MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 768eaad977f0e47869a05f653895ef1c14b3c83905a91e2b8dc56b718e056de6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AteraAgent


Vendor detections: 12



SHA256 hash: 768eaad977f0e47869a05f653895ef1c14b3c83905a91e2b8dc56b718e056de6
SHA3-384 hash: f5140a26fe12c452b673d47b95cd165415f197e8e383e7f3c7b156d6f742094b40d1817424a4f4f8a927bb24eae39def
SHA1 hash: dd64e5c25c9237b6a52f68dcc6a5777c83c5fef3
MD5 hash: 8b6b0ec93209591b6f987b27b150f803
humanhash: mockingbird-pasta-south-gee
File name: pdf946946.msi
Signature: AteraAgent
File size: 2'994'176 bytes
First seen: 2025-02-15 10:56:16 UTC
Last seen: 2025-02-15 11:23:43 UTC
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep 49152:++1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:++lUlz9FKbsodq0YaH7ZPxMb8tT
TLSH T195D523117584483AE3BB0A358D7AD6A05E7DFE605B70CA8E9308741E2D705C1AB76FB3
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter FXOLabs
Tags: AteraAgent msi signed

Code Signing Certificate

Organisation: Atera Networks Ltd
Issuer: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm: sha256WithRSAEncryption
Valid from: 2025-01-23T00:00:00Z
Valid to: 2026-01-22T23:59:59Z
Serial number: 09d3cbf84332886ff689b04baf7f768c
Intelligence: 45 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: 9e1bec8810871217689196b90d12b43e62df343f2c8d886bf588f9d37a8d8d9a
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 2
# of downloads: 88
Origin country: BR
Vendor Threat Intelligence
Verdict: Malicious
Score: 96.5%
Tags: shellcode
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: adaptive-context anti-vm cmd expand installer lolbin lolbin obfuscated rundll32 signed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AteraAgent
Detection:
malicious
Classification:
rans.spyw.evad
Score:
100 / 100
Signature
Creates files in the system32 config directory
Installs Task Scheduler Managed Wrapper
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries disk data (e.g. SMART data)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
Reads the Security eventlog
Reads the System eventlog
Sample is not signed and drops a device driver
Sigma detected: Suspicious Script Execution From Temp Folder
System process connects to network (likely due to code injection or exploit)
Writes many files with high entropy
Yara detected AteraAgent
Behaviour
Behavior Graph ID: 1615756 (Sample: pdf946946.msi, Startdate: 15/02/2025, Architecture: WINDOWS, Score: 100); the rendered process, file and network graph is not reproduced here.
Threat name: Win32.Trojan.Atera
Status: Malicious
First seen: 2025-02-15 10:57:14 UTC
File Type: Binary (Archive)
Extracted files: 15
AV detection: 10 of 37 (27.03%)
Threat level: 5/5
Result
Malware family: ateraagent
Score: 10/10
Tags: family:ateraagent bootkit discovery execution persistence privilege_escalation rat upx
Behaviour
Checks SCSI registry key(s)
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
System Time Discovery
Checks installed software on the system
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
Launches sc.exe
Loads dropped DLL
Drops file in System32 directory
Event Triggered Execution: Component Object Model Hijacking
UPX packed file
Downloads MZ/PE file
Enumerates connected drives
Writes to the Master Boot Record (MBR)
Blocklisted process makes network request
Drops file in Drivers directory
AteraAgent
Ateraagent family
Detects AteraAgent
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AteraAgent_RemoteAdmin_April_2024
Author: NDA0
Description: Detects AteraAgent Remote Admin Tool
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: Detect_SliverFox_String
Author: huoji
Description: Detect files is `SliverFox` malware
Rule name: NET
Author: malware-lu
Rule name: Suspicious_Latam_MSI_and_ZIP_Files
Author: eremit4, P4nd3m1cb0y
Description: Detects suspicious .msi and .zip files used in Latam banking trojan campaigns.
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method
Distributed via e-mail link

Comments