“Amatera is a stealer written in C++. It conducts anti-sandbox analysis before enumerating browsers, exfiltrating found cryptocurrency files/wallets and possibly credentials.”
- malpedia
Starting the analysis, I use CFF Explorer to get a first look at the executable's capabilities.
It is a 64-bit PE compiled with Visual Studio, written in C/C++.
NX (non-executable stack) is enabled for this executable.
Sections: .text, .rdata, .data, .pdata, .reloc.
An important finding is the import table: the executable imports only two functions from KERNEL32.dll, LoadLibraryW and GetProcAddress, which already tells us that it resolves its APIs dynamically.
Looking at the strings, some of them are encrypted; recovering those would require letting the malware run and decrypt them itself.
But there are still many cleartext strings, and they expose a good part of the malware's functionality:
| Address | String | Description |
|---|---|---|
| 14000a020 | IsDebuggerPresent | Detects if debugger is attached |
| 14000a038 | GetCurrentProcess | Gets current process handle |
| 14000a050 | CheckRemoteDebuggerPresent | Checks for remote debugging |

| Address | String | Description |
|---|---|---|
| 14000a070 | VirtualBox | VM detection string |
| 14000a07c | VMware | VM detection string |
| 14000a098 | Hyper-V | VM detection string |
| 14000a0a0 | Microsoft | VM vendor detection |

| Address | String | Description |
|---|---|---|
| 14000a0e8 | RegGetValueA | Registry value retrieval (ANSI) |
| 14000a138 | RegGetValueA | Registry value retrieval (ANSI) |
| 14000a188 | RegGetValueA | Registry value retrieval (ANSI) |
| 14000a2a8 | RegGetValueW | Registry value retrieval (Unicode) |
| 14000a318 | RegGetValueW | Registry value retrieval (Unicode) |
| 14000ae50 | RegOpenKeyExW | Opens registry key (Unicode) |
| 14000ae78 | RegGetValueW | Registry value retrieval (Unicode) |
| 14000aea0 | RegGetValueW | Registry value retrieval (Unicode) |
| 14000aec0 | RegCloseKey | Closes registry key |
| 14000b448 | RegOpenKeyExW | Opens registry key (Unicode) |
| 14000b458 | RegEnumKeyExW | Enumerates registry keys |
| 14000b480 | RegGetValueW | Registry value retrieval (Unicode) |
| 14000b4a8 | RegGetValueW | Registry value retrieval (Unicode) |
| 14000b4d0 | RegCloseKey | Closes registry key |

| Address | String | Description |
|---|---|---|
| 14000a0c0 | HARDWARE\DESCRIPTION\System\BIOS | BIOS information registry path |
| 14000a110 | HARDWARE\DESCRIPTION\System\BIOS | BIOS information registry path |
| 14000a160 | HARDWARE\DESCRIPTION\System\BIOS | BIOS information registry path |
| 14000ae10 | SOFTWARE\Microsoft\Cryptography | Cryptography registry path |
| 14000af50 | SOFTWARE\Microsoft\Windows NT\CurrentVersion | Windows version registry path |
| 14000afe0 | SOFTWARE\Microsoft\Windows NT\CurrentVersion | Windows version registry path |
| 14000b080 | SOFTWARE\Microsoft\Windows NT\CurrentVersion | Windows version registry path |
| 14000b240 | HARDWARE\DESCRIPTION\System\CentralProcessor\0 | CPU information registry path |
| 14000b2e0 | HARDWARE\DESCRIPTION\System\CentralProcessor\0 | CPU information registry path |
| 14000b3e0 | SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall | Installed software registry path |

| Address | String | Description |
|---|---|---|
| 14000a0b0 | BIOSVendor | BIOS vendor registry value |
| 14000a0f8 | SystemProductName | System product name registry value |
| 14000a148 | SystemManufacturer | System manufacturer registry value |
| 14000ae60 | MachineGuid | Machine GUID registry value |
| 14000ae88 | MachineGuid | Machine GUID registry value |
| 14000af30 | ProductName | Product name registry value |
| 14000afc0 | ProductName | Product name registry value |
| 14000b060 | InstallDate | Installation date registry value |
| 14000b210 | ProcessorNameString | Processor name registry value |
| 14000b2b0 | ProcessorNameString | Processor name registry value |
| 14000b468 | DisplayName | Display name registry value |
| 14000b490 | DisplayName | Display name registry value |

| Address | String | Description |
|---|---|---|
| 14000a1c0 | Authorization: | HTTP authorization header |
| 14000a1d8 | /core/createSession | API endpoint for session creation |
| 14000a1f0 | afdprox.icu | C&C server domain |
| 14000a208 | /core/sendPart | API endpoint for data transmission |
| 14000a220 | afdprox.icu | C&C server domain |

| Address | String | Description |
|---|---|---|
| 14000a9d0 | InternetOpenA | Opens internet connection |
| 14000a9e0 | InternetConnectA | Connects to internet server |
| 14000a9f8 | HttpOpenRequestA | Opens HTTP request |
| 14000aa10 | HttpSendRequestA | Sends HTTP request |
| 14000aa28 | InternetReadFile | Reads internet file |
| 14000aa40 | InternetCloseHandle | Closes internet handle |
| 14000aa58 | InternetCloseHandle | Closes internet handle |
| 14000aa70 | InternetCloseHandle | Closes internet handle |

| Address | String | Description |
|---|---|---|
| 14000a240 | InstallPath | Steam installation path value |
| 14000a260 | SOFTWARE\WOW6432Node\Valve\Steam | Steam registry path |
| 14000a2b8 | InstallPath | Steam installation path value |
| 14000a2d0 | SOFTWARE\WOW6432Node\Valve\Steam | Steam registry path |
| 14000a328 | \config | Steam config directory |
| 14000a338 | *.vdf | Steam VDF files pattern |
| 14000a348 | Steam | Steam identifier |

| Address | String | Description |
|---|---|---|
| 14000a360 | %appdata%\Telegram Desktop\tdata | Telegram data directory |
| 14000a3b0 | dumps | Telegram dumps directory |
| 14000a3c0 | emoji | Telegram emoji directory |
| 14000a3d0 | tdummy | Telegram dummy files |
| 14000a3e0 | temp | Telegram temp directory |
| 14000a3f0 | user_data | Telegram user data |
| 14000a408 | Telegram | Telegram identifier |

| Address | String | Description |
|---|---|---|
| 14000a420 | applications | Browser applications |
| 14000a440 | \Local State | Browser local state file |
| 14000a460 | state_key | Browser state key |
| 14000a478 | files | Browser files |
| 14000a488 | chromium_apps | Chromium applications |
| 14000a4a8 | \Local State | Browser local state file |
| 14000a4c8 | state_key | Browser state key |
| 14000a4f0 | app_bound_key | Browser app-bound key |
| 14000a518 | \Local Extension Settings | Browser extension settings path |
| 14000a558 | files | Browser files |
| 14000a568 | extensions | Browser extensions |
| 14000a580 | profiles | Browser profiles |
| 14000a598 | chromium | Chromium identifier |
| 14000a958 | \Profiles | Browser profiles directory |
| 14000a978 | gecko | Gecko browser engine |

| Address | String | Description |
|---|---|---|
| 14000a5b0 | CryptUnprotectData | Windows DPAPI decryption |
| 14000a5c8 | LocalFree | Frees local memory |
| 14000a5d8 | "encrypted_key":" | JSON key for encrypted data |
| 14000a658 | "app_bound_encrypted_key":" | JSON key for app-bound encrypted data |

| Address | String | Description |
|---|---|---|
| 14000a5f0 | CreateToolhelp32Snapshot | Creates process snapshot |
| 14000a610 | Process32FirstW | Gets first process |
| 14000a620 | OpenProcess | Opens process handle |
| 14000a630 | TerminateProcess | Terminates process |
| 14000a648 | Process32NextW | Gets next process |
| 14000a678 | CreateProcessW | Creates new process |
| 14000a688 | msedge.exe | Microsoft Edge executable |
| 14000aa88 | OpenProcess | Opens process handle |
| 14000ab00 | CloseHandle | Closes handle |
| 14000ab10 | WaitForSingleObject | Waits for object |
| 14000b4e0 | CreateToolhelp32Snapshot | Creates process snapshot |
| 14000b500 | Process32FirstW | Gets first process |
| 14000b510 | Process32NextW | Gets next process |
| 14000b520 | CloseHandle | Closes handle |

| Address | String | Description |
|---|---|---|
| 14000a998 | HeapAlloc | Allocates heap memory |
| 14000a9a8 | HeapReAlloc | Reallocates heap memory |
| 14000a9b8 | HeapFree | Frees heap memory |
| 14000aa98 | VirtualAllocEx | Allocates virtual memory in process |
| 14000aaa8 | VirtualFreeEx | Frees virtual memory in process |
| 14000aab8 | WriteProcessMemory | Writes to process memory |
| 14000aad0 | ReadProcessMemory | Reads from process memory |
| 14000aae8 | CreateRemoteThread | Creates thread in remote process |
| 14000ac40 | GetProcessHeap | Gets process heap |

| Address | String | Description |
|---|---|---|
| 14000a850 | FindFirstFileW | Finds first file |
| 14000a870 | FindNextFileW | Finds next file |
| 14000a888 | FindFirstFileW | Finds first file |
| 14000a8b0 | FindNextFileW | Finds next file |
| 14000a8d0 | FindFirstFileW | Finds first file |
| 14000a8f0 | FindNextFileW | Finds next file |
| 14000a900 | GetFileSize | Gets file size |
| 14000a910 | CreateFileW | Creates/opens file |
| 14000a920 | CloseHandle | Closes handle |
| 14000a930 | ReadFile | Reads from file |
| 14000a940 | GetFileAttributesW | Gets file attributes |

| Address | String | Description |
|---|---|---|
| 14000a198 | GetPhysicallyInstalledSystemMemory | Gets installed RAM |
| 14000aed0 | GetComputerNameW | Gets computer name |
| 14000af08 | GetUserNameW | Gets username |
| 14000b110 | GetUserDefaultLocaleName | Gets system locale |
| 14000b140 | GetDynamicTimeZoneInformation | Gets timezone info |
| 14000b1a0 | EnumDisplaySettingsW | Gets display settings |
| 14000b1d8 | EnumDisplayDevicesW | Enumerates display devices |
| 14000b368 | GetPhysicallyInstalledSystemMemory | Gets installed RAM |
| 14000b3a8 | GetModuleFileNameW | Gets module filename |
| 14000b550 | EnumDisplaySettingsW | Gets display settings |

| Address | String | Description |
|---|---|---|
| 14000b568 | GetDC | Gets device context |
| 14000b570 | CreateCompatibleDC | Creates compatible DC |
| 14000b588 | CreateCompatibleBitmap | Creates compatible bitmap |
| 14000b5a0 | SelectObject | Selects object into DC |
| 14000b5b0 | BitBlt | Bit block transfer |
| 14000b5b8 | GetObjectA | Gets object information |
| 14000b5c8 | GetDIBits | Gets bitmap bits |
| 14000b5f0 | SelectObject | Selects object into DC |
| 14000b600 | DeleteObject | Deletes object |
| 14000b610 | DeleteDC | Deletes device context |
| 14000b620 | ReleaseDC | Releases device context |
| 14000b630 | OpenClipboard | Opens clipboard |
| 14000b640 | GetClipboardData | Gets clipboard data |
| 14000b658 | CloseClipboard | Closes clipboard |
| 14000b668 | GlobalLock | Locks global memory |
| 14000b678 | CloseClipboard | Closes clipboard |
| 14000b6a0 | GlobalUnlock | Unlocks global memory |
| 14000b6b0 | CloseClipboard | Closes clipboard |

| Address | String | Description |
|---|---|---|
| 14000a6a0 | MultiByteToWideChar | Converts multibyte to wide char |
| 14000a6b8 | WideCharToMultiByte | Converts wide char to multibyte |
| 14000a6d0 | WideCharToMultiByte | Converts wide char to multibyte |
| 14000b6d8 | ExpandEnvironmentStringsW | Expands environment variables |

| Address | String | Description |
|---|---|---|
| 14000a768 | APPDATA | APPDATA environment variable |
| 14000a778 | GetEnvironmentVariableW | Gets environment variable |
| 14000a7b0 | GetEnvironmentVariableW | Gets environment variable |
| 14000a7e8 | GetEnvironmentVariableW | Gets environment variable |
| 14000a818 | GetEnvironmentVariableW | Gets environment variable |

| Address | String | Description |
|---|---|---|
| 14000ab28 | GetModuleHandleA | Gets module handle |
| 14000ab40 | RtlInitUnicodeString | Initializes Unicode string |
| 14000ab58 | LdrLoadDll | Loads DLL |
| 14000b99c | LoadLibraryW | Loads library (Unicode) |
| 14000b98a | GetProcAddress | Gets procedure address |
| 14000d4e6 | GetProcAddress | Gets procedure address |
| 14000d4f8 | LoadLibraryA | Loads library (ANSI) |

| Address | String | Description |
|---|---|---|
| 14000ab68 | Kernel32.dll | Windows kernel library |
| 14000ab88 | Crypt32.dll | Cryptography library |
| 14000aba0 | User32.dll | User interface library |
| 14000abb8 | Advapi32.dll | Advanced Windows API |
| 14000abd8 | Wininet.dll | Windows internet library |
| 14000abf0 | Gdi32.dll | Graphics device interface |
| 14000ac08 | Ole32.dll | Object linking and embedding |
| 14000ac20 | OleAut32.dll | OLE automation library |
| 14000b9aa | KERNEL32.dll | Windows kernel library |
| 14000d21c | ole32.dll | Object linking and embedding |
| 14000d27c | oleaut32.dll | OLE automation library |
| 14000d506 | KERNEL32.dll | Windows kernel library |

| Address | String | Description |
|---|---|---|
| 14000d22c | CoInitializeEx | Initializes COM library |
| 14000d23c | CoUninitialize | Uninitializes COM library |
| 14000d24c | CoCreateInstance | Creates COM object instance |
| 14000d264 | CoSetProxyBlanket | Sets COM proxy security |
| 14000d28c | SysAllocStringByteLen | Allocates BSTR |
| 14000d2a4 | SysFreeString | Frees BSTR |

| Address | String | Description |
|---|---|---|
| 14000ac50 | session_id | Session identifier |
| 14000ac60 | grabber_rules | Data grabbing rules |
| 14000ac88 | gecko_paths | Firefox browser paths |
| 14000aca0 | gecko_files | Firefox browser files |
| 14000acb8 | chromium_browsers | Chromium-based browsers |
| 14000ad38 | chromium_files | Chromium browser files |
| 14000ad50 | chromium_extensions | Chromium extensions |
| 14000ad70 | chromium_apps | Chromium applications |
| 14000ada8 | applications | Applications target |
| 14000add8 | desktop_wallets | Desktop wallet applications |
| 14000a6e8 | desktop_wallets | Desktop wallet applications |

| Address | String | Description |
|---|---|---|
| 14000aeb0 | guid | Machine GUID |
| 14000aee8 | computer_name | Computer name |
| 14000af18 | username | Username |
| 14000b050 | os_name | Operating system name |
| 14000b0f0 | install_date | OS installation date |
| 14000b130 | locale | System locale |
| 14000b160 | timezone_name | Timezone name |
| 14000b180 | timezone_bias | Timezone bias |
| 14000b1c0 | resolution | Screen resolution |
| 14000b1f0 | video_card_name | Graphics card name |
| 14000b350 | cpu_name | CPU name |
| 14000b390 | total_ram | Total RAM |
| 14000b3c0 | start_path | Executable start path |
| 14000b4b8 | software | Installed software |
| 14000b530 | process_list | Running processes |
| 14000b5d8 | screenshot | Screenshot data |
| 14000b688 | clipboard | Clipboard content |
| 14000b6c0 | system_info | System information |

| Address | String | Description |
|---|---|---|
| 14000a1fc | Sleep | Sleep function |
| 14000a22c | Sleep | Sleep function |
| 14000a4e0 | NONE | None value |
| 14000a708 | ExitProcess | Exit process function |
| 14000a718 | b0b12e32-2f73-41fc-9031-307e8fdbc5d4 | GUID identifier |
| 14000a740 | test_5 | Test identifier |
| 14000a750 | build_id | Build identifier |
| 14000a988 | grabber | Grabber identifier |
| 14000ad98 | true | Boolean true value |
| 14000adc8 | true | Boolean true value |
| 14000adf8 | true | Boolean true value |
| 14000d478 | ElevatorShell.exe | Executable name |
| 14000d48a | ?pData@@3PEAXEA | C++ mangled symbol |

| Address | String | Description |
|---|---|---|
| 14000c9fb | .rdata | Read-only data section |
| 14000ca4c | .pdata | Exception handling data |
| 14000d340 | .rdata | Read-only data section |
| 14000d350 | .rdata$voltmd | Compiler metadata |
| 14000d390 | .edata | Export data section |
| 14000d3f0 | .data | Data section |
| 14000d400 | .pdata | Exception handling data |
To statically analyze the executable, I will use Ghidra.
Starting out, the first (custom) function the executable calls loads all the libraries it needs:
LoadLibraryW returns handles to these DLLs, and later on, as you can see, the malware uses these handles to resolve functions, in this case “GetProcessHeap”. To give an idea of what this looks like:
It is simple: get the address of the function and call it. There are also separate wrapper functions (one per API) that handle the arguments.
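The capability triage done by hand in the string tables above, and the LoadLibraryW/GetProcAddress-only import pattern just described, can be automated. The following is an added Python example (my own code, not from the page or from the malware): it extracts ASCII and UTF-16LE strings from a raw section buffer, maps them onto indicator groups built from the tables, and flags a near-empty import table that coexists with Win32 API names stored as data. The indicator groups, the threshold of five API names and the sample .rdata bytes are constructed for this example.

```python
import re
from collections import defaultdict

# Indicator groups assembled from the cleartext strings in the tables above.
CAPABILITY_RULES = {
    "anti_debug": {"IsDebuggerPresent", "CheckRemoteDebuggerPresent"},
    "vm_detection": {"VirtualBox", "VMware", "Hyper-V", "BIOSVendor",
                     "SystemManufacturer", "HARDWARE\\DESCRIPTION\\System\\BIOS"},
    "host_profiling": {"MachineGuid", "InstallDate", "ProcessorNameString"},
    "c2_http": {"afdprox.icu", "/core/createSession", "/core/sendPart",
                "InternetOpenA", "HttpSendRequestA"},
    "browser_theft": {"CryptUnprotectData", "\\Local State", "encrypted_key", "gecko_paths"},
    "messenger_gaming_theft": {"Telegram Desktop\\tdata", "Valve\\Steam", "*.vdf"},
    "process_injection": {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
    "screenshot_clipboard": {"BitBlt", "GetDIBits", "GetClipboardData"},
}
# Win32 names that normally live in the import table, not as text in .rdata.
API_NAMES = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "RegGetValueW",
             "RegOpenKeyExW", "InternetOpenA", "HttpSendRequestA", "CryptUnprotectData",
             "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread", "BitBlt"}
RESOLVER_IMPORTS = {"LoadLibraryW", "LoadLibraryA", "GetProcAddress"}

def extract_strings(data: bytes, min_len: int = 4) -> set:
    """Pull printable ASCII and UTF-16LE strings out of a raw buffer (like strings -el)."""
    ascii_re = rb"[\x20-\x7e]{%d,}" % min_len
    wide_re = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    found = {m.group().decode("ascii") for m in re.finditer(ascii_re, data)}
    found |= {m.group().decode("utf-16le") for m in re.finditer(wide_re, data)}
    return found

def triage(imports, strings):
    """Map strings onto capability groups and flag the resolver-only import pattern."""
    hits = defaultdict(set)
    for capability, indicators in CAPABILITY_RULES.items():
        for indicator in indicators:
            if any(indicator in s for s in strings):
                hits[capability].add(indicator)
    # Amatera's giveaway: only LoadLibraryW/GetProcAddress imported, yet API names in data.
    api_in_data = API_NAMES & set(strings)
    dynamic = bool(imports) and set(imports) <= RESOLVER_IMPORTS and len(api_in_data) >= 5
    return {"capabilities": {k: sorted(v) for k, v in hits.items()},
            "api_names_in_data": sorted(api_in_data), "dynamic_api_resolution": dynamic}

# Constructed sample: a fragment imitating the sample's .rdata, not bytes from the real binary.
SAMPLE_RDATA = (b"\x00IsDebuggerPresent\x00CheckRemoteDebuggerPresent\x00VMware\x00RegGetValueW"
               b"\x00RegOpenKeyExW\x00afdprox.icu\x00/core/createSession\x00HttpSendRequestA\x00"
               b"CryptUnprotectData\x00VirtualAllocEx\x00WriteProcessMemory\x00CreateRemoteThread"
               b"\x00\x00" + "HARDWARE\\DESCRIPTION\\System\\BIOS".encode("utf-16le") + b"\x00\x00")
SAMPLE_IMPORTS = ["LoadLibraryW", "GetProcAddress"]
REPORT = triage(SAMPLE_IMPORTS, extract_strings(SAMPLE_RDATA))
```

On a real sample, feed it the bytes of the .rdata section and the names from the import table instead of the constructed values.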
Moving on, the malware calls another (custom) function that tries to create a session with the “afdprox.icu” domain using the authorization key “b0b12e32-2f73-41fc-9031-307e8fdbc5d4”:
param_2 is “b0b12e32-2f73-41fc-9031-307e8fdbc5d4”; the function sleeps for 10000 ms (10 seconds) and waits for an answer (the call has to return 0).
It then tries to read 0x7ff bytes of data, which I would expect to be either strings or a file that the malware drops later for some of its functionality.
Sadly, as the domain this malware uses is down right now, it is not possible to observe its full functionality, but the strings listed above explain nearly the whole purpose of the malware, starting with:
- Check whether the executable is being debugged.
- Check whether it is running inside a VM (by checking registry keys).
- Create a session using the hardcoded authorization key.
- Steal data from Steam, Telegram, Chromium-based browsers and Gecko (Firefox).
Other information the malware looks for: computer name, username, ProductName, os_name, InstallDate, timezone, resolution, video card name, CPU name, etc.; it checks all of these via the registry.
Another functionality of the malware is taking a screenshot:
(The function is a bit longer; this is just part of it, showing that it retrieves information about the graphics modes.)
It can also grab clipboard data:
Finally, it sends all these data parts with POST requests to /core/sendPart on the afdprox.icu domain.
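The C2 sequence described here (createSession with the hardcoded authorization key, then sendPart uploads) can be turned into detection logic over proxy or sensor captures. The following is an added Python example (my own code, not from the page or the malware): it parses raw HTTP/1.1 requests, classifies those aimed at the afdprox.icu endpoints, checks for a GUID-shaped Authorization value and flags the createSession-then-sendPart order. The sample requests are constructed; the POST method on createSession, the raw-GUID Authorization format and the JSON body are assumptions, since the page only shows the endpoint strings and the sendPart POST.

```python
import re

# Indicators taken from the strings table: C2 host, the two endpoints, GUID-shaped auth key.
C2_HOST = "afdprox.icu"
C2_STAGES = {"/core/createSession": "session_create", "/core/sendPart": "exfil_part"}
# Assumption: the Authorization value is the raw GUID, optionally behind a scheme word.
GUID_AUTH_RE = re.compile(r"^(?:\w+\s+)?[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def parse_request(raw: str) -> dict:
    """Minimal parser for one raw HTTP/1.1 request: request line, headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ", 2)
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {request_line!r}")
    method, path, _version = parts
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path.split("?", 1)[0], "headers": headers, "body": body}

def classify(raw: str):
    """Return a C2 event for a request hitting the Amatera endpoints, else None."""
    req = parse_request(raw)
    if req["headers"].get("host", "").lower() != C2_HOST or req["path"] not in C2_STAGES:
        return None
    auth = req["headers"].get("authorization", "")
    return {"stage": C2_STAGES[req["path"]], "method": req["method"],
            "guid_auth": bool(GUID_AUTH_RE.match(auth)), "has_body": bool(req["body"])}

def detect_session(requests):
    """Flag the beacon pattern: createSession followed by at least one sendPart upload."""
    events = [e for e in map(classify, requests) if e]
    stages = [e["stage"] for e in events]
    ordered = ("session_create" in stages and "exfil_part" in stages
               and stages.index("session_create") < stages.index("exfil_part"))
    return {"events": events, "amatera_like": ordered}

# Constructed sample traffic (not a real capture); the method and JSON body are assumptions.
KEY = "b0b12e32-2f73-41fc-9031-307e8fdbc5d4"
SAMPLE_REQUESTS = [
    f"POST /core/createSession HTTP/1.1\r\nHost: afdprox.icu\r\nAuthorization: {KEY}\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: constructed\r\n\r\n",
    f"POST /core/sendPart HTTP/1.1\r\nHost: afdprox.icu\r\nAuthorization: {KEY}\r\n"
    "Content-Type: application/json\r\n\r\n" '{"system_info":{"username":"constructed"}}',
]
RESULT = detect_session(SAMPLE_REQUESTS)
```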