MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7d97013314341bbdb5abd3bdade00039a87ec865efc3df4a72feab27f82bf52. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AteraAgent


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e7d97013314341bbdb5abd3bdade00039a87ec865efc3df4a72feab27f82bf52
SHA3-384 hash: 5216baacd1065bbb7bce150f0f2eb6521f951fdcc0a1592e062be49dcf4a8df06be7d7af16e7867b04bb5c2fa6aabbba
SHA1 hash: d831219e226b63d4a9394d26333151356539c000
MD5 hash: d3fe8c624c5cf20711ca3d62c66d208c
humanhash: stream-ack-burger-saturn
File name:e7d97013314341bbdb5abd3bdade00039a87ec865efc3df4a72feab27f82bf52
Download: download sample
Signature AteraAgent
Create hunting rule
File size:2'994'176 bytes
First seen:2024-11-08 12:27:26 UTC
Last seen:2024-11-08 14:22:14 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 49152:F+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:F+lUlz9FKbsodq0YaH7ZPxMb8tT
Threatray 150 similar samples on MalwareBazaar
TLSH T129D523117584483AE37B0A358D7ADAA05E7DFE605B70CA8E9308741E2D705C1AB76FB3
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter JAMESWT_WT
Tags:AteraAgent msi signed

Code Signing Certificate

Organisation:Atera Networks Ltd
Issuer:DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm:sha256WithRSAEncryption
Valid from:2024-02-15T00:00:00Z
Valid to:2025-03-18T23:59:59Z
Serial number: 0a28499978e5898df40a238eb8a552e8
Intelligence: 70 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: f166bf0cc1fb75ea35db8fb76143a4946a63ff5b1720f787b99014d4777d81d7
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
2'174
Origin country :
IT IT
Vendor Threat Intelligence
Detection(s):
PUA.Win.File.AteraRemoteAdmin-9942568-0
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=672e03dd96bcb959b48d739d
Tags:
shellcode msil html
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm cmd expand installer lolbin lolbin packed rundll32
Link:
https://www.filescan.io/uploads/672e03dd030d1b0aaf403c3b/reports/32bba2f2-10a4-42ed-af53-9bdb9437619b/overview
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/e7d97013314341bbdb5abd3bdade00039a87ec865efc3df4a72feab27f82bf52
Result
Threat name:
AteraAgent
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1552152
Signature
AI detected suspicious sample
Creates files in the system32 config directory
Enables network access during safeboot for specific services
Installs Task Scheduler Managed Wrapper
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
Reads the Security eventlog
Reads the System eventlog
Sample is not signed and drops a device driver
System process connects to network (likely due to code injection or exploit)
Yara detected AteraAgent
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1552152 Sample: kTbv9ZA2x0.msi Startdate: 08/11/2024 Architecture: WINDOWS Score: 100 141 Multi AV Scanner detection for dropped file 2->141 143 Multi AV Scanner detection for submitted file 2->143 145 Yara detected AteraAgent 2->145 147 7 other signatures 2->147 9 msiexec.exe 501 877 2->9         started        13 AteraAgent.exe 2->13         started        16 AteraAgent.exe 2->16         started        18 3 other processes 2->18 process3 dnsIp4 91 C:\Windows\Installer\...\ARPPRODUCTICON.exe, PE32 9->91 dropped 93 C:\Windows\Installer\MSIF9FF.tmp, PE32 9->93 dropped 95 C:\Windows\Installer\MSIF72F.tmp, PE32 9->95 dropped 103 460 other files (397 malicious) 9->103 dropped 159 Sample is not signed and drops a device driver 9->159 20 msiexec.exe 9->20         started        24 msiexec.exe 9->24         started        26 AteraAgent.exe 9->26         started        29 msiexec.exe 9->29         started        135 18.66.112.10 MIT-GATEWAYSUS United States 13->135 97 C:\...\System.Management.dll, PE32 13->97 dropped 99 C:\...99ewtonsoft.Json.dll, PE32 13->99 dropped 101 C:\...\Microsoft.Win32.TaskScheduler.dll, PE32 13->101 dropped 105 278 other malicious files 13->105 dropped 161 Installs Task Scheduler Managed Wrapper 13->161 37 2 other processes 13->37 137 18.66.112.74 MIT-GATEWAYSUS United States 16->137 139 35.157.63.227 AMAZON-02US United States 16->139 107 31 other malicious files 16->107 dropped 163 Creates files in the system32 config directory 16->163 165 Reads the Security eventlog 16->165 167 Reads the System eventlog 16->167 31 AgentPackageSTRemote.exe 16->31         started        33 AgentPackageAgentInformation.exe 16->33         started        35 AgentPackageMonitoring.exe 16->35         started        39 4 other processes 16->39 file5 signatures6 process7 dnsIp8 77 C:\...\SRCredentialProvider.dll (copy), PE32+ 20->77 dropped 79 C:\Windows\Temp\...\_isres_0x0409.dll, PE32 20->79 dropped 81 C:\Windows\Temp\...\_isEA75.exe, PE32+ 20->81 dropped 89 14 other malicious files 20->89 dropped 149 Enables network access during safeboot for specific services 20->149 52 9 other processes 20->52 54 4 other processes 24->54 127 192.229.221.95 EDGECASTUS United States 26->127 129 93.184.221.240 EDGECASTUS European Union 26->129 83 C:\Windows\System32\InstallUtil.InstallLog, Unicode 26->83 dropped 85 C:\...\AteraAgent.InstallLog, Unicode 26->85 dropped 151 Reads the Security eventlog 26->151 153 Reads the System eventlog 26->153 58 2 other processes 29->58 131 52.223.39.232 AMAZONEXPANSIONGB United States 31->131 133 13.35.58.31 AMAZON-02US United States 31->133 87 C:\Windows\Temp\SplashtopStreamer.exe, PE32 31->87 dropped 155 Creates files in the system32 config directory 31->155 41 SplashtopStreamer.exe 31->41         started        44 conhost.exe 31->44         started        46 conhost.exe 33->46         started        48 conhost.exe 35->48         started        50 conhost.exe 37->50         started        60 5 other processes 39->60 file9 signatures10 process11 dnsIp12 109 C:\Windows\Temp\unpack\PreVerCheck.exe, PE32 41->109 dropped 62 PreVerCheck.exe 41->62         started        125 40.119.152.241 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 54->125 111 C:\...\AlphaControlAgentInstallation.dll, PE32 54->111 dropped 113 C:\...\AlphaControlAgentInstallation.dll, PE32 54->113 dropped 115 C:\...\AlphaControlAgentInstallation.dll, PE32 54->115 dropped 117 13 other files (1 malicious) 54->117 dropped 157 System process connects to network (likely due to code injection or exploit) 54->157 65 conhost.exe 58->65         started        67 net1.exe 58->67         started        69 conhost.exe 58->69         started        71 conhost.exe 60->71         started        73 cscript.exe 60->73         started        file13 signatures14 process15 file16 119 C:\Windows\Temp\unpack\libssl-3.dll, PE32 62->119 dropped 121 C:\Windows\Temp\unpack\libcrypto-3.dll, PE32 62->121 dropped 123 C:\Windows\Temp\unpack\SRSocketCtrl.dll, PE32 62->123 dropped 75 msiexec.exe 62->75         started        process17
Score:
75%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/e7d97013314341bbdb5abd3bdade00039a87ec865efc3df4a72feab27f82bf52
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e7d97013314341bbdb5abd3bdade00039a87ec865efc3df4a72feab27f82bf52/
Threat name:
Win32.Trojan.Atera
Create hunting rule
Status:
Malicious
First seen:
2024-11-08 10:37:13 UTC
File Type:
Binary (Archive)
Extracted files:
15
AV detection:
9 of 38 (23.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=47mxaezrina3xw22xu55vxqaaonip3egl36d35fhf7vle74cx5ja._file
Verdict:
suspicious
Label(s):
ateraagent
Create hunting rule
Similar samples:
2ba7c24b984423bda7b4982b3b6e230a6c0f2dae44b580c6f02d133e625fd3bb
AteraAgent
33283eed43cb365ae5f4541f387ea4f4e81667573b3c890be5606fc53c5852d5
AteraAgent
3809affad6dc10de4613edb2c172f47b641b0393270a129b24683ccd30fb39d7
AteraAgent
44f4a65edf7ae3ce4fbc50b03bc034b27d699e7a17cbd130cac07d78ce171985
AteraAgent
55af6a90ac8863f27b3fcaa416a0f1e4ff02fb42aa46a7274c6b76aa000aacc2
AteraAgent
615ba2f7363ac61f75d05171c3c02fceefe1e7ab328295be8e4dc55691416c25
AteraAgent
8c684bf0b13e4bc010d63490bd53593cd627be43e8178117c80e4b836881dad6
AteraAgent
9104930a661af5e641ad911fc30c0887433713ea589e389f06cbd5bb0a7ed5ad
AteraAgent
e91b55d8505e22892db37e282dfeca56aa398725f1528ed545c0b77d825be1a7
AteraAgent
error
AteraAgent
fab822cc1d5b10a959de748250badb0f1244964942814046b74c41b8887c8c00
AteraAgent
+ 140 additional samples on MalwareBazaar
Result
Malware family:
ateraagent
Create hunting rule
Score:
  10/10
Tags:
family:ateraagent bootkit discovery persistence privilege_escalation rat upx
Link:
https://tria.ge/reports/241108-pnbslasdrl/
Behaviour
Checks SCSI registry key(s)
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
System Time Discovery
Checks installed software on the system
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
Launches sc.exe
Loads dropped DLL
Drops file in System32 directory
Event Triggered Execution: Component Object Model Hijacking
UPX packed file
Downloads MZ/PE file
Enumerates connected drives
Network Service Discovery
Writes to the Master Boot Record (MBR)
Blocklisted process makes network request
Drops file in Drivers directory
Ateraagent family
Detects AteraAgent
AteraAgent
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f82ef1bd-b0db-47ca-abc3-64523df9c905
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e7d97013314341bbdb5abd3bdade00039a87ec865efc3df4a72feab27f82bf52

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AteraAgent_RemoteAdmin_April_2024
Create hunting rule
Author:NDA0
Description:Detects AteraAgent Remote Admin Tool
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_SliverFox_String
Create hunting rule
Author:huoji
Description:Detect files is `SliverFox` malware
Rule name:NET
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments