MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ebef9a56758e158208aa1396fe129d84f8a67253f17e871c966e4b2c8ee39f6f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ConnectWise

Vendor detections: 14

Intelligence 14 IOCs YARA 13 File information Comments

SHA256 hash:	ebef9a56758e158208aa1396fe129d84f8a67253f17e871c966e4b2c8ee39f6f
SHA3-384 hash:	2e55f6893172d4c83bbb8c58bc6267364141c9fdfc3ef9264dbc401c8ac434c8a462156dbc7cea1ffeb030c3b4aedb27
SHA1 hash:	4076ae042599611c955a1acc91106878fb433dc9
MD5 hash:	d830fcdedc2100be262c7537ffc5b78a
humanhash:	one-spring-johnny-alanine
File name:	ScreenConnect.ClientSetup.exe
Download:	download sample
Signature	ConnectWise Create hunting rule
File size:	17'095'736 bytes
First seen:	2026-04-24 17:39:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	9771ee6344923fa220489ab01239bdfd (413 x ConnectWise)
ssdeep	393216:ZCXvI5MvHxrJSCXvI5MvHx4CXvI5MvHxYCXvI5MvHxeCXvI5MvHxrCXvI5MvHxE:ZZ6HxYZ6Hx4Z6HxYZ6HxeZ6HxrZ6HxE
Threatray	2'059 similar samples on MalwareBazaar
TLSH	T1AD072211B3E585B6D0BF1678E8BD42654632FC144B26C2AF53A4796E2C32BC08E72777
TrID	29.5% (.EXE) Win64 Executable (generic) (6522/11/2) 22.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 20.3% (.EXE) Win32 Executable (generic) (4504/4/1) 9.1% (.EXE) OS/2 Executable (generic) (2029/13) 9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	Anonymous
Tags:	ConnectWise exe

Intelligence

File Origin

# of uploads :

# of downloads :

115

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

ScreenConnect

Details

ScreenConnect

a c2 socket address, RSA public key

Link:

https://research.acce.ciphertechsolutions.com/results/81677a52-3978-453f-97d7-b2f33480d3f4/

Malware family:

connectwise

ID:

File name:

https://bellorealtyg.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe

Verdict:

No threats detected

Analysis date:

2026-04-21 10:36:29 UTC

Tags:

connectwise rmm-tool

Link:

https://app.any.run/tasks/0ed56fb5-8753-4807-a8f2-f5e6ca80062b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/63485/

Detection(s):

SecuriteInfo.com.Trojan.Siggen26.37800.12014.29258.UNOFFICIAL

PUA.Win.Tool.ScreenConnect-10058263-0

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69ebab2951cce3ff702f9c23

Tags:

connectwise shellcode dropper virus

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Launching a process

Creating a file

Creating a window

Сreating synchronization primitives

Searching for synchronization primitives

DNS request

Connection attempt

Loading a suspicious library

Sending a custom TCP request

Modifying a system file

Creating a file in the Windows subdirectories

Creating a file in the Program Files subdirectories

Enabling autorun with the shell\open\command registry branches

Gathering data

Verdict:

Malicious

Labled as:

Win32_RemoteAdmin_ConnectWiseControl_Q_potentially_unsafe_application

Link:

https://www.hybrid-analysis.com/sample/ebef9a56758e158208aa1396fe129d84f8a67253f17e871c966e4b2c8ee39f6f

Verdict:

Unknown

File Type:

exe x32

First seen:

2026-04-24T16:44:00Z UTC

Last seen:

2026-04-24T18:52:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/ebef9a56758e158208aa1396fe129d84f8a67253f17e871c966e4b2c8ee39f6f/results?tab=lookup

Malware family:

ConnectWise Inc

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/39dd3a2e-46db-462f-91dd-2c197c149554

Score:

98%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/ebef9a56758e158208aa1396fe129d84f8a67253f17e871c966e4b2c8ee39f6f

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ebef9a56758e158208aa1396fe129d84f8a67253f17e871c966e4b2c8ee39f6f/

Verdict:

Malicious

Threat:

Family.SCREENCONNECT

Link:

https://tip.neiki.dev/file/ebef9a56758e158208aa1396fe129d84f8a67253f17e871c966e4b2c8ee39f6f

Threat name:

Win32.PUA.ConnectWise

Status:

Suspicious

First seen:

2026-04-14 08:22:00 UTC

AV detection:

7 of 36 (19.44%)

Threat level:

1/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5pxzuvtvrykyecfkcolp4eu5qt4km4st6f7iohewnzfszdxdt5xq._file

Verdict:

suspicious

Label(s):

admintool_screenconnect

ConnectWise

dcb9e9760084d3c15061f6bdd17ff63b4166fca1e310254a12cc4db0a0894e57

ConnectWise

de4152e2623b9a98c812ad8b22a2a89eb74f4cdd901af269f874eb7980f54d42

ConnectWise

e67ccc2c4df908ac20729b05e246eb2a2992e8c5558c43b9bc9938371cb4fb43

ConnectWise

error

ConnectWise

+ 2'049 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

discovery ransomware

Link:

https://tria.ge/reports/260424-v8625af17r/

Behaviour

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Drops file in Windows directory

Loads dropped DLL

Checks computer location settings

Enumerates connected drives

Badlisted process makes network request

Unpacked files

SH256 hash:

ebef9a56758e158208aa1396fe129d84f8a67253f17e871c966e4b2c8ee39f6f

MD5 hash:

d830fcdedc2100be262c7537ffc5b78a

SHA1 hash:

4076ae042599611c955a1acc91106878fb433dc9

Link:

https://www.unpac.me/results/1223cb84-4dbf-4d1d-8c9f-02acb2eee5dd/

SH256 hash:

8a55c15cc76e31042e17458c479772aa95bc1b908016c85b1dc8b8e3eff23254

MD5 hash:

decb1fd20d75e6eade9289cc24605f29

SHA1 hash:

5169602d641c4f2ebd9ca0639622949e00c25566

Link:

https://www.unpac.me/results/1223cb84-4dbf-4d1d-8c9f-02acb2eee5dd/

SH256 hash:

0e6502db9fcae756f42f1e32cbb70b87b54286cc9ea1b7a83f51f57b10975aad

MD5 hash:

222611c5a579a6e22a3333dcd3587aba

SHA1 hash:

a1cc8b62acbb217146525a20f26e9ef4241e8563

Link:

https://www.unpac.me/results/1223cb84-4dbf-4d1d-8c9f-02acb2eee5dd/

SH256 hash:

28ff8468ad2db8b41fe9d9a2971dd56fea0aecad14808fe4b31c9b1072d3b129

MD5 hash:

62d114c95b604d7ca684759c22c4c688

SHA1 hash:

d0563d46f2dc95dc8c18535efe7b18292128c0e6

Link:

https://www.unpac.me/results/1223cb84-4dbf-4d1d-8c9f-02acb2eee5dd/

SH256 hash:

6e95d68102dc761942e67e2337ad8e49d32ee7c8943340489a01e2c56ea6e00b

MD5 hash:

1bec5ec41f5a88bab602ba15d6d2879d

SHA1 hash:

859fd0edba414551a48d598141a58fabbb343715

Link:

https://www.unpac.me/results/1223cb84-4dbf-4d1d-8c9f-02acb2eee5dd/

SH256 hash:

9cf2c77df0a1a1e854ec1bbc6940d96f508bfb4b0555a07657c77314803a717e

MD5 hash:

cee388546abc6dfb7a766a33a8066ff5

SHA1 hash:

a41ffb64a859ff3bd32589ce58ac03a84c0b1955

Detections:

SUSP_NET_Large_Static_Array_In_Small_File_Jan24

Link:

https://www.unpac.me/results/1223cb84-4dbf-4d1d-8c9f-02acb2eee5dd/

Parent samples :

e67ccc2c4df908ac20729b05e246eb2a2992e8c5558c43b9bc9938371cb4fb43
de4152e2623b9a98c812ad8b22a2a89eb74f4cdd901af269f874eb7980f54d42
dcb9e9760084d3c15061f6bdd17ff63b4166fca1e310254a12cc4db0a0894e57
72b0bdc099597ac6bdcd812f2d57ef5066f1b5f4d2f4a8f2a8f9a45a697eb37d
f3419d6903670e26e8b9c9582d5621d85942abee0f431b1d619d3dcd66daded6
e696be9abe6b2b9a656f33e7aed8092f73f94ae439f680305e5dcc0fb430f4b3
66ca66cae93c34e60a9a328b082fc7aa5396cc046bcfc5a14681d072128b9be7
66d6874b32fe87967b5e7a0771b581d2016591c3d3f46afd53ee24f73547293a
b014212dad9301369b09c11e2ca06279b23a764a183e0958b802b2d92cc0038f
ebef9a56758e158208aa1396fe129d84f8a67253f17e871c966e4b2c8ee39f6f
c3f9a7289415de1e238d094c061f2f620058faa59190fe016f86cab5bde25b83
fe580e517b77136ddd535a05feeedd8a8e73d99d590f2ee1ff96a2f1de75e2bc

SH256 hash:

a40087c78a18f9d177dfe5fa5f0bec2cf113a80c2ffbe4d0ec3d582b067120d5

MD5 hash:

ebebb49c1d1e6f35febe4b8d4138f7b5

SHA1 hash:

00337a0af8352464407d9b8f114ad798ba99bee5

Link:

https://www.unpac.me/results/1223cb84-4dbf-4d1d-8c9f-02acb2eee5dd/

SH256 hash:

289a4eea79baa4141744e44d60db713e18b5f23322663c63047962f51b467614

MD5 hash:

48979a1a6d3badea8124bce04b1e01a5

SHA1 hash:

06931bd96343ce167eda796112a30ca8d9fa536a

Link:

https://www.unpac.me/results/1223cb84-4dbf-4d1d-8c9f-02acb2eee5dd/

SH256 hash:

a980a4c044edd3bd118742814dec48d56506e6f40675c60defd5e85ce0f5ec20

MD5 hash:

06f620d184bc8ffc52de73e453b6a62a

SHA1 hash:

0ff1dbbc90aa09a9cd43e4f87f6eb357b0b55d7f

Detections:

INDICATOR_RMM_ConnectWise_ScreenConnect

Link:

https://www.unpac.me/results/1223cb84-4dbf-4d1d-8c9f-02acb2eee5dd/

Parent samples :

SH256 hash:

10933424536d53e397f651915f862c933199c50722943c236b020787b2e8f147

MD5 hash:

c261e034df63aca035d7914d354b9dca

SHA1 hash:

50e59350f4b524e55eec1a7ee0531bf9ad33a33b

Detections:

SUSP_NET_Shellcode_Loader_Indicators_Jan24

INDICATOR_RMM_ConnectWise_ScreenConnect

Link:

https://www.unpac.me/results/1223cb84-4dbf-4d1d-8c9f-02acb2eee5dd/

Parent samples :

SH256 hash:

528242c7745783b3b4ae72fec13bb9bd49b17b0e00f60c027351147f21fdd359

MD5 hash:

dc1e764763d65555086850eba51af5c4

SHA1 hash:

66043dbac97f3b86c019c218e5b127bb7e4441b8

Link:

https://www.unpac.me/results/1223cb84-4dbf-4d1d-8c9f-02acb2eee5dd/

SH256 hash:

19ac323ca6eae2f8145cdc2bac865b32cd5a48ad6ff199d4ca7da214b056e1dc

MD5 hash:

5fb6074b08ac4709cf2f29fa5b49023e

SHA1 hash:

8bbb78a47c08867c50572f0bd2a27171f91e0454

Link:

https://www.unpac.me/results/1223cb84-4dbf-4d1d-8c9f-02acb2eee5dd/

SH256 hash:

4e8de6683206a607d12bc32f2c4316cb37992ffcfade7f2ae3a84fb5cf492a9a

MD5 hash:

d6c08447040e5e6b591483c4780dbd7a

SHA1 hash:

a10af25f44a08afe10821d009b71e55e756ae5b4

Link:

https://www.unpac.me/results/1223cb84-4dbf-4d1d-8c9f-02acb2eee5dd/

SH256 hash:

ad6062215032ab58369403b1221562b5e7fb5ae7d52b29b7fad69eefb2d8455b

MD5 hash:

723f2aaeeda1d2bb2f49322da349ffc9

SHA1 hash:

ac6ab994beaff69adf8a2dc480a8a628175ff6c8

Link:

https://www.unpac.me/results/1223cb84-4dbf-4d1d-8c9f-02acb2eee5dd/

SH256 hash:

df431539a35b117118fb0cb10a37d2395a68ce3b7506b5e3f3aeaf3cd8790fe1

MD5 hash:

1e00080be9c04de5ff4026e7dbdf8232

SHA1 hash:

cb1fb1d36524f18d0d1b6b1cd50c7ca683ad27e5

Link:

https://www.unpac.me/results/1223cb84-4dbf-4d1d-8c9f-02acb2eee5dd/

SH256 hash:

9342c7be8036a5f8dc3895d75e3314dce961fd3bc70ee59928c67fa04f0c7e08

MD5 hash:

5419ff27205d3e5affa3fc18b811b843

SHA1 hash:

cf49072c50456381cd26cd32cb97606c5f5cfd26

Link:

https://www.unpac.me/results/1223cb84-4dbf-4d1d-8c9f-02acb2eee5dd/

SH256 hash:

c51a2b5cb5054ec0136e332bf290c8af3392d7936b5137a07423df08ab33d264

MD5 hash:

d9ef4f245159eb7374677f603e18b9ec

SHA1 hash:

e7aa0b8bce504d31323d10dd987fa2d517649191

Detections:

INDICATOR_RMM_ConnectWise_ScreenConnect

Link:

https://www.unpac.me/results/1223cb84-4dbf-4d1d-8c9f-02acb2eee5dd/

Parent samples :

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ebef9a56758e158208aa1396fe129d84f8a67253f17e871c966e4b2c8ee39f6f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_EXE_DotNET_Encrypted Create hunting rule
Author:	ditekSHen
Description:	Detects encrypted or obfuscated .NET executables

Rule name:	INDICATOR_RMM_ConnectWise_ScreenConnect Create hunting rule
Author:	ditekSHen
Description:	Detects ConnectWise Control (formerly ScreenConnect). Review RMM Inventory

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	telebot_framework Create hunting rule
Author:	vietdx.mb

Rule name:	TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE Create hunting rule
Author:	CYFARE
Description:	Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:	https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/63485/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample