{
	"id": "fffbbc6b-bc59-4ace-b793-d6def75b5407",
	"created_at": "2026-04-06T00:12:49.208165Z",
	"updated_at": "2026-04-10T03:20:06.269784Z",
	"deleted_at": null,
	"sha1_hash": "ab1181d8c6401a865d08637cc6a0e5f3d6e255ca",
	"title": "XWorm Malware Analysis: SOC \u0026 IR Perspective on Persistence, C2, and Anti-Analysis Tactics",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1913875,
	"plain_text": "XWorm Malware Analysis: SOC \u0026 IR Perspective on Persistence, C2,\r\nand Anti-Analysis Tactics\r\nBy Zyad Waleed Elzyat\r\nPublished: 2025-09-12 · Archived: 2026-04-05 14:25:40 UTC\r\nXWorm malware analysis from SOC \u0026 IR perspective. Learn about persistence, C2, encryption, anti-analysis tactics, and\r\nkey IOCs for detection \u0026 response.\r\nIntroduction\r\nIn recent years, XWorm malware has emerged as one of the more versatile and evasive threats targeting enterprises and\r\nindividuals alike. Written in .NET, this remote-access trojan (RAT) and backdoor family has been observed delivering\r\npersistent access, data exfiltration, and encrypted command-and-control (C2) communication.\r\nIn this article, we break down the findings of an in-depth analysis of two XWorm samples, exploring their encryption,\r\npersistence mechanisms, anti-analysis tricks, and the Indicators of Compromise (IOCs) defenders need to know.\r\n📌 This report is written from a SOC (Security Operations Center) and Incident Response (IR) perspective,\r\nfocusing on actionable insights for detection, containment, and mitigation.\r\nTable of Contents\r\n1. Malware Samples Information\r\n2. Command and Control (C2) Infrastructure\r\n3. De-Obfuscation Techniques\r\n4. Malware Encryption Algorithm\r\n5. Persistence Mechanisms\r\n6. Information Gathering and Exfiltration\r\n7. Anti-Analysis Techniques\r\n8. IOCs\r\nhttps://medium.com/@0xzyadelzyat/xworm-malware-analysis-soc-ir-perspective-on-persistence-c2-and-anti-analysis-tactics-ed41d335b2ce\r\nPage 1 of 6\r\nMalware Samples Analyzed\r\nTwo malicious executables were reviewed, both heavily obfuscated .NET binaries:\r\nSample 1 Details:\r\nMD5 7c7aff561f11d16a6ec8a999a2b8cdad\r\nSHA-1 a3f6e039f346a7234bf5243568c05d63cc01fd87\r\nSHA-256 ced525930c76834184b4e194077c8c4e7342b3323544365b714943519a0f92af\r\nType .NET Executable\r\nSample 2 Details:\r\nMD5 806e784be61b0321fb659dab71a109f8\r\nSHA-1 6fa16df45e33d90c75a43a2412a7fe98ab7fb859\r\nSHA-256 94ec50f2df421486907c7533ee4380c219b57cf23ebab9fce3f03334408e4c06\r\nType .NET Executable\r\nBoth exhibited high entropy, signaling packing and string obfuscation, consistent with MITRE T1027.002 — Software\r\nPacking.\r\n🔍 Takeaway: Always submit suspicious hashes to VirusTotal, Triage, or AnyRun during SOC triage.\r\nCommand and Control (C2)\r\nXWorm uses multiple IPs, domains, and Telegram channels for command-and-control. This redundancy makes simple IP\r\nblocking insufficient.\r\nKey C2 infrastructure identified:\r\nIPs: 104.208.16.94, 185.117.249.43, 20.69.140.28\r\nDomains: copy-marco.gl.at.ply.gg, fp2e7a.wpc.2be4.phicdn.net\r\nTelegram Bot API: leveraged for exfiltration and tasking\r\nObfuscation \u0026 De-Obfuscation\r\nXWorm relies on string encryption and packing to evade signature-based detection.\r\nTools like de4dot can be used to reverse-engineer .NET obfuscation.\r\nhttps://github.com/kant2002/de4dot\r\nPost-de-obfuscation, analysts gain access to clear AES-CBC encryption routines and persistence logic.\r\nEncryption Algorithm\r\nXWorm protects its C2 traffic with AES (RijndaelManaged in CBC mode), ensuring sensitive exfiltrated data remains\r\nconcealed.\r\nThis makes network-based detection harder, shifting the burden to behavioral monitoring and endpoint detection.\r\nPersistence Mechanisms\r\nPersistence is achieved through multi-layered techniques, ensuring the malware runs again after reboot:\r\nScheduled Tasks (MITRE T1053.005)\r\nRegistry Run Keys / Startup Folder (MITRE T1547.001)\r\nAppData Placement for stealthy execution\r\nInformation Gathering \u0026 Exfiltration\r\nXWorm collects system metadata, including:\r\nOS version\r\nUsername \u0026 machine ID\r\nCPU/GPU/RAM details\r\nConnected USB devices\r\nThis telemetry is sent to Telegram, tagged with malware version identifiers like XWorm V5.0.\r\nAnti-Analysis Techniques\r\nXWorm implements robust evasion strategies:\r\nDebugger Detection — exits if a debugger is attached.\r\nVM / Sandbox Detection — scans for VMware and VirtualBox.\r\nCloud/Hosting Checks — queries ip-api.com to detect AWS/Azure/Google Cloud.\r\nOS Version Filtering — avoids execution on older Windows (e.g., XP).\r\nThese map to MITRE ATT\u0026CK IDs: T1497.001, T1497.002, T1622.\r\nIndicators of Compromise (IOCs)\r\nAdd these IOCs to your threat-hunting lists, blocklists, and detection rules:\r\n1. 104.208.16.94\r\n2. 150.171.22.17\r\n3. 151.101.22.172\r\n4. 184.25.113.6\r\n5. 184.25.113.61\r\n6. 185.117.249.43\r\n7. 20.69.140.28\r\n8. 20.99.133.109\r\n9. 185.117.250.169:7000\r\n10. 66.175.239.149:7000\r\n11. copy-marco.gl.at.ply.gg\r\n12. fp2e7a.wpc.2be4.phicdn.net\r\n13. hxxps[://]api[.]telegram[.]org/bot\r\n14. XWorm V5.0\r\n15. WmiPrvSE.exe\r\n16. WmiPrvSE.lnk\r\n17. Soundman.exe\r\n18. hxxps[://]api[.]telegram[.]org/bot5835520796:AAEDP1FiQ-0LFxO6-eDNugzON7bdAxLBrXs/sendMessage?chat_id=-4094900225\u0026text=%E2%98%A0%20[XWorm%20V5.0]New%20Clinet%20:%20899A34CB785F521B3558UserName%20:%20azureO\r\nSource: https://medium.com/@0xzyadelzyat/xworm-malware-analysis-soc-ir-perspective-on-persistence-c2-and-anti-analysis-tactics-ed41d335b2ce",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/@0xzyadelzyat/xworm-malware-analysis-soc-ir-perspective-on-persistence-c2-and-anti-analysis-tactics-ed41d335b2ce"
	],
	"report_names": [
		"xworm-malware-analysis-soc-ir-perspective-on-persistence-c2-and-anti-analysis-tactics-ed41d335b2ce"
	],
	"threat_actors": [],
	"ts_created_at": 1775434369,
	"ts_updated_at": 1775791206,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ab1181d8c6401a865d08637cc6a0e5f3d6e255ca.pdf",
		"text": "https://archive.orkl.eu/ab1181d8c6401a865d08637cc6a0e5f3d6e255ca.txt",
		"img": "https://archive.orkl.eu/ab1181d8c6401a865d08637cc6a0e5f3d6e255ca.jpg"
	}
}