Agniane Stealer: Dark Web’s Crypto Threat

Keypoints

  • Agniane Stealer (C#) creates a random subfolder in %TEMP% to stage stolen data and extracts a hardcoded C2 URL from Base64 to exfiltrate logs.
  • The malware harvests stored credentials and cookies from Chromium/Gecko browsers, targets ~70+ crypto extensions and 10+ wallets, and collects Telegram, Discord, Steam, WinSCP, and FileZilla sessions.
  • It uses numerous anti-analysis methods: CheckRemoteDebuggerPresent, tick-count timing, memory checks for analysis tools, DLL handle tricks, WMI queries for VM detection, and hosting-provider geolocation checks to abort execution if suspicious.
  • Agniane dynamically downloads SQLite DLL dependencies from its C2, captures screenshots, enumerates installed apps and files (.txt, .doc, .rdp, .db), archives results, then uploads via HTTP POST to the C2 and deletes local traces.
  • The builder/panel (advertised on Telegram) allows operators to configure protections (disable on VMs/sandboxes, fake errors, Telegram notifications, domain filters) and to produce packed/obfuscated builds for distribution.

MITRE Techniques

  • [T1555.003] Credentials from Web Browsers – Steals stored browser credentials and cookies from Chromium/Gecko browsers and targets browser crypto extensions/wallets: ‘Supports stealing passwords and cookies from browsers based on Chromium and Gecko.’
  • [T1041] Exfiltration Over C2 Channel – Uploads archived stolen data to a remote C2 server via HTTP POST: ‘Agniane Stealer uploads all the exfiltrated data to: hxxps[:]//central-cee-doja.ru/TEST.php?…’
  • [T1071.001] Application Layer Protocol: Web Protocols – Uses HTTP/HTTPS POST requests for C2 communication and file transfer to the host: ‘POST Request Host Name ZIP file payload PK header indicates the transmission of an archive file.’
  • [T1497] Virtualization/Sandbox Evasion – Detects debuggers, sandboxes, emulators and analysis tools and exits if found: ‘The malware sample calls the CheckRemoteDebuggerPresent Windows API to check if it’s being run in a debugger.’
  • [T1027] Obfuscated Files or Information – Uses packers and ConfuserEx to obfuscate and harden builds, complicating analysis: ‘the latest version of the Agniane Stealer uses ConfuserEx Protector.’
  • [T1047] Windows Management Instrumentation – Uses WMI queries to detect VMs and to collect system details (OS, GPU, CPU): ‘Agniane Stealer utilizes the WMI queries to detect whether it is running inside a virtual environment.’
  • [T1113] Screen Capture – Captures screenshots of the user’s desktop for additional reconnaissance: ‘Saving screenshots from all monitors with detailed information about them.’
  • [T1105] Ingress Tool Transfer – Downloads SQLite dependency DLLs from the C2 to enable runtime capabilities: ‘Agniane Stealer downloads the SQLite dependency DLL.’
  • [T1070] Indicator Removal on Host – Removes local staging folder after successful exfiltration to delete traces: ‘After uploading the stolen data to a remote server, the Agniane Stealer removes its traces from the victim’s system by deleting the sub-folder.’
  • [T1083] File and Directory Discovery – Enumerates Desktop and Documents folders to collect files with specific extensions (.txt, .doc, .rdp, .db): ‘Agniane Stealer enumerates the user's Desktop and the Documents folder for the files with .txt, .doc, .mafile, .rdp, and .db extension.’
  • [T1082] System Information Discovery – Gathers OS version, bitness, external IP, installed applications, CPU/GPU and RAM using WMI and registry queries: ‘Agniane Stealer gets the external IP address… collects the victim's Windows version using SELECT * FROM win32_operatingsystem.’
  • [T1552.001] Unsecured Credentials: Credentials in Files – Extracts session/credential data from WinSCP registry entries and FileZilla recent servers XML: ‘pilfers WinSCP to collect Hostname, username, and password… reads FileZilla\recentservers.xml and searches for the tag.’
  • [T1518.001] Security Software Discovery – Queries installed antivirus products via WMI to decide execution flow: ‘Collects all installed antivirus software with the WMI query Select * from AntivirusProduct.’
  • [T1036] Masquerading – Uses legitimate DLL handles obtained via GetModuleHandle to obscure its presence: ‘Agniane Stealer tries to obtain the handle of several DLLs using the GetModuleHandle function.’

Indicators of Compromise

  • [MD5 Hash] Agniane Stealer samples – 522101881b87ccda4d78fac30e951d19, 0d20e90382f881116201ac7c9298aab6, and 5 more hashes
  • [Domain/Host & URL] Command-and-control server and upload endpoint – central-cee-doja.ru; example C2 upload: hxxps[:]//central-cee-doja.ru/TEST.php?ownerid=REPLACEUSER1D&buildid=spriteuser&…
  • [File names] Local artifacts and logs – execution log.txt, Important Detects.txt, Installed Apps.txt
  • [Files / Registry Paths] Credential storage locations – FileZilla\recentservers.xml (for FTP credentials), WinSCP sessions registry entry Software\Martin Prikryl\WinSCP 2\Sessions

Agniane Stealer is a compact C# information stealer that, on execution, generates a random 32‑character folder name in %TEMP% to stage data, decodes a hardcoded Base64 string to obtain its C2 URL, and downloads runtime dependencies (SQLite DLLs) from that C2. It collects extensive system and user data—OS and bitness via WMI/registry, external IP via web lookup, installed applications, CPU/GPU/RAM, screenshots (Bitmap), and enumerates Desktop/Documents for files with .txt/.doc/.rdp/.db extensions—storing results in files such as Installed Apps.txt and execution log.txt before archiving.

The stealer exfiltrates credentials and sessions: it parses browser stores (Chromium/Gecko) for passwords and cookies (including ~70+ crypto extensions and 10+ wallet clients), captures Telegram/Discord/Steam sessions, extracts WinSCP and FileZilla credentials from the registry and recentservers.xml, and can harvest clipboard contents and cryptocurrency data. For operational security it performs many anti‑analysis checks (CheckRemoteDebuggerPresent, tick‑count timing, memory scans for analysis tools, GetModuleHandle-based DLL handle checks, WMI queries for VM detection, and hosting-provider geolocation checks) and will abort if indicators suggest sandboxing or hosting infrastructure.

After collection, Agniane archives the stolen data and sends it to the C2 via HTTP POST (web protocol) and then removes its temporary subfolder to hide traces; recent builds are increasingly packed/obfuscated (ConfuserEx) to evade detection and are distributed via a builder/panel advertised on Telegram that allows operators to configure VM/sandbox protections, fake errors, and notification settings. Read more: https://www.zscaler.com/blogs/security-research/agniane-stealer-dark-web-s-crypto-threat
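As an added, defender-side example that is not part of the Zscaler write-up or the malware: a small Python scan over constructed proxy-log lines that flags requests matching the upload pattern described above (a POST to TEST.php carrying ownerid/buildid parameters, a body beginning with the ZIP PK header, or the known C2 host). The one-line log format `method URL first-body-bytes-hex` is an assumption made for the sample; adapt the parser to your proxy's export.

```python
"""Detection sketch for Agniane-style exfiltration in web-proxy logs.

Added example, not code from the Zscaler write-up or the malware. The log
format (method url body_prefix_hex) is constructed for this sample.
"""
from urllib.parse import urlsplit, parse_qs

KNOWN_C2_HOSTS = {"central-cee-doja.ru"}   # domain named in the report
REQUIRED_PARAMS = {"ownerid", "buildid"}   # query parameters of the upload URL
ZIP_MAGIC = b"PK\x03\x04"                  # local-file header of a ZIP archive


def score_request(method, url, body_prefix):
    """Return the list of heuristics an HTTP request matches."""
    reasons = []
    parts = urlsplit(url)
    if parts.hostname in KNOWN_C2_HOSTS:
        reasons.append("known C2 host")
    if method.upper() == "POST":
        if parts.path.lower().endswith("/test.php"):
            reasons.append("upload endpoint path")
        if REQUIRED_PARAMS <= set(parse_qs(parts.query)):
            reasons.append("ownerid/buildid parameters")
        if body_prefix.startswith(ZIP_MAGIC):
            reasons.append("ZIP (PK) payload in POST body")
    return reasons


def scan_log(lines):
    """Return (line_no, reasons) for lines matching at least two heuristics,
    so a lone ZIP upload to an unrelated host is not flagged on its own."""
    hits = []
    for n, line in enumerate(lines, 1):
        try:
            method, url, body_hex = line.split()
        except ValueError:
            continue  # malformed line, skip
        reasons = score_request(method, url, bytes.fromhex(body_hex))
        if len(reasons) >= 2:
            hits.append((n, reasons))
    return hits


# Constructed sample log: method, URL, first four body bytes as hex.
SAMPLE_LOG = [
    "GET https://example.org/index.html 00000000",
    "POST https://central-cee-doja.ru/TEST.php?ownerid=REPLACEUSER1D&buildid=spriteuser 504b0304",
    "POST https://updates.example.net/upload.php?session=abc 504b0304",
    "POST https://cdn.example.com/TEST.php?ownerid=1&buildid=2 7b226b65",
]

if __name__ == "__main__":
    for n, reasons in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(reasons)}")
```

The two-heuristic threshold keeps a plain ZIP upload to an unknown host out of the results while still catching a lookalike host that reuses the TEST.php endpoint and parameter names.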