Update/new rule needed for ScreenConnect? sid:2036627

j0hnb3r00t · September 13, 2023, 7:36am

Hello,

While I was following a campaign using ScreenConnect maliciously, I noticed that the initial checkin packet may have changed.
As can be seen in the screenshot below, it looks like it is now “87 1C 10” instead of “87 15 10”.

Here is the link to this specific any.run analysis: Analysis hgsuhfs.exe (MD5: A047BFE20C52C21BC6060FF0F763C235) Malicious activity - Interactive analysis ANY.RUN

Regards,

John

ishaughnessy · September 13, 2023, 4:21pm

@j0hnb3r00t - Thanks for sharing! we’ll get another signature out today to catch this checkin variant.

 2048051 - ET POLICY ScreenConnect-ConnectWise Initial Checkin Packet M2```

Topic		Replies	Views
Bandios C2 Check in Rule Signatures	4	280	December 27, 2022
Inconsistency between the rules 2049660 & 2049661 and the family Rule Signatures	1	210	December 19, 2023
GCleaner Sig Submission Rule Signatures	1	432	January 31, 2023
SIG: MoveIt File Transfer WebShell Interaction Rule Signatures	3	713	June 13, 2023
Possible FP: SID 2046267 ET MALWARE [ANY.RUN] RisePro TCP v.0.1 (External IP) Feedback & Support	13	986	July 16, 2023

Update/new rule needed for ScreenConnect? sid:2036627

Related topics