ateraagent | 4a4db999c37c5cc6e098acd2b7dcbdb7c3e7cdf0de9ecb8eaac93b6abcd8f452 | Triage

Submit
Reports

Overview

overview

Static

static

Internatio...ar.msi

windows7-x64

Internatio...ar.msi

windows10-2004-x64

Sharing

General

Target

International webinar.msi
Size

2.9MB
Sample

241118-sczl3atpck
MD5

dc9945e4be642c2a40019008b53800cf
SHA1

4270855a7a9e998a5d57d111d27e35074929badf
SHA256

4a4db999c37c5cc6e098acd2b7dcbdb7c3e7cdf0de9ecb8eaac93b6abcd8f452
SHA512

3fa911b43080e1848cfb2ba7ecedbcc7cca3fae9de6534334dabacbcc9de09feb6df43199c39bd6932ac8b0c29cb510a02fefbbf845afd7e60ccf1b98c0b120d
SSDEEP

49152:Q+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:Q+lUlz9FKbsodq0YaH7ZPxMb8tT

Score

10^/10

ateraagent bootkit discovery persistence privilege_escalation rat upx

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

International webinar.msi

Resource

win7-20240903-en

ateraagent discovery rat

windows7-x64

24 signatures

150 seconds

Behavioral task

behavioral2

Sample

International webinar.msi

Resource

win10v2004-20241007-en

ateraagent bootkit discovery persistence privilege_escalation rat upx

windows10-2004-x64

32 signatures

150 seconds

Malware Config

Targets

- Target
  
  International webinar.msi
- Size
  
  2.9MB
- MD5
  
  dc9945e4be642c2a40019008b53800cf
- SHA1
  
  4270855a7a9e998a5d57d111d27e35074929badf
- SHA256
  
  4a4db999c37c5cc6e098acd2b7dcbdb7c3e7cdf0de9ecb8eaac93b6abcd8f452
- SHA512
  
  3fa911b43080e1848cfb2ba7ecedbcc7cca3fae9de6534334dabacbcc9de09feb6df43199c39bd6932ac8b0c29cb510a02fefbbf845afd7e60ccf1b98c0b120d
- SSDEEP
  
  49152:Q+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:Q+lUlz9FKbsodq0YaH7ZPxMb8tT
Score

10^/10

ateraagent discovery rat bootkit persistence privilege_escalation upx
- AteraAgent
  AteraAgent is a remote monitoring and management tool.
  rat ateraagent
- Ateraagent family
  ateraagent
- Detects AteraAgent
- Blocklisted process makes network request
- Downloads MZ/PE file
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

Component Object Model Hijacking

Pre-OS Boot

Bootkit

Privilege Escalation

Event Triggered Execution

Component Object Model Hijacking

Defense Evasion

Modify Registry

Pre-OS Boot

Bootkit

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Time Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ateraagentdiscoveryrat

behavioral2

ateraagentbootkitdiscoverypersistenceprivilege_escalationratupx

© 2018-2024

Terms | Privacy