Christmas Tree and Wishes.exe – AgentTesla Stealer

February 1, 2024

SHA256: 57653821b3827abd3779dcfc3a2d03f480eccf8beab8bc541ecda5aa9dc1bdcc

Summary

Christmas Tree and Wishes.exe is a .NET-compiled AgentTesla spyware/stealer that collects OS information, credentials, and user data from a variety of applications. The .NET binary unpacks shellcode and injects it into the running process, which in turn executes the stealer and the exfiltration routine. After collecting the data it makes an HTTPS connection to api.ipify[.]org to obtain the victim's public IP address. The data is then exfiltrated via SMTP over port 587 from info@aranybarany[.]hu to the mail server mail.aranybarany[.]hu.

Analysis

Using dnSpy we can look at the main function, which calls Application.Run on a new frmLogin. The frmLogin constructor then calls InitializeComponent. Here we can see a long string of hex characters with several occurrences of '[]' within the string, each of which is replaced by '00'. The string is converted into a byte array, the resulting shellcode is reflectively loaded into memory, and an instance of the extracted code is activated.
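The unpacking step described above (replace every '[]' placeholder with '00', then decode the hex string) is easy to reproduce outside the sample so the embedded payload can be carved, sanity-checked and hashed for triage. The following is an added example and is not code from the original post or from the malware; it assumes the blob is a single string, that '[]' stands for a zero byte, and that the decoded bytes are a PE image. The sample blob is constructed for illustration and is not the real payload.

```python
"""Carve and triage a '[]'-obfuscated hex blob of the kind described in the
analysis. Added example, not from the original post. The SAMPLE_BLOB below is
constructed (a minimal MZ/PE stub), not the real AgentTesla payload."""
import hashlib
import re
import struct


def decode_blob(blob: str) -> bytes:
    """Replace each '[]' token with '00' and decode the hex string to bytes.

    Whitespace is stripped so a blob copied out of a wrapped decompiler view
    still decodes; anything that is not hex afterwards is an error rather than
    a silently truncated payload.
    """
    cleaned = re.sub(r"\s+", "", blob.replace("[]", "00"))
    if len(cleaned) % 2 or not re.fullmatch(r"[0-9a-fA-F]*", cleaned):
        raise ValueError("blob is not clean hex after placeholder substitution")
    return bytes.fromhex(cleaned)


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with 'MZ' and e_lfanew points at a 'PE\\0\\0' header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def carve(blob: str) -> dict:
    """Decode the blob and return size, PE check and SHA256 for triage notes."""
    data = decode_blob(blob)
    return {
        "size": len(data),
        "is_pe": looks_like_pe(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def write_payload(blob: str, path: str) -> int:
    """Write the decoded bytes to disk (for hashing / further analysis)."""
    data = decode_blob(blob)
    with open(path, "wb") as fh:
        fh.write(data)
    return len(data)


# Constructed stand-in (NOT the real payload): 'MZ', 58 zero bytes, e_lfanew at
# offset 0x3C pointing to 0x40, then the 'PE\0\0' signature. 68 bytes total.
SAMPLE_BLOB = "4d5a" + "[]" * 58 + "40" + "[]" * 3 + "5045" + "[]" * 2

if __name__ == "__main__":
    print(carve(SAMPLE_BLOB))
```

On a real sample, paste the string from InitializeComponent into `carve()`; a decoded buffer that fails `looks_like_pe()` usually means the placeholder token or the byte order was misread, not that the payload is raw shellcode.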

This shellcode gets injected into the memory of the running process with RWX privileges.

The executed shellcode then collects OS information, credentials, and user data from a variety of applications such as mail clients, databases, browsers, and VPN clients.

It sets registry values under Internet Settings and makes an HTTPS connection to api.ipify[.]org to obtain the victim's public IP address.

The data is then exfiltrated via SMTP over port 587 from info@aranybarany[.]hu to mail.aranybarany[.]hu.
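The network sequence above (a public-IP lookup at api.ipify.org followed shortly by outbound SMTP on 587 to a server that is not one of the organisation's own relays) is a useful correlation for detection, since workstations rarely have a reason to do either. The following is an added example, not part of the original report: it assumes connection records have already been normalised into the dict shape shown (timestamp, source host, destination name, destination port) and that APPROVED_RELAYS lists the organisation's legitimate mail relays. The sample records are constructed, not real telemetry.

```python
"""Correlate an ipify lookup with unapproved outbound SMTP from the same host.
Added example, not from the original report. RECORDS is constructed telemetry."""
from datetime import datetime, timedelta

APPROVED_RELAYS = {"smtp.corp.example"}   # assumption: the org's own mail relays
LOOKUP_HOSTS = {"api.ipify.org"}          # from the report's IOCs
SMTP_PORTS = {25, 465, 587}               # 587 is the port used by this sample
WINDOW = timedelta(minutes=10)

# Constructed sample records (not real logs). ws-042 shows the full sequence,
# ws-017 sends SMTP long after its lookup, ws-099 uses the approved relay.
RECORDS = [
    {"ts": "2024-02-01T09:00:00", "src": "ws-042", "dst": "api.ipify.org", "dport": 443},
    {"ts": "2024-02-01T09:00:04", "src": "ws-042", "dst": "mail.aranybarany.hu", "dport": 587},
    {"ts": "2024-02-01T09:05:00", "src": "ws-017", "dst": "api.ipify.org", "dport": 443},
    {"ts": "2024-02-01T09:30:00", "src": "ws-017", "dst": "mail.aranybarany.hu", "dport": 587},
    {"ts": "2024-02-01T09:10:00", "src": "ws-099", "dst": "smtp.corp.example", "dport": 587},
]


def _ts(rec: dict) -> datetime:
    return datetime.fromisoformat(rec["ts"])


def unapproved_smtp(records, approved=APPROVED_RELAYS):
    """Low-confidence rule: any SMTP-port connection to a non-approved server."""
    return [r for r in records
            if r["dport"] in SMTP_PORTS and r["dst"] not in approved]


def correlate(records, window=WINDOW, approved=APPROVED_RELAYS):
    """High-confidence rule: unapproved SMTP preceded, within `window`, by a
    connection to a public-IP lookup service from the same source host."""
    by_src = {}
    for r in sorted(records, key=_ts):
        by_src.setdefault(r["src"], []).append(r)

    alerts = []
    for src, recs in by_src.items():
        last_lookup = None
        for r in recs:
            if r["dst"] in LOOKUP_HOSTS:
                last_lookup = _ts(r)
            elif r["dport"] in SMTP_PORTS and r["dst"] not in approved:
                if last_lookup is not None and _ts(r) - last_lookup <= window:
                    alerts.append({"src": src, "smtp_dst": r["dst"], "ts": r["ts"]})
    return alerts


if __name__ == "__main__":
    for a in correlate(RECORDS):
        print("ALERT ipify-lookup -> unapproved SMTP:", a)
    for r in unapproved_smtp(RECORDS):
        print("REVIEW unapproved SMTP:", r["src"], "->", r["dst"], r["dport"])
```

The two tiers are deliberate: blocking or alerting on every port-587 connection from workstations is the simplest control, while the correlated rule gives a higher-confidence signal for triage when SMTP from endpoints cannot be blocked outright.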

IOCs

SHA256 File Hash:

57653821b3827abd3779dcfc3a2d03f480eccf8beab8bc541ecda5aa9dc1bdcc

Files:

cCqCvc.exe
Christmas Tree and Wishes.exe
f39e3a97-df98-49e3-a940-178abcc960d9.exe

Network:

Domains:
api.ipify[.]org
aranybarany[.]hu

Ports:
443
587

HTTPS:
https://api.ipify[.]org

SMTP:
mail.aranybarany[.]hu
info@aranybarany[.]hu

Strings

/log.tmp
CPU:
User Name:
RAM:
Time:
IP Address:
OSFullName:
Computer Name:
https://api.ipify.org
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
mail.aranybarany.hu
[email protected]
18Szalloda94
[email protected]
appdata
Mcndx
Mcndx.exe
{KEYLEFT}
{F7}
{F5}
{F2}
{F11}
{F6}
{F8}
{KEYUP}
{CAPSLOCK}
{ALT+F4}
{Insert}
{PageUp}
{F10}
{DEL}
{F9}
{F4}
{END}
{PageDown}
{BACK}
{CTRL}
{NumLock}
{F3}
{KEYDOWN}
{HOME}
control
{ENTER}
{ESC}
{TAB}
{KEYRIGHT}
{F1}
{F12}
{ALT+TAB}
{Win}
Copied Text:
IE/Edge
2F1A6504-0641-44CF-8BB5-3612D865F2E5
Windows Secure Note
3CCD5499-87A8-4B10-A215-608888DD3B55
Windows Web Password Credential
154E23D0-C644-4E6F-8CE6-5069272F999F
Windows Credential Picker Protector
4BF4C442-9B8A-41A0-B380-DD4A704DDB28
Web Credentials
77BC582B-F0A6-4E15-4E80-61736B6F3B29
Windows Credentials
E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
Windows Domain Certificate Credential
3E0E35BE-1B77-43E7-B873-AED901B6275B
Windows Domain Password Credential
3C886FF3-2669-4AA2-A8FB-3F6759A77548
Windows Extended Credential
00000000-0000-0000-0000-000000000000
UC Browser
UCBrowser\
Login Data
journal
wow_logins
Safari for Windows
\Common Files\Apple\Apple Application Support\plutil.exe
\Apple Computer\Preferences\keychain.plist
\fixed_keychain.xml"
\Microsoft\Credentials\
\Microsoft\Protect\
credential
QQ Browser
Profile
\Default\EncryptedStorage
\EncryptedStorage
Tencent\QQBrowser\User Data
entries
category
Password
password_value
IncrediMail
PopPassword
SmtpPassword
Software\IncrediMail\Identities\
\Accounts_New
SmtpServer
EmailAddress
Eudora
Software\Qualcomm\Eudora\CommandLine\
current
Settings
SavePasswordText
ReturnAddress
Falkon Browser
\falkon\profiles\
profiles.ini
\browsedata.db
autofill
ClawsMail
\clawsrc
\Claws-mail
passkey0
master_passphrase_salt=(.+)
master_passphrase_pbkdf2_rounds=(.+)
\accountrc
smtp_server
\passwordstorerc
{(.),(.)}(.) Flock Browser APPDATA \Flock\Browser\ signons3.txt DynDns ALLUSERSPROFILE Dyn\Updater\config.dyndns username= password= https://account.dyn.com/ t6KzXhCh Dyn\Updater\daemon.cfg accounts account. username password Psi/Psi+ \Psi\profiles \Psi+\profiles OpenVPN Software\OpenVPN-GUI\configs Software\OpenVPN-GUI\configs\ auth-data remote USERPROFILE \OpenVPN\config\ NordVPN NordVpn.exe user.config Private Internet Access privateinternetaccess.com %ProgramW6432% Private Internet Access\data ProgramFiles(x86) \Private Internet Access\data FileZilla \FileZilla\recentservers.xml CoreFTP SOFTWARE\FTPWare\COREFTP\Sites hdfzpysvpzimorhk WinSCP SOFTWARE\Martin Prikryl\WinSCP 2\Sessions HostName UserName PublicKeyFile PortNumber Flash FXP quick.dat \FlashFXP\ Sites.dat yA36zA48dEhfrvghGRg57h5UlDv3 FTP Navigator SystemDrive \FTP Navigator\Ftplist.txt Server No Password SmartFTP SmartFTP\Client 2.0\Favorites\Quick Connect WS_FTP Ipswitch\WS_FTP\Sites\ws_ftp.ini HOST PWD= FtpCommander ;Server= ;Port= ;User= ;Anonymous= ;Password= \Program Files (x86)\FTP Commander Deluxe\Ftplist.txt \Program Files (x86)\FTP Commander\Ftplist.txt \VirtualStore\Program Files (x86)\FTP Commander\Ftplist.txt \VirtualStore\Program Files (x86)\FTP Commander Deluxe\Ftplist.txt \cftp\Ftplist.txt FTPGetter \FTPGetter\servers.xml The Bat! \The Bat! \Account.CFN +-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz Becky! 
HKEY_CURRENT_USER\Software\RimArts\B2\Settings DataDir Folder.lst \Mailbox.ini Account PassWd SMTPServer MailAddress Outlook 9375CFF0413111d3B88A00104B2A6676 Software\Microsoft\Office\11.0\Outlook\Profiles Software\Microsoft\Office\12.0\Outlook\Profiles Software\Microsoft\Office\14.0\Outlook\Profiles Software\Microsoft\Office\15.0\Outlook\Profiles Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676 Software\Microsoft\Office\16.0\Outlook\Profiles Email IMAP Password POP3 Password HTTP Password SMTP Password Windows Mail App COMPlus_legacyCorruptedStateExceptionsPolicy Software\Microsoft\ActiveSync\Partners syncpassword mailoutgoing FoxMail HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview Executable HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1 FoxmailPath \Storage\ \mail \VirtualStore\Program Files\Foxmail\mail \VirtualStore\Program Files (x86)\Foxmail\mail \Accounts\Account.rec0 \Account.stg POP3Host SMTPHost IncomingServer POP3Password Opera Mail \Opera Mail\Opera Mail\wand.dat opera:
PocoMail
\Pocomail\accounts.ini
POPPass
SMTPPass
SMTP
eM Client
eM Client\accounts.dat
Accounts
"Username":"
"Secret":"
72905C47-F4FD-4CF7-A489-4E8121A155BD
"ProviderName":"
o6806642kbM7c5
Mailbird
SenderIdentities
\Mailbird\Store\Store.db
Server_Host
Username
EncryptedPassword
RealVNC 3.x
SOFTWARE\RealVNC\vncserver
RealVNC 4.x
SOFTWARE\RealVNC\WinVNC4
Software\ORL\WinVNC3
SOFTWARE\Wow6432Node\RealVNC\WinVNC4
TightVNC
Software\TightVNC\Server
PasswordViewOnly
TigerVNC
Software\TigerVNC\Server
TightVNC ControlPassword
ControlPassword
UltraVNC
\uvnc bvba\UltraVNC\ultravnc.ini
passwd
passwd2
ProgramFiles
\UltraVNC\ultravnc.ini
JDownloader 2.0
JDownloader 2.0\cfg
org.jdownloader.settings.AccountSettings.accounts.ejs
jd.controlling.authentication.AuthenticationControllerSettings.list.ejs
Paltalk
Software\A.V.M.\Paltalk NG\common_settings\core\users\creds\
nickname
paltalk.com
Pidgin
Trillian
\Trillian\users\global\accounts.dat
trillian.im
MysqlWorkbench
\MySQL\Workbench\workbench_user_data.dat
Internet Downloader Manager
Software\DownloadManager\Passwords\
EncPassword
Discord
discord.com
Discord Token
*.ldb
*.log
discordcanary
discordptb
Local Storage\leveldb
origin_url
username_value
Opera Stable
\Local State
\Login Data
\Default\Login Data
key4.db
metaData
nssPrivate
a102
2a864886f70d0209
2a864886f70d010c050103
key3.db
global-salt
Version
password-check
oauth
signons.sqlite
moz_logins
hostname
encryptedUsername
encryptedPassword
Application:
Host:
Username:
Password:
Postbox
\Postbox\
K-Meleon
\K-Meleon\
Chromium
Chromium\User Data
Liebao Browser
liebao\User Data
Orbitum
Orbitum\User Data
Torch Browser
Torch\User Data
WaterFox
\Waterfox\
Chrome
Google\Chrome\User Data
Chedot
Chedot\User Data
SeaMonkey
\Mozilla\SeaMonkey\
CyberFox
\8pecxstudios\Cyberfox\
Elements Browser
Elements Browser\User Data
Yandex Browser
Yandex\YandexBrowser\User Data
Vivaldi
Vivaldi\User Data
QIP Surf
QIP Surf\User Data
Thunderbird
\Thunderbird\
Sleipnir 6
Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer
Firefox
\Mozilla\Firefox\
Coccoc
CocCoc\Browser\User Data
Epic Privacy
Epic Privacy Browser\User Data
Flock
Coowon
Coowon\Coowon\User Data
Comodo Dragon
Comodo\Dragon\User Data
Amigo
Amigo\User Data
7Star
7Star\7Star\User Data
BlackHawk
\NETGATE Technologies\BlackHawk\
CentBrowser
CentBrowser\User Data
Opera Browser
Opera Software\Opera Stable
Sputnik
Sputnik\Sputnik\User Data
Iridium Browser
Iridium\User Data
Citrio
CatalinaGroup\Citrio\User Data
Kometa
Kometa\User Data
Uran
uCozMedia\Uran\User Data
IceCat
\Mozilla\icecat\
Edge Chromium
Microsoft\Edge\User Data
Cool Novo
MapleStudio\ChromePlus\User Data
IceDragon
\Comodo\IceDragon\
Brave
BraveSoftware\Brave-Browser\User Data
360 Browser
360Chrome\Chrome\User Data
PaleMoon
\Moonchild Productions\Pale Moon\
Berkelet DB
SQLite format 3
Windows Credential
chrome
Microsoft Primitive Provider
:Zone.Identifier
SELECT * FROM Win32_Processor
win32_processor
processorID
960a7e96-95ff-42af-8b4f-a8dc4824418d
Win32_NetworkAdapterConfiguration
IPEnabled
MacAddress
05cad825-0ca3-466e-b82f-cbdf413906bd
Win32_BaseBoard
SerialNumber
a2f5ceb8-289e-48f9-a76b-40515d53cd49
\Device\LanmanRedirector\
f39e3a97-df98-49e3-a940-178abcc960d9.exe