{
	"id": "1a77050d-74df-4b14-bdb6-c4fba73be2db",
	"created_at": "2026-04-06T00:06:57.665146Z",
	"updated_at": "2026-04-10T13:12:54.041005Z",
	"deleted_at": null,
	"sha1_hash": "711fdf21b530886b36ca4b1af3b558d718655ebc",
	"title": "MalwareAnalysisReports/AmateraStealer/Amatera shark.exe.md at main · VenzoV/MalwareAnalysisReports",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 256185,
	"plain_text": "MalwareAnalysisReports/AmateraStealer/Amatera shark.exe.md\r\nat main · VenzoV/MalwareAnalysisReports\r\nBy VenzoV\r\nArchived: 2026-04-05 14:46:49 UTC\r\nSample\r\nThis sample is pulled from the Amatera config from the C2. It is fetched from the following path:\r\nh4.possumdefense.digital/shark.bin\r\nSHA256\r\n9FC9558C681F0370B1BA1F7B79551B2B253647EAC3C47F10EE4FE96F1FAA8B24\r\nFrom PeStudio we can immediately see this is a 32-bit binary compiled with Delphi.\r\nChecking for further leads, the resource section contains an unknown data blob, which will actually be the next stage and is important to track.\r\nInitial contents of the resource section:\r\nhttps://github.com/VenzoV/MalwareAnalysisReports/blob/main/AmateraStealer/Amatera%20shark.exe.md\r\nPage 1 of 6\n\nAnalysis First Stage\r\nTo identify the routine responsible for loading and decrypting the resource file, a debugger was initially used to extract the next stage directly. However, by analyzing the binary in IDR (Interactive Delphi Reconstructor), we can gain deeper insight into the internal structure of the Delphi executable.\r\nFor a quick solution, I searched for the resource ID within the strings and identified the function referencing it.\r\nThis function immediately reveals the following sequence:\r\nThe resource is loaded or created.\r\nVirtualAlloc is called to allocate memory.\r\nReadBuffer is used to read the resource contents.\r\nA push ecx followed by a ret instruction effectively results in a jmp ecx.\r\nThis pattern strongly suggests that the resource is decrypted in memory and execution is then transferred to the unpacked second stage.\r\nAnalysis Second Stage\r\nThe second stage is pretty short and is just used to load another binary which is embedded inside. Once again, push + ret is used to jmp to the code to run.\r\nThird stage\r\nThe third stage of the malware is more intriguing. It can be carved directly from the second stage using any hex editor. The resulting binary is fairly large, and upon decompilation, it quickly becomes evident that heavy obfuscation is in play.\r\nInitial string analysis reveals telltale signs of a Go binary, specifically due to the presence of obfuscated .go package names and runtime artifacts. Further analysis indicates that the binary has been obfuscated using garble, an open-source tool for Go code obfuscation. Notably, it appears to have been built using a newer version of Garble that introduces breaking changes to tools like GoReSym and GoStringUngarbler, both of which failed to function correctly in this context (unless there was a usage error).\r\nTo verify this, I compiled a simple \"Hello, World\" Go program and obfuscated it using the latest version of Garble. As expected, both GoReSym and GoStringUngarbler were unable to parse or recover symbol and string information, confirming the observed breakage.\r\nEDIT: Checking further, I noticed I made a mistake. The literals are NOT encrypted; garble was run without the -literals flag. The strings can be found inside the binary and are built at runtime.\r\nFollowing is the start of a Garbled 32-bit binary.\r\nFor now the only functionality recovered is that shark.exe is added as a scheduled task for persistence.\r\nAttaching to the running binary, the strings in memory contain 1 malicious IP address. It also makes a DNS query to a binance domain:\r\ndata-seed-prebsc-2-s1.binance.org\r\n109.172.87.40\r\nMy analysis for now ends here until I am able to fully recover more from the binary.\r\nReferences\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/gostringungarbler-deobfuscating-strings-in-garbled-binaries\r\nhttps://research.openanalysis.net/garble/go/obfuscation/strings/2023/08/03/garble.html\r\nSource: https://github.com/VenzoV/MalwareAnalysisReports/blob/main/AmateraStealer/Amatera%20shark.exe.md",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/VenzoV/MalwareAnalysisReports/blob/main/AmateraStealer/Amatera%20shark.exe.md"
	],
	"report_names": [
		"Amatera%20shark.exe.md"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434017,
	"ts_updated_at": 1775826774,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/711fdf21b530886b36ca4b1af3b558d718655ebc.pdf",
		"text": "https://archive.orkl.eu/711fdf21b530886b36ca4b1af3b558d718655ebc.txt",
		"img": "https://archive.orkl.eu/711fdf21b530886b36ca4b1af3b558d718655ebc.jpg"
	}
}