Agniane Stealer: Information stealer targeting cryptocurrency users

Agniane Stealer is information-stealing malware that targets cryptocurrency wallets. The article gives a technical analysis of its delivery chain, obfuscation, C2 protocol and new reverse-engineering findings to support incident response and detection. #AgnianeStealer #ConfuserEx #PowerShell #CryptoWallets

Keypoints

  • The malware primarily targets cryptocurrency wallets and exfiltrates credentials, files, and wallet data from endpoints.
  • Delivery begins with a ZIP file downloaded from a compromised website, followed by a BAT file (passbook.bat) and passbook.bat.exe, a PowerShell host launched with -noprofile -windowstyle hidden -ep bypass -command that reads the BAT file's contents and runs them as its script.
  • The PowerShell stage is heavily obfuscated and runs several stages in memory, ending with the reflective load of a C# assembly whose control flow is obfuscated in the style of ConfuserEx.
  • C2 communication is activated by a simple domain check (a request to a /test endpoint); the server then returns a list of active C2 domains (/getjson), and a dynamic getext endpoint supplies the file extensions to collect.
  • IOCs include the domains trecube.com, trecube.store, trecube13.ru, imitato23.store and wood100home.ru and the three file hashes listed below.
  • The malware collects documents, credentials, browser storage and wallet data from the host, packs the loot into a ZIP archive and uploads it to a remote server for exfiltration.
  • Region-based allowlisting and anti-VM/anti-debug checks show deliberate evasion; the region check also hints at the operators' geopolitical context.

MITRE Techniques

  • [T1059.003] Windows Command Shell – The payload is executed via cmd.exe after passbook.bat.exe is dropped; ‘passbook.bat.exe -noprofile -windowstyle hidden -ep bypass -command $_CASH_esCqq = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\AppData\Local\Temp\15\Rar$DIa63532.21112\passbook.bat').Split([Environment]::NewLine);…’ (the reversed string indexed with [-1..-11] rebuilds the method name ReadAllText, so the BAT file's lines are read as the script)
  • [T1059.001] PowerShell – Used to execute the obfuscated payload and perform in-memory loading; ‘passbook.bat.exe -noprofile -windowstyle hidden -ep bypass -command …’
  • [T1027] Obfuscated Files and Information – The reflectively loaded binary is heavily obfuscated with control-flow manipulation in the style of ConfuserEx; ‘The binary file was highly obfuscated with control flow manipulations, like ConfuserEx.’
  • [T1620] Reflective Code Loading – The final payload is loaded reflectively into memory during execution; ‘reflectively load… _CASH_78 C# application’
  • [T1140] Deobfuscate/Decode Files or Information – The payload is XOR-decoded with a static key and GZip-decompressed before execution; ‘XOR’d the payload using a static key’ and ‘Decompressed XOR’d payload using GZIP’
  • [T1584.004] Compromise Infrastructure: Server – Compromised websites host and deliver the malware; ‘Use of compromised websites’
  • [T1204.002] User Execution: Malicious File – The ZIP file downloaded by the browser is opened by the victim, starting the infection chain; ‘ZIP file downloaded by the browser’
  • [T1119] Automated Collection – Scans the host and collects documents and other data; ‘collection of various information from the host’
  • [T1555] Credentials from Password Stores – Targets stored credentials and data in wallets and browsers; ‘Targeting of credentials’
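The launcher quoted above rebuilds the method name ReadAllText from a reversed string and a negative index range, and the later stage is XOR'd with a static key and GZip-compressed. The following Python script is an added example, not code from the write-up or from the malware: it resolves the 'literal'[a..b] -join '' construct the way PowerShell evaluates it, and unpacks a stage in whichever order the XOR and GZip were applied, since the write-up does not state the order. The command-line fragment, the key STATIC_KEY and the stage bytes are constructed for this example; the real sample's key and stage layout are not on this page.

```python
import gzip
import re

# Constructed fragment modelled on the launcher command line quoted above.
# The method name is spelled backwards and rebuilt with PowerShell's negative
# range indexing ('txeTllAdaeR'[-1..-11]) followed by -join ''.
SAMPLE_CMD = (
    "passbook.bat.exe -noprofile -windowstyle hidden -ep bypass -command "
    "$_CASH_esCqq = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')"
    "('C:\\Users\\user\\AppData\\Local\\Temp\\passbook.bat')"
    ".Split([Environment]::NewLine);"
)

# Matches 'literal'[a..b] -join ''  (or -join "")
RANGE_JOIN = re.compile(
    r"'([^']*)'\s*\[\s*(-?\d+)\s*\.\.\s*(-?\d+)\s*\]\s*-join\s*(?:''|\"\")"
)


def ps_slice(text, start, stop):
    """Emulate PowerShell's $string[a..b]: an inclusive range that may count
    down, negative indices counted from the end, and out-of-range indices
    producing $null, which -join '' silently drops."""
    step = 1 if start <= stop else -1
    chars = []
    for i in range(start, stop + step, step):
        j = i if i >= 0 else len(text) + i
        if 0 <= j < len(text):
            chars.append(text[j])
    return "".join(chars)


def resolve_range_joins(cmd):
    """Rewrite every 'literal'[a..b] -join '' in a command line as the plain
    string it evaluates to, so the called method names become readable."""
    return RANGE_JOIN.sub(
        lambda m: "'" + ps_slice(m.group(1), int(m.group(2)), int(m.group(3))) + "'",
        cmd,
    )


GZIP_MAGIC = b"\x1f\x8b"
STATIC_KEY = b"\x5a\xa5\x3c\xc3"  # constructed key; the sample's real key is not on the page


def xor_bytes(data, key):
    """Repeating-key XOR; applying it twice with the same key is the identity."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def unpack_stage(blob, key):
    """Recover a stage that was GZip-compressed and XOR'd with a static key.
    The write-up does not say which was applied first, so XOR first and look
    for the gzip header; if it is missing, try gunzip first instead."""
    decoded = xor_bytes(blob, key)
    if decoded.startswith(GZIP_MAGIC):
        return gzip.decompress(decoded)               # packer gzipped, then XOR'd
    if blob.startswith(GZIP_MAGIC):
        return xor_bytes(gzip.decompress(blob), key)  # packer XOR'd, then gzipped
    raise ValueError("no gzip stream found in either decode order")


def build_constructed_stage(payload, key, xor_first=False):
    """Build a test blob for this example in either order of operations."""
    if xor_first:
        return gzip.compress(xor_bytes(payload, key))
    return xor_bytes(gzip.compress(payload), key)


if __name__ == "__main__":
    print(resolve_range_joins(SAMPLE_CMD))
    stage = b"constructed stand-in for the reflectively loaded C# assembly"
    for order in (False, True):
        blob = build_constructed_stage(stage, STATIC_KEY, xor_first=order)
        assert unpack_stage(blob, STATIC_KEY) == stage
    print("both decode orders recovered the constructed stage")
```

Checking for the gzip header after each candidate decode is cheap and avoids guessing the order from the analyst's notes; a static key that XORs 0x1f 0x8b to itself (a key beginning with two zero bytes) would defeat the check, which is why both branches are kept.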

Indicators of Compromise

  • [File Hash] Delivery – 5640c02b6d125d4e14e19709296b29b8ea34fe416e18b3d227bd79310d54b8df
  • [File Hash] Delivery – e59b14121b64ca353b90c10ec915dbd64c09855bca9af285aa3aeac046538574
  • [File Hash] Delivery – b2a0c5d52b671e501ea91f8230bd266e1d459350a935ad0689833f522be66f87
  • [Domain] C2 – trecube[.]com
  • [Domain] C2 – trecube[.]store
  • [Domain] C2 – trecube13[.]ru
  • [Domain] C2 – imitato23[.]store
  • [Domain] C2 – wood100home[.]ru
  • [URL] C2 – domain-check and C2-list endpoints: hxxps://trecube[.]com/test, hxxps://trecube13[.]ru/getjson?id=67
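The C2 sequence described in the key points (domain check, C2-list fetch, getext lookup) and the defanged indicators above translate directly into a proxy-log check. The following Python script is an added example, not code from the write-up: it refangs the listed domains, matches request hosts as exact or subdomain matches rather than substrings, and labels each hit with the endpoint's role in the protocol. The log lines, their column layout and the /getext path are constructed assumptions; the page names the getext endpoint but does not give its URL.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Defanged IOCs exactly as listed above; refanged for matching at runtime.
C2_DOMAINS = [
    "trecube[.]com",
    "trecube[.]store",
    "trecube13[.]ru",
    "imitato23[.]store",
    "wood100home[.]ru",
]

# Endpoint roles from the write-up. /test and /getjson are quoted on the page;
# "/getext" is an assumed path for the getext endpoint, whose URL is not given.
ENDPOINT_ROLES = {
    "/test": "domain check",
    "/getjson": "C2 domain list",
    "/getext": "target file extensions (assumed path)",
}


def refang(ioc):
    """Turn the defanged form back into a matchable host name or URL."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


C2_HOSTS = [refang(d) for d in C2_DOMAINS]


def host_matches(host, domain):
    """Exact host or subdomain match; a plain substring test would also flag
    unrelated hosts such as trecube.example.net."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


# Assumed proxy log layout: timestamp, client, method, URL, status.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d{3})"
)


def scan_proxy_log(text):
    """Return one hit per request to a known C2 host, tagged with the endpoint role."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        host = parts.hostname or ""
        domain = next((d for d in C2_HOSTS if host_matches(host, d)), None)
        if domain is None:
            continue  # matching on the path alone would flag benign sites
        hits.append({
            "ts": m.group("ts"),
            "client": m.group("client"),
            "host": host,
            "ioc": domain,
            "path": parts.path,
            "query": {k: v[0] for k, v in parse_qs(parts.query).items()},
            "role": ENDPOINT_ROLES.get(parts.path, "other"),
        })
    return hits


# Constructed proxy log lines, not a real capture. The last two are decoys
# (a look-alike host and a benign host with a matching path) that must not match.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 GET https://trecube.com/test 200
2024-05-01T10:00:02Z 10.0.0.5 GET https://trecube13.ru/getjson?id=67 200
2024-05-01T10:00:03Z 10.0.0.5 GET https://cdn.trecube.store/getext 200
2024-05-01T10:00:04Z 10.0.0.6 GET https://trecube.example.net/test 200
2024-05-01T10:00:05Z 10.0.0.7 GET https://www.example.com/getjson?id=67 200
"""

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} -> {hit['host']}{hit['path']} [{hit['role']}]")
```

The role label is what makes the hits useful in triage: a /test request alone shows the domain check fired, while a following /getjson request means the host received the live C2 list and the stealer proceeded.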

Read more: https://blogs.cisco.com/security/agniane-stealer-information-stealer-targeting-cryptocurrency-users