MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e91b55d8505e22892db37e282dfeca56aa398725f1528ed545c0b77d825be1a7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AteraAgent


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e91b55d8505e22892db37e282dfeca56aa398725f1528ed545c0b77d825be1a7
SHA3-384 hash: 65980855c553ba2f1fad42573e50b10c3256165249a4007d4e124f1cac855c4ca8ad72b13a58c1c995db4ae2b79a85ef
SHA1 hash: 6872862713edfdd61e40ad7c459f7e3c9e02853c
MD5 hash: 19d92858c9301af5d47d5973766a0aff
humanhash: ten-may-sixteen-spaghetti
File name:e91b55d8505e22892db37e282dfeca56aa398725f1528ed545c0b77d825be1a7
Download: download sample
Signature AteraAgent
Create hunting rule
File size:2'994'176 bytes
First seen:2024-11-08 12:27:30 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 49152:U+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:U+lUlz9FKbsodq0YaH7ZPxMb8tT
Threatray 150 similar samples on MalwareBazaar
TLSH T18BD523117584483AE3BB0A358D7AD6A05E7DFE605B70CA8E9308741E2D705C1AB76FB3
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter JAMESWT_WT
Tags:AteraAgent msi signed

Code Signing Certificate

Organisation:Atera Networks Ltd
Issuer:DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm:sha256WithRSAEncryption
Valid from:2024-02-15T00:00:00Z
Valid to:2025-03-18T23:59:59Z
Serial number: 0a28499978e5898df40a238eb8a552e8
Intelligence: 70 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: f166bf0cc1fb75ea35db8fb76143a4946a63ff5b1720f787b99014d4777d81d7
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
2'178
Origin country :
IT IT
Vendor Threat Intelligence
Detection(s):
PUA.Win.File.AteraRemoteAdmin-9942568-0
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=672e03df96bcb959b48d73bc
Tags:
shellcode exploit virus
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm cmd expand installer lolbin lolbin packed rundll32
Link:
https://www.filescan.io/uploads/672e03de83eea00c657253fd/reports/ce3891c5-cb99-4b27-baed-d0d3579215c6/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/e91b55d8505e22892db37e282dfeca56aa398725f1528ed545c0b77d825be1a7
Result
Threat name:
AteraAgent
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1552151
Signature
AI detected suspicious sample
Creates files in the system32 config directory
Enables network access during safeboot for specific services
Installs Task Scheduler Managed Wrapper
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
Reads the Security eventlog
Reads the System eventlog
Sample is not signed and drops a device driver
System process connects to network (likely due to code injection or exploit)
Yara detected AteraAgent
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1552151 Sample: IwmwOaVHnd.msi Startdate: 08/11/2024 Architecture: WINDOWS Score: 100 143 Multi AV Scanner detection for dropped file 2->143 145 Multi AV Scanner detection for submitted file 2->145 147 Yara detected AteraAgent 2->147 149 7 other signatures 2->149 9 msiexec.exe 501 887 2->9         started        13 AteraAgent.exe 2->13         started        16 AteraAgent.exe 2->16         started        18 3 other processes 2->18 process3 dnsIp4 109 C:\Windows\Installer\...\ARPPRODUCTICON.exe, PE32 9->109 dropped 111 C:\Windows\Installer\MSIEA6F.tmp, PE32 9->111 dropped 113 C:\Windows\Installer\MSIE885.tmp, PE32 9->113 dropped 121 465 other files (402 malicious) 9->121 dropped 165 Sample is not signed and drops a device driver 9->165 20 msiexec.exe 9->20         started        24 msiexec.exe 9->24         started        26 AteraAgent.exe 9->26         started        29 msiexec.exe 9->29         started        135 18.66.112.49 MIT-GATEWAYSUS United States 13->135 137 93.184.221.240 EDGECASTUS European Union 13->137 115 C:\...\System.Management.dll, PE32 13->115 dropped 117 C:\...117ewtonsoft.Json.dll, PE32 13->117 dropped 119 C:\...\Microsoft.Win32.TaskScheduler.dll, PE32 13->119 dropped 123 278 other malicious files 13->123 dropped 167 Installs Task Scheduler Managed Wrapper 13->167 37 2 other processes 13->37 139 18.66.112.10 MIT-GATEWAYSUS United States 16->139 141 35.157.63.227 AMAZON-02US United States 16->141 125 31 other malicious files 16->125 dropped 169 Creates files in the system32 config directory 16->169 171 Reads the Security eventlog 16->171 173 Reads the System eventlog 16->173 31 AgentPackageSTRemote.exe 16->31         started        33 AgentPackageAgentInformation.exe 16->33         started        35 AgentPackageMonitoring.exe 16->35         started        39 4 other processes 16->39 file5 signatures6 process7 dnsIp8 89 C:\...\SRCredentialProvider.dll (copy), PE32+ 20->89 dropped 91 C:\Windows\Temp\...\_isres_0x0409.dll, PE32 20->91 dropped 93 C:\Windows\Temp\...\_is440E.exe, PE32+ 20->93 dropped 101 14 other malicious files 20->101 dropped 157 Enables network access during safeboot for specific services 20->157 47 6 other processes 20->47 49 4 other processes 24->49 129 192.229.221.95 EDGECASTUS United States 26->129 95 C:\Windows\System32\InstallUtil.InstallLog, Unicode 26->95 dropped 97 C:\...\AteraAgent.InstallLog, Unicode 26->97 dropped 159 Reads the Security eventlog 26->159 161 Reads the System eventlog 26->161 41 Conhost.exe 26->41         started        54 2 other processes 29->54 131 52.223.39.232 AMAZONEXPANSIONGB United States 31->131 133 13.35.58.89 AMAZON-02US United States 31->133 99 C:\Windows\Temp\SplashtopStreamer.exe, PE32 31->99 dropped 163 Creates files in the system32 config directory 31->163 56 2 other processes 31->56 58 2 other processes 33->58 43 conhost.exe 35->43         started        45 conhost.exe 37->45         started        60 5 other processes 39->60 file9 signatures10 process11 dnsIp12 62 Conhost.exe 43->62         started        127 40.119.152.241 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 49->127 79 C:\...\AlphaControlAgentInstallation.dll, PE32 49->79 dropped 81 C:\...\AlphaControlAgentInstallation.dll, PE32 49->81 dropped 83 C:\...\AlphaControlAgentInstallation.dll, PE32 49->83 dropped 87 13 other files (1 malicious) 49->87 dropped 151 System process connects to network (likely due to code injection or exploit) 49->151 64 conhost.exe 54->64         started        66 net1.exe 54->66         started        68 conhost.exe 54->68         started        85 C:\Windows\Temp\unpack\PreVerCheck.exe, PE32 56->85 dropped 70 PreVerCheck.exe 56->70         started        153 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 58->153 155 Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes) 58->155 73 conhost.exe 58->73         started        75 cscript.exe 58->75         started        file13 signatures14 process15 file16 103 C:\Windows\Temp\unpack\libssl-3.dll, PE32 70->103 dropped 105 C:\Windows\Temp\unpack\libcrypto-3.dll, PE32 70->105 dropped 107 C:\Windows\Temp\unpack\SRSocketCtrl.dll, PE32 70->107 dropped 77 msiexec.exe 70->77         started        process17
Score:
75%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/e91b55d8505e22892db37e282dfeca56aa398725f1528ed545c0b77d825be1a7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e91b55d8505e22892db37e282dfeca56aa398725f1528ed545c0b77d825be1a7/
Threat name:
Win32.Trojan.Atera
Create hunting rule
Status:
Malicious
First seen:
2024-11-07 21:20:08 UTC
File Type:
Binary (Archive)
Extracted files:
15
AV detection:
8 of 36 (22.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5envlwcqlyrislntpyuc37wkk2vdtbzf6fji5vkfyc3x3as34gtq._file
Verdict:
suspicious
Label(s):
ateraagent
Create hunting rule
Similar samples:
2ba7c24b984423bda7b4982b3b6e230a6c0f2dae44b580c6f02d133e625fd3bb
AteraAgent
33283eed43cb365ae5f4541f387ea4f4e81667573b3c890be5606fc53c5852d5
AteraAgent
3809affad6dc10de4613edb2c172f47b641b0393270a129b24683ccd30fb39d7
AteraAgent
44f4a65edf7ae3ce4fbc50b03bc034b27d699e7a17cbd130cac07d78ce171985
AteraAgent
55af6a90ac8863f27b3fcaa416a0f1e4ff02fb42aa46a7274c6b76aa000aacc2
AteraAgent
615ba2f7363ac61f75d05171c3c02fceefe1e7ab328295be8e4dc55691416c25
AteraAgent
8c684bf0b13e4bc010d63490bd53593cd627be43e8178117c80e4b836881dad6
AteraAgent
9104930a661af5e641ad911fc30c0887433713ea589e389f06cbd5bb0a7ed5ad
AteraAgent
e7d97013314341bbdb5abd3bdade00039a87ec865efc3df4a72feab27f82bf52
AteraAgent
error
AteraAgent
fab822cc1d5b10a959de748250badb0f1244964942814046b74c41b8887c8c00
AteraAgent
+ 140 additional samples on MalwareBazaar
Result
Malware family:
ateraagent
Create hunting rule
Score:
  10/10
Tags:
family:ateraagent discovery persistence privilege_escalation rat
Link:
https://tria.ge/reports/241108-pnb4cs1pdy/
Behaviour
Checks SCSI registry key(s)
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Checks installed software on the system
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
Launches sc.exe
Loads dropped DLL
Drops file in System32 directory
Enumerates connected drives
Blocklisted process makes network request
AteraAgent
Ateraagent family
Detects AteraAgent
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/8e8c9fc7-118e-4508-b227-b37e1a65ab6b
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e91b55d8505e22892db37e282dfeca56aa398725f1528ed545c0b77d825be1a7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AteraAgent_RemoteAdmin_April_2024
Create hunting rule
Author:NDA0
Description:Detects AteraAgent Remote Admin Tool
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_SliverFox_String
Create hunting rule
Author:huoji
Description:Detect files is `SliverFox` malware
Rule name:NET
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments