{
	"id": "50beb2d6-bd74-406f-b39b-34380b73d48b",
	"created_at": "2026-04-06T00:10:03.198951Z",
	"updated_at": "2026-04-10T03:21:52.063298Z",
	"deleted_at": null,
	"sha1_hash": "725909b28d32b81de1a915da670a17c45c894a9c",
	"title": "Malware Analysis — Xworm",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7475422,
	"plain_text": "Malware Analysis — Xworm\r\nBy 0xMrMagnezi\r\nPublished: 2024-02-22 · Archived: 2026-04-05 15:59:36 UTC\r\nXworm is a type of malware that spreads through removable drives, such as USB flash drives, infecting Windows systems and potentially stealing information or allowing remote access.\r\nhttps://medium.com/@b.magnezi/malware-analysis-xworm-80b3bbb072fb\r\nPage 1 of 13\r\nMalware Bazaar Sample\r\nAs always, this sample has been downloaded and extracted using the password ‘infected.’ At first glance, it seemed like a simple deobfuscation task, but I later found out that it is a multi-stage malware.\r\nStage 1 — Obfuscated VBS code\r\nThis seemed like a simple deobfuscation where the first function returns the character associated with the specified ASCII code. In this example, it was the letter ‘e’, which is used to build the final URL and execute the content of that URL.\r\nStage 1 — Deobfuscated VBS code\r\nCURL to get Stage 2\r\nThe second stage appeared more obfuscated than the first. I noticed keywords such as “WScript”, “-window”, and what seemed like “execution policy bypass”.\r\nStage 2 — Obfuscated\r\nGiven the length of that file, I decided that it would be more effective to launch the code and check for new processes.\r\nProcMon — PowerShell was executed under the VBS\r\nFirst PowerShell code\r\nSecond PowerShell code\r\nIt seemed like the second PowerShell script is directly related to the first one, essentially being the decoded version of the first. After some cleaning of the code it was pretty clear what this code does.\r\nClean PowerShell code\r\nThis PowerShell script downloads data from a list of URLs. It searches for a section in the downloaded data enclosed by \u003c\u003cBASE64_START\u003e\u003e and \u003c\u003cBASE64_END\u003e\u003e flags, assuming this section is base64-encoded data. The script decodes and loads this data as a .NET assembly, expecting it to contain a method named “VAI” that is then invoked with specific parameters. I once again used curl to access these URLs and observe their content.\r\nCURL to the given URLs\r\n\"FF D8\" indicates the start of a JPEG file\r\nBased on its content and the file header, I assumed that it’s a genuine JPEG. I then started looking for the flags \u003c\u003cBASE64_START\u003e\u003e and \u003c\u003cBASE64_END\u003e\u003e, and indeed, they were found at the end of the file. This technique is called steganography, which involves embedding content within a file.\r\nFinding the Base64 embedded within the JPEG\r\nDecoding the Base64 using CyberChef\r\nThe decoding was successful, resulting in a new EXE file. This file, written in .NET, was then opened in dnSpy for debugging. Inside, a persistence technique was discovered, where the program adds itself to a registry key that runs it every time the system starts up.\r\nPersistence technique\r\nThe main function — “VAI”, which is invoked by the previous PowerShell script\r\nIt’s the downloader function. It reverses the first string it receives and attempts to download its content.\r\nDownloading from the URL\r\nReversing and decoding from Base64 — output is an EXE once again\r\nThis is the actual Xworm. Inside, there were some functions related to keylogging, persistence, sockets, etc.\r\nKeylogger functions (GetKeyState / GetKeyboardLayout etc.)\r\nAdding itself to AppData and the Startup folder\r\nDecrypting what it is doing\r\nInformation about the system being sent over a socket\r\nIOCs:\r\nhxxps://uploaddeimagens[.]com[.]br/images/004/739/227/original/new_image.jpg?1707826222\r\nhxxp://45[.]74[.]19[.]84/xampp/bkp/vbs_novo_new_image[.]jpg\r\nhxxps://wayoutkwt[.]com/bk/fexrw[.]txt\r\nhxxps://pastebin[.]com/raw/G9zY5tnh\r\nfebxworm39090[.]duckdns[.]org\r\n45[.]74[.]19[.]84\r\n85673635.vbs — 032c2cc1862303d06832c0ebe34b9dae\r\nPROJETOAUTOMACAO.VB1.dll — ce91eb459e4f6a9e2871088d855cd211\r\nfebxworm39090.exe — 1a2b23fd06525561826e61fc104b66d0\r\nvbs_novo_new_image.jpg — ddb09774c5a870c73cf0cf71e6d97d3e\r\noutput.273230999.txt — 983865b130c91b9b3a36d488afbdd1bd\r\nIn conclusion, Xworm is a sophisticated malware targeting Windows systems. It employs advanced evasion techniques like polymorphism, multi-staging and anti-debugging mechanisms, making detection and analysis challenging. Xworm also uses steganography to conceal its malicious code within innocuous files, further complicating its identification.\r\nSource: https://medium.com/@b.magnezi/malware-analysis-xworm-80b3bbb072fb",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/@b.magnezi/malware-analysis-xworm-80b3bbb072fb"
	],
	"report_names": [
		"malware-analysis-xworm-80b3bbb072fb"
	],
	"threat_actors": [],
	"ts_created_at": 1775434203,
	"ts_updated_at": 1775791312,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/725909b28d32b81de1a915da670a17c45c894a9c.pdf",
		"text": "https://archive.orkl.eu/725909b28d32b81de1a915da670a17c45c894a9c.txt",
		"img": "https://archive.orkl.eu/725909b28d32b81de1a915da670a17c45c894a9c.jpg"
	}
}