Date: 06/20/2025
Severity: High
Summary
Our team has identified a newly rebranded information stealer named Amatera Stealer, derived from ACR Stealer and delivered through complex web inject-based attack chains. Much of its code overlaps with known ACR Stealer samples, and it is currently offered as a malware-as-a-service (MaaS) and remains under active development. Recent versions of Amatera Stealer feature enhanced anti-analysis techniques and have moved away from using Steam/Telegram as dead drops for C2 communication. As stealer malware continues to gain traction, timely detection, reverse engineering, and analysis are essential for defense.
Indicators of Compromise (IOC) List
Domains/URLs:
amaprox.icu
b1.talismanoverblown.com
https://cv.cbrw.ru/t.csproj
https://tt.cbrw.ru/vb7to8.psd
https://cv.cbrw.ru/init1.bin

IP Addresses:
104.21.80.1
172.67.178.5

SHA-256 Hashes:
120316ecaf06b76a564ce42e11f7074c52df6d79b85d3526c5b4e9f362d2f1c2
7d91a585583f4aa1a3ab3cb808d7bc351d6140b3ae1deeef9d51c6414c11baea
35eb93548a0c037d392f870c05e0e9fb1aeff3a5a505e1d4a087f7465ed1f6af
2960d5f8a3d9b0a21d6b744092fe3089517ecf2e49169683f754bfe9800e3991
ad9ffd624e27070092ff18a10e33fa9e2784b2c75ac9ac4540fa81cf5bd84e55
055a883f18ffcc413973fa45383e72e998aae87909af5f9507b6384bfec34a5b
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Domains/URLs:
domainname like "https://tt.cbrw.ru/vb7to8.psd" or url like "https://tt.cbrw.ru/vb7to8.psd" or siteurl like "https://tt.cbrw.ru/vb7to8.psd" or domainname like "https://cv.cbrw.ru/t.csproj" or url like "https://cv.cbrw.ru/t.csproj" or siteurl like "https://cv.cbrw.ru/t.csproj" or domainname like "b1.talismanoverblown.com" or url like "b1.talismanoverblown.com" or siteurl like "b1.talismanoverblown.com" or domainname like "https://cv.cbrw.ru/init1.bin" or url like "https://cv.cbrw.ru/init1.bin" or siteurl like "https://cv.cbrw.ru/init1.bin" or domainname like "amaprox.icu" or url like "amaprox.icu" or siteurl like "amaprox.icu"

IP Address:
dstipaddress IN ("104.21.80.1","172.67.178.5") or srcipaddress IN ("104.21.80.1","172.67.178.5")

Hash:
sha256hash IN ("120316ecaf06b76a564ce42e11f7074c52df6d79b85d3526c5b4e9f362d2f1c2","35eb93548a0c037d392f870c05e0e9fb1aeff3a5a505e1d4a087f7465ed1f6af","7d91a585583f4aa1a3ab3cb808d7bc351d6140b3ae1deeef9d51c6414c11baea","ad9ffd624e27070092ff18a10e33fa9e2784b2c75ac9ac4540fa81cf5bd84e55","2960d5f8a3d9b0a21d6b744092fe3089517ecf2e49169683f754bfe9800e3991","055a883f18ffcc413973fa45383e72e998aae87909af5f9507b6384bfec34a5b")
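The queries above match raw field values against the IOC list. For analysts who need to run the same check outside the Gurucul platform (for example over exported proxy, DNS or EDR events), the following Python script is an added example written for this advisory; it is not part of the original page or of any vendor product. It uses only the IOCs listed above and assumes events have already been normalized into dictionaries with the same field names the queries use (domainname, url, siteurl, dstipaddress, srcipaddress, sha256hash). It goes slightly beyond the literal queries in one respect: it extracts the hostname from URL-valued indicators and from URL-valued fields, so that a bare domain entry such as amaprox.icu also matches a full URL seen in a url field, and a URL indicator such as https://cv.cbrw.ru/init1.bin also matches a DNS event that only carries the hostname. The sample events at the bottom are constructed for the demonstration, not real telemetry.

```python
from urllib.parse import urlparse

# IOCs exactly as listed in the advisory above.
IOC_URLS = [
    "amaprox.icu",
    "b1.talismanoverblown.com",
    "https://cv.cbrw.ru/t.csproj",
    "https://tt.cbrw.ru/vb7to8.psd",
    "https://cv.cbrw.ru/init1.bin",
]
IOC_IPS = {"104.21.80.1", "172.67.178.5"}
IOC_SHA256 = {
    "120316ecaf06b76a564ce42e11f7074c52df6d79b85d3526c5b4e9f362d2f1c2",
    "7d91a585583f4aa1a3ab3cb808d7bc351d6140b3ae1deeef9d51c6414c11baea",
    "35eb93548a0c037d392f870c05e0e9fb1aeff3a5a505e1d4a087f7465ed1f6af",
    "2960d5f8a3d9b0a21d6b744092fe3089517ecf2e49169683f754bfe9800e3991",
    "ad9ffd624e27070092ff18a10e33fa9e2784b2c75ac9ac4540fa81cf5bd84e55",
    "055a883f18ffcc413973fa45383e72e998aae87909af5f9507b6384bfec34a5b",
}


def hostname_of(value):
    """Return the lowercase hostname of either a bare domain or a full URL."""
    v = value.strip().lower()
    if "://" in v:
        return urlparse(v).hostname or ""
    # Bare domain, possibly followed by a path without a scheme.
    return v.split("/", 1)[0]


# Derived lookup sets: full URLs (exact match) and hostnames (for domain match).
IOC_URL_SET = {u.lower() for u in IOC_URLS if "://" in u}
IOC_HOSTS = {hostname_of(u) for u in IOC_URLS}


def match_event(event):
    """Return a list of (field, indicator_type, matched_value) hits for one
    normalized event dict. Field names follow the advisory's queries."""
    hits = []
    for field in ("domainname", "url", "siteurl"):
        value = event.get(field)
        if not value:
            continue
        v = value.strip().lower()
        if v in IOC_URL_SET:
            hits.append((field, "url", v))
        host = hostname_of(v)
        if host in IOC_HOSTS:
            hits.append((field, "domain", host))
    for field in ("dstipaddress", "srcipaddress"):
        value = event.get(field)
        if value and value.strip() in IOC_IPS:
            hits.append((field, "ip", value.strip()))
    digest = event.get("sha256hash")
    if digest and digest.strip().lower() in IOC_SHA256:
        hits.append(("sha256hash", "hash", digest.strip().lower()))
    return hits


def scan(events):
    """Return [(event_index, hits)] for every event with at least one IOC hit."""
    results = []
    for idx, event in enumerate(events):
        hits = match_event(event)
        if hits:
            results.append((idx, hits))
    return results


# Constructed sample events for the demonstration (not real telemetry).
SAMPLE_EVENTS = [
    {"url": "https://cv.cbrw.ru/init1.bin", "dstipaddress": "172.67.178.5"},
    {"domainname": "B1.talismanoverblown.com"},
    {"sha256hash": "055A883F18FFCC413973FA45383E72E998AAE87909AF5F9507B6384BFEC34A5B"},
    {"url": "https://example.com/index.html", "dstipaddress": "192.0.2.10"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {hits}")
```

Matching on the extracted hostname is deliberate: the third sample event would be missed by an exact-string comparison because of its uppercase letters, and a DNS log that records only cv.cbrw.ru would be missed by a query that only knows the full URL. Hash comparison is case-folded for the same reason.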
Reference:
https://www.proofpoint.com/us/blog/threat-insight/amatera-stealer-rebranded-acr-stealer-improved-evasion-sophistication