Skip to content
New Report: Get your copy of The 2024 State of the Internet Report! | Download Today
Blogs

Stumbling Upon XehookStealer C2 Instances

While recently re-evaluating C2 fingerprints I was checking the logic of Agniane Stealer which could be discovered with the following query.

 

services: (http.response.favicons.md5_hash=”ef05ae61e6cfce0f261635b68bacd524″ and http.response.body: “https://t.me/agniane”)

Historical Virtual Host – Running on Cloudflare

 

We haven’t seen any Agniane Stealer in some time so I decided to look at hosts with the string “https://t[.]me/agniane” in the HTTP body. I got 11 results but none of them were labeled as Agniane Stealer. 

However, only one was a raw host that wasn’t behind Cloudflare, 193.149.190[.]2.

Looking at the Markdown preview I am able to see there is a header “xehook.stealer” and the same Telegram channel /agniane. XehookStealer is a piece of known malware as a service infostealer that targets Windows systems. It also uses SmokeLoader binaries for distribution. It has overlapping code with Agniane Stealer, that I now confidently can confirm that it has the same author.

Using urlscan I am able to safely capture a screenshot of the login page.

Then I looked at the favicon to find it was a literal hook icon, I went to check the host table view to find the favicon MD5 hash 63e939086ab01ddefcef0cfd052b7368.

I could then pivot on the hash to see how common that favicon is. I was then presented with the same results as my first search. Those same 11 hosts all have the same favicon, strings in the HTTP body, and the same HTTP endpoint of /login. Those factors lead me to this final query.

 

services: ((http.response.favicons.md5_hash=”63e939086ab01ddefcef0cfd052b7368″ or http.response.body: “<span class=\”fs-1\”>xehook.stealer</span>”) and http.response.body: “https://t.me/agniane” and http.request.uri: “/login”)

 

About the Author

Aidan Holland
Security Researcher
Aidan is a Security Researcher on the Research team working to use our data to enrich the workflows of security professionals everywhere. Aidan specializes in open-source development and cybersecurity engineering.

Similar Content

Back to Resources Hub
Attack Surface Management Solutions
Learn more