{
	"id": "d2bef239-fd60-443f-96cc-f1fa0b17e397",
	"created_at": "2026-04-06T00:16:39.908424Z",
	"updated_at": "2026-04-10T13:12:57.508771Z",
	"deleted_at": null,
	"sha1_hash": "0477166d0b9ad6189f8228e9df5add344de1aa32",
	"title": "[QuickNote] The Xworm malware is being spread through a phishing email",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 659977,
	"plain_text": "[QuickNote] The Xworm malware is being spread through a phishing email\r\nPublished: 2024-09-12 · Archived: 2026-04-05 18:18:04 UTC\r\n1. Techniques used to trick users into downloading malware\r\nThe attacker sent an email with a shortened link to download a file:\r\nWhen a standard user clicks on the link provided, the browser will automatically initiate a download of the file Itinerary.doc _.zip, as illustrated in the following:\r\nInspect the downloaded .zip file. There is a shortcut file (.lnk):\r\nUpon further inspection of the file Itinerary.doc.lnk, it was discovered that the attacker leveraged this file to download and run a malicious .bat script named output4.bat:\r\nhttps://kienmanowar.wordpress.com/2024/09/12/quicknote-the-xworm-malware-is-being-spread-through-a-phishing-email/\r\nPage 1 of 5\r\nDownloading the output4.bat file and examining it reveals that it employs bitsadmin to download a harmful payload and execute it on the target system. The downloaded file is disguised as svchost.com and saved in the %temp% folder:\r\n2. Quick analysis of Xworm malware\r\nThe downloaded svchost.com file (hash: ec7e0bf7036f03786789b6cb58d01c84733fc3a865974c79edf68cba25ff9891) was scanned using popular tools including DiE and ExeInfo to identify any potential threats. The results of this scan are presented below:\r\nAs shown in the figure, this is a payload written in .NET, likely protected by the .NET Reactor protector. DiE even detected this as the XWorm malware family.\r\nLoading the file into dnSpy and going to the entry point, we can see that its code has been completely obfuscated.\r\nThe code was heavily obfuscated, making it nearly impossible to read. Trying our luck with the NETReactorSlayer tool, the result obtained was much more promising:\r\nA thorough analysis of the malware code revealed that all associated strings were encrypted:\r\nThe function responsible for decoding the string pjuwlH0Onm5es3BMfhR1hfmv is implemented as follows:\r\nDissecting the function, we observe that the malicious code carries out the following operations:\r\nCalculate the MD5 hash of the string “5b6qhQLrSgjM8zFs” and put it into the variable array2.\r\nUtilize the data in array2 to create a new array that will serve as the AES key, with the value “23DB8E591319155C9A1EFBEA84A17123DB8E591319155C9A1EFBEA84A1717600”.\r\nFirst, decode the string using Base64. Then, decrypt the result using AES in ECB mode with the previously acquired AES key.\r\nFollowing the steps outlined above, the data was simulated using CyberChef as shown below:\r\nThe malware config is as follows:\r\nHost cyberdon1[.]duckdns[.]org\r\nPort 1500\r\nSplitter \u003cXwormmm\u003e\r\nSleep time multiplier 3\r\nMutex 5b6qhQLrSgjM8zFs\r\nUSB drop file system32.exe\r\nTelegram token 7483891888:AAGbwyeJ_9j8PbOJI1cOfRW_cbll04oDXhA\r\nTelegram chat id 1344104260\r\nThe XWorm version under analysis in this note is 5.6.\r\nDone!\r\nm4n0w4r\r\nSource: https://kienmanowar.wordpress.com/2024/09/12/quicknote-the-xworm-malware-is-being-spread-through-a-phishing-email/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://kienmanowar.wordpress.com/2024/09/12/quicknote-the-xworm-malware-is-being-spread-through-a-phishing-email/"
	],
	"report_names": [
		"quicknote-the-xworm-malware-is-being-spread-through-a-phishing-email"
	],
	"threat_actors": [],
	"ts_created_at": 1775434599,
	"ts_updated_at": 1775826777,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0477166d0b9ad6189f8228e9df5add344de1aa32.pdf",
		"text": "https://archive.orkl.eu/0477166d0b9ad6189f8228e9df5add344de1aa32.txt",
		"img": "https://archive.orkl.eu/0477166d0b9ad6189f8228e9df5add344de1aa32.jpg"
	}
}