ateraagent | c2b67e8195a09bb12cf7eeceb484c5248fb1b4f2010dddb149e868eb4a37c36e | Triage

Submit
Reports

Overview

overview

Static

static

e6d41a5c8b...07.msi

windows10-2004-x64

Sharing

General

Target

19792488784.zip
Size

2.6MB
Sample

241106-p67yrasqep
MD5

5da1e88b4627b83108b6c93fea38879d
SHA1

90a6d2be2d6fa1b6f7efee462046dffb6eeb2c78
SHA256

c2b67e8195a09bb12cf7eeceb484c5248fb1b4f2010dddb149e868eb4a37c36e
SHA512

7b4a3a2ac588bb5a876bf32b383d9598c324b9fc6c08e4a97ef2480f22efb26f1243b20db0852e6fa3987ad9122bfd618ac869c6bea1d2dd68f230f96da44c74
SSDEEP

49152:R9YrkLr1QibuWbaDEbblwn6xyFsP14aJwibqGx/GPaO6oESU2KxEEti8Okst1Y+r:RuoVvSvDENEQbP1Jwi2E4airKxVo8Ilr

Score

10^/10

ateraagent bootkit discovery persistence privilege_escalation rat upx

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

e6d41a5c8b4ee4d298da209f75f5ff678bfec84d8ac4a4dbf11d17e6b6aa7007.msi

Resource

win10v2004-20241007-en

ateraagent bootkit discovery persistence privilege_escalation rat upx

windows10-2004-x64

33 signatures

1200 seconds

Malware Config

Targets

- Target
  
  e6d41a5c8b4ee4d298da209f75f5ff678bfec84d8ac4a4dbf11d17e6b6aa7007
- Size
  
  2.9MB
- MD5
  
  c5d6f1dbaaa149c1037f2e88d824a759
- SHA1
  
  46facb96e7a2332c44e412cc8aca7d2b9aca497a
- SHA256
  
  e6d41a5c8b4ee4d298da209f75f5ff678bfec84d8ac4a4dbf11d17e6b6aa7007
- SHA512
  
  5edf7f578c5cedd6cbd12f8904019a52a85ac819b2d87eb47e2300a0e95fd891a220b32790587eec6c93b4a0c88a0f554301e17bca2c78801fbb55381ad3c7e0
- SSDEEP
  
  49152:g+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:g+lUlz9FKbsodq0YaH7ZPxMb8tT
Score

10^/10

ateraagent bootkit discovery persistence privilege_escalation rat upx
- AteraAgent
  AteraAgent is a remote monitoring and management tool.
  rat ateraagent
- Ateraagent family
  ateraagent
- Detects AteraAgent
- Blocklisted process makes network request
- Downloads MZ/PE file
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

Component Object Model Hijacking

Installer Packages

Pre-OS Boot

Bootkit

Privilege Escalation

Event Triggered Execution

Component Object Model Hijacking

Installer Packages

Defense Evasion

Modify Registry

Pre-OS Boot

Bootkit

Subvert Trust Controls

Install Root Certificate

System Binary Proxy Execution

Msiexec

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Time Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ateraagentbootkitdiscoverypersistenceprivilege_escalationratupx

© 2018-2024

Terms | Privacy