# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: amatera stealer

# Reference: https://x.com/solostalking/status/1867864181514600826

http://45.89.196.115

# Reference: https://x.com/solostalking/status/1885303861130166459
# Reference: https://app.validin.com/detail?find=Amatera%20App&type=raw&ref_id=5c1704d7ffe#tab=host_pairs (# 2025-01-31)

http://84.200.154.182

# Reference: https://x.com/solostalking/status/1907320756595220710

http://194.48.248.57
194.48.248.57:443
amaprox.icu

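# Reference: https://x.com/solostalking/status/1930844795330761206
# Reference: https://x.com/BlinkzSec/status/1935749372697817302
# Reference: https://app.validin.com/detail?find=Amatera%20App&type=raw&ref_id=bf97d1b4bbc#tab=host_pairs (# 2025-06-06)
# Note: v361422.hosted-by-vdsina.com in this group appears to be a provider-assigned VPS hostname (presumably for 91.84.109.91), not an actor-registered domain; such names and addresses can be reassigned to another tenant, so re-verify before relying on them long-term.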

http://91.84.109.91
91.84.109.91:443
adiobast.icu
afdprox.icu
v361422.hosted-by-vdsina.com

# Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2025-05-21-v10932/2752

winthigh.top

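# Reference: https://www.proofpoint.com/us/blog/threat-insight/amatera-stealer-rebranded-acr-stealer-improved-evasion-sophistication
# Note: per this report's title, Amatera is a rebrand of ACR Stealer, which is why ACRStealer-labelled sources are referenced further down in this file.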

talismanoverblown.com
b1.talismanoverblown.com

# Reference: https://x.com/Merlax_/status/1960048599678493033
# Reference: https://www.virustotal.com/gui/file/133d56d17ba934898306f4ad442ee679f9e161e0237c968ff37f2abc487d3f0d/detection

37.27.165.65:1477
62.84.103.78:28352

# Reference: https://x.com/YungBinary/status/1989157220601475134
# Reference: https://www.esentire.com/blog/evalusion-campaign-delivers-amatera-stealer-and-netsupport-rat
# Reference: https://github.com/eSentire/iocs/blob/main/Amatera/Amatera-IoCs-11-12-2025.txt

178.156.176.74:443
91.98.229.246:443

# Reference: https://intel.breakglass.tech/post/acrstealer-dissected-decrypted-kill-chain-stolen-asus-ev-certificate-and-9-live-c2-servers-operating-a-multi-family-stealer-network
# Reference: https://www.virustotal.com/gui/file/8b13261f9f7768f718d7457c5e0c82dca6d678d60594af05e00d9651f21db16a/detection
# Reference: https://www.virustotal.com/gui/file/a1e803d7ce2020eae931617b514f6acbf3733d99f757709957293b76d66cb723/detection
# Reference: https://www.virustotal.com/gui/file/c2475b4b179267d3dd7f9c54d9e9f39b21109baa2c5d7e5acdc5e49d11bb1e95/detection
# Reference: https://www.virustotal.com/gui/file/db38f261a5ffff12334d8e6ed9b4b23808e70518534800b140077b18ab867984/detection
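# Reference: https://www.virustotal.com/gui/file/26a0d7f8d051a6b502e59ef797bdf83623f4fd3d5d3a3f2dfb6f6c17df5acc80/detection
# Note: the breakglass report cited for this group and the next describes, per its title, C2 servers operating a multi-family stealer network; a hit on these addresses may therefore indicate a stealer family other than Amatera - confirm the family from host or payload evidence.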

46.149.72.226:443
46.149.72.66:443

# Reference: https://intel.breakglass.tech/post/acrstealer-dissected-decrypted-kill-chain-stolen-asus-ev-certificate-and-9-live-c2-servers-operating-a-multi-family-stealer-network
# Reference: https://www.virustotal.com/gui/file/437e7cc3d832717f6f96d65fccb3b9b1cdaf7e5a7d94e1bff1fb42e126300550/detection
# Reference: https://www.virustotal.com/gui/file/03db9caa1a8a271ab28e5b80a649a6074d0c5158d16e3a7d483250dedffbea29/detection
# Reference: https://www.virustotal.com/gui/file/b4907ff0ff305fb916213177bc8d6a777f2d72a05bcc7275fb11a4ef741bd703/detection

144.124.233.47:443
144.124.236.99:443
144.124.246.132:443
146.103.103.78:443
146.103.104.188:443
185.121.235.118:443
193.33.195.37:443
212.118.41.180:443
212.34.155.34:443
77.238.228.60:443
77.91.96.209:443
89.110.118.6:443

# Reference: https://www.virustotal.com/gui/file/7a6c08d6ab4df9eb4d67ad41ece5dd824f2d12a73ffece98546648e5d3433b84/detection

157.180.40.106:443
abaccentre.com
