
Stumbling Upon XehookStealer C2 Instances

  • 25 July 2024

While reevaluating the VIPER C2 fingerprint after reading this topic (shout out @fopwn), I started checking the logic of Agniane Stealer, which could be discovered with the following query.


services: (http.response.favicons.md5_hash="ef05ae61e6cfce0f261635b68bacd524" and http.response.body: "https://t.me/agniane")

[Screenshot: Historical Virtual Host - Running on Cloudflare]


We haven't seen any Agniane Stealer in some time, so I decided to look at hosts with the string "https://t[.]me/agniane" in the HTTP body. I got 11 results, but none of them were labeled as Agniane Stealer.


However, only one was a raw host that wasn't behind Cloudflare, 193.149.190[.]2.


Looking at the Markdown preview, I am able to see there is a header "xehook.stealer" and the same Telegram channel /agniane. XehookStealer is a known malware-as-a-service infostealer that targets Windows systems. It also uses SmokeLoader binaries for distribution. It has overlapping code with Agniane Stealer, and I can now confidently confirm that it has the same author.


Using urlscan, I am able to safely capture a screenshot of the login page.


Then I looked at the favicon and found it was a literal hook icon. I went to check the host table view to find the favicon MD5 hash 63e939086ab01ddefcef0cfd052b7368.


I could then pivot on the hash to see how common that favicon is. I was then presented with the same results as my first search. Those same 11 hosts all have the same favicon, the same strings in the HTTP body, and the same HTTP endpoint of /login. Those factors led me to this final query.


services: ((http.response.favicons.md5_hash="63e939086ab01ddefcef0cfd052b7368" or http.response.body: "<span class=\"fs-1\">xehook.stealer</span>") and http.response.body: "https://t.me/agniane" and http.request.uri: "/login")
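The two Censys queries in this post combine a favicon MD5 hash, fixed strings in the HTTP body, and the /login endpoint. The following Python is an added example, not code from the post or from Censys, that reproduces that predicate logic locally against a captured HTTP response, so a hunter can re-check a host (or a batch of scan results) without the search engine. It assumes that the favicon hash Censys exposes as http.response.favicons.md5_hash is the MD5 of the raw favicon bytes, and it uses plain substring matching as a stand-in for Censys's body search; the HTTP responses and favicon bytes below are constructed samples, so only the body-string branch of the XehookStealer query fires on them.

```python
import hashlib
from typing import Optional

# Fingerprint values quoted from the thread's Censys queries.
XEHOOK_FAVICON_MD5 = "63e939086ab01ddefcef0cfd052b7368"
AGNIANE_FAVICON_MD5 = "ef05ae61e6cfce0f261635b68bacd524"
TELEGRAM_STRING = "https://t.me/agniane"
XEHOOK_HEADER_STRING = '<span class="fs-1">xehook.stealer</span>'


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_line, headers dict, body text).
    Header names are lower-cased; the body is decoded leniently so stray bytes
    do not abort a batch run."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator found")
    lines = head.decode("iso-8859-1").split("\r\n")
    status_line, header_lines = lines[0], lines[1:]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_line, headers, body.decode("utf-8", errors="replace")


def favicon_md5(favicon_bytes: bytes) -> str:
    """MD5 of the raw favicon bytes (assumed to equal Censys's favicons.md5_hash)."""
    return hashlib.md5(favicon_bytes).hexdigest()


def classify(uri: str, body: str, favicon_bytes: Optional[bytes] = None) -> dict:
    """Evaluate the post's two search predicates against one observed service.
    Substring matching approximates Censys's body search. Each sub-predicate is
    returned alongside the verdicts so a hunt log records *why* a host matched."""
    fav_hash = favicon_md5(favicon_bytes) if favicon_bytes is not None else None
    has_telegram = TELEGRAM_STRING in body
    has_header = XEHOOK_HEADER_STRING in body
    result = {
        "favicon_md5": fav_hash,
        "telegram_string": has_telegram,
        "xehook_header": has_header,
        "login_uri": uri == "/login",
    }
    # First query: Agniane favicon AND Telegram string.
    result["agniane"] = fav_hash == AGNIANE_FAVICON_MD5 and has_telegram
    # Final query: (Xehook favicon OR xehook.stealer header) AND Telegram string AND /login.
    result["xehook"] = (
        (fav_hash == XEHOOK_FAVICON_MD5 or has_header)
        and has_telegram
        and result["login_uri"]
    )
    return result


# Constructed sample responses (not real captures) exercising both outcomes.
SAMPLE_XEHOOK_LOGIN = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n"
    b"<html><body>"
    b'<span class="fs-1">xehook.stealer</span>'
    b'<form action="/login" method="post"></form>'
    b'<a href="https://t.me/agniane">support</a>'
    b"</body></html>"
)

SAMPLE_UNRELATED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b'<html><body><a href="https://t.me/agniane">channel</a></body></html>'
)

# Constructed favicon bytes; their hash equals neither known value.
SAMPLE_FAVICON = b"\x00\x00\x01\x00constructed-favicon-bytes"


def hunt(uri: str, raw_response: bytes, favicon_bytes: Optional[bytes] = None) -> dict:
    """Parse one response and classify it; the entry point a scan loop would call."""
    _, _, body = parse_http_response(raw_response)
    return classify(uri, body, favicon_bytes)


if __name__ == "__main__":
    for label, uri, raw in (("login page", "/login", SAMPLE_XEHOOK_LOGIN),
                            ("unrelated", "/", SAMPLE_UNRELATED)):
        print(label, hunt(uri, raw, SAMPLE_FAVICON))
```

The returned dictionary keeps the individual sub-predicates, which is what makes the final query's OR useful in practice: a host whose operator swaps the favicon still trips the header-string branch, and the log shows which branch did the work.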

Not sure if it's related, but the author of this stealer is trying to sell it. https://x.com/russianpanda9xx/status/1818873740437921851


Interesting point 
