MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 903e3b20852eb6b2981336d045befc77286299d461af10658b68b20912d00c00. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AmateraStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 4 File information Comments

SHA256 hash:	903e3b20852eb6b2981336d045befc77286299d461af10658b68b20912d00c00
SHA3-384 hash:	ec9647a122e23b638ed0acb38c7bfabfdbb9d05e1203bd4ae5a26bbbf4cd5bbd6f599267486dc788bd1ff9f14b535c2d
SHA1 hash:	d838f28b59ce1762e15090f273e539e88c7a2c11
MD5 hash:	3b1646a664c69643460c8b53c566200a
humanhash:	bravo-butter-romeo-music
File name:	Win_Driver_SSL_support_v43.22.209.44.exe
Download:	download sample
Signature	AmateraStealer Create hunting rule
File size:	3'423'120 bytes
First seen:	2026-03-05 07:07:37 UTC
Last seen:	2026-03-05 11:54:19 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	20dd26497880c05caed9305b3c8b9109 (31 x Adware.Auslogics, 13 x HijackLoader, 5 x Adware.IObit)
ssdeep	49152:LUQf9mucJZCliSAbFXHrZy0HCxgdjmyZ3xoJt17kLz5P3mucJZCliSAbFXHrZy0j:3fQbClDC9Fj6jkLlP2bClDC9Fjd
TLSH	T148F52312BFDB19B3E312093AAD05D410CD62FAE111D1B1222CB8D78E1DFB8555ABAF52
TrID	34.0% (.EXE) Win64 Executable (generic) (6522/11/2) 23.5% (.EXE) Win32 Executable (generic) (4504/4/1) 10.8% (.EXE) Win16/32 Executable Delphi generic (2072/23) 10.6% (.EXE) OS/2 Executable (generic) (2029/13) 10.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	abuse_ch
Tags:	AmateraStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

108

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

Win_Driver_SSL_support_v43.22.209.44.exe

Verdict:

Malicious activity

Analysis date:

2026-03-05 06:23:30 UTC

Tags:

delphi inno installer

Link:

https://app.any.run/tasks/cd6c1169-9896-4a6c-ba1b-f6184c3d2528

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/55618/

Detection(s):

SecuriteInfo.com.W32.ABmTrojan.TYOP-0580.25843.10153.UNOFFICIAL

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69a92161e1f958bf6683cbcf

Tags:

injection obfusc crypt

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

embarcadero_delphi expired-cert fingerprint genheur installer installer-heuristic invalid-signature overlay overlay packed shelma signed soft-404

Link:

https://www.filescan.io/uploads/69a92be197feb4afd66b604e/reports/65c5c299-d3c8-491c-8400-917e8278e2fa/overview

Verdict:

Malicious

Labled as:

Trojan.GenHeur

Link:

https://www.hybrid-analysis.com/sample/903e3b20852eb6b2981336d045befc77286299d461af10658b68b20912d00c00

Result

Gathering data

Verdict:

Malicious

File Type:

exe x32

Detections:

Trojan-PSW.Win32.Amatera.sb Trojan-PSW.Win32.ACRstealer.gen Trojan.Win32.Shelma.sb HEUR:Trojan.Win32.Shelma.gen

Link:

https://opentip.kaspersky.com/903e3b20852eb6b2981336d045befc77286299d461af10658b68b20912d00c00/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/e80fbaf2-73c4-4d76-a6a1-79eae449ddbd

Result

Threat name:

Amatera Stealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1878622

Signature

AI detected suspicious PE digital signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

Contains functionality to hide a thread from the debugger

Creates a thread in another existing process (thread injection)

Found direct / indirect Syscall (likely to bypass EDR)

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Unusual module load detection (module proxying)

Writes to foreign memory regions

Yara detected Amatera Stealer

Behaviour

Behavior Graph:

Download SVG

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/903e3b20852eb6b2981336d045befc77286299d461af10658b68b20912d00c00/

Verdict:

Malicious

Threat:

Trojan-PSW.Win32.Shelma

Link:

https://tip.neiki.dev/file/903e3b20852eb6b2981336d045befc77286299d461af10658b68b20912d00c00

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=sa7dwieff23lfgatg3ielpx4o4ugfgoumgxrazmlnczasewqbqaa._file

Verdict:

malicious

Label(s):

unc_loader_053

Similar samples:

error

AmateraStealer

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery execution installer spyware stealer

Link:

https://tria.ge/reports/260305-hycz3sg19x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Inno Setup is an open-source installation builder for Windows applications.

Command and Scripting Interpreter: PowerShell

System Location Discovery: System Language Discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Accesses cryptocurrency files/wallets, possible credential harvesting

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

903e3b20852eb6b2981336d045befc77286299d461af10658b68b20912d00c00

MD5 hash:

3b1646a664c69643460c8b53c566200a

SHA1 hash:

d838f28b59ce1762e15090f273e539e88c7a2c11

Link:

https://www.unpac.me/results/6375f1c2-5051-4fe2-823d-8bffbda5f230/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/903e3b20852e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.61

Link:

https://yomi.yoroi.company/submissions/903e3b20852eb6b2981336d045befc77286299d461af10658b68b20912d00c00

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AmateraStealer

exe 903e3b20852eb6b2981336d045befc77286299d461af10658b68b20912d00c00

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3789365/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/55618/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample