MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 76fd57765b2c5d5a8b939f1eca35633f11d830b2700f828b06c26fb707035156. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AteraAgent


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 76fd57765b2c5d5a8b939f1eca35633f11d830b2700f828b06c26fb707035156
SHA3-384 hash: fcd2c41e2dad8cb8f1e715e289c80f9d329f954d2549cc4eef80a449fee5d22f8e9ad78c252b9ac4f2fec727186db77f
SHA1 hash: b576b9970aad194bc905037deee063fcbe47e820
MD5 hash: 8f4281a5be8e35598a87058c94542b45
humanhash: ten-edward-eleven-carbon
File name:Nf-Nota--278.msi
Download: download sample
Signature AteraAgent
Create hunting rule
File size:2'994'176 bytes
First seen:2025-05-22 11:34:34 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 49152:9+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:9+lUlz9FKbsodq0YaH7ZPxMb8tT
Threatray 239 similar samples on MalwareBazaar
TLSH T10FD523117584483AE37B0A358D7AD6A05E7DFE605B70CA8E9308741E2E705C1AB76FB3
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter FXOLabs
Tags:AteraAgent msi signed

Code Signing Certificate

Organisation:Atera Networks Ltd
Issuer:DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm:sha256WithRSAEncryption
Valid from:2025-01-23T00:00:00Z
Valid to:2026-01-22T23:59:59Z
Serial number: 09d3cbf84332886ff689b04baf7f768c
Intelligence: 45 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 9e1bec8810871217689196b90d12b43e62df343f2c8d886bf588f9d37a8d8d9a
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
73
Origin country :
BR BR
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Program.RemoteAdminNET.1.9662.24411.UNOFFICIAL
Create hunting rule

PUA.Win.File.AteraRemoteAdmin-9942568-0
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=682f0d09c28c67d666446410
Tags:
shellcode virus msil
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-vm base64 cmd expand expired-cert fingerprint installer lolbin lolbin reconnaissance rundll32 signed
Link:
https://www.filescan.io/uploads/682f0c3c985349514e5cd72a/reports/b76975d4-3308-4935-bdd9-df05e30f167f/overview
Verdict:
Suspicious
Labled as:
Unwanted/BIN.RemoteAdmin
Link:
https://www.hybrid-analysis.com/sample/76fd57765b2c5d5a8b939f1eca35633f11d830b2700f828b06c26fb707035156
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/76fd57765b2c5d5a8b939f1eca35633f11d830b2700f828b06c26fb707035156
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AteraAgent
Create hunting rule
Detection:
malicious
Classification:
rans.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1696802
Signature
Creates files in the system32 config directory
Detected unpacking (creates a PE file in dynamic memory)
Enables network access during safeboot for specific services
Installs Task Scheduler Managed Wrapper
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
Reads the Security eventlog
Reads the System eventlog
Sample is not signed and drops a device driver
Sigma detected: Suspicious Script Execution From Temp Folder
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (Installed program check)
Writes many files with high entropy
Yara detected AteraAgent
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1696802 Sample: Nf-Nota--278.msi Startdate: 22/05/2025 Architecture: WINDOWS Score: 100 153 Malicious sample detected (through community Yara rule) 2->153 155 Multi AV Scanner detection for dropped file 2->155 157 Multi AV Scanner detection for submitted file 2->157 159 10 other signatures 2->159 9 msiexec.exe 501 920 2->9         started        13 AteraAgent.exe 2->13         started        16 AteraAgent.exe 2->16         started        18 3 other processes 2->18 process3 dnsIp4 103 C:\Windows\Installer\...\ARPPRODUCTICON.exe, PE32 9->103 dropped 105 C:\Windows\Installer\MSIF22A.tmp, PE32 9->105 dropped 107 C:\Windows\Installer\MSIF1BC.tmp, PE32 9->107 dropped 115 463 other malicious files 9->115 dropped 171 Sample is not signed and drops a device driver 9->171 20 msiexec.exe 9->20         started        24 msiexec.exe 9->24         started        26 AteraAgent.exe 9->26         started        29 msiexec.exe 9->29         started        145 18.154.144.97 AMAZON-02US United States 13->145 109 System.Runtime.Com...Services.Unsafe.dll, PE32 13->109 dropped 111 C:\Program Files (x86)\...\System.Memory.dll, PE32 13->111 dropped 113 C:\...\System.Management.dll, PE32 13->113 dropped 117 374 other malicious files 13->117 dropped 173 Installs Task Scheduler Managed Wrapper 13->173 37 3 other processes 13->37 147 23.32.1.209 ROGERS-COMMUNICATIONSCA United States 16->147 149 18.154.144.23 AMAZON-02US United States 16->149 151 52.9.63.135 AMAZON-02US United States 16->151 119 48 other malicious files 16->119 dropped 175 Creates files in the system32 config directory 16->175 177 Reads the Security eventlog 16->177 179 Reads the System eventlog 16->179 31 AgentPackageSTRemote.exe 16->31         started        33 AgentPackageAgentInformation.exe 16->33         started        35 AgentPackageAgentInformation.exe 16->35         started        39 4 other processes 16->39 file5 signatures6 process7 dnsIp8 81 C:\...\SRCredentialProvider.dll (copy), PE32+ 20->81 dropped 83 C:\Windows\Temp\...\_isres_0x0409.dll, PE32 20->83 dropped 85 C:\Windows\Temp\...\_is64A7.exe, PE32+ 20->85 dropped 95 14 other malicious files 20->95 dropped 161 Enables network access during safeboot for specific services 20->161 49 9 other processes 20->49 41 rundll32.exe 24->41         started        51 3 other processes 24->51 141 72.247.234.254 AKAMAI-ASUS United States 26->141 87 C:\Windows\System32\InstallUtil.InstallLog, Unicode 26->87 dropped 89 C:\...\AteraAgent.InstallLog, Unicode 26->89 dropped 163 Reads the Security eventlog 26->163 165 Reads the System eventlog 26->165 54 2 other processes 29->54 143 52.223.39.232 AMAZONEXPANSIONGB United States 31->143 91 C:\Windows\Temp\SplashtopStreamer.exe, PE32 31->91 dropped 93 C:\Program Files (x86)\...\log.txt, ASCII 31->93 dropped 167 Creates files in the system32 config directory 31->167 56 2 other processes 31->56 169 Tries to detect sandboxes / dynamic malware analysis system (Installed program check) 33->169 58 3 other processes 33->58 45 conhost.exe 35->45         started        47 conhost.exe 37->47         started        60 4 other processes 39->60 file9 signatures10 process11 dnsIp12 121 C:\Windows\...\System.Management.dll, PE32 41->121 dropped 123 C:\Windows\Installer\...123ewtonsoft.Json.dll, PE32 41->123 dropped 125 Microsoft.Deployme...indowsInstaller.dll, PE32 41->125 dropped 127 C:\...\AlphaControlAgentInstallation.dll, PE32 41->127 dropped 181 System process connects to network (likely due to code injection or exploit) 41->181 62 Conhost.exe 41->62         started        139 20.37.139.187 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 51->139 129 C:\Windows\...\System.Management.dll, PE32 51->129 dropped 131 C:\Windows\Installer\...131ewtonsoft.Json.dll, PE32 51->131 dropped 133 Microsoft.Deployme...indowsInstaller.dll, PE32 51->133 dropped 137 9 other malicious files 51->137 dropped 64 conhost.exe 54->64         started        66 net1.exe 54->66         started        68 conhost.exe 54->68         started        135 C:\Windows\Temp\unpack\PreVerCheck.exe, PE32 56->135 dropped 70 PreVerCheck.exe 56->70         started        73 conhost.exe 58->73         started        75 conhost.exe 58->75         started        77 cscript.exe 58->77         started        file13 signatures14 process15 file16 97 C:\Windows\Temp\unpack\libssl-3.dll, PE32 70->97 dropped 99 C:\Windows\Temp\unpack\libcrypto-3.dll, PE32 70->99 dropped 101 C:\Windows\Temp\unpack\SRSocketCtrl.dll, PE32 70->101 dropped 79 msiexec.exe 70->79         started        process17
Score:
18%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/76fd57765b2c5d5a8b939f1eca35633f11d830b2700f828b06c26fb707035156
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/76fd57765b2c5d5a8b939f1eca35633f11d830b2700f828b06c26fb707035156/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o36vo5s3frovvc4tt4pmunldh4i5qmfsoahyfcygyjx3obydkfla._file
Verdict:
malicious
Label(s):
ateraagent
Create hunting rule
Similar samples:
44f4a65edf7ae3ce4fbc50b03bc034b27d699e7a17cbd130cac07d78ce171985
AteraAgent
48c6727171424afc2789ed1af0197a3e700ea5039c4b7a3683724c46739f61c2
AteraAgent
9104930a661af5e641ad911fc30c0887433713ea589e389f06cbd5bb0a7ed5ad
AteraAgent
99943cbf5119b45787f6d349e0c8f65768360253e00451b9050923bfe4618e06
AteraAgent
a6b86df4bdf042ad8fd4b5662d93b0359bb3e2f747081f7ca31408d5d9e4bda7
AteraAgent
error
AteraAgent
+ 229 additional samples on MalwareBazaar
Result
Malware family:
ateraagent
Create hunting rule
Score:
  10/10
Tags:
family:ateraagent bootkit discovery execution persistence privilege_escalation rat upx
Link:
https://tria.ge/reports/250522-np576aspw8/
Behaviour
Checks SCSI registry key(s)
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
System Time Discovery
Checks installed software on the system
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
Launches sc.exe
Loads dropped DLL
Drops file in System32 directory
Event Triggered Execution: Component Object Model Hijacking
UPX packed file
Downloads MZ/PE file
Enumerates connected drives
Writes to the Master Boot Record (MBR)
Blocklisted process makes network request
Drops file in Drivers directory
AteraAgent
Ateraagent family
Detects AteraAgent
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c29716ec-c7f1-4c6a-a8a7-7287b6b595d7
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/76fd57765b2c5d5a8b939f1eca35633f11d830b2700f828b06c26fb707035156

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AteraAgent_RemoteAdmin_April_2024
Create hunting rule
Author:NDA0
Description:Detects AteraAgent Remote Admin Tool
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_SliverFox_String
Create hunting rule
Author:huoji
Description:Detect files is `SliverFox` malware
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Distributed via e-mail link

Comments