MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f50bb85de2859695c5a82a061f9bb4ca53a96df654b3555f67bcacb7150d53fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ConnectWise

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	f50bb85de2859695c5a82a061f9bb4ca53a96df654b3555f67bcacb7150d53fc
SHA3-384 hash:	420e26eeb832a68f6af625ba8b5ef557629bb4b70543dd9acf91d73aa607872d0d7ef5485ca220e3876cc089d70c5c29
SHA1 hash:	9f05dc3e22b094e24826b6b8397e8337eaac72a1
MD5 hash:	ab41b8aae23139a120bd150b480f52d9
humanhash:	magazine-robin-mirror-lemon
File name:	INVITATION.vbs
Download:	download sample
Signature	ConnectWise Create hunting rule
File size:	1'209 bytes
First seen:	2025-12-15 17:59:28 UTC
Last seen:	Never
File type:	vbs
MIME type:	text/plain
ssdeep	24:Pb7z/Gc+YDLUd0s3MfhK6KJevZROMaARkIIMPTQ/FdW2AwU/G:j/1DL48k6KJevZHREMc/FdW2AXO
Threatray	1'101 similar samples on MalwareBazaar
TLSH	T1D821241FFA4BE2213565A213C3AA1D1DC748126B57008851BBA87508AB24734EBB92D7
Magika	vba
Reporter	Anonymous
Tags:	ConnectWise vbs

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/45123/

Detection(s):

SecuriteInfo.com.PUA.Powershell.Downloader-3.UNOFFICIAL

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69404ccccacd1005450d830c

Tags:

obfuscate xtreme overt

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

evasive expand lolbin lolbin msiexec powershell rundll32 wscript

Link:

https://www.filescan.io/uploads/69404cbde126b9ff4380f4b6/reports/9813151b-d251-4e41-a046-1a22a56188b1/overview

Verdict:

Malicious

Labled as:

TrojanDownloader/VBS.Agent

Link:

https://www.hybrid-analysis.com/sample/f50bb85de2859695c5a82a061f9bb4ca53a96df654b3555f67bcacb7150d53fc

Verdict:

Malicious

File Type:

vbs

First seen:

2025-12-15T15:24:00Z UTC

Last seen:

2025-12-17T11:28:00Z UTC

Hits:

~100

Detections:

PDM:Trojan.Win32.Generic Trojan.Win32.Agent.sb HEUR:Trojan-Downloader.Script.Generic HEUR:Trojan.Script.Generic not-a-virus:RemoteAdmin.MSIL.ConnectWise.c not-a-virus:RemoteAdmin.MSIL.ConnectWise.b not-a-virus:RemoteAdmin.MSIL.ConnectWise.a RemoteAdmin.ConnectWise.HTTP.C&C not-a-virus:RemoteAdmin.MSIL.ConnectWise.d not-a-virus:HEUR:RemoteAdmin.MSIL.ConnectWise.gen

Link:

https://opentip.kaspersky.com/f50bb85de2859695c5a82a061f9bb4ca53a96df654b3555f67bcacb7150d53fc/results?tab=lookup

Score:

32%

Verdict:

Susipicious

File Type:

SCRIPT

Link:

https://malprob.io/report/f50bb85de2859695c5a82a061f9bb4ca53a96df654b3555f67bcacb7150d53fc

Verdict:

Malware

YARA:

1 match(es)

Tags:

Batch Command DeObfuscated PowerShell PowerShell Call Scripting.FileSystemObject Shell.Application VBScript WScript.Shell

Link:

https://app.malva.re/file/ab41b8aae23139a120bd150b480f52d9

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f50bb85de2859695c5a82a061f9bb4ca53a96df654b3555f67bcacb7150d53fc/

Verdict:

Malicious

Threat:

RemoteAdmin.MSIL.ConnectWise

Link:

https://tip.neiki.dev/file/f50bb85de2859695c5a82a061f9bb4ca53a96df654b3555f67bcacb7150d53fc

Threat name:

Script-BAT.Trojan.Runner

Status:

Malicious

First seen:

2025-12-15 17:53:39 UTC

File Type:

Text (VBS)

AV detection:

13 of 37 (35.14%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6uf3qxpcqwljlrnifidb7g5uzjj2s3pwkszvkx3hxswlofinkp6a._file

Verdict:

malicious

Label(s):

admintool_screenconnect

ConnectWise

1e4d6715cfaad3943b71fa529402e678bd23913811b31a21481a5a8a2e1f3499

ConnectWise

a316d5310f1e5f12415b740ce2c7e3988635f404a451716a9a85cf7ba93684aa

ConnectWise

b23524c5ee1960293a4a82d607cc7eb34f079187a74ef95b3a4b4e83918e4d47

ConnectWise

b6928d89c300d9d317a8ea884f382acba1af0237d93ae4d88d9821c780b41a0f

ConnectWise

c2d7f10bc541f7b56137cb1b7ae8ea496b8301f38a2d2649d1a64016798015df

ConnectWise

ddaba68dfac28852d3936c8ca86b9061d754e02bd20c15ab36504805f634b0be

ConnectWise

error

ConnectWise

fc7ee0a9cffabfd03e1b972bcbfd4504289482f86c83c391165ebe5253995ef9

ConnectWise

+ 1'091 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

backdoor discovery execution persistence privilege_escalation rat revoked_codesign

Link:

https://tria.ge/reports/251215-wlk2taynbr/

Behaviour

Checks processor information in registry

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Drops file in Windows directory

Boot or Logon Autostart Execution: Authentication Package

Drops file in System32 directory

Command and Scripting Interpreter: PowerShell

Enumerates connected drives

Checks computer location settings

ConnectWise ScreenConnect remote access tool

Event Triggered Execution: Component Object Model Hijacking

Executes dropped EXE

Loads dropped DLL

Badlisted process makes network request

Binary is signed using a ConnectWise certificate revoked for key compromise.

Sets service image path in registry

Malware Config

Dropper Extraction:

http://server.realopmo.online/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f50bb85de2859695c5a82a061f9bb4ca53a96df654b3555f67bcacb7150d53fc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/45123/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample