Malicious
12 tier-1 engines agree on Win64 trojan family; process injection and direct-IP C2 observed in sandbox execution.
7d89aca3584916e867…97a7a02a0bThe verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
The sample exhibits strong malicious indicators across multiple dimensions. Tier-1 engines (Avast, AVG, Avira, BitDefender, DrWeb, Emsisoft, F-Secure, G-Data, Ikarus, Sophos, Symantec, TrendMicro) converge on Win64 trojan families with 12 malicious detections. Triggered heuristics confirm process injection (T1055 — CreateRemoteThread into rundll32.exe) and direct-IP C2 communication to 4 external IPs with zero DNS lookups, a classic malware evasion pattern. The file is unsigned with no signer history, and its prevalence as 'common_new' (5053 submissions in 29 days) suggests active distribution. While external intel (CIRCL, YARAify) returned no hits and one community researcher claimed 'clean', the tier-1 consensus and observed sandbox behaviour override these dissenting signals.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
engines.tier1Malicious=12 with tier1FamilyConsensus.strong=true (Avast, AVG, Avira agree on 'win64' family)
MalwareTips.Synth.ProcessInjection fired: T1055 CreateRemoteThread injection into rundll32.exe observed
MalwareTips.Synth.DirectIpC2 fired: 4 direct-IP C2 contacts (150.171.109.183, 150.171.73.13, 185.199.111.133, 173.194.64.132), zero DNS domains — evasion pattern
Behaviour: offensiveTechniques=[T1055, T1560, T1562.001] (process injection, archive creation, log deletion); 10 dropped children unanalysed but parent behaviour conclusive
File unsigned, no signer history, prevalence common_new (5053 submissions, 29 days); popular threat label 'trojan.abtrojan/downware' aligns with tier-1 consensus
- No malicious dropped children detected (10 inspected, 0 malicious)
- No contact with known-malicious hosts in our URL cache
- Sandbox execution completed without crashing or timeout
- 12 tier-1 antivirus engines report malicious detection with family consensus
- Process injection (T1055) into system process (rundll32.exe) observed
- Direct-IP command-and-control communication bypassing DNS reputation systems
- Archive manipulation and log deletion techniques (T1560, T1562.001)
- Unsigned file with no legitimate publisher history
- High submission volume (5053 submissions in 29 days) suggests active malware distribution
Block and quarantine this file immediately. Do not execute under any circumstances. If already executed, perform a full system scan and monitor for indicators of compromise including unexpected network connections and registry modifications.
abtrojan corroborated by 2 sources
- VT (74 engines)abtrojan
- MT AI Engineabtrojan
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- 150.171.109.183
- 150.171.73.13
- 185.199.111.133
- 173.194.64.132
- C:\ProgramData\Microsoft\Windows\WER\Temp
- C:\ProgramData\Microsoft\Windows\WER\Temp\a6fd5fcb-ad5a-4bc9-a04c-c69f307b4b6e
- C:\ProgramData\Microsoft\Windows\WER\ReportQueue
- C:\ProgramData\Microsoft\Windows\WER\Temp\7680b5a5-350d-4694-b7c7-abcbec83cbe1
- C:\ProgramData\Microsoft\Windows\WER\ReportArchive
- C:\ProgramData\Microsoft\Windows\WER\Temp\WERFEA3.tmp
- C:\ProgramData\Microsoft\Windows\WER\Temp\WER13A3.tmp
- C:\ProgramData\Microsoft\Windows\WER\Temp\WER15F6.tmp
- C:\ProgramData\Microsoft\Windows\WER\Temp\WERFEA3.tmp.dmp
- C:\ProgramData\Microsoft\Windows\WER\Temp\WER13A3.tmp.WERInternalMetadata.xml
- Local\WERReportingForProcess1056
- Global\AmiProviderMutex_InventoryApplicationFile
- Global\5e2807f0-953a-4073-915b-4fecd826fc60
- Local\WERReportingForProcess3012
- Global\5b01f49f-9f9b-474a-9ba1-dd53f1448a29
Files this sample writes at runtime
This file drops 10 children at runtime. None are currently flagged malicious in our cache.
- d12e9318898f2aff7494…012aabNever scannednever seen before
- f7c6c7ea22edd2f8bd07…f91dc1Never scannednever seen before
- c75272bba336b65488dc…7f4bf9Never scannednever seen before
- 2a466648affd3d51b944…1fc1b3Never scannednever seen before
- 465a7ddfb3a0da4c3965…ea0a6fNever scannednever seen before
- 4fe2c4420294758883e1…62653cNever scannednever seen before
- 43e332faef4019a95d3b…55dad2Never scannednever seen before
- 21ef27edf8ab68d5228a…ad88b0Never scannednever seen before
- 615824c59ed1e07f5924…839451Never scannednever seen before
- 84425efa675012d33433…6803d3Never scannednever seen before
YARA + heuristic rules that fired
A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.
MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.
Evidence"C:\Windows\system32\rundll32.exe" "C:\Users\<USER>\AppData\Local\Temp\Xeno-v1.3.55/api-ms-win-crt-convert-l1-1-0.dll",#1Sample contacted 4 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
Evidence150.171.109.183 · 150.171.73.13 · 185.199.111.133
31 detections across 74 engines
How often this file shows up in the wild
Lots of people are uploading this but it's recent — typical of newly-released legitimate software. Low prior for malware.
Forensic fingerprint
- File name
- Xeno-v1.3.55 (1).zip
- Size
- 6.77 MB
- MIME type
- (unknown)
- Detected type
- ZIP
- SHA-256
- 7d89aca3584916e86707d8c9c6af606491bc9a3cadff9aea85a95f97a7a02a0b
- MD5
- 4cb6bc7c49c919065dab1c32d70df887
- SHA-1
- 31924dd424c5259988e1cda49a5bd730fbb2b284
- First seen (VT)
- 6/4/2026, 6:03:38 PM
- Last analysis (VT)
- 7/3/2026, 7:23:17 AM
- First scan (MalwareTips)
- 7/3/2026, 2:08:36 PM
- Last scan (MalwareTips)
- 7/3/2026, 2:08:36 PM
Reviews & malware reports(0)
Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.