AmateraStealer Malware Analysis

Tags: Malware Analysis, Reverse Engineering, Stealer, RAT
What is Amatera?

"Amatera is a stealer written in C++. It conducts anti-sandbox analysis before enumerating browsers, exfiltrating found cryptocurrency files/wallets and possibly credentials."
- Malpedia
Static Analysis

Headers

Starting out with the analysis, I use CFF Explorer to find out some of the sample's capabilities.
It is a 64-bit PE compiled with Visual Studio, written in C/C++.
NX (non-executable stack) is enabled for this executable.
Sections: .text, .rdata, .data, .pdata, .reloc.
One important finding is the import table: the executable imports only two functions from KERNEL32.dll, LoadLibraryW and GetProcAddress, so we already know it resolves its APIs dynamically at runtime.
Strings

Looking at the strings, some of them are encrypted; to recover those, the malware would have to be executed so that it decrypts them itself.
But there are still some cleartext strings, which expose some of the malware's functionality:
Anti-Debug/Anti-VM Detection Functions

| Address | String | Description |
|---|---|---|
| 14000a020 | IsDebuggerPresent | Detects if debugger is attached |
| 14000a038 | GetCurrentProcess | Gets current process handle |
| 14000a050 | CheckRemoteDebuggerPresent | Checks for remote debugging |
Virtualization/Sandbox Detection Strings

| Address | String | Description |
|---|---|---|
| 14000a070 | VirtualBox | VM detection string |
| 14000a07c | VMware | VM detection string |
| 14000a098 | Hyper-V | VM detection string |
| 14000a0a0 | Microsoft | VM vendor detection |
Registry Access Functions

| Address | String | Description |
|---|---|---|
| 14000a0e8 | RegGetValueA | Registry value retrieval (ANSI) |
| 14000a138 | RegGetValueA | Registry value retrieval (ANSI) |
| 14000a188 | RegGetValueA | Registry value retrieval (ANSI) |
| 14000a2a8 | RegGetValueW | Registry value retrieval (Unicode) |
| 14000a318 | RegGetValueW | Registry value retrieval (Unicode) |
| 14000ae50 | RegOpenKeyExW | Opens registry key (Unicode) |
| 14000ae78 | RegGetValueW | Registry value retrieval (Unicode) |
| 14000aea0 | RegGetValueW | Registry value retrieval (Unicode) |
| 14000aec0 | RegCloseKey | Closes registry key |
| 14000b448 | RegOpenKeyExW | Opens registry key (Unicode) |
| 14000b458 | RegEnumKeyExW | Enumerates registry keys |
| 14000b480 | RegGetValueW | Registry value retrieval (Unicode) |
| 14000b4a8 | RegGetValueW | Registry value retrieval (Unicode) |
| 14000b4d0 | RegCloseKey | Closes registry key |
Registry Keys - System Information

| Address | String | Description |
|---|---|---|
| 14000a0c0 | HARDWARE\DESCRIPTION\System\BIOS | BIOS information registry path |
| 14000a110 | HARDWARE\DESCRIPTION\System\BIOS | BIOS information registry path |
| 14000a160 | HARDWARE\DESCRIPTION\System\BIOS | BIOS information registry path |
| 14000ae10 | SOFTWARE\Microsoft\Cryptography | Cryptography registry path |
| 14000af50 | SOFTWARE\Microsoft\Windows NT\CurrentVersion | Windows version registry path |
| 14000afe0 | SOFTWARE\Microsoft\Windows NT\CurrentVersion | Windows version registry path |
| 14000b080 | SOFTWARE\Microsoft\Windows NT\CurrentVersion | Windows version registry path |
| 14000b240 | HARDWARE\DESCRIPTION\System\CentralProcessor\0 | CPU information registry path |
| 14000b2e0 | HARDWARE\DESCRIPTION\System\CentralProcessor\0 | CPU information registry path |
| 14000b3e0 | SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall | Installed software registry path |
Registry Values - System Information

| Address | String | Description |
|---|---|---|
| 14000a0b0 | BIOSVendor | BIOS vendor registry value |
| 14000a0f8 | SystemProductName | System product name registry value |
| 14000a148 | SystemManufacturer | System manufacturer registry value |
| 14000ae60 | MachineGuid | Machine GUID registry value |
| 14000ae88 | MachineGuid | Machine GUID registry value |
| 14000af30 | ProductName | Product name registry value |
| 14000afc0 | ProductName | Product name registry value |
| 14000b060 | InstallDate | Installation date registry value |
| 14000b210 | ProcessorNameString | Processor name registry value |
| 14000b2b0 | ProcessorNameString | Processor name registry value |
| 14000b468 | DisplayName | Display name registry value |
| 14000b490 | DisplayName | Display name registry value |
Network Communication

| Address | String | Description |
|---|---|---|
| 14000a1c0 | Authorization: | HTTP authorization header |
| 14000a1d8 | /core/createSession | API endpoint for session creation |
| 14000a1f0 | afdprox.icu | C&C server domain |
| 14000a208 | /core/sendPart | API endpoint for data transmission |
| 14000a220 | afdprox.icu | C&C server domain |
Internet/HTTP Functions

| Address | String | Description |
|---|---|---|
| 14000a9d0 | InternetOpenA | Opens internet connection |
| 14000a9e0 | InternetConnectA | Connects to internet server |
| 14000a9f8 | HttpOpenRequestA | Opens HTTP request |
| 14000aa10 | HttpSendRequestA | Sends HTTP request |
| 14000aa28 | InternetReadFile | Reads internet file |
| 14000aa40 | InternetCloseHandle | Closes internet handle |
| 14000aa58 | InternetCloseHandle | Closes internet handle |
| 14000aa70 | InternetCloseHandle | Closes internet handle |
Application Paths - Steam

| Address | String | Description |
|---|---|---|
| 14000a240 | InstallPath | Steam installation path value |
| 14000a260 | SOFTWARE\WOW6432Node\Valve\Steam | Steam registry path |
| 14000a2b8 | InstallPath | Steam installation path value |
| 14000a2d0 | SOFTWARE\WOW6432Node\Valve\Steam | Steam registry path |
| 14000a328 | \config | Steam config directory |
| 14000a338 | *.vdf | Steam VDF files pattern |
| 14000a348 | Steam | Steam identifier |
Application Paths - Telegram

| Address | String | Description |
|---|---|---|
| 14000a360 | %appdata%\Telegram Desktop\tdata | Telegram data directory |
| 14000a3b0 | dumps | Telegram dumps directory |
| 14000a3c0 | emoji | Telegram emoji directory |
| 14000a3d0 | tdummy | Telegram dummy files |
| 14000a3e0 | temp | Telegram temp directory |
| 14000a3f0 | user_data | Telegram user data |
| 14000a408 | Telegram | Telegram identifier |
Browser Data Paths

| Address | String | Description |
|---|---|---|
| 14000a420 | applications | Browser applications |
| 14000a440 | \Local State | Browser local state file |
| 14000a460 | state_key | Browser state key |
| 14000a478 | files | Browser files |
| 14000a488 | chromium_apps | Chromium applications |
| 14000a4a8 | \Local State | Browser local state file |
| 14000a4c8 | state_key | Browser state key |
| 14000a4f0 | app_bound_key | Browser app-bound key |
| 14000a518 | \Local Extension Settings\ | Browser extension settings path |
| 14000a558 | files | Browser files |
| 14000a568 | extensions | Browser extensions |
| 14000a580 | profiles | Browser profiles |
| 14000a598 | chromium | Chromium identifier |
| 14000a958 | \Profiles | Browser profiles directory |
| 14000a978 | gecko | Gecko browser engine |
Cryptographic Functions

| Address | String | Description |
|---|---|---|
| 14000a5b0 | CryptUnprotectData | Windows DPAPI decryption |
| 14000a5c8 | LocalFree | Frees local memory |
| 14000a5d8 | "encrypted_key":" | JSON key for encrypted data |
| 14000a658 | "app_bound_encrypted_key":" | JSON key for app-bound encrypted data |
Process Management Functions

| Address | String | Description |
|---|---|---|
| 14000a5f0 | CreateToolhelp32Snapshot | Creates process snapshot |
| 14000a610 | Process32FirstW | Gets first process |
| 14000a620 | OpenProcess | Opens process handle |
| 14000a630 | TerminateProcess | Terminates process |
| 14000a648 | Process32NextW | Gets next process |
| 14000a678 | CreateProcessW | Creates new process |
| 14000a688 | msedge.exe | Microsoft Edge executable |
| 14000aa88 | OpenProcess | Opens process handle |
| 14000ab00 | CloseHandle | Closes handle |
| 14000ab10 | WaitForSingleObject | Waits for object |
| 14000b4e0 | CreateToolhelp32Snapshot | Creates process snapshot |
| 14000b500 | Process32FirstW | Gets first process |
| 14000b510 | Process32NextW | Gets next process |
| 14000b520 | CloseHandle | Closes handle |
Memory Management Functions

| Address | String | Description |
|---|---|---|
| 14000a998 | HeapAlloc | Allocates heap memory |
| 14000a9a8 | HeapReAlloc | Reallocates heap memory |
| 14000a9b8 | HeapFree | Frees heap memory |
| 14000aa98 | VirtualAllocEx | Allocates virtual memory in process |
| 14000aaa8 | VirtualFreeEx | Frees virtual memory in process |
| 14000aab8 | WriteProcessMemory | Writes to process memory |
| 14000aad0 | ReadProcessMemory | Reads from process memory |
| 14000aae8 | CreateRemoteThread | Creates thread in remote process |
| 14000ac40 | GetProcessHeap | Gets process heap |
File System Functions

| Address | String | Description |
|---|---|---|
| 14000a850 | FindFirstFileW | Finds first file |
| 14000a870 | FindNextFileW | Finds next file |
| 14000a888 | FindFirstFileW | Finds first file |
| 14000a8b0 | FindNextFileW | Finds next file |
| 14000a8d0 | FindFirstFileW | Finds first file |
| 14000a8f0 | FindNextFileW | Finds next file |
| 14000a900 | GetFileSize | Gets file size |
| 14000a910 | CreateFileW | Creates/opens file |
| 14000a920 | CloseHandle | Closes handle |
| 14000a930 | ReadFile | Reads from file |
| 14000a940 | GetFileAttributesW | Gets file attributes |
System Information Functions

| Address | String | Description |
|---|---|---|
| 14000a198 | GetPhysicallyInstalledSystemMemory | Gets installed RAM |
| 14000aed0 | GetComputerNameW | Gets computer name |
| 14000af08 | GetUserNameW | Gets username |
| 14000b110 | GetUserDefaultLocaleName | Gets system locale |
| 14000b140 | GetDynamicTimeZoneInformation | Gets timezone info |
| 14000b1a0 | EnumDisplaySettingsW | Gets display settings |
| 14000b1d8 | EnumDisplayDevicesW | Enumerates display devices |
| 14000b368 | GetPhysicallyInstalledSystemMemory | Gets installed RAM |
| 14000b3a8 | GetModuleFileNameW | Gets module filename |
| 14000b550 | EnumDisplaySettingsW | Gets display settings |
Screenshot and Clipboard Functions

| Address | String | Description |
|---|---|---|
| 14000b568 | GetDC | Gets device context |
| 14000b570 | CreateCompatibleDC | Creates compatible DC |
| 14000b588 | CreateCompatibleBitmap | Creates compatible bitmap |
| 14000b5a0 | SelectObject | Selects object into DC |
| 14000b5b0 | BitBlt | Bit block transfer |
| 14000b5b8 | GetObjectA | Gets object information |
| 14000b5c8 | GetDIBits | Gets bitmap bits |
| 14000b5f0 | SelectObject | Selects object into DC |
| 14000b600 | DeleteObject | Deletes object |
| 14000b610 | DeleteDC | Deletes device context |
| 14000b620 | ReleaseDC | Releases device context |
| 14000b630 | OpenClipboard | Opens clipboard |
| 14000b640 | GetClipboardData | Gets clipboard data |
| 14000b658 | CloseClipboard | Closes clipboard |
| 14000b668 | GlobalLock | Locks global memory |
| 14000b678 | CloseClipboard | Closes clipboard |
| 14000b6a0 | GlobalUnlock | Unlocks global memory |
| 14000b6b0 | CloseClipboard | Closes clipboard |
String Conversion Functions

| Address | String | Description |
|---|---|---|
| 14000a6a0 | MultiByteToWideChar | Converts multibyte to wide char |
| 14000a6b8 | WideCharToMultiByte | Converts wide char to multibyte |
| 14000a6d0 | WideCharToMultiByte | Converts wide char to multibyte |
| 14000b6d8 | ExpandEnvironmentStringsW | Expands environment variables |
Environment Functions

| Address | String | Description |
|---|---|---|
| 14000a768 | APPDATA | APPDATA environment variable |
| 14000a778 | GetEnvironmentVariableW | Gets environment variable |
| 14000a7b0 | GetEnvironmentVariableW | Gets environment variable |
| 14000a7e8 | GetEnvironmentVariableW | Gets environment variable |
| 14000a818 | GetEnvironmentVariableW | Gets environment variable |
Dynamic Loading Functions

| Address | String | Description |
|---|---|---|
| 14000ab28 | GetModuleHandleA | Gets module handle |
| 14000ab40 | RtlInitUnicodeString | Initializes Unicode string |
| 14000ab58 | LdrLoadDll | Loads DLL |
| 14000b99c | LoadLibraryW | Loads library (Unicode) |
| 14000b98a | GetProcAddress | Gets procedure address |
| 14000d4e6 | GetProcAddress | Gets procedure address |
| 14000d4f8 | LoadLibraryA | Loads library (ANSI) |
System DLLs

| Address | String | Description |
|---|---|---|
| 14000ab68 | Kernel32.dll | Windows kernel library |
| 14000ab88 | Crypt32.dll | Cryptography library |
| 14000aba0 | User32.dll | User interface library |
| 14000abb8 | Advapi32.dll | Advanced Windows API |
| 14000abd8 | Wininet.dll | Windows internet library |
| 14000abf0 | Gdi32.dll | Graphics device interface |
| 14000ac08 | Ole32.dll | Object linking and embedding |
| 14000ac20 | OleAut32.dll | OLE automation library |
| 14000b9aa | KERNEL32.dll | Windows kernel library |
| 14000d21c | ole32.dll | Object linking and embedding |
| 14000d27c | oleaut32.dll | OLE automation library |
| 14000d506 | KERNEL32.dll | Windows kernel library |
COM Functions

| Address | String | Description |
|---|---|---|
| 14000d22c | CoInitializeEx | Initializes COM library |
| 14000d23c | CoUninitialize | Uninitializes COM library |
| 14000d24c | CoCreateInstance | Creates COM object instance |
| 14000d264 | CoSetProxyBlanket | Sets COM proxy security |
| 14000d28c | SysAllocStringByteLen | Allocates BSTR |
| 14000d2a4 | SysFreeString | Frees BSTR |
Configuration/Target Data

| Address | String | Description |
|---|---|---|
| 14000ac50 | session_id | Session identifier |
| 14000ac60 | grabber_rules | Data grabbing rules |
| 14000ac88 | gecko_paths | Firefox browser paths |
| 14000aca0 | gecko_files | Firefox browser files |
| 14000acb8 | chromium_browsers | Chromium-based browsers |
| 14000ad38 | chromium_files | Chromium browser files |
| 14000ad50 | chromium_extensions | Chromium extensions |
| 14000ad70 | chromium_apps | Chromium applications |
| 14000ada8 | applications | Applications target |
| 14000add8 | desktop_wallets | Desktop wallet applications |
| 14000a6e8 | desktop_wallets | Desktop wallet applications |
System Information Fields

| Address | String | Description |
|---|---|---|
| 14000aeb0 | guid | Machine GUID |
| 14000aee8 | computer_name | Computer name |
| 14000af18 | username | Username |
| 14000b050 | os_name | Operating system name |
| 14000b0f0 | install_date | OS installation date |
| 14000b130 | locale | System locale |
| 14000b160 | timezone_name | Timezone name |
| 14000b180 | timezone_bias | Timezone bias |
| 14000b1c0 | resolution | Screen resolution |
| 14000b1f0 | video_card_name | Graphics card name |
| 14000b350 | cpu_name | CPU name |
| 14000b390 | total_ram | Total RAM |
| 14000b3c0 | start_path | Executable start path |
| 14000b4b8 | software | Installed software |
| 14000b530 | process_list | Running processes |
| 14000b5d8 | screenshot | Screenshot data |
| 14000b688 | clipboard | Clipboard content |
| 14000b6c0 | system_info | System information |
Miscellaneous

| Address | String | Description |
|---|---|---|
| 14000a1fc | Sleep | Sleep function |
| 14000a22c | Sleep | Sleep function |
| 14000a4e0 | NONE | None value |
| 14000a708 | ExitProcess | Exit process function |
| 14000a718 | b0b12e32-2f73-41fc-9031-307e8fdbc5d4 | GUID identifier |
| 14000a740 | test_5 | Test identifier |
| 14000a750 | build_id | Build identifier |
| 14000a988 | grabber | Grabber identifier |
| 14000ad98 | true | Boolean true value |
| 14000adc8 | true | Boolean true value |
| 14000adf8 | true | Boolean true value |
| 14000d478 | ElevatorShell.exe | Executable name |
| 14000d48a | ?pData@@3PEAXEA | C++ mangled symbol |
Section Names

| Address | String | Description |
|---|---|---|
| 14000c9fb | .rdata | Read-only data section |
| 14000ca4c | .pdata | Exception handling data |
| 14000d340 | .rdata | Read-only data section |
| 14000d350 | .rdata$voltmd | Compiler metadata |
| 14000d390 | .edata | Export data section |
| 14000d3f0 | .data | Data section |
| 14000d400 | .pdata | Exception handling data |
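The two static findings above, a near-empty import table and a cleartext string set that spells out the capabilities, are exactly what a triage script can score automatically. The following is an added example (not code from the original post): it tags a string list of the kind dumped with CFF Explorer by capability, picks out domain and URL-path indicators, and flags an import table that consists only of LoadLibrary*/GetProcAddress. SAMPLE_STRINGS and SAMPLE_IMPORTS are constructed from the tables above; the category names and token lists are my own choices.

```python
"""Capability triage from a PE's cleartext strings and its import table.

Added example, not code from the original post. SAMPLE_STRINGS and
SAMPLE_IMPORTS are constructed from the tables in the write-up.
"""
import json
import re

# Category -> tokens; a string is tagged when any token is a
# case-insensitive substring of it (so "encrypted_key" also catches
# "app_bound_encrypted_key").
CAPABILITY_RULES = {
    "anti-debug": ("IsDebuggerPresent", "CheckRemoteDebuggerPresent"),
    "anti-vm": ("VirtualBox", "VMware", "Hyper-V", "BIOSVendor",
                "SystemManufacturer", r"DESCRIPTION\System\BIOS"),
    "dpapi-credential-theft": ("CryptUnprotectData", "encrypted_key"),
    "process-injection": ("VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"),
    "process-enumeration": ("CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"),
    "screenshot": ("BitBlt", "GetDIBits", "CreateCompatibleBitmap"),
    "clipboard": ("OpenClipboard", "GetClipboardData"),
    "http-exfil": ("InternetOpenA", "HttpOpenRequestA", "HttpSendRequestA"),
    "dynamic-api-resolution": ("LdrLoadDll", "GetProcAddress", "LoadLibraryA", "LoadLibraryW"),
}

DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)
URL_PATH_RE = re.compile(r"^/[A-Za-z0-9_./-]+$")
BINARY_EXT = (".exe", ".dll", ".sys")   # file names that would pass DOMAIN_RE


def tag_strings(strings):
    """Return {capability: sorted list of strings that triggered it}."""
    tags = {}
    for s in strings:
        low = s.lower()
        for cat, tokens in CAPABILITY_RULES.items():
            if any(t.lower() in low for t in tokens):
                tags.setdefault(cat, set()).add(s)
        if URL_PATH_RE.match(s) or (DOMAIN_RE.match(s) and not low.endswith(BINARY_EXT)):
            tags.setdefault("network-indicator", set()).add(s)
    return {cat: sorted(v) for cat, v in sorted(tags.items())}


def dynamic_resolution_suspected(imports, max_imports=3):
    """True when the whole import table is just the loader/resolver pair."""
    names = {n for funcs in imports.values() for n in funcs}
    resolver = {"LoadLibraryA", "LoadLibraryW", "GetProcAddress"}
    return 0 < len(names) <= max_imports and names <= resolver


def triage_report(strings, imports):
    caps = tag_strings(strings)
    return {
        "dynamic_api_resolution": dynamic_resolution_suspected(imports),
        "capabilities": caps,
        "capability_count": len(caps),
    }


# Constructed from the tables above; a few neutral strings are mixed in.
SAMPLE_STRINGS = [
    "IsDebuggerPresent", "CheckRemoteDebuggerPresent", "VMware", "VirtualBox",
    "HARDWARE\\DESCRIPTION\\System\\BIOS", "SystemManufacturer",
    "CryptUnprotectData", "\"encrypted_key\":\"", "\"app_bound_encrypted_key\":\"",
    "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread", "msedge.exe",
    "CreateToolhelp32Snapshot", "Process32NextW", "BitBlt", "GetDIBits",
    "OpenClipboard", "GetClipboardData", "InternetOpenA", "HttpSendRequestA",
    "afdprox.icu", "/core/createSession", "/core/sendPart", "LdrLoadDll",
    "HeapAlloc", ".rdata", "Kernel32.dll",
]
SAMPLE_IMPORTS = {"KERNEL32.dll": ["LoadLibraryW", "GetProcAddress"]}

if __name__ == "__main__":
    print(json.dumps(triage_report(SAMPLE_STRINGS, SAMPLE_IMPORTS), indent=2))
```

Substring matching is deliberately loose, so treat the output as a triage summary to confirm in the disassembler, not as a verdict; the import-table check is the higher-signal item, since a legitimate Visual Studio build almost never ships with only the resolver pair in its IAT.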
Disassembly/Decompilation

To statically analyze the executable, I will use Ghidra.
Starting out, the first (custom) function the executable calls loads all the libraries it needs:
As LoadLibraryW returns handles to these DLLs, later on it can use these handles to resolve and call functions, for example "GetProcessHeap" in this case. To have an understanding of how it looks:
It is simple: get the address of the function and call it. There are also other functions (a different one for each API) to handle the arguments.
Moving on, the malware calls another (custom) function that tries to create a session with the "afdprox.icu" domain using the authorization key "b0b12e32-2f73-41fc-9031-307e8fdbc5d4":
param_2 is "b0b12e32-2f73-41fc-9031-307e8fdbc5d4"; it sleeps for 10000 ms (10 seconds) and waits for an answer (the call has to return 0),
and it tries to read 0x7ff bytes of data, which I would expect to be either strings or a file dropped by the malware later for some of its functionality.
Dynamic Analysis

Sadly, as the domain this malware uses is down right now, it will not be possible to see the full functionality of the malware, but as the strings listed above show, nearly all of them explain the whole purpose of the malware, starting with:
- Check if the executable is being debugged.
- Check if it is currently running inside a VM (by checking registry keys).
- Create a session using the hardcoded authorization key.
- Steal data from Steam, Telegram, Chromium and Gecko (Firefox) browsers.
Other information the malware looks for: computer name, username, ProductName, os_name, InstallDate, timezone, resolution, video card name, CPU name, etc. It collects all of these from the registry.
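Because the anti-VM stage reads the BIOS and CPU registry values listed in the strings tables and compares them against vendor names, the first thing to verify before detonating the sample is whether your own analysis VM exposes those markers. The following is an added example, not code from the original post: it checks a set of (key, value) pairs against the vendor strings found in the sample, with a conservative verdict on whether the sample would likely exit early. DEFAULT_VBOX and HARDENED_GUEST are constructed value sets; read_live_values() is a hypothetical helper that only works on a Windows host.

```python
"""Does my analysis VM expose the registry markers this sample checks?

Added example, not code from the original post. The registry keys and
value names come from the strings tables above; the two value sets are
constructed, and read_live_values() is a Windows-only helper.
"""
import sys

BIOS_KEY = r"HARDWARE\DESCRIPTION\System\BIOS"
CPU_KEY = r"HARDWARE\DESCRIPTION\System\CentralProcessor\0"

# (registry key, value name) pairs referenced by the sample's strings.
CHECKED_VALUES = [
    (BIOS_KEY, "BIOSVendor"),
    (BIOS_KEY, "SystemProductName"),
    (BIOS_KEY, "SystemManufacturer"),
    (CPU_KEY, "ProcessorNameString"),
]
# Vendor strings present in the sample. "Microsoft" is the Hyper-V vendor
# string but also appears on real Surface hardware, so it is a weak hit.
VM_MARKERS = {"virtualbox": "strong", "vmware": "strong",
              "hyper-v": "strong", "microsoft": "weak"}


def find_vm_markers(values):
    """Return [(key, value_name, marker, strength)] for every match."""
    hits = []
    for (key, name), data in values.items():
        if data is None:          # value absent on this host
            continue
        low = str(data).lower()
        for marker, strength in VM_MARKERS.items():
            if marker in low:
                hits.append((key, name, marker, strength))
    return hits


def would_bail_out(values):
    """Conservative verdict: any strong marker means the sample likely exits."""
    return any(hit[3] == "strong" for hit in find_vm_markers(values))


def read_live_values():
    """Windows only: read CHECKED_VALUES from HKLM (hypothetical helper)."""
    import winreg
    out = {}
    for key, name in CHECKED_VALUES:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
                out[(key, name)] = winreg.QueryValueEx(k, name)[0]
        except OSError:
            out[(key, name)] = None
    return out


# Constructed: a stock VirtualBox guest, and a guest whose SMBIOS strings
# were replaced with hardware-like values.
DEFAULT_VBOX = {
    (BIOS_KEY, "BIOSVendor"): "innotek GmbH",
    (BIOS_KEY, "SystemProductName"): "VirtualBox",
    (BIOS_KEY, "SystemManufacturer"): "innotek GmbH",
    (CPU_KEY, "ProcessorNameString"): "Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz",
}
HARDENED_GUEST = {
    (BIOS_KEY, "BIOSVendor"): "American Megatrends Inc.",
    (BIOS_KEY, "SystemProductName"): "OptiPlex 7090",
    (BIOS_KEY, "SystemManufacturer"): "Dell Inc.",
    (CPU_KEY, "ProcessorNameString"): "Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz",
}

if __name__ == "__main__":
    values = read_live_values() if sys.platform == "win32" else DEFAULT_VBOX
    for hit in find_vm_markers(values):
        print("%s\\%s contains %r (%s)" % hit)
    print("would bail out:", would_bail_out(values))
```

The marker list is limited to the vendor strings visible in this sample; other families check additional values (and device names, MAC prefixes, and so on), so a sandbox that passes this check is clean only with respect to what this binary looks for.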
Another functionality of the malware is taking a screenshot:
(the function is a little bit longer; this is just part of the screenshot to show that it retrieves information about the graphics modes.)
It can get clipboard data:
And at the end, it sends all these data parts in POST requests to /core/sendPart on the afdprox.icu domain.
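The C2 exchange described in the disassembly section and here (a session created via /core/createSession with a bare GUID in the Authorization header, then data parts posted to /core/sendPart on afdprox.icu) leaves a recognisable footprint in web-proxy logs. The following is an added example, not code from the original post: it scans proxy log lines for the known host, the two URI paths, and an Authorization header carrying a scheme-less GUID, and groups hits per client so the createSession -> sendPart sequence is visible. The log format is constructed (adapt LINE_RE to your proxy's real format); the GUID in the sample lines is the one found in the binary, and the second GUID is a constructed placeholder.

```python
"""Proxy-log detection for the session/part C2 pattern described above.

Added example, not code from the original post. Assumes a constructed
one-request-per-line log format with the Authorization header quoted
at the end of the line.
"""
import re
from collections import defaultdict, namedtuple

Finding = namedtuple("Finding", "client host path reasons")

# Constructed format: <ts> <client> <method> <host> <path> <status> ["Authorization: <value>"]
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) '
    r'(?P<path>\S+) (?P<status>\d{3})(?: "Authorization: (?P<auth>[^"]*)")?$'
)
# RFC 7235 credentials start with an auth-scheme (Bearer, Basic, ...).
# A bare GUID with no scheme, as this sample sends, never appears in
# standards-conforming HTTP authentication.
BARE_GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE)

C2_HOSTS = {"afdprox.icu"}                              # from the strings table
C2_PATHS = {"/core/createSession", "/core/sendPart"}   # from the strings table


def classify(host, path, auth):
    """Return the sorted list of reasons a request is suspicious (empty if none)."""
    reasons = []
    if host.lower() in C2_HOSTS:
        reasons.append("known-c2-host")
    if path in C2_PATHS:
        reasons.append("c2-uri-path")
    if auth and BARE_GUID_RE.match(auth.strip()):
        reasons.append("bare-guid-authorization")
    return sorted(reasons)


def scan(lines):
    """Parse each line and keep the ones that trigger at least one reason."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparsable line: skip it rather than abort the sweep
        reasons = classify(m["host"], m["path"], m["auth"])
        if reasons:
            findings.append(Finding(m["client"], m["host"], m["path"], reasons))
    return findings


def session_sequences(findings):
    """Flagged paths per client, in log order, to spot createSession -> sendPart."""
    seq = defaultdict(list)
    for f in findings:
        seq[f.client].append(f.path)
    return dict(seq)


# Constructed sample log: two beacon requests, two benign requests, and a
# sendPart to a different host (path and header still give it away).
SAMPLE_LOG = [
    '2024-05-01T12:00:00Z 10.0.0.5 POST afdprox.icu /core/createSession 200 '
    '"Authorization: b0b12e32-2f73-41fc-9031-307e8fdbc5d4"',
    '2024-05-01T12:00:11Z 10.0.0.5 POST afdprox.icu /core/sendPart 200 '
    '"Authorization: b0b12e32-2f73-41fc-9031-307e8fdbc5d4"',
    '2024-05-01T12:00:12Z 10.0.0.8 GET www.example.com /index.html 200',
    '2024-05-01T12:00:13Z 10.0.0.8 POST api.example.com /v1/upload 200 '
    '"Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.placeholder"',
    '2024-05-01T12:01:00Z 10.0.0.9 POST 203.0.113.7 /core/sendPart 200 '
    '"Authorization: 00000000-0000-4000-8000-000000000001"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f.client, f.host, f.path, ", ".join(f.reasons))
    print(session_sequences(scan(SAMPLE_LOG)))
```

The host match is the weakest of the three signals, since stealer infrastructure rotates; the URI paths and the scheme-less GUID survive a domain change, which is why the last sample line is still flagged.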