Xehook Stealer Technical Analysis

This blog post comes from the Xehook Stealer Technical Analysis report. If you want to download it as a PDF, click here.

Executive Summary

The digital realm has witnessed the emergence of a new and formidable player in the landscape of cyber threats: the Xehook Stealer malware. Recently developed and offered for sale on the “xss.is” cybercrime forum, a notorious platform for cybercriminal activity, Xehook Stealer has quickly gained attention for its potential to inflict significant harm on individuals and organizations.

Xehook Stealer is malware designed to exfiltrate sensitive information from compromised systems. It is engineered to stealthily infiltrate computer systems, harvest a wide array of personal and financial data, and transmit the stolen information to the threat actors controlling the operation.

This report aims to provide a comprehensive technical analysis of the Xehook Stealer malware, dissecting its components, functionality, and methodologies for perpetrating data theft. By unraveling the technical intricacies of this malware, the report seeks to offer valuable insights into its operational mechanics, threat capabilities, and broader implications for cybersecurity. The analysis will examine the malware’s codebase, execution flow, communication mechanisms, and data exfiltration techniques.


Filetype: Win32 EXE
Written Language: .NET
First Seen / Detection Date: 2024-02-24
Initial Infection Vector: Unknown
Table 1

Filetype: Win32 EXE
Written Language: .NET
First Seen / Detection Date: 2024-02-24
Initial Infection Vector: Loader Malware
Table 2

MITRE ATT&CK Threat Matrix

  • TA0001 Initial Access
    • T1566 Phishing
  • TA0002 Execution
    • T1204 User Execution
  • TA0005 Defense Evasion
    • T1055 Process Injection
    • T1070 Indicator Removal
    • T1497 Virtualization/Sandbox Evasion
    • T1027 Obfuscated Files or Information
  • TA0006 Credential Access
    • T1555 Credentials from Password Stores
  • TA0007 Discovery
    • T1497 Virtualization/Sandbox Evasion
    • T1614 System Location Discovery
  • TA0009 Collection
    • T1560 Archive Collected Data
  • TA0011 Command And Control
    • T1071 Application Layer Protocol

Mitigation Strategies

Xehook creates a ZIP archive in the AppData directory whose file name is a randomly generated 32-character string, all in uppercase letters, with no extension. This file contains the stolen information. You can check for such files in that directory on your systems.
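One way to run that check, as an added example that is not code from the original report: the script below walks a directory tree and lists files whose name is exactly 32 uppercase letters with no extension and whose content starts with a ZIP signature. It assumes the name contains only A-Z and, because the report does not name a subfolder, searches the whole per-user AppData tree; the function names are illustrative.

```python
import os
import re
import sys
from pathlib import Path

# Name pattern from the report: 32 characters, uppercase letters, no extension.
# Assumption: letters A-Z only; widen to [A-Z0-9] if digits are observed.
NAME_RE = re.compile(r"[A-Z]{32}")
# ZIP signatures: local file header, or end-of-central-directory (empty archive).
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06")


def is_zip(path):
    """True if the file starts with a ZIP signature; unreadable files count as no."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) in ZIP_MAGICS
    except OSError:
        return False


def find_candidates(root):
    """Return sorted paths under root that match the staging-archive description."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            # fullmatch rejects names with an extension, lowercase or other lengths.
            if NAME_RE.fullmatch(name):
                full = Path(dirpath) / name
                if is_zip(full):
                    hits.append(full)
    return sorted(hits)


def default_appdata_root():
    """Assumption: search the per-user AppData tree (parent of %APPDATA%)."""
    roaming = os.environ.get("APPDATA")
    return Path(roaming).parent if roaming else Path.home() / "AppData"


if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else default_appdata_root()
    for hit in find_candidates(root):
        st = hit.stat()
        print(f"{hit}\t{st.st_size} bytes\tmtime={st.st_mtime:.0f}")
```

A hit is a lead for triage rather than proof of infection; the file's creation time and the process that wrote it are the next things to check.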

Avoid downloading files or clicking on links from unknown or suspicious sources. Be cautious of phishing emails or websites that attempt to trick you into disclosing personal information or downloading malware.

Where possible, enable MFA for your online accounts to add an extra layer of security in case login credentials are compromised.

Xehook uses the domain ip-api.com to check for an internet connection and to obtain geolocation information, and trecube[.]com for C2 communication. You can monitor web requests made to these two domains.


The Xehook Stealer represents an advanced threat in the cybercrime landscape, having evolved from the Cinoshi project to target a wide array of cryptocurrencies and 2FA extensions. Its sophisticated capabilities include dynamic data collection from various browsers, custom traffic bot creation, and dead Google cookie recovery. The malware demonstrates a clear evolutionary link with previous stealers like Agniane, sharing code and infrastructure.
