AtBroker.exe

  • File Path: C:\Windows\system32\AtBroker.exe
  • Description: Windows Assistive Technology Manager

Hashes

Type Hash
MD5 0E175C40A722407F804F30BFB45CEDA8
SHA1 5B9938BC8FB5158043063C55EB795884BE6F621C
SHA256 6837E1C70823796EB24D9E5E0209BEA5C857A34F70B936D6D1CF5791C4F74961
SHA384 6287D56143A13D0E41923A4055FBA5BA7CF62232813951FCB4CCC9076CDB3EC695E6CCB04B4AE5A23E910BC15B50686F
SHA512 742D088A8559D0C6DD13B5B5C21453BF736E5F0EDA2071F279401595F360195677D7053106969CC41852096B357B0A88986603B00A01977124641C5A38A1E0A5
SSDEEP 1536:U58+Dquaetf7kqOMFsi8ZkHbto3W94e3er7JENPUjdJa/YGO:UyIF/f3X+BZCtCZr7JEaj/OYGO
IMP 587B1C3FD47818346FB8557408E17403
PESHA1 EA32733357843029F570463FBEAF7E380247D907
PE256 FD427027C62AE45B2314D59CC47812C1437499356152A1FB49F3B1DF66DD4CD8

Signature

  • Status: Signature verified.
  • Serial: 33000001C422B2F79B793DACB20000000001C4
  • Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: ATBroker.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/69
  • VirusTotal Link: https://www.virustotal.com/gui/file/6837e1c70823796eb24d9e5e0209bea5c857a34f70b936d6d1cf5791c4f74961/detection/

Possible Misuse

The following table contains possible examples of AtBroker.exe being misused. AtBroker.exe is not inherently malicious: it is the Windows broker that starts Assistive Technology (AT) applications registered in the registry. That legitimate functionality can be abused, because an attacker who can register an AT entry pointing at an arbitrary binary can then have the Microsoft-signed AtBroker.exe launch it ("ATBroker.exe /start malware" in the LOLBAS entry below), and the binary is also among the accessibility programs targeted by the Image File Execution Options "debugger" hijack (T1546.008). The Sigma rules below therefore watch for AtBroker.exe starting a non-default AT and for writes to the Accessibility registry keys.

Source Source File Example License
sigma proc_creation_win_install_reg_debugger_backdoor.yml - 'atbroker.exe' DRL 1.0
sigma proc_creation_win_susp_atbroker.yml title: Suspicious Atbroker Execution DRL 1.0
sigma proc_creation_win_susp_atbroker.yml description: Atbroker executing non-default Assistive Technology applications DRL 1.0
sigma proc_creation_win_susp_atbroker.yml - https://lolbas-project.github.io/lolbas/Binaries/Atbroker/ DRL 1.0
sigma proc_creation_win_susp_atbroker.yml Image\|endswith: 'AtBroker.exe' DRL 1.0
sigma registry_event_susp_atbroker_change.yml title: Atbroker Registry Change DRL 1.0
sigma registry_event_susp_atbroker_change.yml - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Atbroker.yml DRL 1.0
LOLBAS Atbroker.yml Name: Atbroker.exe  
LOLBAS Atbroker.yml - Command: ATBroker.exe /start malware  
LOLBAS Atbroker.yml - Path: C:\Windows\System32\Atbroker.exe  
LOLBAS Atbroker.yml - Path: C:\Windows\SysWOW64\Atbroker.exe  
LOLBAS Atbroker.yml - IOC: Unknown AT starting C:\Windows\System32\ATBroker.exe /start malware  
atomic-red-team T1546.008.md * App Switcher: C:\Windows\System32\AtBroker.exe MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md | parent_list | Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: “osk.exe” | String | osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe| MIT License. © 2018 Red Canary
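The two Sigma rules referenced above (AtBroker.exe starting a non-default AT, and changes under the Accessibility registry keys) can be expressed as a small detection routine. The following is an added example written for this page, not code from Strontic, the Sigma project or LOLBAS. It assumes Sysmon-style field names (EventID, Image, CommandLine, TargetObject), that the default AT allow-list below matches the one in proc_creation_win_susp_atbroker.yml, and that the two registry paths are the ones registry_event_susp_atbroker_change.yml watches; the sample events are constructed, not real telemetry.

```python
import re
from typing import Dict, List, Optional

# Assistive Technology (AT) names Windows registers by default, so that
# "AtBroker.exe /start <name>" with one of these is expected activity.
# Assumption: mirrors the allow-list in the Sigma rule
# proc_creation_win_susp_atbroker.yml; re-baseline against your own hosts.
DEFAULT_ATS = {
    "animations", "audiodescription", "caretbrowsing", "caretwidth",
    "colorfiltering", "cursorscheme", "filterkeys", "focusborderheight",
    "focusborderwidth", "highcontrast", "keyboardcues", "keyboardpref",
    "magnifierpane", "messageduration", "minimumcursor", "mousekeys",
    "narrator", "osk", "overlappedcontent", "showsounds", "soundsentry",
    "stickykeys", "togglekeys", "windowarranging", "windowtracking",
    "windowtrackingtimeout", "windowtrackingzorder",
}

# Registry locations where AT entries live. Creating a subkey whose StartExe
# points at an arbitrary binary is the setup step for the LOLBAS
# "ATBroker.exe /start malware" technique. Assumption: these are the paths
# the Sigma rule registry_event_susp_atbroker_change.yml watches.
AT_REGISTRY_PATHS = (
    r"software\microsoft\windows nt\currentversion\accessibility\ats",
    r"software\microsoft\windows nt\currentversion\accessibility\configuration",
)

START_RE = re.compile(r"/start\s+(\S+)", re.IGNORECASE)


def check_process_event(event: Dict[str, str]) -> Optional[str]:
    """Flag AtBroker.exe starting an AT whose name is not in the default set."""
    image = event.get("Image", "")
    if not image.lower().endswith("atbroker.exe"):   # Sigma: Image|endswith
        return None
    cmdline = event.get("CommandLine", "")
    match = START_RE.search(cmdline)
    if match is None:
        return None
    # Exact (case-insensitive) name match, not substring: "osk_evil" must
    # not be excused by the default name "osk".
    at_name = match.group(1).strip('"').lower()
    if at_name in DEFAULT_ATS:
        return None
    return f"Suspicious AtBroker execution: non-default AT '{at_name}' ({cmdline})"


def check_registry_event(event: Dict[str, str]) -> Optional[str]:
    """Flag any write under the AT registry locations, whichever process did it."""
    target = event.get("TargetObject", "")
    if any(path in target.lower() for path in AT_REGISTRY_PATHS):
        return f"AT registry change by {event.get('Image', '?')}: {target}"
    return None


def scan(events: List[Dict[str, str]]) -> List[str]:
    """Run both checks over Sysmon-style events and collect the alerts in order."""
    alerts: List[str] = []
    for event in events:
        event_id = event.get("EventID")
        hit = None
        if event_id == "1":               # process creation
            hit = check_process_event(event)
        elif event_id in ("12", "13"):    # registry key created / value set
            hit = check_registry_event(event)
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample events (Sysmon-like field names); not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "Image": r"C:\Windows\System32\AtBroker.exe",
     "CommandLine": r"C:\Windows\System32\AtBroker.exe /start osk"},          # benign
    {"EventID": "13", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\malware\StartExe"},
    {"EventID": "1", "Image": r"C:\Windows\System32\ATBroker.exe",
     "CommandLine": r"ATBroker.exe /start malware"},                          # LOLBAS example
    {"EventID": "1", "Image": r"C:\Windows\System32\AtBroker.exe",
     "CommandLine": r"AtBroker.exe /start osk_evil"},                         # substring trap
    {"EventID": "1", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe /start malware"},                           # wrong image
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Run as a script to see the three alerts (the registry write, "/start malware", and "/start osk_evil"). The name comparison is deliberately exact rather than a substring test, because a "contains" style allow-list would let any AT name that merely embeds a default name (such as "osk_evil") pass unflagged.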

MIT License. Copyright (c) 2020-2021 Strontic.