MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48c6727171424afc2789ed1af0197a3e700ea5039c4b7a3683724c46739f61c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AteraAgent


Vendor detections: 10



SHA256 hash: 48c6727171424afc2789ed1af0197a3e700ea5039c4b7a3683724c46739f61c2
SHA3-384 hash: 53e1303e81a2e1a9b1c2ce5ba147bf8b1c4a6dfff8c5114299f72347d59fc393a1e419087ad77b33afc9a92397e3d25c
SHA1 hash: 6ac09402cc896b8e478e6af1436aa5fa6dba4ea0
MD5 hash: 293dbededf4dee5163f25b7902df9a01
humanhash: arizona-white-fifteen-purple
File name: BOMB-762.msi
Signature: AteraAgent
File size: 2'994'176 bytes
First seen: 2024-11-19 01:43:00 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 49152:1+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:1+lUlz9FKbsodq0YaH7ZPxMb8tT
Threatray: 157 similar samples on MalwareBazaar
TLSH: T1BFD523117584483AE37B0A358D7ADAA05E7DFE605B70CA8E9308741E2D705C1AB76FB3
TrID: 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
      10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
      7.8% (.MSP) Windows Installer Patch (44509/10/5)
      1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika: msi
Reporter: FXOLabs
Tags: AteraAgent msi signed

Code Signing Certificate

Organisation: Atera Networks Ltd
Issuer: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm: sha256WithRSAEncryption
Valid from: 2024-02-15T00:00:00Z
Valid to: 2025-03-18T23:59:59Z
Serial number: 0a28499978e5898df40a238eb8a552e8
Intelligence: 70 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: f166bf0cc1fb75ea35db8fb76143a4946a63ff5b1720f787b99014d4777d81d7
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 120
Origin country: BR
Vendor Threat Intelligence

Verdict: Malicious
Score: 96.5%
Tags: shellcode virus msil

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-vm cmd expand installer lolbin packed rundll32

Result
Threat name: AteraAgent
Detection: malicious
Classification: troj.spyw.evad
Score: 84 / 100
Signature
AI detected suspicious sample
Creates files in the system32 config directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Reads the Security eventlog
Reads the System eventlog
Yara detected AteraAgent
Yara detected Generic Downloader
Behaviour
Behavior Graph: [behaviour graph image not reproduced here; Behavior Graph ID: 1558134, Sample: BOMB-762.msi, Startdate: 19/11/2024, Architecture: WINDOWS, Score: 84]
Threat name: Win32.Trojan.Atera
Status: Malicious
First seen: 2024-11-19 01:44:05 UTC
File Type: Binary (Archive)
Extracted files: 15
AV detection: 9 of 38 (23.68%)
Threat level: 5/5

Result
Malware family: ateraagent
Score: 10/10
Tags: family:ateraagent bootkit discovery persistence privilege_escalation rat upx
Behaviour
Checks SCSI registry key(s)
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
System Time Discovery
Checks installed software on the system
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
Launches sc.exe
Loads dropped DLL
Drops file in System32 directory
Event Triggered Execution: Component Object Model Hijacking
UPX packed file
Downloads MZ/PE file
Enumerates connected drives
Writes to the Master Boot Record (MBR)
Blocklisted process makes network request
Drops file in Drivers directory
AteraAgent
Ateraagent family
Detects AteraAgent

Verdict: Suspicious
Tags: n/a
YARA: n/a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AteraAgent_RemoteAdmin_April_2024
Author: NDA0
Description: Detects AteraAgent Remote Admin Tool

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Detect_SliverFox_String
Author: huoji
Description: Detects files that are `SliverFox` malware

Rule name: NET
Author: malware-lu

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method
Distributed via e-mail link

Comments