ffeab7e5fe1cdf9abc507fc7c528e712c375a2b924d6966b3b4fb6baf0079365

Sharing

Copy URL

Twitter E-mail

General

Target

master.zip
Size

17KB
Sample

241202-tmsf6sxjhj
MD5

aba11c18fdda9eb7f790cd0ef4dc351a
SHA1

38d9fb341732815811cccb1d96af988bdf081f30
SHA256

ffeab7e5fe1cdf9abc507fc7c528e712c375a2b924d6966b3b4fb6baf0079365
SHA512

dec7d8f789c0836a3c651ed7a0945632d41ccdd8f95d5d038960b639aa83690c142c87a383d0862c9b79ff5952279aef0b785219de70d559c9c92c9fb4cbde3d
SSDEEP

384:YHauf4CeEspR57qB2q4rQ3X/wtNXKxpFs6WLzl:Nmnwpvn/I4tNKHs6Kzl

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://app.atera.com/api/v3

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://chocolatey.org/install.ps1

Targets

- Target
  
  atera-scripts-master/000Install-AteraAgent.ps1
- Size
  
  3KB
- MD5
  
  982009079201c1aa52b0f337c775dd8f
- SHA1
  
  78cbe0e16d98979fd6d2b93487567b54e2afea40
- SHA256
  
  a19be2f732333f77b513be02a81406d13316ca30ebc073b5206844cb31d1f2ab
- SHA512
  
  688520b074802a13b604ec033d509f6bdd3a78a012e8728d7e2e8d544c999526e635d4eac022a826dc2e76b2b862e6407d76784fa24b3b404772f502c630db4d
Score

3^/10

execution
behavioral1 behavioral2
- Target
  
  atera-scripts-master/ActiveDirectory/Get-ADInactiveComputers.ps1
- Size
  
  945B
- MD5
  
  6dfeafd4d046f4f6cc41eb4c84bb9a9e
- SHA1
  
  11e3decd05582e53558590a06bc7cc192f34ecdf
- SHA256
  
  93d24eb59bac8d0947f6e4ee4dff5a1b85e830fd052ddd10b442e4bd2e0fdeb0
- SHA512
  
  e5415af7343dad48066e5a6d4db77e22d31237fe5f08496f3c1485209c137f8462c75770a10d23847abda5efad01037080b98064a9f696a8a73df0b966b884e7
Score

3^/10

execution
behavioral3 behavioral4
- Target
  
  atera-scripts-master/ActiveDirectory/Get-ADInactiveUsers.ps1
- Size
  
  893B
- MD5
  
  57dea6470aaedc6f4d2bbcbadcb1a89d
- SHA1
  
  7d89569655add0941798489f8dc971315b62fe7d
- SHA256
  
  22a6a52c0237982b92adf3220f869ef9c4d98cb757001e966229cf85f889bedb
- SHA512
  
  7b2ccecabd629f2fdc9cd2ac9300cd62068ab532cf7691698dab4fae62480f390c788eab9ad9cb3c07a3eab832ba5454068b9aaaa29cfd5ddbb6d06799ee33ad
Score

3^/10

execution
behavioral5 behavioral6
- Target
  
  atera-scripts-master/ActiveDirectory/Set-ADAccountPassword.ps1
- Size
  
  501B
- MD5
  
  d57612e711ab203695712adf3d7bfc65
- SHA1
  
  a1d12bdd08b673048cbe14967073f3441eb44439
- SHA256
  
  91f27094025252e30c613fe93aa4072850343b73537b6c5ea25300ea0021db27
- SHA512
  
  59ad6bf0d25664ca710e90b357cf156a47b887850d24823af0f8b26f286b397d034a9948b1a9584c085f0007718c625cb6f7263eae7f03462419f4b0dacbd0e6
Score

6^/10

execution
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
behavioral7 behavioral8
- Target
  
  atera-scripts-master/Atera/New-MachineAlert.ps1
- Size
  
  2KB
- MD5
  
  d0665759b4517b58caff36cac88df892
- SHA1
  
  3f22caf5ed240c7c4729edde1c26171f2725c08f
- SHA256
  
  cb2952dfbbb89f68fe376789da07c7c0df9e3117c69dabbc514eae42c88845f4
- SHA512
  
  0a1e11843fb2243cba113068c20c035f65d860e2d0d6f8b237ac2139a9f8b872620909c1a08ee0059f4ce19f37a29d0772d8640ea4fe6f4cc62cb750ed360b16
Score

3^/10

execution
behavioral10 behavioral9
- Target
  
  atera-scripts-master/Networking/Enable-RDP.ps1
- Size
  
  370B
- MD5
  
  795d86d5fb3aa1562d0d5493f0e1ebbb
- SHA1
  
  9e1c01a376047b1ee0c27d4003d50884490c5ed2
- SHA256
  
  9765d00502a997ebcd02c7e797afbd3b2005f51b261069bd74c3066cadfddf1f
- SHA512
  
  07084277297f5dec4bd6db799e04b7e93979f678b0f4dfe370a860f194a63ec83255a2a9331eeb4b48a7198e813d1e4d7c1e69be65a9a74bed50878ca8064056
Score

9^/10

evasion execution lateral_movement persistence privilege_escalation
- Remote Service Session Hijacking: RDP Hijacking
  Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
  lateral_movement
- Modifies Windows Firewall
  evasion
behavioral11 behavioral12
- Target
  
  atera-scripts-master/Networking/New-L2TPVPNConnection.ps1
- Size
  
  722B
- MD5
  
  130bb2a3f2887d863c2f8897da3e0cf8
- SHA1
  
  e58a85676d1df2843c9e6c1639e98cb4d14c945b
- SHA256
  
  5e6280de85bf67a97f1590a97d92f008816e179ba3ac7209e8dfcdf73ef0470d
- SHA512
  
  a69c6d31ac6d3e820066a6a59f9c6c09a420f16d2bacd10084690c8ab24119255cb8cad4e4130e318518b93523833462d956fc08c3053f3e55c4e9d3bdbe267c
Score

3^/10

execution
behavioral13 behavioral14
- Target
  
  atera-scripts-master/Printing/Add-HPPrinters.ps1
- Size
  
  2KB
- MD5
  
  e751d49f73fe7b1c0fa2df829a2b56ae
- SHA1
  
  7738064f78d12ff968d2fee4ac43408380b0d7d9
- SHA256
  
  f5647a107d418c13d38cf8a73ed2a01dd08a48ddeec5ae2fdbaf1ddbabe36502
- SHA512
  
  84645a391f67e166a2f4a616d1348a8d65721892f764fb4deac2ea1511acb49933d74851f1c8a6f993eddc23aad0793c5e995c066ec71045a0e78364746eede9
Score

8^/10

execution
- Blocklisted process makes network request
behavioral15 behavioral16
- Target
  
  atera-scripts-master/Printing/Clear-PrintQueue.ps1
- Size
  
  322B
- MD5
  
  198e0c84bae51dbb78da517b89506202
- SHA1
  
  b142a5c3cfcb1305b527327c4416907b0ae64626
- SHA256
  
  6f0e9124616eb5de27e9f6848dbb4878cfffd0d09e58153f9546977e8bdb3ddf
- SHA512
  
  a8904943337521a3444a5de39d19e793ff579c8dbec59f8900a2aab8f0834e1af267eb6d69289838a92c6227786f2d8e5b4738b8a8597c743054a404ead3bca3
Score

8^/10

execution persistence
- Boot or Logon Autostart Execution: Port Monitors
  Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation.
  persistence
behavioral17 behavioral18
- Target
  
  atera-scripts-master/Software/Choco-Install.ps1
- Size
  
  422B
- MD5
  
  c7e8209157356a6a07b69971e16b42ee
- SHA1
  
  a31d810530ecfbd21a97db78266aa5b86c75996b
- SHA256
  
  33ee2eb60312d99671115fb03849371955b777869634ec7686aa24681e44f6c7
- SHA512
  
  b6fff847587057bf5e05ca0c2ffa82a3cd1b82ee501b835873c11d0a1ba2285290b6f1aea483bc251cf476bf3e0f89eeb7970e063f7c2919d9b8f4a237c63577
Score

8^/10

execution
- Blocklisted process makes network request
- Executes dropped EXE
behavioral19 behavioral20
- Target
  
  atera-scripts-master/Software/Fix-SplashtopName.ps1
- Size
  
  630B
- MD5
  
  eaecf2100e1577232c7aeae30ec78104
- SHA1
  
  dd9bb26aa9af21bca72de4464f5e6968d9cdcd72
- SHA256
  
  9c1e7e2b1cb8e18bea331a8734894faddf591837c1cfd7b3aadea0130860e0ca
- SHA512
  
  d526c91ca5d63f514b830e472de6af34df3e9af98cbac05a5ce768ae839d3cca34f2539b50289de1cfd4f871d268108f0d5704ec95621b986dd9814ef3a4177f
Score

3^/10

execution
behavioral21 behavioral22
- Target
  
  atera-scripts-master/Windows/Activate-Windows.ps1
- Size
  
  865B
- MD5
  
  ea034b1ae69a053ebe8928a74a53aba1
- SHA1
  
  0f8088521f008d76400059e1bf23edd49d946d66
- SHA256
  
  d412ce1ff295efd37bf06675122834c4488591e80f7c0b26acdc5a32156096b2
- SHA512
  
  b085d8778b84f75418f17f27eded6625e2837772aa66c422c66abc6dbd95f45d8b02953b9673d977340c0f0dc8c403ce6e6b529075b858f8b85f9cc6bf6e36eb
Score

3^/10

execution
behavioral23 behavioral24