
AmateraStealer Malware Analysis
What is Amatera?
"Amatera is a stealer written in C++. It conducts anti-sandbox analysis before enumerating browsers, exfiltrating found cryptocurrency files/wallets and possibly credentials." (malpedia)
Static Analysis
Headers
Starting out with analysis, I use CFF Explorer to get a first view of the executable's capabilities. It is a 64-bit PE compiled with Visual Studio, written in C/C++, and NX (non-executable stack) is enabled for this executable. Sections: .text, .rdata, .data, .pdata, .reloc. One important finding is the import table: the executable imports only two functions from KERNEL32.dll, LoadLibraryW and GetProcAddress, which already tells us that it resolves the rest of its API dynamically.
Strings
Looking at the strings, some of them are encrypted, so recovering those would require letting the malware execute and decrypt them itself. There are still plenty of cleartext strings, however, and they expose much of the malware's functionality:
Anti-Debug/Anti-VM Detection Functions
| Address | String | Description |
|---|---|---|
| 14000a020 | IsDebuggerPresent | Detects if debugger is attached |
| 14000a038 | GetCurrentProcess | Gets current process handle |
| 14000a050 | CheckRemoteDebuggerPresent | Checks for remote debugging |
Virtualization/Sandbox Detection Strings
| Address | String | Description |
|---|---|---|
| 14000a070 | VirtualBox | VM detection string |
| 14000a07c | VMware | VM detection string |
| 14000a098 | Hyper-V | VM detection string |
| 14000a0a0 | Microsoft | VM vendor detection |
Registry Access Functions
| Address | String | Description |
|---|---|---|
| 14000a0e8 | RegGetValueA | Registry value retrieval (ANSI) |
| 14000a138 | RegGetValueA | Registry value retrieval (ANSI) |
| 14000a188 | RegGetValueA | Registry value retrieval (ANSI) |
| 14000a2a8 | RegGetValueW | Registry value retrieval (Unicode) |
| 14000a318 | RegGetValueW | Registry value retrieval (Unicode) |
| 14000ae50 | RegOpenKeyExW | Opens registry key (Unicode) |
| 14000ae78 | RegGetValueW | Registry value retrieval (Unicode) |
| 14000aea0 | RegGetValueW | Registry value retrieval (Unicode) |
| 14000aec0 | RegCloseKey | Closes registry key |
| 14000b448 | RegOpenKeyExW | Opens registry key (Unicode) |
| 14000b458 | RegEnumKeyExW | Enumerates registry keys |
| 14000b480 | RegGetValueW | Registry value retrieval (Unicode) |
| 14000b4a8 | RegGetValueW | Registry value retrieval (Unicode) |
| 14000b4d0 | RegCloseKey | Closes registry key |
Registry Keys - System Information
| Address | String | Description |
|---|---|---|
| 14000a0c0 | HARDWARE\DESCRIPTION\System\BIOS | BIOS information registry path |
| 14000a110 | HARDWARE\DESCRIPTION\System\BIOS | BIOS information registry path |
| 14000a160 | HARDWARE\DESCRIPTION\System\BIOS | BIOS information registry path |
| 14000ae10 | SOFTWARE\Microsoft\Cryptography | Cryptography registry path |
| 14000af50 | SOFTWARE\Microsoft\Windows NT\CurrentVersion | Windows version registry path |
| 14000afe0 | SOFTWARE\Microsoft\Windows NT\CurrentVersion | Windows version registry path |
| 14000b080 | SOFTWARE\Microsoft\Windows NT\CurrentVersion | Windows version registry path |
| 14000b240 | HARDWARE\DESCRIPTION\System\CentralProcessor\0 | CPU information registry path |
| 14000b2e0 | HARDWARE\DESCRIPTION\System\CentralProcessor\0 | CPU information registry path |
| 14000b3e0 | SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall | Installed software registry path |
Registry Values - System Information
| Address | String | Description |
|---|---|---|
| 14000a0b0 | BIOSVendor | BIOS vendor registry value |
| 14000a0f8 | SystemProductName | System product name registry value |
| 14000a148 | SystemManufacturer | System manufacturer registry value |
| 14000ae60 | MachineGuid | Machine GUID registry value |
| 14000ae88 | MachineGuid | Machine GUID registry value |
| 14000af30 | ProductName | Product name registry value |
| 14000afc0 | ProductName | Product name registry value |
| 14000b060 | InstallDate | Installation date registry value |
| 14000b210 | ProcessorNameString | Processor name registry value |
| 14000b2b0 | ProcessorNameString | Processor name registry value |
| 14000b468 | DisplayName | Display name registry value |
| 14000b490 | DisplayName | Display name registry value |
Network Communication
| Address | String | Description |
|---|---|---|
| 14000a1c0 | Authorization: | HTTP authorization header |
| 14000a1d8 | /core/createSession | API endpoint for session creation |
| 14000a1f0 | afdprox.icu | C&C server domain |
| 14000a208 | /core/sendPart | API endpoint for data transmission |
| 14000a220 | afdprox.icu | C&C server domain |
Internet/HTTP Functions
| Address | String | Description |
|---|---|---|
| 14000a9d0 | InternetOpenA | Opens internet connection |
| 14000a9e0 | InternetConnectA | Connects to internet server |
| 14000a9f8 | HttpOpenRequestA | Opens HTTP request |
| 14000aa10 | HttpSendRequestA | Sends HTTP request |
| 14000aa28 | InternetReadFile | Reads internet file |
| 14000aa40 | InternetCloseHandle | Closes internet handle |
| 14000aa58 | InternetCloseHandle | Closes internet handle |
| 14000aa70 | InternetCloseHandle | Closes internet handle |
Application Paths - Steam
| Address | String | Description |
|---|---|---|
| 14000a240 | InstallPath | Steam installation path value |
| 14000a260 | SOFTWARE\WOW6432Node\Valve\Steam | Steam registry path |
| 14000a2b8 | InstallPath | Steam installation path value |
| 14000a2d0 | SOFTWARE\WOW6432Node\Valve\Steam | Steam registry path |
| 14000a328 | \config | Steam config directory |
| 14000a338 | *.vdf | Steam VDF files pattern |
| 14000a348 | Steam | Steam identifier |
Application Paths - Telegram
| Address | String | Description |
|---|---|---|
| 14000a360 | %appdata%\Telegram Desktop\tdata | Telegram data directory |
| 14000a3b0 | dumps | Telegram dumps directory |
| 14000a3c0 | emoji | Telegram emoji directory |
| 14000a3d0 | tdummy | Telegram dummy files |
| 14000a3e0 | temp | Telegram temp directory |
| 14000a3f0 | user_data | Telegram user data |
| 14000a408 | Telegram | Telegram identifier |
Browser Data Paths
| Address | String | Description |
|---|---|---|
| 14000a420 | applications | Browser applications |
| 14000a440 | \Local State | Browser local state file |
| 14000a460 | state_key | Browser state key |
| 14000a478 | files | Browser files |
| 14000a488 | chromium_apps | Chromium applications |
| 14000a4a8 | \Local State | Browser local state file |
| 14000a4c8 | state_key | Browser state key |
| 14000a4f0 | app_bound_key | Browser app-bound key |
| 14000a518 | \Local Extension Settings\ | Browser extension settings path |
| 14000a558 | files | Browser files |
| 14000a568 | extensions | Browser extensions |
| 14000a580 | profiles | Browser profiles |
| 14000a598 | chromium | Chromium identifier |
| 14000a958 | \Profiles | Browser profiles directory |
| 14000a978 | gecko | Gecko browser engine |
Cryptographic Functions
| Address | String | Description |
|---|---|---|
| 14000a5b0 | CryptUnprotectData | Windows DPAPI decryption |
| 14000a5c8 | LocalFree | Frees local memory |
| 14000a5d8 | "encrypted_key":" | JSON key for encrypted data |
| 14000a658 | "app_bound_encrypted_key":" | JSON key for app-bound encrypted data |
Process Management Functions
| Address | String | Description |
|---|---|---|
| 14000a5f0 | CreateToolhelp32Snapshot | Creates process snapshot |
| 14000a610 | Process32FirstW | Gets first process |
| 14000a620 | OpenProcess | Opens process handle |
| 14000a630 | TerminateProcess | Terminates process |
| 14000a648 | Process32NextW | Gets next process |
| 14000a678 | CreateProcessW | Creates new process |
| 14000a688 | msedge.exe | Microsoft Edge executable |
| 14000aa88 | OpenProcess | Opens process handle |
| 14000ab00 | CloseHandle | Closes handle |
| 14000ab10 | WaitForSingleObject | Waits for object |
| 14000b4e0 | CreateToolhelp32Snapshot | Creates process snapshot |
| 14000b500 | Process32FirstW | Gets first process |
| 14000b510 | Process32NextW | Gets next process |
| 14000b520 | CloseHandle | Closes handle |
Memory Management Functions
| Address | String | Description |
|---|---|---|
| 14000a998 | HeapAlloc | Allocates heap memory |
| 14000a9a8 | HeapReAlloc | Reallocates heap memory |
| 14000a9b8 | HeapFree | Frees heap memory |
| 14000aa98 | VirtualAllocEx | Allocates virtual memory in process |
| 14000aaa8 | VirtualFreeEx | Frees virtual memory in process |
| 14000aab8 | WriteProcessMemory | Writes to process memory |
| 14000aad0 | ReadProcessMemory | Reads from process memory |
| 14000aae8 | CreateRemoteThread | Creates thread in remote process |
| 14000ac40 | GetProcessHeap | Gets process heap |
File System Functions
| Address | String | Description |
|---|---|---|
| 14000a850 | FindFirstFileW | Finds first file |
| 14000a870 | FindNextFileW | Finds next file |
| 14000a888 | FindFirstFileW | Finds first file |
| 14000a8b0 | FindNextFileW | Finds next file |
| 14000a8d0 | FindFirstFileW | Finds first file |
| 14000a8f0 | FindNextFileW | Finds next file |
| 14000a900 | GetFileSize | Gets file size |
| 14000a910 | CreateFileW | Creates/opens file |
| 14000a920 | CloseHandle | Closes handle |
| 14000a930 | ReadFile | Reads from file |
| 14000a940 | GetFileAttributesW | Gets file attributes |
System Information Functions
| Address | String | Description |
|---|---|---|
| 14000a198 | GetPhysicallyInstalledSystemMemory | Gets installed RAM |
| 14000aed0 | GetComputerNameW | Gets computer name |
| 14000af08 | GetUserNameW | Gets username |
| 14000b110 | GetUserDefaultLocaleName | Gets system locale |
| 14000b140 | GetDynamicTimeZoneInformation | Gets timezone info |
| 14000b1a0 | EnumDisplaySettingsW | Gets display settings |
| 14000b1d8 | EnumDisplayDevicesW | Enumerates display devices |
| 14000b368 | GetPhysicallyInstalledSystemMemory | Gets installed RAM |
| 14000b3a8 | GetModuleFileNameW | Gets module filename |
| 14000b550 | EnumDisplaySettingsW | Gets display settings |
Screenshot and Clipboard Functions
| Address | String | Description |
|---|---|---|
| 14000b568 | GetDC | Gets device context |
| 14000b570 | CreateCompatibleDC | Creates compatible DC |
| 14000b588 | CreateCompatibleBitmap | Creates compatible bitmap |
| 14000b5a0 | SelectObject | Selects object into DC |
| 14000b5b0 | BitBlt | Bit block transfer |
| 14000b5b8 | GetObjectA | Gets object information |
| 14000b5c8 | GetDIBits | Gets bitmap bits |
| 14000b5f0 | SelectObject | Selects object into DC |
| 14000b600 | DeleteObject | Deletes object |
| 14000b610 | DeleteDC | Deletes device context |
| 14000b620 | ReleaseDC | Releases device context |
| 14000b630 | OpenClipboard | Opens clipboard |
| 14000b640 | GetClipboardData | Gets clipboard data |
| 14000b658 | CloseClipboard | Closes clipboard |
| 14000b668 | GlobalLock | Locks global memory |
| 14000b678 | CloseClipboard | Closes clipboard |
| 14000b6a0 | GlobalUnlock | Unlocks global memory |
| 14000b6b0 | CloseClipboard | Closes clipboard |
String Conversion Functions
| Address | String | Description |
|---|---|---|
| 14000a6a0 | MultiByteToWideChar | Converts multibyte to wide char |
| 14000a6b8 | WideCharToMultiByte | Converts wide char to multibyte |
| 14000a6d0 | WideCharToMultiByte | Converts wide char to multibyte |
| 14000b6d8 | ExpandEnvironmentStringsW | Expands environment variables |
Environment Functions
| Address | String | Description |
|---|---|---|
| 14000a768 | APPDATA | APPDATA environment variable |
| 14000a778 | GetEnvironmentVariableW | Gets environment variable |
| 14000a7b0 | GetEnvironmentVariableW | Gets environment variable |
| 14000a7e8 | GetEnvironmentVariableW | Gets environment variable |
| 14000a818 | GetEnvironmentVariableW | Gets environment variable |
Dynamic Loading Functions
| Address | String | Description |
|---|---|---|
| 14000ab28 | GetModuleHandleA | Gets module handle |
| 14000ab40 | RtlInitUnicodeString | Initializes Unicode string |
| 14000ab58 | LdrLoadDll | Loads DLL |
| 14000b99c | LoadLibraryW | Loads library (Unicode) |
| 14000b98a | GetProcAddress | Gets procedure address |
| 14000d4e6 | GetProcAddress | Gets procedure address |
| 14000d4f8 | LoadLibraryA | Loads library (ANSI) |
System DLLs
| Address | String | Description |
|---|---|---|
| 14000ab68 | Kernel32.dll | Windows kernel library |
| 14000ab88 | Crypt32.dll | Cryptography library |
| 14000aba0 | User32.dll | User interface library |
| 14000abb8 | Advapi32.dll | Advanced Windows API |
| 14000abd8 | Wininet.dll | Windows internet library |
| 14000abf0 | Gdi32.dll | Graphics device interface |
| 14000ac08 | Ole32.dll | Object linking and embedding |
| 14000ac20 | OleAut32.dll | OLE automation library |
| 14000b9aa | KERNEL32.dll | Windows kernel library |
| 14000d21c | ole32.dll | Object linking and embedding |
| 14000d27c | oleaut32.dll | OLE automation library |
| 14000d506 | KERNEL32.dll | Windows kernel library |
COM Functions
| Address | String | Description |
|---|---|---|
| 14000d22c | CoInitializeEx | Initializes COM library |
| 14000d23c | CoUninitialize | Uninitializes COM library |
| 14000d24c | CoCreateInstance | Creates COM object instance |
| 14000d264 | CoSetProxyBlanket | Sets COM proxy security |
| 14000d28c | SysAllocStringByteLen | Allocates BSTR |
| 14000d2a4 | SysFreeString | Frees BSTR |
Configuration/Target Data
| Address | String | Description |
|---|---|---|
| 14000ac50 | session_id | Session identifier |
| 14000ac60 | grabber_rules | Data grabbing rules |
| 14000ac88 | gecko_paths | Firefox browser paths |
| 14000aca0 | gecko_files | Firefox browser files |
| 14000acb8 | chromium_browsers | Chromium-based browsers |
| 14000ad38 | chromium_files | Chromium browser files |
| 14000ad50 | chromium_extensions | Chromium extensions |
| 14000ad70 | chromium_apps | Chromium applications |
| 14000ada8 | applications | Applications target |
| 14000add8 | desktop_wallets | Desktop wallet applications |
| 14000a6e8 | desktop_wallets | Desktop wallet applications |
System Information Fields
| Address | String | Description |
|---|---|---|
| 14000aeb0 | guid | Machine GUID |
| 14000aee8 | computer_name | Computer name |
| 14000af18 | username | Username |
| 14000b050 | os_name | Operating system name |
| 14000b0f0 | install_date | OS installation date |
| 14000b130 | locale | System locale |
| 14000b160 | timezone_name | Timezone name |
| 14000b180 | timezone_bias | Timezone bias |
| 14000b1c0 | resolution | Screen resolution |
| 14000b1f0 | video_card_name | Graphics card name |
| 14000b350 | cpu_name | CPU name |
| 14000b390 | total_ram | Total RAM |
| 14000b3c0 | start_path | Executable start path |
| 14000b4b8 | software | Installed software |
| 14000b530 | process_list | Running processes |
| 14000b5d8 | screenshot | Screenshot data |
| 14000b688 | clipboard | Clipboard content |
| 14000b6c0 | system_info | System information |
Miscellaneous
| Address | String | Description |
|---|---|---|
| 14000a1fc | Sleep | Sleep function |
| 14000a22c | Sleep | Sleep function |
| 14000a4e0 | NONE | None value |
| 14000a708 | ExitProcess | Exit process function |
| 14000a718 | b0b12e32-2f73-41fc-9031-307e8fdbc5d4 | GUID identifier |
| 14000a740 | test_5 | Test identifier |
| 14000a750 | build_id | Build identifier |
| 14000a988 | grabber | Grabber identifier |
| 14000ad98 | true | Boolean true value |
| 14000adc8 | true | Boolean true value |
| 14000adf8 | true | Boolean true value |
| 14000d478 | ElevatorShell.exe | Executable name |
| 14000d48a | ?pData@@3PEAXEA | C++ mangled symbol |
Section Names
| Address | String | Description |
|---|---|---|
| 14000c9fb | .rdata | Read-only data section |
| 14000ca4c | .pdata | Exception handling data |
| 14000d340 | .rdata | Read-only data section |
| 14000d350 | .rdata$voltmd | Compiler metadata |
| 14000d390 | .edata | Export data section |
| 14000d3f0 | .data | Data section |
| 14000d400 | .pdata | Exception handling data |
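As an added example (not from the original writeup), the following script groups the strings from the tables above into capability clusters and reports which clusters a sample contains, the way a quick triage pass would. The sample bytes are constructed here, and the grouping is my own reading of the tables.

```python
import re
from collections import defaultdict

# Capability clusters assembled from the string tables in the writeup above.
CAPABILITIES = {
    "anti-debug": [b"IsDebuggerPresent", b"CheckRemoteDebuggerPresent"],
    "vm-detection": [b"VirtualBox", b"VMware", b"Hyper-V", b"BIOSVendor",
                     b"HARDWARE\\DESCRIPTION\\System\\BIOS", b"SystemManufacturer"],
    "c2-http": [b"afdprox.icu", b"/core/createSession", b"/core/sendPart",
                b"Authorization:", b"HttpSendRequestA"],
    "dpapi-browser": [b"CryptUnprotectData", b"encrypted_key",
                      b"app_bound_encrypted_key", b"Local State"],
    "process-injection": [b"VirtualAllocEx", b"WriteProcessMemory",
                          b"CreateRemoteThread"],
    "screenshot-clipboard": [b"BitBlt", b"GetDIBits", b"GetClipboardData"],
    "steam-telegram": [b"Valve\\Steam", b"Telegram Desktop\\tdata"],
}


def find_strings(data: bytes, min_len: int = 5):
    """Extract printable ASCII and UTF-16LE strings (like `strings -a` / `-el`)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group() for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16le").encode() for m in wide_re.finditer(data)]
    return found


def triage(data: bytes):
    """Return {capability: [matched indicators]} for the given sample bytes."""
    strings = find_strings(data)
    hits = defaultdict(list)
    for cap, indicators in CAPABILITIES.items():
        for ind in indicators:
            if any(ind in s for s in strings):
                hits[cap].append(ind.decode())
    return dict(hits)


# Constructed sample standing in for a binary's .rdata: a mix of ASCII and
# UTF-16LE strings separated by junk bytes. These are not real malware bytes.
SAMPLE = (
    b"\x00" * 16 + b"IsDebuggerPresent\x00" + b"\x90" * 8
    + "HARDWARE\\DESCRIPTION\\System\\BIOS".encode("utf-16le") + b"\x00\x00"
    + b"afdprox.icu\x00/core/createSession\x00"
    + "CryptUnprotectData".encode("utf-16le") + b"\x00\x00"
    + b"BitBlt\x00"
)

if __name__ == "__main__":
    for cap, matched in sorted(triage(SAMPLE).items()):
        print(f"{cap:22s} {', '.join(matched)}")
```

Run it against a real file by replacing SAMPLE with `open(path, "rb").read()`; note that the encrypted strings mentioned above will not be found this way until the sample decrypts them in memory.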
Disassembly/Decompilation
To statically analyze the executable, I will use Ghidra.
Starting out, the first (custom) function the executable calls loads all the libraries it needs:

LoadLibraryW returns handles to these DLLs, and later on, as you can see, the malware uses those handles to resolve and call functions; in this case it is "GetProcessHeap". To get an idea of what that looks like:

It is simple: get the address of the function and call it. There are also separate helper functions (a different one for each API) that handle the arguments.
Moving on, the malware calls another (custom) function that tries to create a session with the "afdprox.icu" domain using the authorization key "b0b12e32-2f73-41fc-9031-307e8fdbc5d4":

param_2 is "b0b12e32-2f73-41fc-9031-307e8fdbc5d4". The function sleeps for 10000 ms (10 seconds) and waits for an answer (which has to return 0), then tries to read 0x7ff bytes of data, which I would expect to be either strings or a file that the malware drops later for some of its functionality.

Dynamic Analysis
Sadly, as the domain this malware uses is down right now, it is not possible to observe the full functionality of the malware. But the strings listed above already explain nearly the whole purpose of the malware, starting with:
- Check if executable is being debugged.
- Check if it is currently running inside a VM (by checking registry keys)
- Create session using hardcoded authorization key
- Steal data from Steam, Telegram, Chromium-based and Gecko (Firefox) browsers
- Collect other information the malware looks for: computer name, username, ProductName, os_name, InstallDate, timezone, resolution, video card name, CPU name, etc. It checks all of these using the registry.
- Another functionality of the malware is taking a screenshot:

(The function is a little bit longer; this is just part of the screenshot, showing that it retrieves information about the graphics modes.)
- It can grab clipboard data:

- And at the end, it sends all these data parts via POST requests to /core/sendPart on the afdprox.icu domain.
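As an added example (not part of the original writeup), this is how the C2 exchange described above (createSession with the hardcoded authorization key, then sendPart uploads) can be flagged in proxy logs. The log format, the client IPs and every log line are constructed for this example, and it assumes the Authorization header carries the key as a bare GUID; the domain, paths and key come from the analysis above.

```python
import re
from collections import defaultdict

# Indicators taken from the string table and the analysis above.
C2_DOMAINS = {"afdprox.icu"}
SESSION_PATH = "/core/createSession"
PART_PATH = "/core/sendPart"
# Assumption: the Authorization header carries the hardcoded key as a bare GUID.
GUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Constructed proxy log, one request per line:
# <epoch> <client_ip> <method> <host> <path> <authorization value or ->
LOG = """\
1700000000 10.0.0.5 GET  cdn.example.test     /lib.js              -
1700000001 10.0.0.7 GET  afdprox.icu          /core/createSession  b0b12e32-2f73-41fc-9031-307e8fdbc5d4
1700000011 10.0.0.7 POST afdprox.icu          /core/sendPart       b0b12e32-2f73-41fc-9031-307e8fdbc5d4
1700000012 10.0.0.7 POST afdprox.icu          /core/sendPart       b0b12e32-2f73-41fc-9031-307e8fdbc5d4
1700000020 10.0.0.9 GET  updates.example.test /core/createSession  token-abc
1700000030 10.0.0.9 POST updates.example.test /core/sendPart       token-abc
"""


def parse(line: str) -> dict:
    ts, client, method, host, path, auth = line.split()
    return {"ts": int(ts), "client": client, "method": method,
            "host": host, "path": path, "auth": None if auth == "-" else auth}


def detect(log_text: str) -> dict:
    """Return {client_ip: [reasons]} for clients that match the Amatera C2 pattern."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            r = parse(line)
            by_client[r["client"]].append(r)
    alerts = {}
    for client, reqs in by_client.items():
        reasons = []
        # Strong indicator: any request to the hardcoded C2 domain.
        if any(r["host"] in C2_DOMAINS for r in reqs):
            reasons.append("contact with known C2 domain")
        # Behavioural indicator, independent of the domain: a createSession
        # request with a GUID-shaped Authorization value, followed by
        # POST /core/sendPart uploads to the same host (the exfiltration phase).
        parts = [r for r in reqs if r["path"] == PART_PATH and r["method"] == "POST"]
        for s in (r for r in reqs if r["path"] == SESSION_PATH):
            if s["auth"] and GUID_RE.match(s["auth"]) and any(
                    p["host"] == s["host"] and p["ts"] >= s["ts"] for p in parts):
                reasons.append(f"createSession then sendPart with GUID auth to {s['host']}")
                break
        if reasons:
            alerts[client] = reasons
    return alerts


if __name__ == "__main__":
    for client, reasons in detect(LOG).items():
        print(client, "->", "; ".join(reasons))
```

The second, behavioural rule is there so that a rebuilt sample pointing at a new domain but keeping the same session/part protocol still surfaces; the 10.0.0.9 client shows the same paths with a non-GUID token and is not flagged.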