnectWise
33b2b67b33d1e021d63c507a98bc2cd73c9f888ee81fb9473ede1926992c3a1d
ConnectWise
592816f41c606b11e8b5369cdce93b91eb7a4492bf9b2e272772b8baa559082a
ConnectWise
b218a4d70fabb2b1e986449597e4c40f9b8d10b1b5038e9e53d14534703ba8d1
ConnectWise
cad2e9c9620091d5807096dc7e1a7404643469f5b1b52d38ef717eeabad0cdd7
ConnectWise
error
ConnectWise
+ 429 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery persistence privilege_escalation
Link:
https://tria.ge/reports/250409-mglccaxms9/
Behaviour
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks processor information in registry
Enumerates system info in registry
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Boot or Logon Autostart Execution: Authentication Package
Drops file in System32 directory
Enumerates connected drives
Looks up external IP address via web service
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
Sets service image path in registry
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/8d413694-4b33-4994-965c-5be356132bc4
Unpacked files
SH256 hash:
e6a4f2de6f4e37b2a25beeeefb60ecb5af8f204c6d42c46ee885dec38f313d36
MD5 hash:
c462ae308666d54c9c02757d3419223f
SHA1 hash:
52c89ae70097fa97523082fec93afdbb9b6c27ad
Link:
https://www.unpac.me/results/866154ae-8adc-4a22-939a-eb7c4d4cc0ec/
SH256 hash:
4b218c6be6f4cc9ca2c3eb603bb39e8b0219e910230a0d390035718d7d93d9e0
MD5 hash:
bd6c75d7056f31ec7e63a9878621058f
SHA1 hash:
98a7127d21d36b40b28f779007a49404c63196c2
Detections:
INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Link:
https://www.unpac.me/results/866154ae-8adc-4a22-939a-eb7c4d4cc0ec/
Parent samples :
e6a4f2de6f4e37b2a25beeeefb60ecb5af8f204c6d42c46ee885dec38f313d36
1de1b9eb516a1e570b7137ee18388529773242353b2a14d9c8397de25ede0606
SH256 hash:
0d7aa9fe84fce93c6c791a8465026400906cb6abf6a7273d1595893e144c82fe
MD5 hash:
39230307a35e3391f44779a9db493243
SHA1 hash:
4217020b0585c3144f3c2ec281d2825fa458f25f
Link:
https://www.unpac.me/results/866154ae-8adc-4a22-939a-eb7c4d4cc0ec/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e6a4f2de6f4e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e6a4f2de6f4e37b2a25beeeefb60ecb5af8f204c6d42c46ee885dec38f313d36

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Author:ditekSHen
Description:Detects ConnectWise Control (formerly ScreenConnect). Review RMM Inventory
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:ProgramLanguage_Rust
Create hunting rule
Author:albertzsigovits
Description:Application written in Rust programming language
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/1301/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetStartupInfoA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileMappingA
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::GetWindowsDirectoryW
KERNEL32.dll::GetSystemDirectoryW
KERNEL32.dll::GetFileAttributesW

Comments