MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 09d01a2b34a8c11fd9104b3bb4d91d01af3856ce3bd3f311b48b62225c406037. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XenoRAT

Vendor detections: 20

Intelligence 20 IOCs 1 YARA 11 File information Comments

SHA256 hash:	09d01a2b34a8c11fd9104b3bb4d91d01af3856ce3bd3f311b48b62225c406037
SHA3-384 hash:	d8a7d1dec85cde06e4bd5889992cd7b831eec063386d42044d2d3aad0074647adcda36592301b876320d87ee4d3ecd1d
SHA1 hash:	3ef5e301ff112105898846325965e3c8526275c3
MD5 hash:	0e212705ea4f7291fc042d6ebb6a628b
humanhash:	oxygen-six-angel-don
File name:	file
Download:	download sample
Signature	XenoRAT Create hunting rule
File size:	46'592 bytes
First seen:	2025-12-09 17:51:58 UTC
Last seen:	2025-12-09 17:55:24 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	768:kdhO/poiiUcjlJIn91H9Xqk5nWEZ5SbTDapuI7CPW5Q:+w+jjgnXH9XqcnW85SbTEuIo
TLSH	T12923094C57AC8923E6AF1ABD98324263C7B3E3669532E38F08CCD4E937973855905397
TrID	58.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 13.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 8.4% (.EXE) Win64 Executable (generic) (10522/11/4) 5.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-amadey exe fbf543 XenoRAT

Bitsight

url: http://178.16.55.189/files/6281589603/Xw7S79t.exe

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
178.16.53.139:6221	https://threatfox.abuse.ch/ioc/1673777/

Intelligence

File Origin

# of uploads :

# of downloads :

112

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

Xeno

Details

Xeno

a c2 socket address, AES-CBC network key, a mutex, and a version number

Link:

https://research.acce.ciphertechsolutions.com/results/9f7906cf-ae10-4ea3-bacc-1fad099ebb31/

Malware family:

n/a

ID:

File name:

09d01a2b34a8c11fd9104b3bb4d91d01af3856ce3bd3f311b48b62225c406037.bin.exe

Verdict:

Malicious activity

Analysis date:

2025-12-09 17:54:29 UTC

Tags:

xenorat rat

Link:

https://app.any.run/tasks/482d8276-5cee-4597-b417-27ff8b9033bc

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

XenoRAT

Link:

https://www.capesandbox.com/analysis/44023/

Detection(s):

Win.Malware.Msilzilla-10023780-0

Win.Packed.Msilzilla-10027509-0

Win.Malware.Jalapeno-10040809-0

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=693861d0bde6a3e5970f6e81

Tags:

dropper virus micro

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Connecting to a non-recommended domain

Connection attempt

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-vm base64 cmd fingerprint lolbin obfuscated reconnaissance schtasks xenorat

Link:

https://www.filescan.io/uploads/693861cecf690d27f3d9fb21/reports/29d738f4-9e37-473b-8271-1a8f77b6fb68/overview

Verdict:

Malicious

Labled as:

Jalapeno.Generic

Link:

https://www.hybrid-analysis.com/sample/09d01a2b34a8c11fd9104b3bb4d91d01af3856ce3bd3f311b48b62225c406037

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-12-09T03:14:00Z UTC

Last seen:

2025-12-09T04:15:00Z UTC

Hits:

~10

Detections:

Trojan-PSW.Azorult.TCP.C&C Trojan-Dropper.Agent.TCP.ServerRequest Trojan.MSIL.Xeno.sb HEUR:Trojan.MSIL.Xeno.gen HEUR:Backdoor.MSIL.XenoRAT.a HEUR:Backdoor.MSIL.Agent.gen

Link:

https://opentip.kaspersky.com/09d01a2b34a8c11fd9104b3bb4d91d01af3856ce3bd3f311b48b62225c406037/results?tab=lookup

Malware family:

MoonPeak

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e25cee83-1cd7-45a0-b9e1-2176a68e83f4

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/09d01a2b34a8c11fd9104b3bb4d91d01af3856ce3bd3f311b48b62225c406037

Verdict:

inconclusive

YARA:

11 match(es)

Tags:

.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.28 Win 32 Exe x86

Link:

https://app.malva.re/file/0e212705ea4f7291fc042d6ebb6a628b

Detection:

xenorat

Link:

https://mwdb.cert.pl/sample/09d01a2b34a8c11fd9104b3bb4d91d01af3856ce3bd3f311b48b62225c406037/

Verdict:

Malicious

Threat:

Family.XENORAT

Link:

https://tip.neiki.dev/file/09d01a2b34a8c11fd9104b3bb4d91d01af3856ce3bd3f311b48b62225c406037

Threat name:

ByteCode-MSIL.Backdoor.XenoRAT

Status:

Malicious

First seen:

2025-12-09 07:59:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

32 of 38 (84.21%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bhibukzuvdar7wiqjm53jwi5agxtqvwohpj7genurnrcexcama3q._file

Verdict:

malicious

Label(s):

moonpeak

Similar samples:

error

XenoRAT

Result

Malware family:

xenorat

Score:

10/10

Tags:

family:xenorat discovery rat trojan

Link:

https://tria.ge/reports/251209-wftrrs1qbl/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

System Location Discovery: System Language Discovery

Detect XenoRat Payload

XenorRat

Xenorat family

Malware Config

C2 Extraction:

178.16.53.139

Verdict:

Malicious

Tags:

Win.Malware.Msilzilla-10023780-0

YARA:

n/a

Link:

https://app.threat.zone/submission/702bdfee-0352-47ef-8c65-b68f6afc040f

Unpacked files

SH256 hash:

09d01a2b34a8c11fd9104b3bb4d91d01af3856ce3bd3f311b48b62225c406037

MD5 hash:

0e212705ea4f7291fc042d6ebb6a628b

SHA1 hash:

3ef5e301ff112105898846325965e3c8526275c3

Detections:

win_xenorat_w0

XenoRAT

Link:

https://www.unpac.me/results/7609f45a-5332-4251-a04f-f2358d391799/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/09d01a2b34a8c11fd9104b3bb4d91d01af3856ce3bd3f311b48b62225c406037

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_XenoRAT Create hunting rule
Author:	ditekshen
Description:	Detects Blacksuit

Rule name:	Multifamily_RAT_Detection Create hunting rule
Author:	Lucas Acha (http://www.lukeacha.com)
Description:	Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	Windows_Trojan_Xeno_f92ffb82 Create hunting rule
Author:	Elastic Security

Rule name:	win_xenorat_w0 Create hunting rule
Author:	jeFF0Falltrades
Description:	Detects win.xenorat.

Rule name:	xenorat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	xeno_rat Create hunting rule
Author:	Nikolaos 'n0t' Totosis
Description:	Xeno Rat Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XenoRAT

exe 09d01a2b34a8c11fd9104b3bb4d91d01af3856ce3bd3f311b48b62225c406037

(this sample)

Dropped by

Amadey

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3730045/

Cape

https://www.capesandbox.com/analysis/44023/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample