Backdoor:MSIL/XenoRat.BSA!MTB

user@threatcheck.sh ~ threat-analysis

bash

$ analyze-threat Backdoor:MSIL/XenoRat.BSA!MTB

Backdoor:MSIL/XenoRat.BSA!MTB - Windows Defender threat signature analysis

$ cat analysis.txt

=== THREAT ANALYSIS REPORT ===

Threat Name: Backdoor:MSIL/XenoRat.BSA!MTB

Classification:

Type:Backdoor

Platform:MSIL

Family:XenoRat

Detection Type:Concrete

Known malware family with identified signatures

Variant:BSA

Specific signature variant within the malware family

Suffix:!MTB

Detected via machine learning and behavioral analysis

Detection Method:Behavioral

Confidence:Very High

False-Positive Risk:Low

Concrete signature match: Backdoor - Provides unauthorized remote access for .NET (Microsoft Intermediate Language) platform, family XenoRat

Summary:

This detection identifies the XenoRat Remote Access Trojan (RAT), a backdoor that gives an attacker full remote control over the infected system. It can be used for data theft, surveillance, and executing arbitrary commands. The detection is based on a high-confidence machine learning model that identified behaviors specific to this malware family.

Severity:

Medium

VDM Static Detection:

Relevant strings associated with this threat:
 - \xeno-rat\Plugins (PEHSTR_EXT)

YARA Rule:

rule Backdoor_MSIL_XenoRat_BSA_2147927609_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:MSIL/XenoRat.BSA!MTB"
        threat_id = "2147927609"
        type = "Backdoor"
        platform = "MSIL: .NET intermediate language scripts"
        family = "XenoRat"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "15"
        strings_accuracy = "High"
    strings:
        $x_10_1 = "xeno rat client" ascii //weight: 10
        $x_5_2 = {1b 30 06 00 84 0b 00 00 10 00 00 11 12 00 14 7d 04 00 00 04 14 0b 72 64 05 00 70 0c 08 18 28 32 00 00 0a 28 33 00 00 0a 16 28 34 00 00 0a 26 21 00 60 40 00 00 00 00 00 e0 0d 20 b7 50 00 00 13 04 11 04 8d}  //weight: 5, accuracy: High
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Known malware which is associated with this threat:

01632d680ce1155a06c739e93b1de614de4aba8d014dc1f38f009f09b4306661

30/01/2026

→VirusTotal ↓Download Sample

c5790d70c433138c1b88ba002d1639daccc4e111c788ecb9ea0cbf9473dc88dc

29/01/2026

→VirusTotal ↓Download Sample

Filename: Adone_xen_o.exe

8778ffa3bc07a6c317f71a964dcd3cafd4fe59c5183e348d14d53e5c66deedd4

09/01/2026

→VirusTotal ↓Download Sample

Filename: 0836b10136c957fc9166d5cc0218fd26.exe

843a0224d193c2f7aa8b7c8aeba6422870e38b5c44004199cb5c231f6d5fb64d

13/12/2025

→VirusTotal ↓Download Sample

09d01a2b34a8c11fd9104b3bb4d91d01af3856ce3bd3f311b48b62225c406037

10/12/2025

→VirusTotal ↓Download Sample

Remediation Steps:

Immediately isolate the affected machine from the network. Run a full antivirus scan to remove all malicious components. Investigate the initial access vector, check for persistence mechanisms, and reset all user credentials on the machine and associated network accounts.

=== END REPORT ===

$ reanalyze-threat

This analysis was last updated on 09/11/2025. Do you want to analyze it again?

$ ls available-commands/

→ cd /home

user@threatcheck.sh:~$ ▊

Backdoor:MSIL/XenoRat.BSA!MTB - Windows Defender Threat Analysis