MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4376a8d703a99b9d307404d318903a1648bd104dd878001be8086cb1356b96b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AteraAgent


Vendor detections: 7


Intelligence 7 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e4376a8d703a99b9d307404d318903a1648bd104dd878001be8086cb1356b96b
SHA3-384 hash: 174c66f3ca260a68c8806033001bc49980d264e6431b0d7dab2cfcf1f1de572c8df435b17158945e5e31905566f50f7a
SHA1 hash: 8a19d9bd1de5fcf32246e0c7fc7220671fe7add2
MD5 hash: 455bf264e54b9c7b8d0ff9b37443930f
humanhash: hot-seventeen-triple-two
File name:2503.msi
Download: download sample
Signature AteraAgent
Create hunting rule
File size:2'994'176 bytes
First seen:2024-04-29 12:18:50 UTC
Last seen:2024-04-29 13:25:52 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 49152:U+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:U+lUlz9FKbsodq0YaH7ZPxMb8tT
Threatray 58 similar samples on MalwareBazaar
TLSH T1A7D523117584483AE37B0A358D7AD6A05E7DFE605B70CA8E9308741E2E705C1AB76FB3
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter NDA0E
Tags:AteraAgent msi signed

Code Signing Certificate

Organisation:Atera Networks Ltd
Issuer:DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm:sha256WithRSAEncryption
Valid from:2024-02-15T00:00:00Z
Valid to:2025-03-18T23:59:59Z
Serial number: 0a28499978e5898df40a238eb8a552e8
Intelligence: 70 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: f166bf0cc1fb75ea35db8fb76143a4946a63ff5b1720f787b99014d4777d81d7
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
NDA0E
http://91.215.85.18:9380/2503.msi

Intelligence

File Origin
# of uploads :
2
# of downloads :
96
Origin country :
NL NL
Vendor Threat Intelligence
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm certreq cmd expand lolbin lolbin remote rundll32 shell32
Link:
https://www.filescan.io/uploads/662f903d75339da04fa67a7a/reports/2fe7023c-66f9-43a6-ba8a-76f5a354c0af/overview
Verdict:
Suspicious
Link:
https://www.hybrid-analysis.com/sample/e4376a8d703a99b9d307404d318903a1648bd104dd878001be8086cb1356b96b
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/e4376a8d703a99b9d307404d318903a1648bd104dd878001be8086cb1356b96b
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AteraAgent
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1433328
Signature
Creates files in the system32 config directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Reads the Security eventlog
Reads the System eventlog
Yara detected AteraAgent
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1433328 Sample: 2503.msi Startdate: 29/04/2024 Architecture: WINDOWS Score: 84 95 ps.pndsn.com 2->95 97 ps.atera.com 2->97 99 5 other IPs or domains 2->99 107 Multi AV Scanner detection for dropped file 2->107 109 Multi AV Scanner detection for submitted file 2->109 111 Yara detected AteraAgent 2->111 113 2 other signatures 2->113 9 msiexec.exe 82 43 2->9         started        12 AteraAgent.exe 2->12         started        16 msiexec.exe 5 2->16         started        signatures3 process4 dnsIp5 81 C:\Windows\Installer\MSI80B8.tmp, PE32 9->81 dropped 83 C:\Windows\Installer\MSI54A2.tmp, PE32 9->83 dropped 85 C:\Windows\Installer\MSI4251.tmp, PE32 9->85 dropped 93 19 other files (16 malicious) 9->93 dropped 18 msiexec.exe 9->18         started        20 AteraAgent.exe 6 19 9->20         started        24 msiexec.exe 9->24         started        101 54.175.191.203, 443, 49766, 49767 AMAZON-AESUS United States 12->101 103 ps.pndsn.com 54.175.191.204, 443, 49746, 49747 AMAZON-AESUS United States 12->103 105 2 other IPs or domains 12->105 87 C:\...87ewtonsoft.Json.dll, PE32 12->87 dropped 89 C:\...\Atera.AgentPackage.Common.dll, PE32 12->89 dropped 91 C:\...\AgentPackageAgentInformation.exe, PE32 12->91 dropped 121 Creates files in the system32 config directory 12->121 123 Reads the Security eventlog 12->123 125 Reads the System eventlog 12->125 26 AgentPackageAgentInformation.exe 12->26         started        28 sc.exe 12->28         started        30 AgentPackageAgentInformation.exe 12->30         started        32 5 other processes 12->32 file6 signatures7 process8 file9 34 rundll32.exe 15 9 18->34         started        37 rundll32.exe 7 18->37         started        39 rundll32.exe 8 18->39         started        41 rundll32.exe 18->41         started        77 C:\Windows\System32\InstallUtil.InstallLog, Unicode 20->77 dropped 79 C:\...\AteraAgent.InstallLog, Unicode 20->79 dropped 115 Creates files in the system32 config directory 20->115 117 Reads the Security eventlog 20->117 119 Reads the System eventlog 20->119 49 2 other processes 24->49 43 conhost.exe 26->43         started        45 conhost.exe 28->45         started        47 conhost.exe 30->47         started        51 5 other processes 32->51 signatures10 process11 file12 59 C:\Windows\Installer\...59ewtonsoft.Json.dll, PE32 34->59 dropped 69 3 other files (1 malicious) 34->69 dropped 61 C:\Windows\Installer\...61ewtonsoft.Json.dll, PE32 37->61 dropped 63 C:\...\AlphaControlAgentInstallation.dll, PE32 37->63 dropped 71 2 other files (none is malicious) 37->71 dropped 73 4 other files (2 malicious) 39->73 dropped 65 C:\Windows\Installer\...65ewtonsoft.Json.dll, PE32 41->65 dropped 67 C:\...\AlphaControlAgentInstallation.dll, PE32 41->67 dropped 75 2 other files (none is malicious) 41->75 dropped 53 conhost.exe 49->53         started        55 conhost.exe 49->55         started        57 net1.exe 1 49->57         started        process13
Score:
20%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/e4376a8d703a99b9d307404d318903a1648bd104dd878001be8086cb1356b96b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e4376a8d703a99b9d307404d318903a1648bd104dd878001be8086cb1356b96b/
Threat name:
Win32.Trojan.Atera
Create hunting rule
Status:
Malicious
First seen:
2024-04-20 15:02:53 UTC
File Type:
Binary (Archive)
Extracted files:
15
AV detection:
8 of 24 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4q3wvdlqhkm3tuyhibgtdcidufsixuie3wdyaan6qcdmwe2wxfvq._file
Verdict:
unknown
Similar samples:
3871a8c00ec780da7a1908d3a7f1de8bfa14bcc9ad6f37fdcf335ea741bd6e1e
AteraAgent
638c7a4f833dc95dbab5f0a81ef03b7d83704e30b5cdc630702475cc9fff86a2
AteraAgent
66ea27e2e043adcfca5352089e2cbe7d4349f1f7e78dd4acefaf451b8c9585c4
AteraAgent
a351667f67eb70281d579acf5ba66157717281def9fa002e2e1747e11e18c2dc
AteraAgent
e89f48a7351c01cbf2f8e31c65a67f76a5ead689bb11e9d4918090a165d4425f
AteraAgent
+ 48 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery
Link:
https://tria.ge/reports/240429-pg6z6aac54/
Behaviour
Checks SCSI registry key(s)
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Checks installed software on the system
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
Launches sc.exe
Loads dropped DLL
Drops file in System32 directory
Enumerates connected drives
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e4376a8d703a99b9d307404d318903a1648bd104dd878001be8086cb1356b96b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AteraAgent_RemoteAdmin_April_2024
Create hunting rule
Author:NDA0
Description:Detects AteraAgent Remote Admin Tool
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_SliverFox_String
Create hunting rule
Author:huoji
Description:Detect files is `SliverFox` malware
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MSI_AteraAgent_RemoteAdmin_April_2024
Create hunting rule
Author:NDA0N
Description:Detects AteraAgent Remote Admin Tool
Rule name:NET
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
  
URLhaus
https://urlhaus.abuse.ch/url/2831245/

Comments