AtBroker.exe

  • File Path: C:\WINDOWS\system32\AtBroker.exe
  • Description: Windows Assistive Technology Manager

Hashes

Type Hash
MD5 49E416B1E6FC089865E13B95E9BA1E68
SHA1 3134CEC8FC6361DE26DD4ACA6D6F8E1B4A66399C
SHA256 A6546A9741994A1F557C649B70B892D088680BE45D82A56E73946E5292201DA7
SHA384 154A654CB953923135ABC47CF97C69F8B67DDF2D51988E319937AADDCB36B36D73F1C3FAEBF0A65A01FE4D03D9CBCEC8
SHA512 3F83B02AB81EF999F3B8F834F6825A10AE420A6E8F3EF4D4C1B3693BA3726846DE52E8A9E00658A5DB6E382FBDA37D24AFF409886E601CA0E49A85EF1178764C
SSDEEP 1536:XkWH7XzsijMPFzY4753BlIBUJnpCIHISiRZHYPKZgfx9zTBF1aI9W3K3Dp:XkEsijS353BlI6p4SiDQH9aK3Dp
IMP 34D1312802AFB39409FE0BE066FCF443
PESHA1 B694D2B5F23A7D0936EF813C0DAF03E690AD7A37
PE256 2778B1FB94CD3861673614BB4537E9EAB5830EB4772330CB59C486D8A3862F18

Runtime Data

Loaded Modules:

Path
C:\WINDOWS\System32\ADVAPI32.dll
C:\WINDOWS\system32\AtBroker.exe
C:\WINDOWS\System32\KERNEL32.DLL
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\System32\msvcrt.dll
C:\WINDOWS\SYSTEM32\ntdll.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: ATBroker.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/a6546a9741994a1f557c649b70b892d088680be45d82a56e73946e5292201da7/detection

Possible Misuse

The following table contains possible examples of AtBroker.exe being misused. While AtBroker.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_install_reg_debugger_backdoor.yml - 'atbroker.exe' DRL 1.0
sigma win_susp_atbroker.yml title: Suspicious Atbroker Execution DRL 1.0
sigma win_susp_atbroker.yml description: Atbroker executing non-deafualt Assistive Technology applications DRL 1.0
sigma win_susp_atbroker.yml - https://lolbas-project.github.io/lolbas/Binaries/Atbroker/ DRL 1.0
sigma win_susp_atbroker.yml Image\|endswith: 'AtBroker.exe' DRL 1.0
sigma sysmon_susp_atbroker_change.yml title: Atbroker Registry Change DRL 1.0
sigma sysmon_susp_atbroker_change.yml - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Atbroker.yml DRL 1.0
LOLBAS Atbroker.yml Name: Atbroker.exe  
LOLBAS Atbroker.yml - Command: ATBroker.exe /start malware  
LOLBAS Atbroker.yml - Path: C:\Windows\System32\Atbroker.exe  
LOLBAS Atbroker.yml - Path: C:\Windows\SysWOW64\Atbroker.exe  
LOLBAS Atbroker.yml - IOC: Unknown AT starting C:\Windows\System32\ATBroker.exe /start malware  
atomic-red-team T1546.008.md * App Switcher: C:\Windows\System32\AtBroker.exe</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md | parent_list | Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: “osk.exe” | String | osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe| MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.