← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
Amatera Stealer: Rebranded ACR Stealer With Improved Evasion, Sophistication
WHITE PetrP.73 2025-06-23 Modified: 2025-06-23
45
IOCs
MEDIUM VOLUME
Proofpoint has identified Amatera Stealer, a new variant of the ACR Stealer, rebranded and marketed as malware-as-a-service (MaaS) with advanced features and sophisticated anti-analysis capabilities. This malware enhances its stealth by employing NTSockets for communication with its command and control server and utilizes complex HTTP requests that avoid traditional DNS resolution. Amatera Stealer is distributed through ClearFake, which injects malicious scripts into legitimate sites, using techniques such as EtherHiding and ClickFix to deceive users and extract sensitive information from web browsers, cryptocurrency wallets, and messaging applications while evading detection. The overarching development of Amatera Stealer highlights a significant evolution in the threat landscape posed by information stealers, particularly amid increased competition from other malware solutions.
amatera stealerproofpointacr stealerpowershellclearfakentsocketsmaaswindowsip addresscloudflaretelegramlumma stealerstealeraprilrhadamanthysjunevirustotaldwordsteamgrmsklummaclickfixacramatera
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
GrMsk Lumma ClickFix ClearFake ACR Amatera
Indicators of Compromise (45)
All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 domain hostname URL
TYPEINDICATORDESCRIPTIONCREATED
FileHash-MD5 1b4a67d5fc078f87ab5574c970c297f4 MD5 of 120316ecaf06b76a564ce42e11f7074c52df6d79b85d3526c5b4e9f362d2f1c2 2025-06-23
FileHash-MD5 5751851c33b98c544d60038d6f3893e3 MD5 of 7d91a585583f4aa1a3ab3cb808d7bc351d6140b3ae1deeef9d51c6414c11baea 2025-06-23
FileHash-MD5 ddc0168342a8d1e263d778a65bb47088 MD5 of ad9ffd624e27070092ff18a10e33fa9e2784b2c75ac9ac4540fa81cf5bd84e55 2025-06-23
FileHash-MD5 df75806b466c937b58d121b07a8d9079 MD5 of 35eb93548a0c037d392f870c05e0e9fb1aeff3a5a505e1d4a087f7465ed1f6af 2025-06-23
FileHash-MD5 fec6e80f71f291006e96a9f7d759f964 MD5 of 2960d5f8a3d9b0a21d6b744092fe3089517ecf2e49169683f754bfe9800e3991 2025-06-23
FileHash-SHA1 4407f8dd797155cdd55fc00946151c76a4d5f852 SHA1 of ad9ffd624e27070092ff18a10e33fa9e2784b2c75ac9ac4540fa81cf5bd84e55 2025-06-23
FileHash-SHA1 5ad8e200a629a8b99357582f83a9c2728e885c42 SHA1 of 35eb93548a0c037d392f870c05e0e9fb1aeff3a5a505e1d4a087f7465ed1f6af 2025-06-23
FileHash-SHA1 da9825ec812af43e4177c25b0fc98917a1e5fd99 SHA1 of 120316ecaf06b76a564ce42e11f7074c52df6d79b85d3526c5b4e9f362d2f1c2 2025-06-23
FileHash-SHA1 e4a664fffb4b3de32723ffef883c056038bdbaca SHA1 of 7d91a585583f4aa1a3ab3cb808d7bc351d6140b3ae1deeef9d51c6414c11baea 2025-06-23
FileHash-SHA1 f323e92b1cce0e528aea163674479b4c8b401bd4 SHA1 of 2960d5f8a3d9b0a21d6b744092fe3089517ecf2e49169683f754bfe9800e3991 2025-06-23
FileHash-SHA256 055a883f18ffcc413973fa45383e72e998aae87909af5f9507b6384bfec34a5b 2025-06-23
FileHash-SHA256 120316ecaf06b76a564ce42e11f7074c52df6d79b85d3526c5b4e9f362d2f1c2 2025-06-23
FileHash-SHA256 2960d5f8a3d9b0a21d6b744092fe3089517ecf2e49169683f754bfe9800e3991 2025-06-23
FileHash-SHA256 35eb93548a0c037d392f870c05e0e9fb1aeff3a5a505e1d4a087f7465ed1f6af 2025-06-23
FileHash-SHA256 7d91a585583f4aa1a3ab3cb808d7bc351d6140b3ae1deeef9d51c6414c11baea 2025-06-23
FileHash-SHA256 ad9ffd624e27070092ff18a10e33fa9e2784b2c75ac9ac4540fa81cf5bd84e55 2025-06-23
domain amaprox.icu 2025-06-23
domain badnesspandemic.shop 2025-06-23
domain overplanteasiest.top 2025-06-23
hostname b1.talismanoverblown.com 2025-06-23
hostname cv.cbrw.ru 2025-06-23
hostname tt.cbrw.ru 2025-06-23
URL http://badnesspandemic.shop/Up 2025-06-23
URL http://badnesspandemic.shop/Up/b 2025-06-23
URL http://badnesspandemic.shop/Up/p 2025-06-23
URL http://badnesspandemic.shop/ujs/1ebc820c-f85b-4421-8937-ddd717154b24 2025-06-23
URL http://badnesspandemic.shop/up/b 2025-06-23
URL https://amaprox.icu/sign-in 2025-06-23
domain cbrw.ru 2025-06-23
URL https://cv.cbrw.ru/init1.bin 2025-06-23
URL https://cv.cbrw.ru/t.csproj 2025-06-23
URL http://overplanteasiest.top/Up 2025-06-23
URL https://overplanteasiest.top/Up 2025-06-23
URL https://overplanteasiest.top/Up8 2025-06-23
URL https://overplanteasiest.top/ujs/1ebc820c-f85b-4421-8937-ddd717154b24 2025-06-23
domain talismanoverblown.com 2025-06-23
URL https://b1.talismanoverblown.com/Up/b 2025-06-23
URL https://tt.cbrw.ru/vb7to8.psd 2025-06-23
URL http://cv.cbrw.ru 2025-06-23
URL http://cv.cbrw.ru/ 2025-06-23
URL http://tt.cbrw.ru 2025-06-23
URL https://cv.cbrw.ru 2025-06-23
URL https://cv.cbrw.ru/ 2025-06-23
URL https://tt.cbrw.ru 2025-06-23
URL https://tt.cbrw.ru/ 2025-06-23
References (1)
↗ https://www.proofpoint.com/us/blog/threat-insight/amatera-stealer-rebranded-acr-stealer-improved-evasion-sophistication