XWorm is a popular commodity malware available for purchase as a Malware-as-a-Service (MaaS) through dark net forums. This versatile malware functions primarily as a Remote Access Tool (RAT), allowing attackers to gain control over compromised systems. In addition to its RAT capabilities, XWorm often includes self-propagating features, enabling it to spread autonomously across networks.

XWorm's primary functions are:

  • Stealthily evading detection
  • Collecting sensitive data & passwords
      • Cryptocurrency wallet data
      • Keystrokes
  • Launching DDoS attacks

File Info

File name: XClient.exe

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

File size: 54.5 KB

SHA256: 59d366551d68f623c1091f82ca9c7355271dcf723970bc6252cca3e6f4f26bf2

SHA1: 8de4e02a0230c756b77d8782412ae69fa0d9b48f

MD5: bf6ec56ab492e15ddf046206061e089e

Static Analysis:

A quick analysis using ExeinfoPE revealed a .NET sample.

The code was entirely obfuscated, but we were able to clean it up manually after running it through the de4dot tool.

Dynamic Analysis:

We identified the main function; the first action after execution is the decryption of the malware configuration.

Decryption of the malware configuration:

Decrypt function

The malware configuration is encrypted with AES-ECB and the result is Base64-encoded. The function that decrypts the configuration is shown in the figure below. Because the key string is itself stored in the sample (see the AES Key entry in the configuration table), the configuration can be recovered statically once that key is located.

The same decryption routine is called for each configuration field, as shown in the figures: C2 domain decryption, C2 port decryption, AES key decryption, string splitter decryption, version decryption, USB drop filename decryption and malware copy path decryption.

The extracted malware configuration is presented in the table below:

Malware configuration

C2 Domain: 26.ip.gl.ply.gg

C2 Port: 3569

AES Key: <123456789>

String Splitter: <Xwormmm>

Version: роблокс

USB drop Filename: USB.exe

Malware Copy Path: UserPath\AppData\Roaming
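As an added example (not code from the original analysis or from the XWorm authors), a stand-alone Go extractor for configuration fields protected the way the page describes, AES-ECB followed by Base64. It assumes the 16-byte AES-128 key is the MD5 digest of the configured key string "<123456789>", which the page does not state; EncryptField exists only to build constructed sample ciphertexts from the table's values, since the page shows no raw encrypted bytes.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"encoding/base64"
	"errors"
)

// newCipher derives the AES-128 key from the configured key string (e.g. "<123456789>").
// ASSUMPTION: key = MD5(key string); the page states only "AES-ECB combined with Base64".
func newCipher(keyStr string) cipher.Block {
	sum := md5.Sum([]byte(keyStr))
	block, _ := aes.NewCipher(sum[:]) // MD5 is always 16 bytes, so NewCipher cannot fail
	return block
}

// ecb applies op to each 16-byte block independently; ECB has no chaining, so the loop is by hand.
func ecb(block cipher.Block, in []byte, op func(cipher.Block, []byte, []byte)) []byte {
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += aes.BlockSize {
		op(block, out[i:], in[i:])
	}
	return out
}

// EncryptField builds Base64(AES-ECB(PKCS#7(plaintext))); used only to construct sample input.
func EncryptField(keyStr, plaintext string) string {
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append([]byte(plaintext), bytes.Repeat([]byte{byte(pad)}, pad)...)
	return base64.StdEncoding.EncodeToString(ecb(newCipher(keyStr), padded, cipher.Block.Encrypt))
}

// DecryptField is the extractor: Base64-decode, AES-ECB decrypt, strip PKCS#7 padding.
// A padding failure almost always means the wrong key string was supplied.
func DecryptField(keyStr, b64 string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("input is not valid Base64 of a whole number of AES blocks")
	}
	pt := ecb(newCipher(keyStr), ct, cipher.Block.Decrypt)
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return "", errors.New("bad PKCS#7 padding (wrong key?)")
	}
	return string(pt[:len(pt)-pad]), nil
}
```

Pointing DecryptField at each Base64 string found next to the sample's decrypt routine, with the key string taken from the binary, yields the fields in the table above; if the key derivation in a given build differs, the padding check fails rather than returning garbage.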

Dropped File Info

The malware copies itself to the local user's “AppData\Roaming” directory as a file named “svchost.exe”. If a file with the same name already exists, it is deleted and replaced.

Registry Entry

It also adds a registry entry so that the malware is run persistently.

Creating Mutex

A mutex is created to check whether the program is already running.

Executing Windows Task Scheduler

The malware then uses the Windows Task Scheduler to establish persistence on the system; the command used depends on the privileges it possesses.

The scheduled task runs at an interval of every 1 minute.

Building message for Telegram channel

Once the malware has ensured its persistence on the system, it proceeds to gather information, which is transmitted to a Telegram channel as a message.


GenerateShortMD5Hash Function

This function serves as an identifier generator: it retrieves system information and generates a short MD5 hash from it.

It hashes that information and returns a substring of 21 uppercase characters, which is then incorporated into the Telegram message.

Check Antivirus Product

Among the various information that XWorm gathers is the list of antivirus products registered on the system.