MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 66ea27e2e043adcfca5352089e2cbe7d4349f1f7e78dd4acefaf451b8c9585c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AteraAgent

Vendor detections: 6

SHA256 hash: 66ea27e2e043adcfca5352089e2cbe7d4349f1f7e78dd4acefaf451b8c9585c4
SHA3-384 hash: 7e534fb97d76883e6e15edacc8c377eb7a3ceb1917a0c36bd77a10dd54f7ab27677e0f72f5ec1a1a97b5386ca1d4525a
SHA1 hash: a05b7bb3931533e0aeeaa4eb48e43befd095b4fb
MD5 hash: 4786b508296d522bde9b35893599f677
humanhash: mexico-potato-california-fish
File name: AdobeAcrobat2.1.2.msi
Signature: AteraAgent
File size: 2'994'176 bytes
First seen: 2024-04-16 18:26:20 UTC
Last seen: 2024-04-16 19:35:00 UTC
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 49152:h+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:h+lUlz9FKbsodq0YaH7ZPxMb8tT
Threatray: 25 similar samples on MalwareBazaar
TLSH: T1C0D523127584483AE37B0A358D7AD6A05E7DFE605B70CA8E9308741E2E705C1AB76F73
TrID: 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
      10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
      7.8% (.MSP) Windows Installer Patch (44509/10/5)
      1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter: FXOLabs
Tags: AteraAgent msi signed

Code Signing Certificate

Organisation: Atera Networks Ltd
Issuer: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm: sha256WithRSAEncryption
Valid from: 2024-02-15T00:00:00Z
Valid to: 2025-03-18T23:59:59Z
Serial number: 0a28499978e5898df40a238eb8a552e8
Intelligence: 70 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint algorithm: SHA256
Thumbprint: f166bf0cc1fb75ea35db8fb76143a4946a63ff5b1720f787b99014d4777d81d7
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 2
# of downloads: 100
Origin country: BR
Vendor Threat Intelligence
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AteraAgent
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Signature
Bypasses PowerShell execution policy
Creates files in the system32 config directory
Installs Task Scheduler Managed Wrapper
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries disk data (e.g. SMART data)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
Reads the Security eventlog
Reads the System eventlog
System process connects to network (likely due to code injection or exploit)
Very long command line found
Writes many files with high entropy
Yara detected AteraAgent
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Behavior Graph ID: 1426978
Sample: AdobeAcrobat2.1.2.msi
Start date: 16/04/2024
Architecture: WINDOWS
Score: 100
Sample-level signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Yara detected AteraAgent; 10 other signatures

Process tree recovered from the graph (graph node numbers in brackets; "\...\" marks a path the page truncates; node 2 is the sample itself):

[2] AdobeAcrobat2.1.2.msi
  [8] AteraAgent.exe
    network: 3.162.112.24 (AMAZON-02, US)
    dropped: C:\...\System.Management.dll (PE32); C:\...\Newtonsoft.Json.dll (PE32); C:\...\Microsoft.Win32.TaskScheduler.dll (PE32); 319 other malicious files
    signatures: Installs Task Scheduler Managed Wrapper; Very long command line found
    [19] AgentPackageUpgradeAgent.exe
      network: 20.60.197.1 (MICROSOFT-CORP-MSN-AS-BLOCK, US)
      dropped: C:\...\System.ValueTuple.dll (PE32); C:\Program Files (x86)\...\Pubnub.dll (PE32); C:\...\Newtonsoft.Json.dll (PE32); 4 other malicious files
      [48] 2 other processes
    [23] AgentPackageSTRemote.exe
      network: 2 other IPs or domains
      dropped: C:\Windows\Temp\SplashtopStreamer.exe (PE32)
      [40] conhost.exe
    [26] AgentPackageTicketing.exe
      network: 13.107.246.41 (MICROSOFT-CORP-MSN-AS-BLOCK, US)
      dropped: C:\...\TicketingTray.exe (copy) (PE32)
      [42] conhost.exe
    [36] 11 other processes
      network: 104.40.170.64 (MICROSOFT-CORP-MSN-AS-BLOCK, US); 20.86.89.202 (MICROSOFT-CORP-MSN-AS-BLOCK, US); 93.184.215.201 (EDGECAST US, listed as European Union)
      dropped: C:\Program Files (x86)\...\6-0-26.exe (PE32); 2 other malicious files
      signatures: Queries disk data (e.g. SMART data)
      [57] 12 other processes
  [13] msiexec.exe
    dropped: C:\Windows\Installer\MSIFB6C.tmp (PE32); C:\Windows\Installer\MSIE8DD.tmp (PE32); C:\Windows\Installer\MSIE3A6.tmp (PE32); 313 other files (261 malicious)
    [28] msiexec.exe
      [50] 4 other processes
        network: 20.37.139.187 (MICROSOFT-CORP-MSN-AS-BLOCK, US)
        dropped: C:\Windows\Installer\...\Newtonsoft.Json.dll (PE32, listed twice); C:\...\AlphaControlAgentInstallation.dll (PE32); 13 other files (5 malicious)
        signatures: System process connects to network (likely due to code injection or exploit)
    [30] msiexec.exe
      [44] net.exe
        [61] conhost.exe
          signatures: Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); 2 other signatures
        [64] net1.exe
      [46] taskkill.exe
        [66] conhost.exe
    [32] AteraAgent.exe
      network: 2 other IPs or domains
      dropped: 2 other malicious files
      signatures: Creates files in the system32 config directory; Reads the Security eventlog; Reads the System eventlog
  [15] AteraAgent.exe
    network: 54.175.191.205 (AMAZON-AES, US); 3.163.80.117 (AMAZON-02, US)
    dropped: 27 other malicious files
    signatures: Creates files in the system32 config directory; Reads the Security eventlog; Reads the System eventlog
    [34] AgentPackageAgentInformation.exe
      [55] 3 other processes
        signatures: Loading BitLocker PowerShell Module
        [68] conhost.exe
        [70] cscript.exe
        [72] conhost.exe
    [38] 6 other processes
      [59] 6 other processes
  [17] 2 other processes
Threat name:
Win32.Trojan.Atera
Status:
Malicious
First seen:
2024-04-03 10:38:53 UTC
File Type:
Binary (Archive)
Extracted files:
15
AV detection:
9 of 38 (23.68%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
bootkit discovery evasion persistence upx
Behaviour
Checks SCSI registry key(s)
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
NSIS installer
Enumerates physical storage devices
Checks installed software on the system
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
Launches sc.exe
Loads dropped DLL
Registers COM server for autorun
Drops file in System32 directory
Downloads MZ/PE file
Enumerates connected drives
Writes to the Master Boot Record (MBR)
UPX packed file
Blocklisted process makes network request
Sets service image path in registry
Stops running service(s)
Please note that we are no longer able to provide a coverage score for VirusTotal.
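What makes this entry worth a detection is not any single signature above but the combination the page itself documents: a package named AdobeAcrobat2.1.2.msi that is Authenticode-signed by Atera Networks Ltd (the code-signing block, where the same certificate is reported on 70 samples), msiexec.exe spawning AteraAgent.exe, and a nested msiexec.exe spawning net.exe and taskkill.exe (the behaviour graph, and "Runs net.exe", "Kills process with taskkill", "Launches sc.exe", "Stops running service(s)" in the list above). The following is an added example, not code from MalwareBazaar, the sandbox vendors or Atera. It replays that chain over constructed telemetry; the record types, field names, PIDs, paths and command-line arguments are invented for the example and are not a vendor's schema or the sample's real arguments. Only the signer name and certificate thumbprint are taken from the page.

```python
"""Detections for an RMM installer masquerading as another product.

Added example (not MalwareBazaar, sandbox-vendor or Atera code). Two rules:
  1. a file signed by Atera Networks Ltd whose name advertises some other
     product (here "AdobeAcrobat...") is a signer/name mismatch;
  2. AteraAgent.exe, net.exe, taskkill.exe or sc.exe running underneath an
     msiexec.exe install is reported together with the .msi that started it.
Telemetry shapes and sample records below are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# From the page's code-signing block.
ATERA_SIGNER = "Atera Networks Ltd"
ATERA_THUMBPRINT_SHA256 = "f166bf0cc1fb75ea35db8fb76143a4946a63ff5b1720f787b99014d4777d81d7"

# A genuine Atera package is expected to say so in its file name (assumption).
ATERA_NAME_HINTS = ("atera",)

# msiexec.exe descendants called out by the page's behaviour list.
SUSPICIOUS_MSIEXEC_CHILDREN = {"net.exe", "net1.exe", "taskkill.exe", "sc.exe"}


@dataclass
class InstallerFile:          # assumed shape of a file/signature telemetry record
    path: str
    signer: str               # subject organisation of the Authenticode signer
    cert_sha256: str          # SHA256 thumbprint of the signing certificate


@dataclass
class ProcEvent:              # assumed shape of a process-creation record
    pid: int
    ppid: int
    image: str
    cmdline: str


def _base(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _tokens(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted spans together."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def find_masquerading_installers(files: List[InstallerFile]) -> List[str]:
    """Atera-signed packages whose file name advertises another product."""
    findings = []
    for f in files:
        by_atera = f.signer == ATERA_SIGNER or f.cert_sha256.lower() == ATERA_THUMBPRINT_SHA256
        if by_atera and not any(h in _base(f.path) for h in ATERA_NAME_HINTS):
            findings.append(f"signer/name mismatch: {f.path} is signed by {ATERA_SIGNER}")
    return findings


def _package_behind(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> Optional[str]:
    """Walk up the ancestry; return the .msi named by the outermost msiexec.exe.

    Returns None when no msiexec.exe ancestor exists, and a placeholder when
    one exists but its command line does not name a package (nested instance).
    """
    package, seen_msiexec = None, False
    anc = by_pid.get(ev.ppid)
    while anc is not None:
        if _base(anc.image) == "msiexec.exe":
            seen_msiexec = True
            for tok in _tokens(anc.cmdline):
                if tok.lower().endswith(".msi"):
                    package = tok
        anc = by_pid.get(anc.ppid)
    return (package or "<package not in command line>") if seen_msiexec else None


def find_suspicious_chains(events: List[ProcEvent]) -> List[str]:
    """RMM agent or service-control tools started underneath an MSI install."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        img = _base(ev.image)
        if img != "ateraagent.exe" and img not in SUSPICIOUS_MSIEXEC_CHILDREN:
            continue
        package = _package_behind(ev, by_pid)
        if package is None:          # e.g. an already-installed agent starting on its own
            continue
        kind = "RMM agent installed" if img == "ateraagent.exe" else "service-control tool run"
        findings.append(f"{kind} under msiexec.exe: {ev.image} (pid {ev.pid}) from {package}")
    return findings


# Constructed telemetry mirroring the page's graph (PIDs, paths, arguments made up).
SAMPLE_INSTALLERS = [
    InstallerFile(r"C:\Users\u\Downloads\AdobeAcrobat2.1.2.msi", ATERA_SIGNER, ATERA_THUMBPRINT_SHA256),
    InstallerFile(r"C:\Users\u\Downloads\AteraAgent.msi", ATERA_SIGNER, ATERA_THUMBPRINT_SHA256),
]
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "msiexec.exe", r'msiexec.exe /i "C:\Users\u\Downloads\AdobeAcrobat2.1.2.msi" /qn'),
    ProcEvent(300, 200, "msiexec.exe", "msiexec.exe /V"),
    ProcEvent(400, 300, "AteraAgent.exe", "AteraAgent.exe <long command line>"),
    ProcEvent(500, 300, "net.exe", "net.exe stop <service>"),
    ProcEvent(600, 300, "taskkill.exe", "taskkill.exe /F /IM <image>"),
    ProcEvent(700, 500, "conhost.exe", "conhost.exe"),
    ProcEvent(800, 100, "AteraAgent.exe", "AteraAgent.exe"),   # no msiexec ancestor: not reported
]

if __name__ == "__main__":
    for line in find_masquerading_installers(SAMPLE_INSTALLERS) + find_suspicious_chains(SAMPLE_EVENTS):
        print(line)
```

The rules key on the signer/name mismatch and on the process ancestry rather than on the IP addresses in the graph: those addresses sit in Amazon and Microsoft ranges and the page does not identify any of them as attacker infrastructure, so they are context for the analyst, not blocklist candidates on their own.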

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_SliverFox_String
Author:huoji
Description: Detects files that are `SliverFox` malware
Rule name:maldoc_find_kernel32_base_method_1
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_OLE_file_magic_number
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Author:malware-lu
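The file-information block at the top of this entry (four digests, TrID and MIME type agreeing that this is a Windows Installer package, which is an OLE2 compound file) and the YARA list above come down to two checks a triage script performs offline. One of the matched rules, maldoc_OLE_file_magic_number, keys on the OLE2 compound-file signature, and every .msi carries that header, so that hit is a file-format observation rather than evidence on its own. The following is an added example, not MalwareBazaar's or any vendor's code: it hashes a byte string with the four algorithms the page lists and compares against the entry's values, and it parses the compound-file header that the OLE rule fires on. The input bytes are a constructed header, not the real sample, so the hash check is expected to report no match.

```python
"""Offline triage helpers for an MSI sample such as the one on this page.

Added example (not MalwareBazaar's or a vendor's code). Two checks:
  1. hash the bytes with the four digests the page lists and see whether
     any matches the entry's IOCs;
  2. parse the Compound File Binary (OLE2) header that every .msi carries,
     which is what a generic "OLE magic number" YARA rule keys on.
Standard library only. The bytes produced by build_fake_cfb_header() are
constructed for the example and are not the sample.
"""
import hashlib
import struct

# Digests copied from the MalwareBazaar entry above.
PAGE_IOCS = {
    "md5": "4786b508296d522bde9b35893599f677",
    "sha1": "a05b7bb3931533e0aeeaa4eb48e43befd095b4fb",
    "sha256": "66ea27e2e043adcfca5352089e2cbe7d4349f1f7e78dd4acefaf451b8c9585c4",
    "sha3_384": "7e534fb97d76883e6e15edacc8c377eb7a3ceb1917a0c36bd77a10dd54f7ab27677e0f72f5ec1a1a97b5386ca1d4525a",
}

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # MS-CFB header signature


def digests(data: bytes) -> dict:
    """Return the four digests the page lists, as lowercase hex."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def match_iocs(data: bytes, iocs: dict = PAGE_IOCS) -> set:
    """Names of the digest algorithms whose value equals the page's IOC."""
    got = digests(data)
    return {name for name, want in iocs.items() if got.get(name) == want.lower()}


def parse_cfb_header(data: bytes):
    """Parse the 512-byte CFB header; return a dict, or None if not OLE2.

    Layout (MS-CFB 2.2): signature[8], CLSID[16], minor version u16,
    major version u16, byte order u16 (0xFFFE), sector shift u16,
    mini sector shift u16, ... all little-endian.
    """
    if len(data) < 512 or data[:8] != OLE2_MAGIC:
        return None
    minor, major, byte_order, sector_shift, mini_shift = struct.unpack_from("<HHHHH", data, 24)
    if byte_order != 0xFFFE:
        return None
    if (major, sector_shift) not in ((3, 9), (4, 12)):
        return None   # v3 uses 512-byte sectors, v4 uses 4096-byte sectors
    return {
        "major_version": major,
        "minor_version": minor,
        "sector_size": 1 << sector_shift,
        "mini_sector_size": 1 << mini_shift,
    }


def build_fake_cfb_header() -> bytes:
    """Constructed 512-byte v3 CFB header used as stand-in input (not the sample)."""
    hdr = bytearray(512)
    hdr[:8] = OLE2_MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x003E, 3, 0xFFFE, 9, 6)
    return bytes(hdr)


def triage(data: bytes) -> dict:
    """Combine both checks into one result dict."""
    header = parse_cfb_header(data)
    return {
        "is_ole2_container": header is not None,
        "cfb": header,
        "ioc_matches": sorted(match_iocs(data)),
        "sha256": digests(data)["sha256"],
    }


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_fake_cfb_header()
    print(triage(blob))
```

Run it with a file path to triage a real download; the CFB parse tells you only that the container is OLE2 (MSI, or an old-style Office document), so a positive there is a format fact, and the verdict still rests on the hash match and on what the package contains.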

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method
Distributed via e-mail link
