MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1bbae6f0ed00957fd51f4bdd7c4b007e5bd3c86790c324e8d97fb71afd38170d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AmateraStealer

Vendor detections: 12

SHA256 hash: 1bbae6f0ed00957fd51f4bdd7c4b007e5bd3c86790c324e8d97fb71afd38170d
SHA3-384 hash: 401157a66bd282caa47388f92d1d827ebc688bffe53832ec1a8d4468c879f986c691d839abbb5131e19d0b6c275d75a5
SHA1 hash: dd889f9a80023ae9c071b6a95edee4cec80cd34a
MD5 hash: d9fd2030f61cd3f2f8ba3f76ee1ad9a3
humanhash: pizza-beryllium-red-steak
File name: blind.hta
Signature: AmateraStealer
File size: 52'773 bytes
First seen: 2026-03-01 13:58:30 UTC
Last seen: Never
File type: HTML Application (hta)
MIME type: text/html
ssdeep: 1536:+X0X9ztiF0LY0e0uZr5o97NR9UBEUpchAA1rGzRwR7MK56b0Q0gpGM2l0UN0vhb5:2
Threatray: 4 similar samples on MalwareBazaar
TLSH: T15C333B5CF1D992A02047A57BC6307DC19E24B12FD5677CE87EF8428058F8E2A3F9E592
TrID: 66.6% (.HTML) HyperText Markup Language (UTF-8) (6000/1/1); 33.3% (.TXT) Text - UTF-8 encoded (3000/1)
Magika: html
Reporter: aachum
Tags: 185-121-235-118 ACRStealer AmateraStealer ClickFix FakeCaptcha hta


Comment from iamaachum:
http://185.193.89.158/blind.wav

ACRStealer C2: 185.121.235.118

Intelligence

File Origin
# of uploads: 1
# of downloads: 54
Origin country: ES

Vendor Threat Intelligence

No detections

Verdict: Malicious
Score: 92.5%
Tags: infosteal rapid

Result
Verdict: Malicious
File Type: HTA File - Malicious
Behaviour: BlacklistAPI detected

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%

Result
Gathering data

Result
Threat name: n/a
Detection: malicious
Classification: spyw.evad
Score: 100 / 100
Signature:
Detected unpacking (creates a PE file in dynamic memory)
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Suspicious MSHTA Child Process
Suspicious powershell command line found
Yara detected Powershell decode and execute
Behaviour:
Behavior Graph: Gathering data

Threat name: Win32.Trojan.Corona
Status: Malicious
First seen: 2026-03-01 13:22:47 UTC
File Type: Text (HTML)
Extracted files: 2
AV detection: 6 of 36 (16.67%)
Threat level: 5/5

Result
Malware family: sectoprat
Score: 10/10
Tags: family:sectoprat discovery execution persistence rat spyware stealer trojan
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
SectopRAT
SectopRAT payload
Sectoprat family

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download

Comments