{
	"id": "96d8dfaa-5c77-4406-9697-66415637860a",
	"created_at": "2026-04-06T00:22:30.328316Z",
	"updated_at": "2026-04-10T03:36:48.500424Z",
	"deleted_at": null,
	"sha1_hash": "a18c9754cd836c74b2d23f6c91475f372cb6f00e",
	"title": "Agniane Stealer | ThreatLabz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 532864,
	"plain_text": "Agniane Stealer | ThreatLabz\r\nBy Mallikarjun Piddannavar\r\nPublished: 2023-08-22 · Archived: 2026-04-05 16:29:25 UTC\r\nStealer Capabilities\r\nAgniane Stealer possesses several form-grabbing capabilities. Let’s dive into those.\r\nSidesteps dependencies\r\nUpon execution, Agniane Stealer, with a compact sample size, operates on both 32-bit and 64-bit systems without relying on any pre-existing dependencies.\r\nIntriguingly, it dynamically retrieves a set of 5 DLLs from its C\u0026C servers, leveraging legitimate third-party DLLs to enhance its functionality. It employs the following:\r\nSQLite.dll\r\nSQLite.EF6.dll\r\nSQLite.Linq.dll\r\nSQLite.Interop.dll (x86 \u0026 x64)\r\nSteals from the following areas:\r\nAREAS DETAILS\r\nTelegram and Steam Sessions: Steals user tokens for logged-in Discord and Steam sessions, and OpenVPN profiles, and sends the data to the threat actors. Tries to locate Telegram software under the “\\\\AppData\\\\Roaming\\\\Telegram” directory. If found, Agniane Stealer steals the Telegram sessions and archives them. Tries to locate the Telegram process. If found, the malware kills the process and grabs all the Telegram files except emojis and user_data. Then, Agniane Stealer archives all remaining directories.\r\nBrowser cookies: Agniane Stealer targets login data, history, and web data from the following browsers: OperaGX, Chrome, Opera, FireFox, Vivaldi, Brave, Edge, Yandex, Chromium.\r\nDomains: Agniane Stealer tries to harvest login credentials and cookies from the following domains: VK.com, facebook.com, instagram.com, mail.ru. If any passwords are found for the domains listed above, Agniane Stealer places them into the Important Detects.txt file and archives them.\r\nSSH File Transfer Protocol: Agniane Stealer pilfers WinSCP to collect the hostname, username, and password from all sessions by traversing the Software\\\\Martin Prikryl\\\\WinSCP 2\\\\Sessions registry entry.\r\nFilezilla FTP Software: Agniane Stealer reads FileZilla\\\\recentservers.xml and searches for the tag. If available, Agniane Stealer grabs the hostname, username, and password. If the XML path is not found, Agniane Stealer logs that it was unable to find the FileZilla session.\r\nhttps://www.zscaler.com/blogs/security-research/agniane-stealer-dark-webs-crypto-threat\r\nPage 1 of 4\n\nComputer System: Agniane Stealer gets the external IP address of the victim's machine using https://ipwho.is/?output=xml. In addition, Agniane Stealer collects the victim's Windows version using SELECT * FROM win32_operatingsystem. Then, it obtains the bit version of the machine from the Windows Registry and checks the value. If the value matches, the machine is x86; if it does not, that indicates an x64 machine.\r\nUses WMI to collect\r\nInstalled Antiviruses: Collects all installed antivirus software with the WMI query Select * from AntivirusProduct.\r\nGPUName: Using the WMI query SELECT * FROM Win32_VideoController and the GetEnumerator() method, compares the result with \"VMware SVGA 3D\".\r\nCPU name: Using the WMI query SELECT * FROM Win32_Processor, tries to access the CPU name of the victim's machine.\r\nCaptures a screenshot\r\nAgniane Stealer captures a screenshot of the victim’s desktop using Bitmap.\r\nChecks RAM\r\nBy querying WMI with Select * From Win32_ComputerSystem, Agniane Stealer calculates the RAM allocated to the victim's machine.\r\nExfiltrates data\r\nAgniane Stealer enumerates the user's Desktop and Documents folders for files with the .txt, .doc, .mafile, .rdp, and .db extensions. The discovered files are then copied to the previously created subfolder under the %TEMP% location.\r\nFinds installed applications\r\nAgniane Stealer collects all applications installed on the victim’s machine by querying the registry key SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall. Then, it stores that information in the Installed Apps.txt file, as you can see in the image below.\r\nFigure 9: Example information collected by Agniane Stealer\r\nAgniane Stealer keeps a record of its actions in a file named execution log.txt, which documents all the operations executed and associated information.\r\nExfiltrates crypto data\r\nIn addition to form-grabbing, Agniane Stealer also uses clipper functionality to exfiltrate cryptocurrency data.\r\nAgniane Stealer is a prolific cryptocurrency data exfiltrator with extensive support for 70+ crypto extensions and 10+ crypto wallets. See the Crypto Extension \u0026 Wallet table at the bottom of this blog for a complete list.\r\nHow it works\r\nAgniane Stealer uploads all the exfiltrated data to:\r\nhxxps[:]//central-cee-doja.ru/TEST.php?ownerid=REPLACEUSER1D\u0026buildid=spriteuser\u0026countp=2\u0026countc=29\u0026username=saturn\u0026country=IN\u0026ipaddr=XX.XX.XX.XX\u0026BSSID=XXXXXX\r\nAfter uploading the stolen data to a remote server, Agniane Stealer removes its traces from the victim’s system by deleting the sub-folder.\r\nWe observed that the latest version of Agniane Stealer uses ConfuserEx Protector. The recent variant also employs more obfuscation techniques than the earlier version, which makes it harder for security modules to detect.\r\nIn the images below, Figure 10 is from the earlier version of Agniane Stealer, where the code is human-readable, and Figure 11 is from the latest version, where the same code is obfuscated with ConfuserEx Protector. Figure 12 shows the de-obfuscated code.\r\nHuman-readable code\r\nFigure 10: Human-readable Agniane Stealer sample code\r\nObfuscated code\r\nFigure 11: Obfuscated Agniane Stealer code sample\r\nDeobfuscated code\r\nFigure 12: Deobfuscated Agniane Stealer code sample\r\nSource: https://www.zscaler.com/blogs/security-research/agniane-stealer-dark-webs-crypto-threat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/agniane-stealer-dark-webs-crypto-threat"
	],
	"report_names": [
		"agniane-stealer-dark-webs-crypto-threat"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434950,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a18c9754cd836c74b2d23f6c91475f372cb6f00e.pdf",
		"text": "https://archive.orkl.eu/a18c9754cd836c74b2d23f6c91475f372cb6f00e.txt",
		"img": "https://archive.orkl.eu/a18c9754cd836c74b2d23f6c91475f372cb6f00e.jpg"
	}
}