MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c5790d70c433138c1b88ba002d1639daccc4e111c788ecb9ea0cbf9473dc88dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XenoRAT

Vendor detections: 20

Intelligence 20 IOCs YARA 12 File information Comments 1

SHA256 hash:	c5790d70c433138c1b88ba002d1639daccc4e111c788ecb9ea0cbf9473dc88dc
SHA3-384 hash:	25ff48ccc870faa950c64b0fc2b25018f222491ddc0659922a4cf27aae898e48c90d59fdf1e31494cb634a4eeecdbc6e
SHA1 hash:	c0dfce1878c3907295053c562e255f3c33ea6876
MD5 hash:	8deacf4ffaeee8aacf5a61e28bc42fec
humanhash:	oven-washington-twelve-early
File name:	file
Download:	download sample
Signature	XenoRAT Create hunting rule
File size:	47'104 bytes
First seen:	2026-01-28 23:01:12 UTC
Last seen:	2026-01-28 23:06:14 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'854 x AgentTesla, 19'783 x Formbook, 12'304 x SnakeKeylogger)
ssdeep	768:0dhO/poiiUcjlJInI2gH9Xqk5nWEZ5SbTDa2uI7CPW54:Ow+jjgnILH9XqcnW85SbTDuIw
TLSH	T1F823F84C5B9D8923F6AF1ABD9432425387B3E227A532E38F48CCD4E9379338558453A7
TrID	58.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 13.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 8.4% (.EXE) Win64 Executable (generic) (10522/11/4) 5.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-amadey exe fbf543 XenoRAT

Bitsight

url: http://130.12.180.43/files/7309295924/83OpFoG.exe

Intelligence

File Origin

# of uploads :

# of downloads :

192

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

Xeno

Details

Xeno

a c2 socket address, AES-CBC network key, a mutex, and a version number

Link:

https://research.acce.ciphertechsolutions.com/results/0a6f6918-c261-4872-868e-775b037395a7/

Malware family:

n/a

ID:

File name:

_c5790d70c433138c1b88ba002d1639daccc4e111c788ecb9ea0cbf9473dc88dc.exe

Verdict:

Malicious activity

Analysis date:

2026-01-28 23:02:29 UTC

Tags:

xenorat rat auto-reg

Link:

https://app.any.run/tasks/5694258a-6bba-4ee9-8346-db3610f4b2d3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

XenoRAT

Link:

https://www.capesandbox.com/analysis/50573/

Detection(s):

Win.Malware.Msilzilla-10023780-0

Win.Packed.Msilzilla-10027509-0

Win.Malware.Jalapeno-10040809-0

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=697a95506fa3eed165300549

Tags:

dropper proxy micro spawn

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% subdirectories

Creating a process from a recently created file

Creating a file

Сreating synchronization primitives

Launching a process

Sending a custom TCP request

DNS request

Connection attempt

Unauthorized injection to a recently created process

Enabling autorun by creating a file

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-vm base64 cmd fingerprint lolbin obfuscated reconnaissance schtasks

Link:

https://www.filescan.io/uploads/697a954e4156786ccbdde1f7/reports/fe03dcc9-c5d4-48dc-853c-5aec29ab2a3f/overview

Verdict:

Malicious

Labled as:

Jalapeno.Generic

Link:

https://www.hybrid-analysis.com/sample/c5790d70c433138c1b88ba002d1639daccc4e111c788ecb9ea0cbf9473dc88dc

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-01-28T20:07:00Z UTC

Last seen:

2026-01-30T17:09:00Z UTC

Hits:

~10

Detections:

HEUR:Backdoor.MSIL.Agent.gen Trojan.MSIL.Xeno.sb HEUR:Trojan.MSIL.Xeno.gen HEUR:Backdoor.MSIL.XenoRAT.a NetTool.Ngrok.UDP.C&C

Link:

https://opentip.kaspersky.com/c5790d70c433138c1b88ba002d1639daccc4e111c788ecb9ea0cbf9473dc88dc/results?tab=lookup

Malware family:

MoonPeak

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9a0d7f0f-2907-4f63-b7f6-c76db927fd81

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/c5790d70c433138c1b88ba002d1639daccc4e111c788ecb9ea0cbf9473dc88dc

Gathering data

Detection:

xenorat

Link:

https://mwdb.cert.pl/sample/c5790d70c433138c1b88ba002d1639daccc4e111c788ecb9ea0cbf9473dc88dc/

Verdict:

Malicious

Threat:

Family.XENORAT

Link:

https://tip.neiki.dev/file/c5790d70c433138c1b88ba002d1639daccc4e111c788ecb9ea0cbf9473dc88dc

Threat name:

ByteCode-MSIL.Backdoor.XenoRAT

Status:

Malicious

First seen:

2026-01-28 23:01:34 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 24 (95.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yv4q24gegmjyyg4ixiac2frz3lgmjyiry6eozopkbs7zi464rdoa._file

Verdict:

malicious

Label(s):

moonpeak

Similar samples:

error

XenoRAT

Result

Malware family:

xenorat

Score:

10/10

Tags:

family:xenorat discovery execution persistence rat trojan

Link:

https://tria.ge/reports/260128-2zrpeac16a/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Contacts third-party web service commonly abused for C2

Checks computer location settings

Executes dropped EXE

Detect XenoRat Payload

XenorRat

Xenorat family

Malware Config

C2 Extraction:

0.tcp.in.ngrok.io:13563

Unpacked files

SH256 hash:

c5790d70c433138c1b88ba002d1639daccc4e111c788ecb9ea0cbf9473dc88dc

MD5 hash:

8deacf4ffaeee8aacf5a61e28bc42fec

SHA1 hash:

c0dfce1878c3907295053c562e255f3c33ea6876

Detections:

win_xenorat_w0

XenoRAT

Link:

https://www.unpac.me/results/d4eac2c8-037e-4bbf-8a81-1beae30b6267/

Malware family:

XenoRAT

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c5790d70c433/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c5790d70c433138c1b88ba002d1639daccc4e111c788ecb9ea0cbf9473dc88dc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_XenoRAT Create hunting rule
Author:	ditekshen
Description:	Detects Blacksuit

Rule name:	Multifamily_RAT_Detection Create hunting rule
Author:	Lucas Acha (http://www.lukeacha.com)
Description:	Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_Ngrok_URL Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects a PE file that contains an ngrok.io URL. This can be used as C2 channel

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	Windows_Trojan_Xeno_f92ffb82 Create hunting rule
Author:	Elastic Security

Rule name:	win_xenorat_w0 Create hunting rule
Author:	jeFF0Falltrades
Description:	Detects win.xenorat.

Rule name:	xenorat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	xeno_rat Create hunting rule
Author:	Nikolaos 'n0t' Totosis
Description:	Xeno Rat Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XenoRAT

exe c5790d70c433138c1b88ba002d1639daccc4e111c788ecb9ea0cbf9473dc88dc

(this sample)

Dropped by

Amadey

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3765315/

Cape

https://www.capesandbox.com/analysis/50573/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

commented on 2026-01-28 23:05:57 UTC

RAT King Parser (https://github.com/jeFF0Falltrades/rat_king_parser) Output:

{
"sha256": "c5790d70c433138c1b88ba002d1639daccc4e111c788ecb9ea0cbf9473dc88dc",
"yara_possible_family": "xenorat",
"key": "f09223726c4ba9cfe5124492a82b7b92",
"salt": "None",
"config": {
"Hosts": [
"0.tcp.in.ngrok.io"
],
"Ports": 13563,
"Key": "05550bc685f04599b689922632e7baf0719d003649362002c83ace6253b03d49",
"delay": 5000,
"mutexstring": "Windows Security Health Host",
"DoStartup": 1,
"Installpath": "temp",
"startupname": "Windows Security Health Host"
}
}