MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 33283eed43cb365ae5f4541f387ea4f4e81667573b3c890be5606fc53c5852d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AteraAgent


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 33283eed43cb365ae5f4541f387ea4f4e81667573b3c890be5606fc53c5852d5
SHA3-384 hash: 19a30ce144c377d12ac9f6921aacb086883408fcc64df021762e9e4f8e57ae9e8cb32f94323a29bd24d4cb2e5c04d2d5
SHA1 hash: 1f5101843913e1f053442b7412635855ed80e16d
MD5 hash: a49092bd08748f5fe5e51ffcb63325f5
humanhash: connecticut-four-football-social
File name:33283eed43cb365ae5f4541f387ea4f4e81667573b3c890be5606fc53c5852d5
Download: download sample
Signature AteraAgent
Create hunting rule
File size:2'994'176 bytes
First seen:2024-11-08 12:27:05 UTC
Last seen:2024-11-08 14:22:19 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 49152:w+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:w+lUlz9FKbsodq0YaH7ZPxMb8tT
Threatray 150 similar samples on MalwareBazaar
TLSH T10FD523117584483AE3BB0A358D7AD6A05E7DFE605B70CA8E9308741E2D705C1AB76FB3
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter JAMESWT_WT
Tags:AteraAgent msi signed

Code Signing Certificate

Organisation:Atera Networks Ltd
Issuer:DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm:sha256WithRSAEncryption
Valid from:2024-02-15T00:00:00Z
Valid to:2025-03-18T23:59:59Z
Serial number: 0a28499978e5898df40a238eb8a552e8
Intelligence: 70 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: f166bf0cc1fb75ea35db8fb76143a4946a63ff5b1720f787b99014d4777d81d7
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
67
Origin country :
IT IT
Vendor Threat Intelligence
Detection(s):
PUA.Win.File.AteraRemoteAdmin-9942568-0
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=672e03d4a5bee3c9d42bca71
Tags:
shellcode exploit virus
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm cmd expand installer lolbin lolbin packed rundll32
Link:
https://www.filescan.io/uploads/672e03d863e1de74c32421f7/reports/f6a3ef9c-5d9b-431a-852c-1deda2e46f1d/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/33283eed43cb365ae5f4541f387ea4f4e81667573b3c890be5606fc53c5852d5
Result
Threat name:
AteraAgent
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1552148
Signature
AI detected suspicious sample
Creates files in the system32 config directory
Enables network access during safeboot for specific services
Installs Task Scheduler Managed Wrapper
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
Reads the Security eventlog
Reads the System eventlog
Sample is not signed and drops a device driver
System process connects to network (likely due to code injection or exploit)
Yara detected AteraAgent
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1552148 Sample: e8gTT6OTKZ.msi Startdate: 08/11/2024 Architecture: WINDOWS Score: 100 141 Multi AV Scanner detection for dropped file 2->141 143 Multi AV Scanner detection for submitted file 2->143 145 Yara detected AteraAgent 2->145 147 7 other signatures 2->147 9 msiexec.exe 501 854 2->9         started        13 AteraAgent.exe 2->13         started        16 AteraAgent.exe 2->16         started        18 2 other processes 2->18 process3 dnsIp4 107 C:\Windows\Installer\...\ARPPRODUCTICON.exe, PE32 9->107 dropped 109 C:\Windows\Installer\MSIE69C.tmp, PE32 9->109 dropped 111 C:\Windows\Installer\MSID9AB.tmp, PE32 9->111 dropped 119 453 other files (390 malicious) 9->119 dropped 167 Sample is not signed and drops a device driver 9->167 20 msiexec.exe 9->20         started        24 msiexec.exe 9->24         started        26 msiexec.exe 9->26         started        28 AteraAgent.exe 9->28         started        135 18.66.112.10 MIT-GATEWAYSUS United States 13->135 113 C:\...\System.Management.dll, PE32 13->113 dropped 115 C:\...115ewtonsoft.Json.dll, PE32 13->115 dropped 117 C:\...\Microsoft.Win32.TaskScheduler.dll, PE32 13->117 dropped 121 278 other malicious files 13->121 dropped 169 Installs Task Scheduler Managed Wrapper 13->169 31 sc.exe 13->31         started        137 18.66.112.49 MIT-GATEWAYSUS United States 16->137 139 35.157.63.227 AMAZON-02US United States 16->139 123 31 other malicious files 16->123 dropped 171 Creates files in the system32 config directory 16->171 173 Reads the Security eventlog 16->173 175 Reads the System eventlog 16->175 33 AgentPackageSTRemote.exe 16->33         started        35 AgentPackageAgentInformation.exe 16->35         started        37 AgentPackageMonitoring.exe 16->37         started        39 4 other processes 16->39 file5 signatures6 process7 dnsIp8 77 C:\...\SRCredentialProvider.dll (copy), PE32+ 20->77 dropped 79 C:\Windows\Temp\...\_isres_0x0409.dll, PE32 20->79 dropped 81 C:\Windows\Temp\...\_is38F5.exe, PE32+ 20->81 dropped 89 14 other malicious files 20->89 dropped 149 Enables network access during safeboot for specific services 20->149 52 8 other processes 20->52 54 4 other processes 24->54 41 taskkill.exe 26->41         started        44 net.exe 26->44         started        127 199.232.210.172 FASTLYUS United States 28->127 129 192.229.221.95 EDGECASTUS United States 28->129 83 C:\Windows\System32\InstallUtil.InstallLog, Unicode 28->83 dropped 85 C:\...\AteraAgent.InstallLog, Unicode 28->85 dropped 151 Reads the Security eventlog 28->151 153 Reads the System eventlog 28->153 46 conhost.exe 31->46         started        131 35.71.184.3 MERIT-AS-14US United States 33->131 133 13.35.58.107 AMAZON-02US United States 33->133 87 C:\Windows\Temp\SplashtopStreamer.exe, PE32 33->87 dropped 155 Creates files in the system32 config directory 33->155 58 2 other processes 33->58 48 conhost.exe 35->48         started        50 conhost.exe 37->50         started        60 5 other processes 39->60 file9 signatures10 process11 dnsIp12 157 Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines) 41->157 159 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 41->159 161 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 41->161 165 2 other signatures 41->165 62 conhost.exe 41->62         started        64 conhost.exe 44->64         started        66 net1.exe 44->66         started        125 40.119.152.241 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 54->125 97 C:\...\AlphaControlAgentInstallation.dll, PE32 54->97 dropped 99 C:\...\AlphaControlAgentInstallation.dll, PE32 54->99 dropped 101 C:\...\AlphaControlAgentInstallation.dll, PE32 54->101 dropped 105 13 other files (1 malicious) 54->105 dropped 163 System process connects to network (likely due to code injection or exploit) 54->163 103 C:\Windows\Temp\unpack\PreVerCheck.exe, PE32 58->103 dropped 68 PreVerCheck.exe 58->68         started        71 conhost.exe 60->71         started        73 cscript.exe 60->73         started        file13 signatures14 process15 file16 91 C:\Windows\Temp\unpack\libssl-3.dll, PE32 68->91 dropped 93 C:\Windows\Temp\unpack\libcrypto-3.dll, PE32 68->93 dropped 95 C:\Windows\Temp\unpack\SRSocketCtrl.dll, PE32 68->95 dropped 75 msiexec.exe 68->75         started        process17
Score:
75%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/33283eed43cb365ae5f4541f387ea4f4e81667573b3c890be5606fc53c5852d5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/33283eed43cb365ae5f4541f387ea4f4e81667573b3c890be5606fc53c5852d5/
Threat name:
Win32.Trojan.Atera
Create hunting rule
Status:
Malicious
First seen:
2024-11-08 12:26:44 UTC
File Type:
Binary (Archive)
Extracted files:
15
AV detection:
10 of 38 (26.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gmud53kdzm3fvzpukqptq7ve6tubmz2xhm6isc7fmbx4kpcyklkq._file
Verdict:
suspicious
Label(s):
ateraagent
Create hunting rule
Similar samples:
2ba7c24b984423bda7b4982b3b6e230a6c0f2dae44b580c6f02d133e625fd3bb
AteraAgent
3809affad6dc10de4613edb2c172f47b641b0393270a129b24683ccd30fb39d7
AteraAgent
44f4a65edf7ae3ce4fbc50b03bc034b27d699e7a17cbd130cac07d78ce171985
AteraAgent
55af6a90ac8863f27b3fcaa416a0f1e4ff02fb42aa46a7274c6b76aa000aacc2
AteraAgent
615ba2f7363ac61f75d05171c3c02fceefe1e7ab328295be8e4dc55691416c25
AteraAgent
8c684bf0b13e4bc010d63490bd53593cd627be43e8178117c80e4b836881dad6
AteraAgent
9104930a661af5e641ad911fc30c0887433713ea589e389f06cbd5bb0a7ed5ad
AteraAgent
e7d97013314341bbdb5abd3bdade00039a87ec865efc3df4a72feab27f82bf52
AteraAgent
e91b55d8505e22892db37e282dfeca56aa398725f1528ed545c0b77d825be1a7
AteraAgent
error
AteraAgent
fab822cc1d5b10a959de748250badb0f1244964942814046b74c41b8887c8c00
AteraAgent
+ 140 additional samples on MalwareBazaar
Result
Malware family:
ateraagent
Create hunting rule
Score:
  10/10
Tags:
family:ateraagent discovery persistence privilege_escalation rat
Link:
https://tria.ge/reports/241108-pnbgts1pdw/
Behaviour
Checks SCSI registry key(s)
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Checks installed software on the system
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
Launches sc.exe
Loads dropped DLL
Drops file in System32 directory
Enumerates connected drives
Blocklisted process makes network request
AteraAgent
Ateraagent family
Detects AteraAgent
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b8b934c2-e79d-4dc8-84b1-5a0a9dfb901a
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/33283eed43cb365ae5f4541f387ea4f4e81667573b3c890be5606fc53c5852d5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AteraAgent_RemoteAdmin_April_2024
Create hunting rule
Author:NDA0
Description:Detects AteraAgent Remote Admin Tool
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_SliverFox_String
Create hunting rule
Author:huoji
Description:Detect files is `SliverFox` malware
Rule name:NET
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments