MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fee7a480a9b4883347bc7c6e7b383dc3ff8d2466b1c7f6941df9fa1edeb6f5f5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



XenoRAT


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 20 File information Comments

SHA256 hash: fee7a480a9b4883347bc7c6e7b383dc3ff8d2466b1c7f6941df9fa1edeb6f5f5
SHA3-384 hash: 3fbc27a22a7771d1bfe86b2a8e1d12f851da263673a209c1a6dcb6142bd694f7f6dbdece4e6ace705b2376e9c2c425e5
SHA1 hash: f4448b19b8819beb1ff96f30e47b996d206884d9
MD5 hash: 3e09851e283a9fd65ce69f3510587df6
humanhash: nine-glucose-ceiling-item
File name:Img200039_PAGO.exe
Download: download sample
Signature XenoRAT
File size:274'432 bytes
First seen:2026-05-04 12:10:41 UTC
Last seen:2026-05-20 11:19:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'096 x AgentTesla, 20'113 x Formbook, 12'356 x SnakeKeylogger)
ssdeep 6144:rM/PU6MYrEfeb+e0ixeykmfrzyMPayVst5cYIP:rME6MYrvb+e0IeifTrNP
TLSH T141449E97E9808D12CE6A1F35C82518042177BD9ABDB2FB4EE94475B88BF37D600B3857
TrID 70.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.2% (.EXE) Win64 Executable (generic) (6522/11/2)
4.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 665881a480430040 (1 x XenoRAT)
Reporter adrian__luca
Tags:exe XenoRAT

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
178.16.54.156:4444 https://threatfox.abuse.ch/ioc/1805999/

Intelligence


File Origin
# of uploads :
2
# of downloads :
153
Origin country :
HU HU
Vendor Threat Intelligence
Malware configuration found for:
ConfuserEx
Details
ConfuserEx
decrypted strings and possibly embedded components
Malware family:
n/a
ID:
1
File name:
exe
Verdict:
No threats detected
Analysis date:
2026-05-04 12:13:01 UTC
Tags:
httpdebugger tool

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Unauthorized injection to a recently created process
Restart of the analyzed sample
Searching for synchronization primitives
Creating a file
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 dotfuscator obfuscated obfuscated packed reconnaissance similar-threat smartassembly vbnet yano
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-05-03T13:19:00Z UTC
Last seen:
2026-05-06T05:57:00Z UTC
Hits:
~1000
Detections:
VHO:Backdoor.MSIL.Quasar.gen PDM:Trojan.Win32.Generic Trojan.MSIL.Xeno.sb HEUR:Trojan-Spy.MSIL.Quasar.gen
Verdict:
inconclusive
YARA:
13 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.84 Win 32 Exe x86
Threat name:
ByteCode-MSIL.Trojan.Generic
Status:
Suspicious
First seen:
2026-05-03 16:54:25 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
22 of 36 (61.11%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
xenorat
Similar samples:
Result
Malware family:
xenorat
Score:
  10/10
Tags:
family:xenorat discovery execution persistence rat trojan
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Detect XenoRat Payload
Family: XenoRat
Malware Config
C2 Extraction:
178.16.54.156:4444
Unpacked files
SH256 hash:
fee7a480a9b4883347bc7c6e7b383dc3ff8d2466b1c7f6941df9fa1edeb6f5f5
MD5 hash:
3e09851e283a9fd65ce69f3510587df6
SHA1 hash:
f4448b19b8819beb1ff96f30e47b996d206884d9
SH256 hash:
460c8db29a4ed8498478e5d87c628fa2dee91b3602a1e650e97eed208a28fc3b
MD5 hash:
39abe8499de2c7e0a16b61e977ecb447
SHA1 hash:
5942ff5cab5e3b03749207810c8724dbf7f7308b
Detections:
win_xenorat_w0 XenoRAT
SH256 hash:
127ec31730015fc9e6a0e735b8e1ee7a3288b95375995d76113d07679d531b1f
MD5 hash:
a1f943648c6cafc712c1d748d8039efc
SHA1 hash:
97769068be4bbf59c4ee9501368533a8c0896e89
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:INDICATOR_EXE_Packed_Dotfuscator
Author:ditekSHen
Description:Detects executables packed with Dotfuscator
Rule name:INDICATOR_EXE_Packed_Goliath
Author:ditekSHen
Description:Detects executables packed with Goliath
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:MALWARE_Win_XenoRAT
Author:ditekshen
Description:Detects Blacksuit
Rule name:Multifamily_RAT_Detection
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Author:malware-lu
Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:pe_imphash
Rule name:RANSOMWARE
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:VECT_Ransomware
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.
Rule name:Windows_Generic_Threat_0a640296
Author:Elastic Security
Rule name:win_xenorat_w0
Author:jeFF0Falltrades
Description:Detects win.xenorat.
Rule name:xenorat
Author:jeFF0Falltrades
Rule name:xeno_rat
Author:Nikolaos 'n0t' Totosis
Description:Xeno Rat Payload

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XenoRAT

Executable exe fee7a480a9b4883347bc7c6e7b383dc3ff8d2466b1c7f6941df9fa1edeb6f5f5

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments