Xehook Stealer: Evolution of Cinoshi’s Project Targeting Over 100 Cryptocurrencies and 2FA Extensions

Xehook Stealer is a .NET Windows stealer discovered in January 2024 that supports dynamic collection from Chromium-based browsers, targets 110+ cryptocurrency and 2FA extensions, and is commonly distributed via SmokeLoader. Analysis links Xehook to the Agniane and Cinoshi projects and shows techniques including obfuscation, process injection into RegAsm.exe, anti-analysis checks, C2 communication with trecube[.]com, and log exfiltration. #XehookStealer #Agniane

Keypoints

  • Xehook Stealer is a .NET-based Windows stealer supporting dynamic data collection from Chromium-based browsers and many wallet/2FA extensions.
  • The malware is sold/subscribed via a web panel and integrates Telegram for notifications and an API for custom bots.
  • Evidence links Xehook to earlier projects Agniane and Cinoshi (shared web-panel design, configuration similarities, and shared C2 servers).
  • Distribution has been observed via SmokeLoader; a SmokeLoader sample downloads ketamine.exe which installs the Xehook loader.
  • Technical flow: 32-bit obfuscated .NET loader (time-limited) decrypts and injects a 64-bit .NET stealer into RegAsm.exe using VirtualAlloc/WriteProcessMemory.
  • Stealer performs anti-analysis (language blacklist, sandbox/VM detection, process checks, tick timing), fetches JSON config from C2, enumerates files/extensions, writes logs to AppData\Local, POSTs logs to trecube-based endpoints, and deletes local logs.

MITRE Techniques

  • [T1204] User Execution – Brief: initial execution requires the user to run the delivered file; quote: ‘The user needs to manually execute the file.’
  • [T1027] Obfuscated Files or Information – Brief: loader and stealer are obfuscated/packed to hinder analysis; quote: ‘Binary may include packed or crypted data.’
  • [T1140] Deobfuscate/Decode Files or Information – Brief: malware decodes encrypted strings and payloads at runtime; quote: ‘Decode data using Base64 in .NET’
  • [T1055] Process Injection – Brief: loader injects the decrypted stealer into a legitimate process to evade detection; quote: ‘Loader injects stealer payload into RegAsm.exe.’
  • [T1497] Virtualization/Sandbox Evasion – Brief: stealer checks WMI and strings for virtualization artifacts and terminates if found; quote: ‘terminates itself if it finds strings like “VMware” or “VirtualBox,”’
  • [T1083] File and Directory Discovery – Brief: enumerates directories to locate browser profile data and files to exfiltrate; quote: ‘Stealer enumerate files for grabbing.’
  • [T1005] Data from Local System – Brief: harvests browser cookies, passwords, autofill, desktop wallets and other local files; quote: ‘Tries to harvest and steal browser information (cookies, passwords, etc)’
  • [T1539] Steal Web Session Cookie – Brief: specifically collects browser cookies and session artifacts for account takeover; quote: ‘gathers cookies’
  • [T1560] Archive Collected Data – Brief: collected data is packaged for exfiltration (ZIP noted in config); quote: ‘Stealer compress the stolen data with ZIP extension.’
  • [T1071] Application Layer Protocol – Brief: stealer communicates with C2 via HTTP(S) for configuration and exfiltration; quote: ‘Malware exe communicate to C&C server.’
  • [T1070] Indicator Removal on Host – Brief: uploaded log files are deleted after successful exfiltration to remove traces; quote: ‘Delete the stealer logs.’

Indicators of Compromise

  • [SHA256] Loader/Stealer samples – a3882ac90190c7ccbea744dde58f0a107b67e3eea0024b12d18e72faf9a55b1c (loader), daea71a3094e0c90554a77e95b0b354d1515f99e70fa5013f09302a5bb04dde0 (Xehook binary)
  • [SHA256] Distributor (SmokeLoader) – fa7f5300459c71d70f1f7b0d0c96aa245fad2a98d55d39a53455d2a7191d8cc9 (SmokeLoader used to drop loader)
  • [URL/Domain] C2 and supporting endpoints – hxxps://trecube[.]com/, hxxps://nc1337[.]online/ (C2 servers used for config and exfiltration)
  • [URL] Download host / payload – hxxps://45.15.156[.]174/index[.]php/…/ketamine[.]exe (malicious download URL used by SmokeLoader)
  • [File name] Legitimate process used for injection and payload name – RegAsm.exe (process injected), ketamine.exe (downloaded loader filename)

Xehook’s technical deployment begins with a 32-bit obfuscated .NET loader (often delivered by SmokeLoader). The loader enforces a time-based expiration check, reverses and resolves kernel32.dll function names, decrypts an embedded 64-bit .NET stealer via math/XOR stages, and launches a legitimate RegAsm.exe instance into which it injects the decrypted stealer using VirtualAlloc/VirtualProtect/WriteProcessMemory/CreateThread to evade detection.

Once injected, the stealer decrypts C2 URLs (observed: hxxps://trecube[.]com and hxxps://nc1337[.]online), probes availability via WebClient.DownloadString, and requests configuration (e.g., tricube[.]com/getjson[.]php?id=40). It performs multiple anti-analysis checks (language blacklist for several CIS-region locales, process-name checks for analysis tools, DateTime.Now.Ticks timing checks, and WMI queries to detect VMware/VirtualBox). It also queries ip-api[.]com/json to collect geolocation fields for the victim IP.

The stealer enumerates directories looking for Chromium profile markers (“User Data\Local State”), targets >110 extension IDs and numerous desktop wallet/2FA extensions, extracts cookies, passwords, autofill, messaging sessions, and arbitrary files defined by config fields (including “filext” and “domaindetect”), builds logs in-memory then writes them to AppData\Local, optionally compresses/stores data (ZIP), and exfiltrates via POST to trecube/gate.php with query parameters. After successful upload it deletes local logs and can display a configurable fake error message to the user.
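A detection pass over the behaviour chain summarised in the three paragraphs above (RegAsm.exe spawned by a non-build-tool parent and then making HTTP requests; the ip-api.com lookup followed by a getjson.php?id= config fetch and a POST to gate.php from the same process; a file written under AppData\Local and deleted right after that POST). This is an added example, not code from the Cyble report: the event schema and field names, the allow-list of legitimate RegAsm.exe parents, the file paths and the sample events are all assumptions constructed for the example.

```python
import ntpath
from urllib.parse import urlparse, parse_qs

# Parents that legitimately spawn RegAsm.exe (assumption: tune for your estate).
LEGIT_REGASM_PARENTS = {"devenv.exe", "msbuild.exe", "msiexec.exe"}
GEO_LOOKUP_HOST = "ip-api.com"   # report: stealer queries ip-api[.]com/json


def basename(path):
    """Case-insensitive file name of a Windows path."""
    return ntpath.basename(path).lower()


def classify_url(method, url):
    """Tag a request matching one of the endpoint shapes in the report, else None."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    path = u.path.lower()
    if host == GEO_LOOKUP_HOST and path.startswith("/json"):
        return "geo_lookup"                                  # victim geolocation
    if path.endswith("/getjson.php") and "id" in parse_qs(u.query):
        return "config_fetch"                                # getjson.php?id=<n>
    if method.upper() == "POST" and path.endswith("/gate.php"):
        return "exfil_post"                                  # log upload
    return None


def in_appdata_local(path):
    return "\\appdata\\local\\" in path.lower()


def detect(events):
    """Apply four checks to a list of event dicts; return alert dicts in time order."""
    alerts = []
    state = {}  # pid -> image, C2 tags seen, AppData\Local files written, last POST time
    for ev in sorted(events, key=lambda e: e["ts"]):
        pid = ev["pid"]
        st = state.setdefault(pid, {"image": "", "tags": set(), "written": {}, "post_ts": None})
        if ev.get("image"):
            st["image"] = ev["image"]
        kind = ev["type"]
        if kind == "process_create":
            # 1. RegAsm.exe started by something other than a build/installer tool
            if basename(ev["image"]) == "regasm.exe" and \
               basename(ev["parent_image"]) not in LEGIT_REGASM_PARENTS:
                alerts.append({"ts": ev["ts"], "rule": "regasm_unexpected_parent",
                               "pid": pid, "detail": ev["parent_image"]})
        elif kind == "http_request":
            # 2. RegAsm.exe has no reason to talk to the internet at all
            if basename(st["image"]) == "regasm.exe":
                alerts.append({"ts": ev["ts"], "rule": "regasm_network_activity",
                               "pid": pid, "detail": ev["url"]})
            tag = classify_url(ev["method"], ev["url"])
            if tag:
                st["tags"].add(tag)
                if tag == "exfil_post":
                    st["post_ts"] = ev["ts"]
                # 3. geo lookup + config fetch + gate.php POST from one process
                if st["tags"] >= {"geo_lookup", "config_fetch", "exfil_post"} \
                   and not st.get("seq_alerted"):
                    st["seq_alerted"] = True
                    alerts.append({"ts": ev["ts"], "rule": "stealer_c2_sequence",
                                   "pid": pid, "detail": ", ".join(sorted(st["tags"]))})
        elif kind == "file_create":
            if in_appdata_local(ev["path"]):
                st["written"][ev["path"].lower()] = ev["ts"]
        elif kind == "file_delete":
            p = ev["path"].lower()
            # 4. a file this process wrote under AppData\Local vanishes after its POST
            if p in st["written"] and st["post_ts"] is not None \
               and st["post_ts"] >= st["written"][p]:
                alerts.append({"ts": ev["ts"], "rule": "log_cleanup_after_exfil",
                               "pid": pid, "detail": ev["path"]})
    return alerts


# Constructed sample telemetry modelled on the reported chain (not real captures).
LOADER = r"C:\Users\alice\AppData\Local\Temp\ketamine.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
DEVENV = r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
LOG = r"C:\Users\alice\AppData\Local\a1b2c3.zip"
SAMPLE_EVENTS = [
    {"ts": 1, "type": "process_create", "pid": 5012, "image": LOADER,
     "parent_image": r"C:\Windows\explorer.exe"},
    {"ts": 2, "type": "process_create", "pid": 5100, "image": REGASM, "parent_image": LOADER},
    {"ts": 3, "type": "http_request", "pid": 5100, "method": "GET", "url": "http://ip-api.com/json"},
    {"ts": 4, "type": "http_request", "pid": 5100, "method": "GET",
     "url": "https://trecube.com/getjson.php?id=40"},
    {"ts": 5, "type": "file_create", "pid": 5100, "path": LOG},
    {"ts": 6, "type": "http_request", "pid": 5100, "method": "POST",
     "url": "https://trecube.com/gate.php?id=40"},
    {"ts": 7, "type": "file_delete", "pid": 5100, "path": LOG},
    # benign: RegAsm.exe run by Visual Studio, no network activity
    {"ts": 8, "type": "process_create", "pid": 6000, "image": REGASM, "parent_image": DEVENV},
    # benign: a browser POSTing to some gate.php is a single weak signal, no alert
    {"ts": 9, "type": "http_request", "pid": 7000, "image": CHROME, "method": "POST",
     "url": "https://example.org/gate.php"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

Checks 1 and 2 fire on their own because RegAsm.exe is a high-value living-off-the-land binary; checks 3 and 4 are kept per-process so that an unrelated browser hitting a gate.php path does not alert by itself. The sequence check deliberately requires all three endpoint shapes, so a host that only performs the ip-api.com lookup (common in many tools) produces no alert from it.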

Read more: https://cyble.com/blog/xehook-stealer-evolution-of-cinoshis-project-targeting-over-100-cryptocurrencies-and-2fa-extensions/