MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc02945d95bddaa8b73660f7b4d6fe84cf9a6f53ade99caad909d22203522af8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XenoRAT


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bc02945d95bddaa8b73660f7b4d6fe84cf9a6f53ade99caad909d22203522af8
SHA3-384 hash: 505b3b7a356718228381c66365ece18cc34d8b383a87eb0790c19acc97ee169be5500f305f90a8ea670055c046a4a911
SHA1 hash: c0f3b5a6a994a97c8e2f274633e35dca8ea16db4
MD5 hash: 85e8abb0e0335b1b4453e84b9dd466b0
humanhash: crazy-autumn-bulldog-oklahoma
File name:85E8ABB0E0335B1B4453E84B9DD466B0.exe
Download: download sample
Signature XenoRAT
Create hunting rule
File size:499'200 bytes
First seen:2026-02-03 03:55:05 UTC
Last seen:2026-02-03 04:25:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'754 x AgentTesla, 19'663 x Formbook, 12'252 x SnakeKeylogger)
ssdeep 6144:NVIom3zDD9VfprbbMp3GQCjdrTeE8/JIT70/5junpBtDE3tbYZMJNGxDQRP:sz3LpYMQMChInK5C1MqMc
TLSH T1DCB4ADAF72CE4E13C2802AB5D09385244FA1BE763637E74E2F0836D91D72F752D99681
TrID 58.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
13.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
8.4% (.EXE) Win64 Executable (generic) (10522/11/4)
5.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
Reporter abuse_ch
Tags:exe XenoRAT


Avatar
abuse_ch
XenoRAT C2:
1.229.183.193:9646

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
1.229.183.193:9646 https://threatfox.abuse.ch/ioc/1740540/

Intelligence

File Origin
# of uploads :
2
# of downloads :
122
Origin country :
NL NL
Vendor Threat Intelligence
Malware configuration found for:
NETReactor
Details
NETReactor
decrypted strings
Link:
https://research.acce.ciphertechsolutions.com/results/abdffa01-dc34-4f10-80cb-77450885f1f8/
Malware family:
n/a
ID:
1
File name:
85E8ABB0E0335B1B4453E84B9DD466B0.exe
Verdict:
Malicious activity
Analysis date:
2026-02-03 03:55:48 UTC
Tags:
rat remote auto-reg netreactor
Link:
https://app.any.run/tasks/7ea4df59-5153-40c7-9507-56138c3775d0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/51399/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.54977894.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=698171b82198a42a6805563f
Tags:
netwiredrc backdoor netwire virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a file
Сreating synchronization primitives
Sending a custom TCP request
Launching a process
DNS request
Connection attempt
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Verdict:
Malicious
Labled as:
Barys.Generic
Link:
https://www.hybrid-analysis.com/sample/bc02945d95bddaa8b73660f7b4d6fe84cf9a6f53ade99caad909d22203522af8
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-01-26T22:55:00Z UTC
Last seen:
2026-02-03T07:46:00Z UTC
Hits:
~10
Detections:
Trojan.MSIL.Xeno.sb HEUR:Backdoor.MSIL.XenoRAT.a
Link:
https://opentip.kaspersky.com/bc02945d95bddaa8b73660f7b4d6fe84cf9a6f53ade99caad909d22203522af8/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/dd89500d-c2a0-4549-960c-0a0f3174572f
Result
Threat name:
PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1862139
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/bc02945d95bddaa8b73660f7b4d6fe84cf9a6f53ade99caad909d22203522af8
Verdict:
Malware
YARA:
12 match(es)
Tags:
.Net .Net Obfuscator .Net Reactor Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.89 Win 32 Exe x86
Link:
https://app.malva.re/file/85e8abb0e0335b1b4453e84b9dd466b0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bc02945d95bddaa8b73660f7b4d6fe84cf9a6f53ade99caad909d22203522af8/
Verdict:
Malicious
Threat:
Family.XENORAT
Link:
https://tip.neiki.dev/file/bc02945d95bddaa8b73660f7b4d6fe84cf9a6f53ade99caad909d22203522af8
Threat name:
Win32.Backdoor.Xenorat
Create hunting rule
Status:
Malicious
First seen:
2026-01-28 02:31:00 UTC
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xqbjixmvxxnkrnzwmd33jvx6qthzu32tvxuzzkwzbhjcea2sfl4a._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery execution persistence
Link:
https://tria.ge/reports/260203-eg2qbshx4g/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Checks computer location settings
Executes dropped EXE
Unpacked files
SH256 hash:
bc02945d95bddaa8b73660f7b4d6fe84cf9a6f53ade99caad909d22203522af8
MD5 hash:
85e8abb0e0335b1b4453e84b9dd466b0
SHA1 hash:
c0f3b5a6a994a97c8e2f274633e35dca8ea16db4
Link:
https://www.unpac.me/results/8182ecf4-507f-485b-8a7d-3c30458adafd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bc02945d95bddaa8b73660f7b4d6fe84cf9a6f53ade99caad909d22203522af8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Lumma_Stealer_Detection
Create hunting rule
Author:ashizZz
Description:Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/
Rule name:MALWARE_Win_XenoRAT
Create hunting rule
Author:ditekshen
Description:Detects Blacksuit
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/51399/

Comments