File verdict·Decided by the MT AI Engine
Our call

Malicious

12 tier-1 engines agree on Win64 trojan family; process injection and direct-IP C2 observed in sandbox execution.

abtrojan
Trust score8Critical
MT AI confidence · 94%
Xeno-v1.3.55 (1).zip
6.8 MB
7d89aca3584916e86797a7a02a0b
Antivirus engines
31 of 74 flagged
Code signing
Unsigned
Age
First seen 29 days ago
MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

94%Confidence
Very high
Reasoning

The sample exhibits strong malicious indicators across multiple dimensions. Tier-1 engines (Avast, AVG, Avira, BitDefender, DrWeb, Emsisoft, F-Secure, G-Data, Ikarus, Sophos, Symantec, TrendMicro) converge on Win64 trojan families with 12 malicious detections. Triggered heuristics confirm process injection (T1055 — CreateRemoteThread into rundll32.exe) and direct-IP C2 communication to 4 external IPs with zero DNS lookups, a classic malware evasion pattern. The file is unsigned with no signer history, and its prevalence as 'common_new' (5053 submissions in 29 days) suggests active distribution. While external intel (CIRCL, YARAify) returned no hits and one community researcher claimed 'clean', the tier-1 consensus and observed sandbox behaviour override these dissenting signals.

Key signals · 5

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

  1. engines.tier1Malicious=12 with tier1FamilyConsensus.strong=true (Avast, AVG, Avira agree on 'win64' family)

  2. MalwareTips.Synth.ProcessInjection fired: T1055 CreateRemoteThread injection into rundll32.exe observed

  3. MalwareTips.Synth.DirectIpC2 fired: 4 direct-IP C2 contacts (150.171.109.183, 150.171.73.13, 185.199.111.133, 173.194.64.132), zero DNS domains — evasion pattern

  4. Behaviour: offensiveTechniques=[T1055, T1560, T1562.001] (process injection, archive creation, log deletion); 10 dropped children unanalysed but parent behaviour conclusive

  5. File unsigned, no signer history, prevalence common_new (5053 submissions, 29 days); popular threat label 'trojan.abtrojan/downware' aligns with tier-1 consensus

Points in its favour
  • No malicious dropped children detected (10 inspected, 0 malicious)
  • No contact with known-malicious hosts in our URL cache
  • Sandbox execution completed without crashing or timeout
Points against
  • 12 tier-1 antivirus engines report malicious detection with family consensus
  • Process injection (T1055) into system process (rundll32.exe) observed
  • Direct-IP command-and-control communication bypassing DNS reputation systems
  • Archive manipulation and log deletion techniques (T1560, T1562.001)
  • Unsigned file with no legitimate publisher history
  • High submission volume (5053 submissions in 29 days) suggests active malware distribution
What to do

Block and quarantine this file immediately. Do not execute under any circumstances. If already executed, perform a full system scan and monitor for indicators of compromise including unexpected network connections and registry modifications.

Threat family attribution

abtrojan corroborated by 2 sources

  • VT (74 engines)
    abtrojan
  • MT AI Engine
    abtrojan
Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

MITRE ATT&CK
17

Adversary techniques mapped to the MITRE ATT&CK framework.

T1027.002T1033T1055T1057T1059T1064T1070.006T1071T1082T1083T1106T1129T1497T1560T1562T1562.001T1574
Spawned processes
15
$(unnamed)
"C:\Windows\system32\rundll32.exe" "C:\Users\<USER>\AppData\Local\Temp\Xeno-v1.3.55/api-ms-win-crt-convert-l1-1-0.dll",#1
$(unnamed)
"C:\Windows\system32\rundll32.exe" "C:\Users\<USER>\AppData\Local\Temp\Xeno-v1.3.55/api-ms-win-crt-environment-l1-1-0.dll",#1
$(unnamed)
"C:\Windows\system32\rundll32.exe" "C:\Users\<USER>\AppData\Local\Temp\Xeno-v1.3.55/api-ms-win-crt-filesystem-l1-1-0.dll",#1
$(unnamed)
C:\Windows\system32\WerFault.exe -u -p 1056 -s 528
$(unnamed)
"C:\Windows\system32\rundll32.exe" "C:\Users\<USER>\AppData\Local\Temp\Xeno-v1.3.55/api-ms-win-crt-heap-l1-1-0.dll",#1
$(unnamed)
C:\Windows\system32\WerFault.exe -u -p 3012 -s 496
$(unnamed)
"C:\Windows\system32\rundll32.exe" "C:\Users\<USER>\AppData\Local\Temp\Xeno-v1.3.55/api-ms-win-crt-locale-l1-1-0.dll",#1
$(unnamed)
"C:\Windows\system32\rundll32.exe" "C:\Users\<USER>\AppData\Local\Temp\Xeno-v1.3.55/api-ms-win-crt-math-l1-1-0.dll",#1
+7 more processes captured.
Network activity
4
IP addresses4
  • 150.171.109.183
  • 150.171.73.13
  • 185.199.111.133
  • 173.194.64.132
Filesystem & mutexes
40
Files written15
  • C:\ProgramData\Microsoft\Windows\WER\Temp
  • C:\ProgramData\Microsoft\Windows\WER\Temp\a6fd5fcb-ad5a-4bc9-a04c-c69f307b4b6e
  • C:\ProgramData\Microsoft\Windows\WER\ReportQueue
  • C:\ProgramData\Microsoft\Windows\WER\Temp\7680b5a5-350d-4694-b7c7-abcbec83cbe1
  • C:\ProgramData\Microsoft\Windows\WER\ReportArchive
+10 more
Files deleted15
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERFEA3.tmp
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER13A3.tmp
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER15F6.tmp
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERFEA3.tmp.dmp
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER13A3.tmp.WERInternalMetadata.xml
+10 more
Mutexes created10
  • Local\WERReportingForProcess1056
  • Global\AmiProviderMutex_InventoryApplicationFile
  • Global\5e2807f0-953a-4073-915b-4fecd826fc60
  • Local\WERReportingForProcess3012
  • Global\5b01f49f-9f9b-474a-9ba1-dd53f1448a29
+5 more
Dropped payload

Files this sample writes at runtime

This file drops 10 children at runtime. None are currently flagged malicious in our cache.

10 unseen
  • d12e9318898f2aff7494012aabNever scanned
    never seen before
  • f7c6c7ea22edd2f8bd07f91dc1Never scanned
    never seen before
  • c75272bba336b65488dc7f4bf9Never scanned
    never seen before
  • 2a466648affd3d51b9441fc1b3Never scanned
    never seen before
  • 465a7ddfb3a0da4c3965ea0a6fNever scanned
    never seen before
  • 4fe2c4420294758883e162653cNever scanned
    never seen before
  • 43e332faef4019a95d3b55dad2Never scanned
    never seen before
  • 21ef27edf8ab68d5228aad88b0Never scanned
    never seen before
  • 615824c59ed1e07f5924839451Never scanned
    never seen before
  • 84425efa675012d334336803d3Never scanned
    never seen before
No researcher-database hits
External threat-intel sources were not collected for this scan.
Signature matches

YARA + heuristic rules that fired

A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.

2 synthesis
MITRE ATT&CK profile
Defense evasion× 1C2× 1
MalwareTips synthesis rules
Our heuristics on VT data + sandbox behaviour
  • ProcessInjectionhigh

    MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.

    Evidence
    "C:\Windows\system32\rundll32.exe" "C:\Users\<USER>\AppData\Local\Temp\Xeno-v1.3.55/api-ms-win-crt-convert-l1-1-0.dll",#1
  • DirectIpC2medium

    Sample contacted 4 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.

    Evidence
    150.171.109.183 · 150.171.73.13 · 185.199.111.133
Antivirus engine breakdown

31 detections across 74 engines

31 malicious0 suspicious43 clean
Tier-117 engines
12flag
Top commercial AVs (low FP rate)
Tier-238 engines
14flag
Mainstream engines with mixed FP rates
Low-trust19 engines
5flag
Heuristic / generic-AI engines (high FP rate)
Alibaba
malicious
Trojan:Win64/Genric.66760030
alibabacloud
malicious
Trojan:Win/Evo.Gen
ALYac
malicious
Adware.Generic.3313472
Antiy-AVL
malicious
GrayWare[AdWare]/Win32.Vigua
Arcabit
malicious
Adware.Generic.D328F40
Avast
malicious
Win64:Evo-gen [Trj]
AVG
malicious
Win64:Evo-gen [Trj]
Avira
malicious
TR/W64.Evo
BitDefender
malicious
Adware.Generic.3313472
CAT-QuickHeal
malicious
Trojan.Agent
CTX
malicious
zip.trojan.generic
Cynet
malicious
Malicious (score: 99)
DrWeb
malicious
Adware.Downware.20251
Elastic
malicious
malicious (moderate confidence)
Emsisoft
malicious
Adware.Generic.3313472 (B)
F-Secure
malicious
Trojan.TR/W64.Evo
GData
malicious
Win64.Trojan.Agent.M39LQY
Gridinsoft
malicious
Trojan.Win64.Agent.cl
Ikarus
malicious
Trojan.Malware
K7AntiVirus
malicious
Unwanted-Program ( 005ce05f1 )
K7GW
malicious
Unwanted-Program ( 005ce05f1 )
Lionic
malicious
Trojan.ZIP.Generic.4!c
McAfeeD
malicious
ti!7D89ACA35849
MicroWorld-eScan
malicious
Adware.Generic.3313472
Skyhigh
malicious
Artemis!Trojan
Sophos
malicious
Mal/Generic-S
Symantec
malicious
PUA.Gen.2
TrellixENS
malicious
Artemis!DEFCAE4A1F3A
TrendMicro
malicious
Trojan.Win32.ZYX.USBLFC26
Varist
malicious
ABTrojan.LIIW-
VIPRE
malicious
Adware.Generic.3313472
Hash 7d89aca35849… cross-referenced against 74 AV engines via our AV network.
Prevalence

How often this file shows up in the wild

Lots of people are uploading this but it's recent — typical of newly-released legitimate software. Low prior for malware.

Common & new
Unique uploaders
3,212
Hundreds of people have uploaded this — common.
Total submissions
5,053
Includes repeat uploads by the same source.
First seen by VT
29d ago
Jun 4, 2026
Prevalence quadrant
Rare · New
Targeted malware lives here
here
Common · New
Just-released software
Rare · Old
Niche or internal tooling
Common · Old
Trusted legitimate binaries
File identity

Forensic fingerprint

File biography
First seen (VT)
6/4/2026, 6:03:38 PM
First seen (MalwareBazaar)
Last analysis (VT)
7/3/2026, 7:23:17 AM
Scanned here
7/3/2026, 2:08:36 PM
File name
Xeno-v1.3.55 (1).zip
Size
6.77 MB
MIME type
(unknown)
Detected type
ZIP
SHA-256
7d89aca3584916e86707d8c9c6af606491bc9a3cadff9aea85a95f97a7a02a0b
MD5
4cb6bc7c49c919065dab1c32d70df887
SHA-1
31924dd424c5259988e1cda49a5bd730fbb2b284
First seen (VT)
6/4/2026, 6:03:38 PM
Last analysis (VT)
7/3/2026, 7:23:17 AM
First scan (MalwareTips)
7/3/2026, 2:08:36 PM
Last scan (MalwareTips)
7/3/2026, 2:08:36 PM
Behavior tags
long-sleepscontains-pezipdetect-debug-environment
Community classification

Reviews & malware reports(0)

Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.

Loading…
Loading reports…
Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.