Amatera Stealer: Rebranded ACR Stealer With Improved Evasion, Sophistication

    Date: 06/20/2025

    Severity: High

    Summary

    Our team has identified a newly rebranded information stealer named Amatera Stealer, derived from ACR Stealer and delivered through complex web inject-based attack chains. Much of its code overlaps with known ACR Stealer samples, and it is currently offered as a malware-as-a-service (MaaS) and remains under active development. Recent versions of Amatera Stealer feature enhanced anti-analysis techniques and have moved away from using Steam/Telegram as dead drops for C2 communication. As stealer malware continues to gain traction, timely detection, reverse engineering, and analysis are essential for defense.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    amaprox.icu

    b1.talismanoverblown.com

    https://cv.cbrw.ru/t.csproj

    https://tt.cbrw.ru/vb7to8.psd

    https://cv.cbrw.ru/init1.bin

    IP Addresses:

    104.21.80.1

    172.67.178.5

    Hashes (SHA-256):


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains/URLs:

    domainname like "https://tt.cbrw.ru/vb7to8.psd" or url like "https://tt.cbrw.ru/vb7to8.psd" or siteurl like "https://tt.cbrw.ru/vb7to8.psd" or domainname like "https://cv.cbrw.ru/t.csproj" or url like "https://cv.cbrw.ru/t.csproj" or siteurl like "https://cv.cbrw.ru/t.csproj" or domainname like "b1.talismanoverblown.com" or url like "b1.talismanoverblown.com" or siteurl like "b1.talismanoverblown.com" or domainname like "https://cv.cbrw.ru/init1.bin" or url like "https://cv.cbrw.ru/init1.bin" or siteurl like "https://cv.cbrw.ru/init1.bin" or domainname like "amaprox.icu" or url like "amaprox.icu" or siteurl like "amaprox.icu"

    IP Addresses:

    dstipaddress IN ("104.21.80.1","172.67.178.5") or srcipaddress IN ("104.21.80.1","172.67.178.5")

    Hashes (SHA-256):

    sha256hash IN ("120316ecaf06b76a564ce42e11f7074c52df6d79b85d3526c5b4e9f362d2f1c2","35eb93548a0c037d392f870c05e0e9fb1aeff3a5a505e1d4a087f7465ed1f6af","7d91a585583f4aa1a3ab3cb808d7bc351d6140b3ae1deeef9d51c6414c11baea","ad9ffd624e27070092ff18a10e33fa9e2784b2c75ac9ac4540fa81cf5bd84e55","2960d5f8a3d9b0a21d6b744092fe3089517ecf2e49169683f754bfe9800e3991","055a883f18ffcc413973fa45383e72e998aae87909af5f9507b6384bfec34a5b")
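    The queries above match each indicator against the domainname, url and siteurl fields as literal strings, so a full URL indicator only matches where the log field happens to hold the whole URL. The following added example (not Gurucul's TDIR syntax or Proofpoint's code) applies the same indicators to JSON log records while normalising URL and hostname fields to a lowercase host, upper/lower-casing hashes, and checking both IP directions; the log lines and field names are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Indicators listed in the advisory above.
IOC_URLS = {"https://cv.cbrw.ru/t.csproj", "https://tt.cbrw.ru/vb7to8.psd",
            "https://cv.cbrw.ru/init1.bin"}
IOC_HOSTS = {"amaprox.icu", "b1.talismanoverblown.com"} | {
    urlsplit(u).hostname for u in IOC_URLS}
IOC_IPS = {"104.21.80.1", "172.67.178.5"}
IOC_SHA256 = {
    "120316ecaf06b76a564ce42e11f7074c52df6d79b85d3526c5b4e9f362d2f1c2",
    "7d91a585583f4aa1a3ab3cb808d7bc351d6140b3ae1deeef9d51c6414c11baea",
    "35eb93548a0c037d392f870c05e0e9fb1aeff3a5a505e1d4a087f7465ed1f6af",
    "2960d5f8a3d9b0a21d6b744092fe3089517ecf2e49169683f754bfe9800e3991",
    "ad9ffd624e27070092ff18a10e33fa9e2784b2c75ac9ac4540fa81cf5bd84e55",
    "055a883f18ffcc413973fa45383e72e998aae87909af5f9507b6384bfec34a5b",
}

def hostname(value):
    """Lowercase host of a URL or bare hostname (port stripped); None if empty."""
    if not value:
        return None
    v = value if "://" in value else "//" + value
    return urlsplit(v).hostname or None

def match_record(rec):
    """Return the IOC types (host, url, ip, sha256) that one log record hits."""
    hits = []
    hosts = {hostname(rec.get(f)) for f in ("domainname", "url", "siteurl")} - {None}
    if hosts & IOC_HOSTS:
        hits.append("host")
    urls = {rec.get(f, "").lower().rstrip("/") for f in ("url", "siteurl")}
    if urls & IOC_URLS:
        hits.append("url")
    if {rec.get("srcipaddress"), rec.get("dstipaddress")} & IOC_IPS:
        hits.append("ip")
    if (rec.get("sha256hash") or "").lower() in IOC_SHA256:
        hits.append("sha256")
    return hits

def scan(lines):
    """Yield (record, hits) for every JSON log line that matches an indicator."""
    for line in lines:
        rec = json.loads(line)
        hits = match_record(rec)
        if hits:
            yield rec, hits

# Constructed sample log lines (not real telemetry); field names are assumed.
SAMPLE_LOGS = [
    '{"domainname": "cv.cbrw.ru", "url": "https://cv.cbrw.ru/init1.bin", "dstipaddress": "104.21.80.1"}',
    '{"domainname": "TT.CBRW.RU:443", "url": "https://tt.cbrw.ru/other.bin"}',
    '{"sha256hash": "120316ECAF06B76A564CE42E11F7074C52DF6D79B85D3526C5B4E9F362D2F1C2"}',
    '{"domainname": "example.com", "url": "https://example.com/", "dstipaddress": "198.51.100.7"}',
]

if __name__ == "__main__":
    for rec, hits in scan(SAMPLE_LOGS):
        print(hits, rec)
```

The second sample line matches on host alone even though its URL is not in the indicator list, which is the case a literal full-URL comparison on the domainname field would miss.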

    Reference:

    https://www.proofpoint.com/us/blog/threat-insight/amatera-stealer-rebranded-acr-stealer-improved-evasion-sophistication


    Tags: Malware, Amatera Stealer, MaaS, ACR Stealer
