MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 048cb24a6ac4cbc00361a9fd4dffff7cf299d7d12f0053aac558acc2d7b82c2f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AmateraStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 048cb24a6ac4cbc00361a9fd4dffff7cf299d7d12f0053aac558acc2d7b82c2f
SHA3-384 hash: 9f64012cda6c1aff4f4db5ea0eaa486cdf5aa7366282d7ad031cc97564b753f697ffd28c85614d03a67a949622bfa28f
SHA1 hash: 5c084e3191bd78b3d9e3bf6c180f9426ab4e41da
MD5 hash: 9922ecba48c0eb234cf9d0816a2db29f
humanhash: stream-april-robin-november
File name:ProtonVPN.exe
Download: download sample
Signature AmateraStealer
Create hunting rule
File size:10'755'274 bytes
First seen:2026-03-05 18:46:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c1508fea733fa48505bdb2ca1c300984 (1 x AmateraStealer)
ssdeep 98304:o3PnnehNU76F5Rd0QMp4Jyj/rLWlICoC7O:4nnM59d0QMVjDL0S
Threatray 1 similar samples on MalwareBazaar
TLSH T195B65B213761C52AE1E2DFB3193D956E1C297DE20774E0C792885A5E9CB7AC20E35F23
TrID 29.5% (.EXE) Win64 Executable (generic) (6522/11/2)
22.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags:AmateraStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
117
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
dubha.ps1
Verdict:
Malicious activity
Analysis date:
2026-03-05 15:36:32 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/3af20128-7342-4481-878c-fa6401c1b7e5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/55735/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69a9a815002d37d5c9841c76
Tags:
micro hype sage
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context anti-debug base64 crypto expired-cert explorer fingerprint lolbin microsoft_visual_cc overlay packed
Link:
https://www.filescan.io/uploads/69a9cf78cd25bfe1dfe16fea/reports/2a67613d-a04d-43bf-83d2-d95748f33b89/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/048cb24a6ac4cbc00361a9fd4dffff7cf299d7d12f0053aac558acc2d7b82c2f
Verdict:
Malicious
File Type:
exe x32
Detections:
UDS:DangerousObject.Multi.Generic Trojan.Win32.Shelma.chpm Trojan-PSW.Win32.Amatera.sb Trojan.Win32.Shelma.sb
Link:
https://opentip.kaspersky.com/048cb24a6ac4cbc00361a9fd4dffff7cf299d7d12f0053aac558acc2d7b82c2f/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/f8401c49-21bc-4966-8669-40be43945999
Result
Threat name:
Amatera Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1879180
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Contains functionality to hide a thread from the debugger
Creates a thread in another existing process (thread injection)
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected Amatera Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1879180 Sample: ProtonVPN.exe Startdate: 05/03/2026 Architecture: WINDOWS Score: 100 34 Suricata IDS alerts for network traffic 2->34 36 Antivirus detection for URL or domain 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 2 other signatures 2->40 7 ProtonVPN.exe 2->7         started        11 elevation_service.exe 2->11         started        process3 dnsIp4 28 46.149.77.24, 443, 49699, 49700 ASARTTELECOMRU Russian Federation 7->28 42 Found many strings related to Crypto-Wallets (likely being stolen) 7->42 44 Tries to harvest and steal browser information (history, passwords, etc) 7->44 46 Writes to foreign memory regions 7->46 48 8 other signatures 7->48 13 powershell.exe 14 16 7->13         started        16 powershell.exe 7->16         started        18 powershell.exe 7->18         started        20 chrome.exe 7->20         started        signatures5 process6 dnsIp7 30 194.150.220.218, 80 SAFEGRIDRO Ukraine 13->30 22 conhost.exe 13->22         started        32 91.219.23.145, 49715, 80 POWERNETRU Russian Federation 16->32 24 conhost.exe 16->24         started        26 conhost.exe 18->26         started        process8
Score:
62%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/048cb24a6ac4cbc00361a9fd4dffff7cf299d7d12f0053aac558acc2d7b82c2f
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/048cb24a6ac4cbc00361a9fd4dffff7cf299d7d12f0053aac558acc2d7b82c2f/
Verdict:
Malicious
Threat:
Trojan.Win32.Amatera
Link:
https://tip.neiki.dev/file/048cb24a6ac4cbc00361a9fd4dffff7cf299d7d12f0053aac558acc2d7b82c2f
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-03-05 15:56:34 UTC
File Type:
PE (Exe)
Extracted files:
140
AV detection:
12 of 38 (31.58%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=asglestkytf4aa3bvh6u3777ptzjtv6rf4afhkwflcwmfv5yfqxq._file
Verdict:
malicious
Label(s):
unc_loader_053
Create hunting rule
Similar samples:
048cb24a6ac4cbc00361a9fd4dffff7cf299d7d12f0053aac558acc2d7b82c2f
AmateraStealer
error
AmateraStealer
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution spyware stealer
Link:
https://tria.ge/reports/260305-xerfpafs7q/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Program crash
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Badlisted process makes network request
Unpacked files
SH256 hash:
048cb24a6ac4cbc00361a9fd4dffff7cf299d7d12f0053aac558acc2d7b82c2f
MD5 hash:
9922ecba48c0eb234cf9d0816a2db29f
SHA1 hash:
5c084e3191bd78b3d9e3bf6c180f9426ab4e41da
Link:
https://www.unpac.me/results/009651af-77c1-40a8-9e0b-d9136c1e0e0a/
SH256 hash:
ea69ae3af1cffd5e895c79e8fbed7ab0885911df63f187ff2069c6b8e2236fce
MD5 hash:
ee357e811f82b3703fb601fb3b781ee1
SHA1 hash:
a9ff29bf2b1000b6fbca14b3406309fa7058a746
Link:
https://www.unpac.me/results/009651af-77c1-40a8-9e0b-d9136c1e0e0a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/048cb24a6ac4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.27
Link:
https://yomi.yoroi.company/submissions/048cb24a6ac4cbc00361a9fd4dffff7cf299d7d12f0053aac558acc2d7b82c2f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETDLLMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/55735/

Comments