MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 87490ef7978df4e4353a14a3ae08662886f611266418dc2e74d560f351d17d1a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XenoRAT


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 23 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 87490ef7978df4e4353a14a3ae08662886f611266418dc2e74d560f351d17d1a
SHA3-384 hash: a85047604d20c69c600c1d2fd79b95bfbbfff0c33b76b28bb70900e88ec9af1da3ec2a261fa0a7297ec478613717fd6b
SHA1 hash: a0f37945587729efee290316dc70f008d1340283
MD5 hash: 26e1bfd81ff9dc775626688c3cd7ae38
humanhash: eleven-friend-sixteen-stream
File name:87490ef7978df4e4353a14a3ae08662886f611266418d.exe
Download: download sample
Signature XenoRAT
Create hunting rule
File size:2'441'048 bytes
First seen:2025-07-26 17:40:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'456 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 49152:Ua29eJAc3Pfz/oMqhAnxJj2L/MBIF6wUyrwdn9h0W4:Z29OAuzAMSAnxJjjI6vd9A
TLSH T1EBB53345D0C28631D6556AB80F1181C18E76FE132CA7C4AB30DED9FA2BEB152F0ED7A5
TrID 76.2% (.EXE) Inno Setup installer (107240/4/30)
10.0% (.EXE) Win32 Executable Delphi generic (14182/79/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
dhash icon 74e4d4d4ecf4d4d4 (23 x GuLoader, 20 x LummaStealer, 19 x AgentTesla)
Reporter abuse_ch
Tags:exe XenoRAT


Avatar
abuse_ch
XenoRAT C2:
185.100.157.116:7930

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.100.157.116:7930 https://threatfox.abuse.ch/ioc/1560932/

Intelligence

File Origin
# of uploads :
1
# of downloads :
30
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
_7e348ac70407e6051594dfc5cd130adb5cc8fa9a2ae9ad81877f0747bf7c2b03.exe
Verdict:
Malicious activity
Analysis date:
2025-07-26 17:16:38 UTC
Tags:
amadey botnet stealer loader auto-reg rdp lumma themida miner xmrig ms-smartcard auto generic github stealc pastebin deerstealer telegram golang websocket inno installer delphi auto-startup gcleaner autoit evasion
Link:
https://app.any.run/tasks/6be2c188-e5a2-4e88-9d35-71fdc9899429

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/17039/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6885133c0b4775fb2131a0c4
Tags:
vmdetect nemty
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Restart of the analyzed sample
Creating a process with a hidden window
Searching for synchronization primitives
Creating a file
Moving a recently created file
Launching a process
Loading a suspicious library
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Creating a file in the %AppData% directory
Running batch commands
Connection attempt to an infection source
Sending a TCP request to an infection source
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
borland_delphi fingerprint installer invalid-signature obfuscated overlay packed packer_detected signed
Link:
https://www.filescan.io/uploads/68851326c79df08ef095fe0f/reports/a2fefda4-8670-422f-875b-110d29860339/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/87490ef7978df4e4353a14a3ae08662886f611266418dc2e74d560f351d17d1a
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/2594481a-15d9-4040-96e6-759c19a86f6e
Result
Threat name:
GO Injector, XenoRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1744729
Signature
.NET source code contains potential unpacker
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Potentially Suspicious Child Process Of Regsvr32
Sigma detected: Powershell launch regsvr32
Suricata IDS alerts for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Yara detected GO Injector
Yara detected XenoRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1744729 Sample: 87490ef7978df4e4353a14a3ae0... Startdate: 26/07/2025 Architecture: WINDOWS Score: 100 74 x1.i.lencr.org 2->74 76 e8652.dscx.akamaiedge.net 2->76 78 crl.root-x1.letsencrypt.org.edgekey.net 2->78 90 Suricata IDS alerts for network traffic 2->90 92 Multi AV Scanner detection for dropped file 2->92 94 Multi AV Scanner detection for submitted file 2->94 96 6 other signatures 2->96 15 87490ef7978df4e4353a14a3ae08662886f611266418d.exe 2 2->15         started        18 regsvr32.exe 2->18         started        signatures3 process4 file5 72 87490ef7978df4e435...2886f611266418d.tmp, PE32 15->72 dropped 20 87490ef7978df4e4353a14a3ae08662886f611266418d.tmp 6 15->20         started        process6 file7 56 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 20->56 dropped 58 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 20->58 dropped 60 C:\Users\user\AppData\Local\...\_RegDLL.tmp, PE32 20->60 dropped 23 87490ef7978df4e4353a14a3ae08662886f611266418d.exe 2 20->23         started        process8 file9 62 87490ef7978df4e435...2886f611266418d.tmp, PE32 23->62 dropped 26 87490ef7978df4e4353a14a3ae08662886f611266418d.tmp 6 23->26         started        process10 file11 64 C:\Users\user\AppData\Local\is-0UCES.tmp, PE32+ 26->64 dropped 66 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 26->66 dropped 68 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 26->68 dropped 70 2 other malicious files 26->70 dropped 29 regsvr32.exe 26->29         started        process12 process13 31 regsvr32.exe 4 29->31         started        dnsIp14 84 185.100.157.116, 49720, 49721, 49722 M247GB Poland 31->84 86 System process connects to network (likely due to code injection or exploit) 31->86 88 Suspicious powershell command line found 31->88 35 powershell.exe 37 31->35         started        38 powershell.exe 31->38         started        40 cmd.exe 31->40         started        signatures15 process16 signatures17 98 Loading BitLocker PowerShell Module 35->98 42 conhost.exe 35->42         started        44 conhost.exe 38->44         started        46 Acrobat.exe 40->46         started        48 conhost.exe 40->48         started        process18 process19 50 AcroCEF.exe 46->50         started        dnsIp20 80 e8652.dscx.akamaiedge.net 104.76.101.49, 49716, 80 AKAMAI-ASUS United States 50->80 53 AcroCEF.exe 50->53         started        process21 dnsIp22 82 23.200.196.138, 443, 49717, 49718 NOS_COMUNICACOESPT United States 53->82
Score:
30%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/87490ef7978df4e4353a14a3ae08662886f611266418dc2e74d560f351d17d1a
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) Win 32 Exe x86
Link:
https://app.malva.re/file/26e1bfd81ff9dc775626688c3cd7ae38
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/87490ef7978df4e4353a14a3ae08662886f611266418dc2e74d560f351d17d1a/
Verdict:
Malicious
Threat:
Win64.Infostealer.Heuristic
Link:
https://tip.neiki.dev/file/87490ef7978df4e4353a14a3ae08662886f611266418dc2e74d560f351d17d1a
Threat name:
Win32.Trojan.Malgent
Create hunting rule
Status:
Malicious
First seen:
2025-07-26 13:25:26 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
15 of 23 (65.22%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=q5eq554xrx2oinj2csr24cdgfcdpmejgmqmnyltu2vqpguorpuna._file
Result
Malware family:
xenorat
Create hunting rule
Score:
  10/10
Tags:
family:xenorat adware discovery execution rat spyware trojan
Link:
https://tria.ge/reports/250726-v887gs1zfz/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Detect XenoRat Payload
XenorRat
Xenorat family
Malware Config
C2 Extraction:
185.100.157.116
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/af78ed3d-f8b1-4a9c-9684-cd0a63489586
Unpacked files
SH256 hash:
87490ef7978df4e4353a14a3ae08662886f611266418dc2e74d560f351d17d1a
MD5 hash:
26e1bfd81ff9dc775626688c3cd7ae38
SHA1 hash:
a0f37945587729efee290316dc70f008d1340283
Link:
https://www.unpac.me/results/9db0815b-6aed-44fe-b0df-a3eceda32327/
SH256 hash:
58c620e60585c0562b2873cd4a160f9c323b6bd56212de1e52e62baf7a1af9fa
MD5 hash:
11301c08b6901764cedcc05d882a1858
SHA1 hash:
efab5aed31ee21a1e491142922bdfdfe32321ee2
Link:
https://www.unpac.me/results/9db0815b-6aed-44fe-b0df-a3eceda32327/
SH256 hash:
a4c86fc4836ac728d7bd96e7915090fd59521a9e74f1d06ef8e5a47c8695fd81
MD5 hash:
4ff75f505fddcc6a9ae62216446205d9
SHA1 hash:
efe32d504ce72f32e92dcf01aa2752b04d81a342
Link:
https://www.unpac.me/results/9db0815b-6aed-44fe-b0df-a3eceda32327/
SH256 hash:
4dc09bac0613590f1fac8771d18af5be25a1e1cb8fdbf4031aa364f3057e74a2
MD5 hash:
0ee914c6f0bb93996c75941e1ad629c6
SHA1 hash:
12e2cb05506ee3e82046c41510f39a258a5e5549
Link:
https://www.unpac.me/results/9db0815b-6aed-44fe-b0df-a3eceda32327/
SH256 hash:
44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash:
9c8886759e736d3f27674e0fff63d40a
SHA1 hash:
ceff6a7b106c3262d9e8496d2ab319821b100541
Link:
https://www.unpac.me/results/9db0815b-6aed-44fe-b0df-a3eceda32327/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/87490ef7978df4e4353a14a3ae08662886f611266418dc2e74d560f351d17d1a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MALWARE_Win_XenoRAT
Create hunting rule
Author:ditekshen
Description:Detects Blacksuit
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:ProgramLanguage_Rust
Create hunting rule
Author:albertzsigovits
Description:Application written in Rust programming language
Rule name:ScanStringsInsocks5systemz
Create hunting rule
Author:Byambaa@pubcert.mn
Description:Scans presence of the found strings using the in-house brute force method
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Windows_Trojan_Xeno_f92ffb82
Create hunting rule
Author:Elastic Security
Rule name:win_xenorat_w0
Create hunting rule
Author:jeFF0Falltrades
Description:Detects win.xenorat.
Rule name:xenorat
Create hunting rule
Author:jeFF0Falltrades
Rule name:xeno_rat
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:Xeno Rat Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/17039/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
SECURITY_BASE_APIUses Security Base APIadvapi32.dll::AdjustTokenPrivileges
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CreateProcessA
advapi32.dll::OpenProcessToken
kernel32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryA
kernel32.dll::GetSystemInfo
kernel32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateDirectoryA
kernel32.dll::CreateFileA
kernel32.dll::DeleteFileA
kernel32.dll::GetWindowsDirectoryA
kernel32.dll::GetFileAttributesA
kernel32.dll::RemoveDirectoryA
WIN_BASE_USER_APIRetrieves Account Informationadvapi32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::PeekMessageA
user32.dll::CreateWindowExA

Comments