{
	"id": "bc25b1d4-7769-4c3b-ae94-f380a62b485a",
	"created_at": "2026-04-06T00:17:25.274181Z",
	"updated_at": "2026-04-10T03:36:48.457765Z",
	"deleted_at": null,
	"sha1_hash": "686e4f6063df65d024de32409732694be662c24c",
	"title": "MalwareAnalysisReports/AmateraStealer/Amatera Stealer v1.md at main · VenzoV/MalwareAnalysisReports",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 458963,
	"plain_text": "MalwareAnalysisReports/AmateraStealer/Amatera Stealer v1.md\r\nat main · VenzoV/MalwareAnalysisReports\r\nBy VenzoV\r\nArchived: 2026-04-05 15:45:28 UTC\r\nSample\r\nAt the time of analysis, this was the only sample I was able to locate related to the Amatera stealer. I was also\r\nunable to find any prior public reports or technical write-ups on Amatera. The only references I identified (though\r\nothers may exist) were a few posts on X discussing its command-and-control (C2) panel.\r\nWhile drafting this analysis, Proofpoint published a brief blog post noting that Amatera is a rebranded version of\r\nACR Stealer, as previously analyzed by AhnLab.\r\nThe sample referenced in this post is available on MalwareBazaar and VirusTotal.\r\nSHA256\r\n73fd51d4a0959e5c5a82db9be0d765069d02a2b97f51f55f5d6422a7bec01caa\r\nThe sample I analyzed below appears to differ from the one referenced by Proofpoint. It seems to represent an\r\nearlier or test version of the malware, as it lacks significant obfuscation and does not incorporate advanced anti-analysis techniques. Another big giveaway is the \"build_id\" string set to \"test_5\".\r\nIn the last section I will add the differences and similarities as I find them; for now it contains only a quick glance at the\r\nsimilarities found within the shellcode and hashing algorithm.\r\nC2 Communications\r\nThe main features for C2 communications are:\r\nConnects to C2 server at \"afdprox.icu\" on port 443\r\nUses RC4 encryption for data transmission\r\nImplements authorization headers for authentication\r\nSends stolen data via POST requests to \"/core/sendPart\"\r\nReceives config from \"/core/createSession\"\r\nThe two functions that interact with the C2 are:\r\nmw_C2GetConfig -\u003e Gets JSON config\r\nmw_C2SendData -\u003e Sends stolen data, RC4 encrypted\r\nhttps://github.com/VenzoV/MalwareAnalysisReports/blob/main/AmateraStealer/Amatera%20Stealer%20v1.md\r\nPage 1 of 11\n\nThe stealer will make use of the Authorization header to connect to the C2 and receive an encrypted config. The data\r\nwill be base64 decoded and then decrypted. The function mw_ParseC2Data() is evidence that the config is in\r\nJSON format. The ACR build previously reported by AhnLab also shows a very similar JSON.\r\nBelow are some of the JSON fields the malware looks for and whose values it saves:\r\nAs for mw_C2SendData, this function is pretty standard. It will RC4 encrypt stolen data and send it to the C2.\r\nC2 Config Decryption\r\nAfter reviewing other builds—particularly those resembling the ones analyzed in Proofpoint’s research rather than\r\ntest builds—I was able to decrypt the C2 configuration using the following method:\r\ndef xor_decrypt_exact(encrypted: bytes, key: bytes) -\u003e bytes:\r\n    # XOR each ciphertext byte with the 10-byte key, repeating the key\r\n    if len(key) != 10:\r\n        raise ValueError(\"Key must be exactly 10 bytes\")\r\n    decrypted = bytearray(len(encrypted))\r\n    for i in range(len(encrypted)):\r\n        decrypted[i] = encrypted[i] ^ key[i % 10]\r\n    return bytes(decrypted)\r\nThe key can be found right at the start of the code:\r\nThe decrypted C2 config follows:\r\nAmatera Config:\r\n{\"b\":[{\"n\":\"b\\\\c8\",\"p\":\"\\\\Local\\\\Google\\\\Chrome\\\\User Data\",\"t\":1,\"pn\":\"chrome.exe\"},{\"n\":\"b\\\\c8\",\"p\r\nSystem Information Harvesting\r\nThe malware comprehensively profiles the victim's system by collecting:\r\nMachine GUID and hardware identifiers\r\nHostname and username\r\nOperating system details and locale information\r\nInstallation date and timezone\r\nDisplay/monitor information\r\nProcessor details and total RAM\r\nList of installed software and running processes\r\nTakes screenshots of the desktop\r\nSteals clipboard contents\r\nData Theft\r\nThe malware specifically targets Chromium-based browsers:\r\nExtracts Chrome/Chromium encryption keys from Local State files\r\nSteals stored passwords, cookies, and browsing data\r\nHarvests browser extension data (likely targeting cryptocurrency wallet extensions)\r\nProcesses app-bound encryption keys for newer Chrome versions\r\nAlso targets Mozilla Firefox data\r\nSearches for and steals desktop cryptocurrency wallet files\r\nSteals Telegram Desktop session files and data\r\nHarvests Steam account information\r\nShellcode\r\nFirst Shellcode\r\nWhile analyzing Chrome-related files, the malware invokes a function tasked with injecting shellcode into the\r\ntarget browser, based on parameters defined in its configuration. The shellcode is executed by creating a new\r\nthread within the browser process.\r\nNotably, the payload consists of a two-stage shellcode, both stages embedded within the sample itself. The first\r\nstage is responsible for locating, parsing, and decompressing the second-stage shellcode. This process involves\r\nscanning memory for specific patterns used to identify and extract the embedded payload.\r\nThe first-stage shellcode employs a custom hashing algorithm to obfuscate the API functions it requires. It\r\nperforms classic PEB (Process Environment Block) walking to dynamically resolve the addresses of these\r\nfunctions at runtime, a common technique used to evade static analysis and avoid reliance on import tables.\r\nOnce the necessary APIs are resolved, the shellcode searches memory for a predefined marker indicating the\r\nlocation of the second-stage shellcode. It then constructs the appropriate entry point and transfers execution to it.\r\nAdditionally, the shellcode appears to support both RC4 encryption and RTL compression for the embedded\r\npayloads. However, in this particular sample, neither of these obfuscation methods is applied—the payload is in\r\nplain or minimally encoded form.\r\nThe following is a Python version of the hashing algorithm:\r\ndef ror(value, bits, width=32):\r\n    # Rotate right within a fixed register width (32 bits by default)\r\n    return ((value \u003e\u003e bits) | (value \u003c\u003c (width - bits))) \u0026 (2**width - 1)\r\n\r\ndef compute_hash(utf16le_bytes):\r\n    # Hash a UTF-16LE string the way the first-stage shellcode does:\r\n    # case-fold the low byte, rotate right by 12, then add\r\n    result = 0\r\n    i = 0\r\n    while i + 1 \u003c len(utf16le_bytes):\r\n        char = utf16le_bytes[i]\r\n        next_byte = utf16le_bytes[i+1]\r\n        # Check for UTF-16 null terminator (two null bytes)\r\n        if char == 0x00 and next_byte == 0x00:\r\n            break\r\n        byte = char  # only low byte used (so ASCII-safe)\r\n        byte_1 = byte - 0x20  # lowercase letters are folded to uppercase\r\n        if byte \u003c 0x61:\r\n            byte_1 = byte  # anything below 'a' is taken as-is\r\n        result = ror(result, 0xc) + byte_1\r\n        i += 2  # move to next UTF-16 char\r\n    return result \u0026 0xFFFFFFFF  # keep the final value to 32 bits like the shellcode register\r\nSecond Shellcode\r\nThis shellcode uses a COM API to steal browser data and to change security context.\r\nThe COM infrastructure is initialized by loading essential libraries such as ole32.dll and oleaut32.dll, which\r\nprovide access to COM functionality. Key COM functions like CoInitializeEx, CoUninitialize, CoCreateInstance,\r\nand CoSetProxyBlanket are resolved. Additionally, BSTR functions for handling strings, such as\r\nSysAllocStringByteLen and SysFreeString, are also resolved to facilitate memory management and string\r\noperations.\r\nThe COM object is then created and configured by calling CoInitializeEx(0, 2), which sets the apartment\r\nthreading model for the process. The COM instance is instantiated using CoCreateInstance. To ensure proper\r\nsecurity, the proxy blanket is set with CoSetProxyBlanket, which configures the authentication and authorization\r\nsettings. The proxy blanket is specifically set with RPC_C_AUTHN_LEVEL_PKT_PRIVACY, which provides\r\nthe highest authentication level (combining both integrity and encryption), ensuring the communication is secure.\r\nIt also uses RPC_C_IMP_LEVEL_IMPERSONATE, allowing the process full access to the caller's token.\r\nAdditionally, EOAC_STATIC_CLOAKING is applied, allowing the use of the thread's token silently without\r\nrevealing its identity.\r\nIn the analyzed non-test build of the malware, several COM CLSIDs were identified as being used to interface with\r\nbrowser elevation services. These CLSIDs correspond to known COM classes and interfaces responsible for\r\nexecuting processes with elevated privileges, often related to browser components.\r\nCLSID: {1FCBE96C-1697-43AF-9140-2897C7C69767}\r\nIdentified as the MicrosoftEdgeElevationService COM class.\r\nResponsible for handling elevation requests for the legacy Microsoft Edge browser.\r\nCLSID: {C9C2B807-7731-4F34-81B7-44FF7779522B}\r\nAssociated with the IElevatorEdge COM interface.\r\nFacilitates elevation operations specific to Edge's elevation broker mechanism.\r\nFurther notes on how this typically works can be found here.\r\nSimilarities with Proofpoint research\r\nUpon analyzing the Proofpoint sample, we observe that the shellcode section exhibits a structure highly\r\nsimilar to that found within the binary.\r\nNotably, the pattern used to locate the initial shellcode—which subsequently loads a secondary payload—is\r\nconsistent across samples. The implementation appears nearly identical, even utilizing the same hash values for\r\nresolving ntdll.dll and kernel32.dll.\r\nAdditionally, the string \"Elevator.exe\" is present in the second-stage shellcode, suggesting a shared origin or\r\ntoolkit.\r\nThe following highlights the reuse of the same hashing algorithm within the shellcode:\r\nSource: https://github.com/VenzoV/MalwareAnalysisReports/blob/main/AmateraStealer/Amatera%20Stealer%20v1.md",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/VenzoV/MalwareAnalysisReports/blob/main/AmateraStealer/Amatera%20Stealer%20v1.md"
	],
	"report_names": [
		"Amatera%20Stealer%20v1.md"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434645,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/686e4f6063df65d024de32409732694be662c24c.pdf",
		"text": "https://archive.orkl.eu/686e4f6063df65d024de32409732694be662c24c.txt",
		"img": "https://archive.orkl.eu/686e4f6063df65d024de32409732694be662c24c.jpg"
	}
}