MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ead39cfaa2f4c7734f86cff9e7426a9ce2b64161215ba597bff4892ab57d3998. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ConnectWise


Vendor detections: 12


Intelligence 12 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ead39cfaa2f4c7734f86cff9e7426a9ce2b64161215ba597bff4892ab57d3998
SHA3-384 hash: a7eaef521bb3c595e7d541a0ee3f4c5863ff3ff2c892fd9c4e6a6fdbf727b843e97d39489aceff8fb5d7b051e87b744a
SHA1 hash: dd766b44921711cc6a71929fcc8b10d3343de53a
MD5 hash: 1b370a5d1c4d0c9ed6bcc6b492e526a2
humanhash: rugby-paris-eighteen-maine
File name:ZoomWorkspace.exe
Download: download sample
Signature ConnectWise
Create hunting rule
File size:12'572'728 bytes
First seen:2025-11-03 07:48:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9771ee6344923fa220489ab01239bdfd (245 x ConnectWise)
ssdeep 196608:53fefPGFgnsvf03WsH9BMgnsvfYgnsvfhgnsvfB:5Mw83t9BVw5wKwZ
Threatray 818 similar samples on MalwareBazaar
TLSH T151C61211F3E592B5D0BF0A38E87A42665A75BC049712C7BF5790792A2D32BC09E32773
TrID 40.3% (.EXE) Win64 Executable (generic) (10522/11/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter juroots
Tags:ConnectWise exe signed

Code Signing Certificate

Organisation:ConnectWise, LLC
Issuer:DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm:sha256WithRSAEncryption
Valid from:2025-06-23T00:00:00Z
Valid to:2028-06-22T23:59:59Z
Serial number: 0abbca120c79810a182f72f89c04358f
Intelligence: 20 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: b7902a93876909ba13bc23013f2c4239db57bfe742f500766a1673c5199fd1fb
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
90
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
_ead39cfaa2f4c7734f86cff9e7426a9ce2b64161215ba597bff4892ab57d3998.exe
Verdict:
Malicious activity
Analysis date:
2025-11-03 07:50:01 UTC
Tags:
screenconnect rmm-tool tool remote
Link:
https://app.any.run/tasks/6685e52f-c5ea-41ba-930a-b255f4fd73ff

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/35061/
Detection(s):
Sanesecurity.Malware.29065.SC.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Siggen26.37800.12014.29258.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69085e559942f1282ecb9b59
Tags:
connectwise shellcode dropper spawn
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
base64 installer-heuristic microsoft_visual_cc net packed privilege reconnaissance signed
Link:
https://www.filescan.io/uploads/69085e4cde25fddba0625da5/reports/21ce9cf6-71ae-4674-b537-a6d65ebc608e/overview
Verdict:
Malicious
Labled as:
Win/grayware_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/ead39cfaa2f4c7734f86cff9e7426a9ce2b64161215ba597bff4892ab57d3998
Verdict:
Adware
File Type:
exe x32
Detections:
BSS:Trojan.Win32.Generic BSS:Exploit.Win32.Generic.nblk BSS:Exploit.Win32.Generic not-a-virus:HEUR:RemoteAdmin.Win32.ConnectWise.gen
Link:
https://opentip.kaspersky.com/ead39cfaa2f4c7734f86cff9e7426a9ce2b64161215ba597bff4892ab57d3998/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/daf14677-cdd8-4f6f-9db2-3cf7b034bff2
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ead39cfaa2f4c7734f86cff9e7426a9ce2b64161215ba597bff4892ab57d3998
Verdict:
inconclusive
YARA:
9 match(es)
Tags:
.Net CAB:COMPRESSION:LZX CAB:COMPRESSION:NONE Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.00 SOS: 0.07 SOS: 0.21 SOS: 0.24 SOS: 0.25 SOS: 0.26 SOS: 0.27 SOS: 0.31 SOS: 0.36 SOS: 0.39 Win 32 Exe x86
Link:
https://app.malva.re/file/1b370a5d1c4d0c9ed6bcc6b492e526a2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ead39cfaa2f4c7734f86cff9e7426a9ce2b64161215ba597bff4892ab57d3998/
Verdict:
Malicious
Threat:
RemoteAdmin.Win32.ConnectWise
Link:
https://tip.neiki.dev/file/ead39cfaa2f4c7734f86cff9e7426a9ce2b64161215ba597bff4892ab57d3998
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5ljzz6vc6tdxgt4gz746oqtkttrlmqlbefn2lf576sesvnl5hgma._file
Verdict:
malicious
Label(s):
admintool_screenconnect
Create hunting rule
Similar samples:
16d219bf805b87558798ebff2246de247a010de7baa7fe3058daeaac1ffc3fa7
ConnectWise
1fd040c91b03f71d5a120f3c6b696da441d8424ba6f874991f5e7f1b014beb65
ConnectWise
41b09f258f3086f89c3c0dfa0c89e8c7a1a0095ac17537ba49eb381061cbd4ce
ConnectWise
433ec15200c20d2d70f26f753897dd71c53362814f8fe2966a10b0cfcdb8a4e5
ConnectWise
77ea13f76b8c9f4e67f4d149ca5cce7d9937e8fe0497dfd76520d870a84dae2e
ConnectWise
bd12c6d8caeb7e4a473c37878435e812db9a379b435ac1aa66b41e1036eb02eb
ConnectWise
e0af0be8429ca59caa591431d0cd4189f79a2a4e06850a96328206e660cb637c
ConnectWise
ead39cfaa2f4c7734f86cff9e7426a9ce2b64161215ba597bff4892ab57d3998
ConnectWise
error
ConnectWise
+ 808 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
backdoor discovery persistence privilege_escalation ransomware rat
Link:
https://tria.ge/reports/251103-jndz3afs4f/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Boot or Logon Autostart Execution: Authentication Package
Checks computer location settings
Drops file in System32 directory
Event Triggered Execution: Component Object Model Hijacking
Badlisted process makes network request
Enumerates connected drives
ConnectWise ScreenConnect remote access tool
Sets service image path in registry
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/98cb9ebb-08f4-4cf2-aa75-681fb4eccf3a
Unpacked files
SH256 hash:
1fbdb295cdb52e242e272bb1390264d9da196bbcd40a02b7a00a2b091d657e17
MD5 hash:
f6bfdee9978ae72a53bcd2355c5f905b
SHA1 hash:
1043c4e15e64de9ef85cb8499aabc6b9396e7d6d
Detections:
INDICATOR_EXE_DotNET_Encrypted
Create hunting rule
INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Link:
https://www.unpac.me/results/b3ea49ef-c09b-43f3-b12c-c9a34ae21496/
SH256 hash:
9342c7be8036a5f8dc3895d75e3314dce961fd3bc70ee59928c67fa04f0c7e08
MD5 hash:
5419ff27205d3e5affa3fc18b811b843
SHA1 hash:
cf49072c50456381cd26cd32cb97606c5f5cfd26
Link:
https://www.unpac.me/results/b3ea49ef-c09b-43f3-b12c-c9a34ae21496/
SH256 hash:
8a55c15cc76e31042e17458c479772aa95bc1b908016c85b1dc8b8e3eff23254
MD5 hash:
decb1fd20d75e6eade9289cc24605f29
SHA1 hash:
5169602d641c4f2ebd9ca0639622949e00c25566
Link:
https://www.unpac.me/results/b3ea49ef-c09b-43f3-b12c-c9a34ae21496/
SH256 hash:
ad6062215032ab58369403b1221562b5e7fb5ae7d52b29b7fad69eefb2d8455b
MD5 hash:
723f2aaeeda1d2bb2f49322da349ffc9
SHA1 hash:
ac6ab994beaff69adf8a2dc480a8a628175ff6c8
Link:
https://www.unpac.me/results/b3ea49ef-c09b-43f3-b12c-c9a34ae21496/
SH256 hash:
808c61a09e220c361cff01e76c30f269e6c037c85069e0811662fd86c137874a
MD5 hash:
80e0336184ee640aa9318b02d255aac1
SHA1 hash:
d6159490c9024d7053241960671aa26a0ccc8579
Link:
https://www.unpac.me/results/b3ea49ef-c09b-43f3-b12c-c9a34ae21496/
SH256 hash:
289a4eea79baa4141744e44d60db713e18b5f23322663c63047962f51b467614
MD5 hash:
48979a1a6d3badea8124bce04b1e01a5
SHA1 hash:
06931bd96343ce167eda796112a30ca8d9fa536a
Link:
https://www.unpac.me/results/b3ea49ef-c09b-43f3-b12c-c9a34ae21496/
SH256 hash:
807ac81b0882409e082c95c1f00771d836f7a7ae82637300f81e46ebce6ea078
MD5 hash:
3dbe0d79810c999310c4b95e64fe3752
SHA1 hash:
812367f23da90fa9c09762d26744f75ee6a3f43c
Link:
https://www.unpac.me/results/b3ea49ef-c09b-43f3-b12c-c9a34ae21496/
SH256 hash:
30077c8f5b118458a5c924039b44e5b271b6af053304cfd3da3ec46d9b40417b
MD5 hash:
42ca9d2ae74370935445219605a30b17
SHA1 hash:
d68fb04f52df55424404775814920173db854654
Link:
https://www.unpac.me/results/b3ea49ef-c09b-43f3-b12c-c9a34ae21496/
SH256 hash:
19ac323ca6eae2f8145cdc2bac865b32cd5a48ad6ff199d4ca7da214b056e1dc
MD5 hash:
5fb6074b08ac4709cf2f29fa5b49023e
SHA1 hash:
8bbb78a47c08867c50572f0bd2a27171f91e0454
Link:
https://www.unpac.me/results/b3ea49ef-c09b-43f3-b12c-c9a34ae21496/
SH256 hash:
66be99f7cedbeb0b2755fc98191a07848fa013cb0ba9b3786bc8c4a0e885c3da
MD5 hash:
5c7b13d9b432a0ee859d7684e20602e8
SHA1 hash:
e3dc010ddbf5178049bd3c06d441e8967a4cfb97
Detections:
INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Link:
https://www.unpac.me/results/b3ea49ef-c09b-43f3-b12c-c9a34ae21496/
Parent samples :
ead39cfaa2f4c7734f86cff9e7426a9ce2b64161215ba597bff4892ab57d3998
be48b072d698b978b8547d3d8d6901586ec4abb129786cd880d294bd273a5b87
29ef0043dfd8c1e642c559976201c44823757eb8cb2dc9c5e9f6183dd9678883
SH256 hash:
57d83406f6642aeba9bf42c8f8650a1c3d11145a90355b8daeb6a2afe2afdc8a
MD5 hash:
967a0e19c16909e243fb0df81310f4ac
SHA1 hash:
61ad181097ed042dc80d5899c8ee8cdcb7a9197b
Link:
https://www.unpac.me/results/b3ea49ef-c09b-43f3-b12c-c9a34ae21496/
SH256 hash:
47ecc0e50315e30d705408ce5fa783135fdf4e79fcff6da32b648af4cfcea855
MD5 hash:
09db58e4988798a2263a6f4aed6942a1
SHA1 hash:
3bb8951ecbc147f52b057ff828d3fcb80336b50f
Detections:
SUSP_NET_Shellcode_Loader_Indicators_Jan24
Create hunting rule
INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Link:
https://www.unpac.me/results/b3ea49ef-c09b-43f3-b12c-c9a34ae21496/
Parent samples :
ead39cfaa2f4c7734f86cff9e7426a9ce2b64161215ba597bff4892ab57d3998
be48b072d698b978b8547d3d8d6901586ec4abb129786cd880d294bd273a5b87
29ef0043dfd8c1e642c559976201c44823757eb8cb2dc9c5e9f6183dd9678883
SH256 hash:
2cb45c8a613d13a6e457a7ab67416e522753c19581dfd5db37e1f8a2bd85d1fd
MD5 hash:
ee029cc80de9358a347af51588f24e9d
SHA1 hash:
e53fa3f5581c3f5b792b6b6468a1ec140b2c923f
Detections:
INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Link:
https://www.unpac.me/results/b3ea49ef-c09b-43f3-b12c-c9a34ae21496/
Parent samples :
ead39cfaa2f4c7734f86cff9e7426a9ce2b64161215ba597bff4892ab57d3998
be48b072d698b978b8547d3d8d6901586ec4abb129786cd880d294bd273a5b87
29ef0043dfd8c1e642c559976201c44823757eb8cb2dc9c5e9f6183dd9678883
SH256 hash:
24b35b9f3630b27f36fcae0a8064f16c6bc73def2ba00374d874a459acaaaef4
MD5 hash:
d3705cce7d76cbb34b8c32db011a8900
SHA1 hash:
babcc303b25599a6fd1663a4353759b100362f80
Detections:
SUSP_NET_Large_Static_Array_In_Small_File_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/b3ea49ef-c09b-43f3-b12c-c9a34ae21496/
Parent samples :
ead39cfaa2f4c7734f86cff9e7426a9ce2b64161215ba597bff4892ab57d3998
be48b072d698b978b8547d3d8d6901586ec4abb129786cd880d294bd273a5b87
SH256 hash:
2fe4971f0af384cc409adebbc5e657f23485abd47b735a09a598f56c69d247e7
MD5 hash:
d0df824f8eff0b844c26fbbc404a72a7
SHA1 hash:
20e83e4a20e52805568640857d6d3103cff6a815
Link:
https://www.unpac.me/results/b3ea49ef-c09b-43f3-b12c-c9a34ae21496/
SH256 hash:
3575e75152305162122f4bbbaf47468a1ca88517c6147306c91fc57b2f374389
MD5 hash:
c025888cc46853e42343e0196f34d403
SHA1 hash:
934c68b2d862bb7344b5d89e505832922d945d7b
Link:
https://www.unpac.me/results/b3ea49ef-c09b-43f3-b12c-c9a34ae21496/
SH256 hash:
390c3122f647553fe83ed4f4a7d6aebf834fd54aaeaba30512876eeb649d7f3c
MD5 hash:
2d4c4b16ea9f833038a064a8127267d1
SHA1 hash:
a93b5237ac7f29f161e154eeb8e8ec561f1a406f
Link:
https://www.unpac.me/results/b3ea49ef-c09b-43f3-b12c-c9a34ae21496/
SH256 hash:
3edf926e5a35a74fd792a740a90e2a3a1c2d0574366f910dd2cfb06c905409b2
MD5 hash:
d33aced2a786cecb5a97f43221adee4d
SHA1 hash:
7330f44ddbce757b203d015d446f08cc4cd30b73
Link:
https://www.unpac.me/results/b3ea49ef-c09b-43f3-b12c-c9a34ae21496/
SH256 hash:
a5b8f0070201e4f26260af6a25941ea38bd7042aefd48cd68b9acf951fa99ee5
MD5 hash:
5adcb5ae1a1690be69fd22bdf3c2db60
SHA1 hash:
09a802b06a4387b0f13bf2cda84f53ca5bdc3785
Link:
https://www.unpac.me/results/b3ea49ef-c09b-43f3-b12c-c9a34ae21496/
SH256 hash:
be88222df0d4b16419ca33b99fa95ee12046495b7d27cd555004f8652419ad24
MD5 hash:
6c91b8321c1b1ae4316c26f483c8944d
SHA1 hash:
19463cabcd8122e5dd58092796625fad4f2efd4f
Link:
https://www.unpac.me/results/b3ea49ef-c09b-43f3-b12c-c9a34ae21496/
SH256 hash:
bfab3c94cf201d3c7f77abd7c4b384a026bab1379afc0094a829f19eaf1c6853
MD5 hash:
adad2276e1f769e3fef2c5d0b1563709
SHA1 hash:
9bd6ebd71041e5091b572b2985ae167022adca91
Link:
https://www.unpac.me/results/b3ea49ef-c09b-43f3-b12c-c9a34ae21496/
SH256 hash:
e6bc140a7c450d1785692d940219df98eb903644e0c247eddf1723c05b8d73ab
MD5 hash:
1732b31b22f87d46fbc56da6e9faefbc
SHA1 hash:
691400a1d74a5a6a295f2723268b54e9b5515ea1
Detections:
INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Link:
https://www.unpac.me/results/b3ea49ef-c09b-43f3-b12c-c9a34ae21496/
SH256 hash:
ee10da3a88d53e59a57a587625676db99eb149429aa3708beaf02b133850becf
MD5 hash:
cc082690e7c9e690a589d7fc8033cd5a
SHA1 hash:
0c3c9a6646aded29ff274bc1d348836428491118
Detections:
SUSP_NET_Shellcode_Loader_Indicators_Jan24
Create hunting rule
INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Link:
https://www.unpac.me/results/b3ea49ef-c09b-43f3-b12c-c9a34ae21496/
SH256 hash:
f816096653cb2538e47d6e1b7657693ecdb15bc005d189d70e935abcad0917b3
MD5 hash:
eff9478bbec5c6ef3150f47bb0e9a13a
SHA1 hash:
8fe999d46e4da87aad7654c6b5664d85cd03a8c9
Link:
https://www.unpac.me/results/b3ea49ef-c09b-43f3-b12c-c9a34ae21496/
SH256 hash:
e4b29e87ae288199964726c10ea221827cfde794c2aee17f71f4561cd09bf472
MD5 hash:
95e483ac0872859afbf474ea322006d4
SHA1 hash:
d44024116695f61f35d219af176ca1dff371b222
Link:
https://www.unpac.me/results/b3ea49ef-c09b-43f3-b12c-c9a34ae21496/
SH256 hash:
ead39cfaa2f4c7734f86cff9e7426a9ce2b64161215ba597bff4892ab57d3998
MD5 hash:
1b370a5d1c4d0c9ed6bcc6b492e526a2
SHA1 hash:
dd766b44921711cc6a71929fcc8b10d3343de53a
Link:
https://www.unpac.me/results/b3ea49ef-c09b-43f3-b12c-c9a34ae21496/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ead39cfaa2f4c7734f86cff9e7426a9ce2b64161215ba597bff4892ab57d3998

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_EXE_DotNET_Encrypted
Create hunting rule
Author:ditekSHen
Description:Detects encrypted or obfuscated .NET executables
Rule name:INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Author:ditekSHen
Description:Detects ConnectWise Control (formerly ScreenConnect). Review RMM Inventory
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ConnectWise

Executable exe ead39cfaa2f4c7734f86cff9e7426a9ce2b64161215ba597bff4892ab57d3998

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/35061/
  
URLhaus
https://urlhaus.abuse.ch/url/3694781/
  
Delivery method
Distributed via web download

Comments