MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea7d9798c925b0ec1d02108eada571ca7267c172f9bc338faaa0ff8586068fb6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ConnectWise


Vendor detections: 11


Intelligence 11 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ea7d9798c925b0ec1d02108eada571ca7267c172f9bc338faaa0ff8586068fb6
SHA3-384 hash: f2a3be688db1ee8f6b40219dd6d55b0d76f8a89393ad550ffbb5ad7b86dc6d57c04b4443cb37b5e8f1c30fa62af37b5d
SHA1 hash: e9c5240da0dd89daf47a14363abcdbe422da8d0a
MD5 hash: 4515daf7dbc809057544a88bc04dec1d
humanhash: cola-delta-hotel-sixteen
File name:Level 3 security update.exe
Download: download sample
Signature ConnectWise
Create hunting rule
File size:5'356'808 bytes
First seen:2023-09-03 08:06:40 UTC
Last seen:2023-09-07 08:25:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9771ee6344923fa220489ab01239bdfd (244 x ConnectWise)
ssdeep 98304:aaeNO66+6efPPw2Ks9fM8dYdstG1l40MprZ:aa9efPu8nk40IF
Threatray 5 similar samples on MalwareBazaar
TLSH T12346F111F3D591B6D07F0638D8794666AB74BC088322CB5F5794BE696D33BC09E223B2
TrID 74.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
15.7% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
3.9% (.EXE) Win64 Executable (generic) (10523/12/4)
1.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.7% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter JAMESWT_WT
Tags:ConnectWise exe instance-whpfy0-relay-screenconnect-com signed

Code Signing Certificate

Organisation:Connectwise, LLC
Issuer:DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm:sha256WithRSAEncryption
Valid from:2022-08-17T00:00:00Z
Valid to:2025-08-15T23:59:59Z
Serial number: 0b9360051bccf66642998998d5ba97ce
Intelligence: 444 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 82b4e7924d5bed84fb16ddf8391936eb301479cec707dc14e23bc22b8cdeae28
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
3
# of downloads :
275
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Level 3 security update.exe
Verdict:
Malicious activity
Analysis date:
2023-09-03 08:07:04 UTC
Tags:
screenconnect remote policy
Link:
https://app.any.run/tasks/6ae2f651-9494-4320-b63a-754a9d1a8b42

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/445841/
Detection(s):
Sanesecurity.Malware.29065.SC.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Launching a process
Creating a file
Sending a custom TCP request
Creating a window
Searching for synchronization primitives
Loading a suspicious library
Launching a service
Modifying a system file
Creating a file in the Windows subdirectories
Creating a file in the Program Files subdirectories
Creating a service
Creating a process from a recently created file
Searching for the window
DNS request
Moving a file to the Windows subdirectory
Using the Windows Management Instrumentation requests
Possible injection to a system process
Enabling autorun with the shell\open\command registry branches
Enabling autorun for a service
Unauthorized injection to a recently created process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/109661/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Malicious
Labled as:
RemoteAdmin.ConnectWise
Link:
https://www.hybrid-analysis.com/sample/ea7d9798c925b0ec1d02108eada571ca7267c172f9bc338faaa0ff8586068fb6
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
ConnectWise
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/4204980f-7e35-496e-959f-49dbc6c8da1d
Result
Threat name:
ScreenConnect Tool
Create hunting rule
Detection:
malicious
Classification:
evad
Score:
45 / 100
Link:
https://www.joesandbox.com/analysis/1302374
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Contains functionality to hide user accounts
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1302374 Sample: Level_3_security_update.exe Startdate: 03/09/2023 Architecture: WINDOWS Score: 45 56 Multi AV Scanner detection for submitted file 2->56 58 .NET source code contains potential unpacker 2->58 60 .NET source code references suspicious native API functions 2->60 62 Contains functionality to hide user accounts 2->62 7 ScreenConnect.ClientService.exe 17 15 2->7         started        10 msiexec.exe 92 45 2->10         started        13 Level_3_security_update.exe 3 2->13         started        15 4 other processes 2->15 process3 dnsIp4 50 server-nixde3ff2ff-relay.screenconnect.com 145.40.106.4, 443, 49719, 49720 BREEDBANDDELFTNL Netherlands 7->50 52 instance-whpfy0-relay.screenconnect.com 7->52 17 ScreenConnect.WindowsClient.exe 2 7->17         started        32 C:\Windows\Installer\MSI8521.tmp, PE32 10->32 dropped 34 C:\Windows\Installer\MSI8195.tmp, PE32 10->34 dropped 36 ScreenConnect.Wind...dentialProvider.dll, PE32+ 10->36 dropped 38 7 other files (none is malicious) 10->38 dropped 20 msiexec.exe 10->20         started        22 msiexec.exe 1 10->22         started        24 msiexec.exe 10->24         started        26 msiexec.exe 6 13->26         started        file5 process6 file7 54 Contains functionality to hide user accounts 17->54 29 rundll32.exe 8 20->29         started        40 C:\Users\user\AppData\Local\...\MSI7484.tmp, PE32 26->40 dropped signatures8 process9 file10 42 C:\Users\user\...\ScreenConnect.Windows.dll, PE32 29->42 dropped 44 C:\...\ScreenConnect.InstallerActions.dll, PE32 29->44 dropped 46 C:\Users\user\...\ScreenConnect.Core.dll, PE32 29->46 dropped 48 Microsoft.Deployme...indowsInstaller.dll, PE32 29->48 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ea7d9798c925b0ec1d02108eada571ca7267c172f9bc338faaa0ff8586068fb6/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5j6zpggjewyoyhiccchk3jlrzjzgpqls7g6dhd5kud7ylbqgr63a._file
Verdict:
malicious
Similar samples:
24cb773fd21e8ff6126882b218a5a178f41db0f4fdb290ca4b6b4afbfdb4e3a4
ConnectWise
3daa4dab145c54df4959ad5ef311c6387a3cd7984fc41e167535d4ebcf831827
ConnectWise
60dbc8e2cb2389609132466a2125b832b478e2793db3b68a33ab0c3018f4b47b
ConnectWise
73ab66e22bda8d73307bfbe2c6edba30e8f5b94a4d916b5b00b147ca618a080d
ConnectWise
994fd4e2ae80afedfa17ef2789eab8da068d8b5217bbf4d75ba6fea85d55d3fe
ConnectWise
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/230903-jzze5sgf4x/
Behaviour
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Registers COM server for autorun
Sets service image path in registry
Unpacked files
SH256 hash:
5e7e86caa0c4366b027a4e391bf4d0c7fa8dd40956c2b863bb91214c682ef74c
MD5 hash:
54f5022e5ecd74ee6dad1f64028cc3ef
SHA1 hash:
fa3f58f91d8df6954792eaa86dbb211ec778933a
Link:
https://www.unpac.me/results/f6a62f44-6bfd-4506-a597-91a8f9b1aa9a/
SH256 hash:
db2448a84b95ee9943678669dfdf780387eca163808a166345990ad5487ac827
MD5 hash:
31503bfa04ad00596959fd74d23e4c57
SHA1 hash:
cdcf0d9b55a62707a3f73555eedeeec5e8de0bfc
Link:
https://www.unpac.me/results/f6a62f44-6bfd-4506-a597-91a8f9b1aa9a/
SH256 hash:
c87b39c02e0f9b60cea63960e8baa58e8db42251686a97472c7c97efe9165f5e
MD5 hash:
ee04dab6a7c668821d345d1da860dd4a
SHA1 hash:
ba6cbba54a1116b6c9e3296052e1902b277e82a1
Link:
https://www.unpac.me/results/f6a62f44-6bfd-4506-a597-91a8f9b1aa9a/
SH256 hash:
cfec05cbdef70862f237fb505d8fca2ae94a4b8955a5030687815bac2ce908a3
MD5 hash:
b69446f8cc101d89bcb2a2e09c24b228
SHA1 hash:
9bbe4c6100bd27decb02df72adcb42a5e8aea955
Link:
https://www.unpac.me/results/f6a62f44-6bfd-4506-a597-91a8f9b1aa9a/
SH256 hash:
19ac323ca6eae2f8145cdc2bac865b32cd5a48ad6ff199d4ca7da214b056e1dc
MD5 hash:
5fb6074b08ac4709cf2f29fa5b49023e
SHA1 hash:
8bbb78a47c08867c50572f0bd2a27171f91e0454
Link:
https://www.unpac.me/results/f6a62f44-6bfd-4506-a597-91a8f9b1aa9a/
SH256 hash:
23e016f28fdec7c986d32c5af10308a166caf73b89c123a86552479eed9e13f4
MD5 hash:
a34322bcb3565cd228ffea96d7871942
SHA1 hash:
066e2c6009b441350ec23c676aa40dd48edd1c80
Link:
https://www.unpac.me/results/f6a62f44-6bfd-4506-a597-91a8f9b1aa9a/
SH256 hash:
30ad686ba96481059ba06059b58b264992a31969ad3f8eefe0243dc101b67ffe
MD5 hash:
3f2ee3a197040f4c01109805b6570e2b
SHA1 hash:
9db6efd7cda0546ecfef53c0e6d868cb78732803
Link:
https://www.unpac.me/results/f6a62f44-6bfd-4506-a597-91a8f9b1aa9a/
SH256 hash:
ea7d9798c925b0ec1d02108eada571ca7267c172f9bc338faaa0ff8586068fb6
MD5 hash:
4515daf7dbc809057544a88bc04dec1d
SHA1 hash:
e9c5240da0dd89daf47a14363abcdbe422da8d0a
Link:
https://www.unpac.me/results/f6a62f44-6bfd-4506-a597-91a8f9b1aa9a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.74
Link:
https://yomi.yoroi.company/submissions/ea7d9798c925b0ec1d02108eada571ca7267c172f9bc338faaa0ff8586068fb6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_DotNET_Encrypted
Create hunting rule
Author:ditekSHen
Description:Detects encrypted or obfuscated .NET executables
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:QbotStuff
Create hunting rule
Author:anonymous

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/445841/

Comments