Update/new rule needed for ScreenConnect? sid:2036627

j0hnb3r00t · September 13, 2023, 7:36am

Hello,

While I was following a campaign using ScreenConnect maliciously, I noticed that the initial checkin packet may have changed.
As can be seen in the screenshot below, it looks like it is now “87 1C 10” instead of “87 15 10”.

Here is the link to this specific any.run analysis: Analysis hgsuhfs.exe (MD5: A047BFE20C52C21BC6060FF0F763C235) Malicious activity - Interactive analysis ANY.RUN

Regards,

John

ishaughnessy · September 13, 2023, 4:21pm

@j0hnb3r00t - Thanks for sharing! we’ll get another signature out today to catch this checkin variant.

 2048051 - ET POLICY ScreenConnect-ConnectWise Initial Checkin Packet M2```

Topic		Replies	Views
StealC Stealer Rule Signatures	11	655	December 28, 2023
Bandios C2 Check in Rule Signatures	4	219	December 27, 2022
Inconsistency between the rules 2049660 & 2049661 and the family Rule Signatures	1	156	December 19, 2023
GCleaner Sig Submission Rule Signatures	1	386	January 31, 2023
SIG: MoveIt File Transfer WebShell Interaction Rule Signatures	3	643	June 13, 2023

Update/new rule needed for ScreenConnect? sid:2036627

Related Topics