# Amatera shark.exe

MalwareAnalysisReports/AmateraStealer/Amatera shark.exe.md at main · VenzoV/MalwareAnalysisReports, by VenzoV. Archived: 2026-04-05 14:46:49 UTC

## Sample

This sample is pulled from the Amatera config served by the C2. It is fetched from the following path:

`h4.possumdefense.digital/shark.bin`

SHA256: `9FC9558C681F0370B1BA1F7B79551B2B253647EAC3C47F10EE4FE96F1FAA8B24`

From PeStudio we can immediately see this is a 32-bit binary compiled with Delphi. Checking for further leads, the resource section contains an unknown data blob, which will turn out to be the next stage and is important to track.

Initial contents of the resource section:

## Analysis

### First Stage

To identify the routine responsible for loading and decrypting the resource, a debugger was initially used to extract the next stage directly. However, by analyzing the binary in IDR (Interactive Delphi Reconstructor), we can gain deeper insight into the internal structure of the Delphi executable.

For a quick solution, I searched for the resource ID within the strings and identified the function referencing it. This function immediately reveals the following sequence:

- The resource is loaded or created.
- `VirtualAlloc` is called to allocate memory.
- `ReadBuffer` is used to read the resource contents.
- A `push ecx` followed by a `ret` instruction, which effectively results in a `jmp ecx`.

This pattern strongly suggests that the resource is decrypted in memory and execution is then transferred to the unpacked second stage.

### Second Stage

The second stage is quite short and is only used to load another binary that is embedded inside it. Once again, `push` + `ret` is used to jump to the code to run.
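Both loader stages hand execution to a PE image embedded in the stage before it, and the report carves the next stage by hand in a hex editor. The script below is an added example (not code from the VenzoV report) that automates the same task: it scans a blob for `MZ` headers, validates each one by walking to the `PE\0\0` signature and the section table, and uses the highest section end (`PointerToRawData + SizeOfRawData`) as the carve length. It also lists `push r32; ret` byte pairs in the carved image, the register-jump trick the report describes. It assumes the embedded image keeps its headers intact, which holds for the second-to-third stage carve; the first-stage resource is encrypted, so for that stage the input would be the memory dumped after decryption, as the report does with a debugger. The sample blob is constructed inline for demonstration.

```python
"""Locate and carve embedded PE images (the "next stage") from a binary blob.

Added example, not code from the VenzoV report. Assumes the embedded PE's
headers are intact (true for the carved third stage; for the encrypted
first-stage resource, feed it the decrypted memory dump instead).
"""
import struct
import sys

MACHINE_NAMES = {0x14C: "x86", 0x8664: "x64"}


def _pe_image_extent(blob: bytes, base: int):
    """Return (size, machine) if a plausible PE header starts at `base`, else None."""
    if base + 0x40 > len(blob):
        return None
    e_lfanew = struct.unpack_from("<I", blob, base + 0x3C)[0]
    pe = base + e_lfanew
    # Real DOS stubs keep e_lfanew small; a huge value is just random bytes.
    if e_lfanew < 0x40 or e_lfanew > 0x1000 or pe + 24 > len(blob):
        return None
    if blob[pe:pe + 4] != b"PE\0\0":
        return None
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, pe + 4)
    if nsect == 0 or nsect > 96:  # the PE format caps sections at 96
        return None
    sect_table = pe + 24 + opt_size            # absolute offset of section headers
    end = sect_table - base + nsect * 40       # extent relative to `base`, headers only
    for i in range(nsect):
        hdr = sect_table + i * 40
        if hdr + 40 > len(blob):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", blob, hdr + 16)
        end = max(end, raw_ptr + raw_size)
    if base + end > len(blob):
        return None  # truncated: not a carveable stage
    return end, machine


def find_embedded_pes(blob: bytes):
    """Return [(offset, size, machine_name)] for every carveable PE in blob."""
    found = []
    pos = blob.find(b"MZ")
    while pos >= 0:
        extent = _pe_image_extent(blob, pos)
        if extent:
            size, machine = extent
            found.append((pos, size, MACHINE_NAMES.get(machine, hex(machine))))
        pos = blob.find(b"MZ", pos + 2)
    return found


def carve(blob: bytes, offset: int, size: int) -> bytes:
    return blob[offset:offset + size]


def find_push_ret(code: bytes):
    """Offsets of `push r32; ret` (opcodes 50..57 followed by C3), i.e. jmp via register."""
    return [i for i in range(len(code) - 1)
            if 0x50 <= code[i] <= 0x57 and code[i + 1] == 0xC3]


def build_sample_blob() -> bytes:
    """Constructed test input: filler with a decoy 'MZ', then a minimal PE32 (x86, 1 section)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)      # x86, 1 section
    opt = b"\x0b\x01" + b"\0" * (0xE0 - 2)                              # PE32 magic, rest zero
    sect = b".text\0\0\0" + struct.pack("<IIII", 0x10, 0x1000, 0x10, 0x200) + b"\0" * 16
    header = dos + b"PE\0\0" + coff + opt + sect
    header += b"\0" * (0x200 - len(header))
    body = b"\x90" * 14 + b"\x51\xC3"                                   # ...; push ecx; ret
    return b"\x90" * 10 + b"MZ" + b"\x90" * 88 + header + body


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_blob()
    for off, size, machine in find_embedded_pes(data):
        stage = carve(data, off, size)
        print(f"PE at 0x{off:x}, size 0x{size:x} ({machine}); push/ret at {find_push_ret(stage)}")
        if len(sys.argv) > 1:
            open(f"stage_{off:x}.bin", "wb").write(stage)
```

Run it with the second-stage dump as the argument and it writes each embedded image to `stage_<offset>.bin`; without an argument it runs against the constructed blob. The carve length comes from the section table rather than from the next `MZ`, so appended data or a second decoy header does not truncate or bloat the output.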
### Third Stage

The third stage of the malware is more intriguing. It can be carved directly from the second stage using any hex editor. The resulting binary is fairly large, and upon decompilation it quickly becomes evident that heavy obfuscation is in play.

Initial string analysis reveals telltale signs of a Go binary, specifically the presence of obfuscated `.go` package names and runtime artifacts. Further analysis indicates that the binary has been obfuscated using garble, an open-source tool for Go code obfuscation. Notably, it appears to have been built using a newer version of garble that introduces breaking changes for tools like GoReSym and GoStringUngarbler: both failed to function correctly in this context (unless there was a usage error).

To verify this, I compiled a simple "Hello, World" Go program and obfuscated it using the latest version of garble. As expected, both GoReSym and GoStringUngarbler were unable to parse or recover symbol and string information, confirming the observed breakage.

### EDIT

Checking further, I noticed I made a mistake. The literals are NOT encrypted: garble was run without the `-literals` flag. The strings can be found inside the binary and are built at runtime.

The following shows the start of a garbled 32-bit binary.

For now the only functionality recovered is that shark.exe is added as a scheduled task for persistence.

Attaching to the running binary, the strings in memory contain one malicious IP address. The binary also makes a DNS query to a Binance domain:

- data-seed-prebsc-2-s1.binance.org
- 109.172.87.40

My analysis ends here for now, until I am able to recover more from the binary.
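The report identifies the third stage as a garble-obfuscated Go binary from string artifacts and then, since the literals were left unencrypted, pulls an IP and a domain from the running process's memory. The script below is an added example (not code from the VenzoV report) that collects the same kinds of evidence from a file or memory dump in one pass: Go version strings, `.go` source paths (garble rewrites these, so unreadable names are themselves a hint), the pclntab header magic, which pins the Go release range even when every symbol name is garbled, and IPv4 addresses and domains as candidate IoCs. The pclntab magic values are those used by the Go toolchain; that garble leaves this header in place is an assumption. The input bytes are constructed for demonstration and use the domain and IP from the report.

```python
"""String/structure triage for a suspected Go binary or its memory dump.

Added example, not from the VenzoV report. Pulls out the artifacts the report
relies on: Go version strings, .go source paths, the pclntab header magic,
plus IPv4 addresses and domains as candidate IoCs.
"""
import re
import struct

GO_VERSION_RE = re.compile(rb"go1\.\d+(?:\.\d+)?")
GO_FILE_RE = re.compile(rb"[\w:./\\-]+\.go\b")
IPV4_RE = re.compile(rb"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
DOMAIN_RE = re.compile(rb"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\b", re.I)
# pclntab header: 4-byte magic, two zero bytes, minLC (1/2/4), pointer size (4/8).
# Magic values per Go release; assumption: garble leaves this header untouched.
PCLNTAB_RE = re.compile(
    rb"(\xfb\xff\xff\xff|\xfa\xff\xff\xff|\xf0\xff\xff\xff|\xf1\xff\xff\xff)"
    rb"\x00\x00[\x01\x02\x04][\x04\x08]"
)
PCLNTAB_VERSIONS = {
    0xFFFFFFFB: "go1.2-1.15",
    0xFFFFFFFA: "go1.16-1.17",
    0xFFFFFFF0: "go1.18-1.19",
    0xFFFFFFF1: "go1.20+",
}


def _uniq(matches):
    return sorted({m.decode("ascii", "replace") for m in matches})


def triage(data: bytes) -> dict:
    """Return Go build artifacts and network-looking strings found in `data`."""
    pcln = []
    for m in PCLNTAB_RE.finditer(data):
        magic = struct.unpack("<I", m.group(1))[0]
        pcln.append((m.start(), PCLNTAB_VERSIONS[magic], m.group(0)[7]))  # (offset, release, ptr size)
    return {
        "go_versions": _uniq(GO_VERSION_RE.findall(data)),
        "go_files": _uniq(GO_FILE_RE.findall(data)),
        "pclntab": pcln,
        "ipv4": _uniq(IPV4_RE.findall(data)),
        # Source paths like main.go also look like domains; drop them.
        "domains": [d for d in _uniq(DOMAIN_RE.findall(data)) if not d.endswith(".go")],
    }


# Constructed input: version string, one readable and one garble-style renamed
# .go path, a 32-bit Go 1.20+ pclntab header, the report's domain and IP, and
# an invalid address that must not be reported.
SAMPLE = (
    b"\x00garbage\x00go1.22.3\x00"
    b"C:/Users/a/go/pkg/mod/main.go\x00"
    b"Xg7qP/fz3Lk1.go\x00"
    b"\xf1\xff\xff\xff\x00\x00\x01\x04\x00"
    b"data-seed-prebsc-2-s1.binance.org\x00109.172.87.40\x00"
    b"999.1.1.1\x00"
)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for key, value in triage(data).items():
        print(f"{key}: {value}")
```

On a real dump the `go_files` list is the quickest garble tell: a normal build shows readable module and standard-library paths, a garbled one shows short opaque names. The pclntab entry gives the pointer size (4 for the 32-bit sample discussed here) and the Go release range independently of any tool that needs intact symbols.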
## References

- https://cloud.google.com/blog/topics/threat-intelligence/gostringungarbler-deobfuscating-strings-in-garbled-binaries
- https://research.openanalysis.net/garble/go/obfuscation/strings/2023/08/03/garble.html

Source: https://github.com/VenzoV/MalwareAnalysisReports/blob/main/AmateraStealer/Amatera%20shark.exe.md