{
	"id": "33de39cf-e9ae-42e5-9ebb-63c8918572f1",
	"created_at": "2026-04-06T01:29:21.635207Z",
	"updated_at": "2026-04-10T03:20:44.685217Z",
	"deleted_at": null,
	"sha1_hash": "e3bb996418597cb8954bdb3284eedb74d67a1d76",
	"title": "XWorm: Technical Analysis of a New Malware Version",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 67687,
	"plain_text": "XWorm: Technical Analysis of a New Malware Version\r\nBy Electron, kinoshi and glebyao\r\nPublished: 2023-08-24 · Archived: 2026-04-06 01:07:26 UTC\r\nIn this article, we will take a look at the latest version of an XWorm sample, a widespread malicious program\r\nthat is advertised for sale on underground forums. \r\nWe will analyze the functionality of our sample, as well as extract its configuration. \r\nLet’s get started. \r\nWhat is XWorm Malware? \r\nXWorm is a malware family that targets Windows operating systems. It is known for its stealth and persistence, and for a\r\nwide range of malicious capabilities, spanning from remote desktop control to ransomware and information theft.  \r\nUnfortunately, adversaries employ this threat widely: it’s not uncommon to see it in ANY.RUN’s top 10 most\r\nused malware by uploads. \r\nXWorm dynamic sandbox analysis \r\nWhile searching for new threats, we discovered an interesting sample, uploaded by our users to Public\r\nsubmissions. It was downloaded from the file hosting service Mediafire as a password-protected RAR archive: \r\nA sample with a RAR archive in ANY.RUN\r\nAfter launching, the threat was identified by Suricata’s network rules as XWorm: \r\nXWorm is identified in ANY.RUN\r\nWe decided to check the sample on VirusTotal to confirm that it was indeed XWorm, but at the time of writing this\r\narticle, we were unable to find it there: \r\nVT is missing the XWorm sample\r\nThe initial analysis, according to the indicators set on process 2784, revealed that the software adds a shortcut to itself\r\nin the Startup folder (MITRE T1547.001) and uses the task scheduler (MITRE T1053.005): \r\nThe initial XWorm analysis\r\nThe scheduled task is used to relaunch the software with the highest privileges available to the current account, as indicated by\r\nthe “/RL HIGHEST” parameter of schtasks. Note that this does not grant privileges the account lacks: it runs the task with the full\r\n(elevated) token of an administrator account without a UAC prompt at launch, and registering such a task already requires an elevated process. 
\r\nRestart the software with elevated privilege\r\nhttps://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/\r\nPage 1 of 8\n\nAccording to the file operation data, the software installs itself in the Public directory (MITRE T1074.001): \r\nInterestingly, the software attempts to connect to a remote server, but no response is received (MITRE T1571): \r\nXWorm attempts to connect to a remote server\r\nWe decided to restart the sample and check for additional activities. Unfortunately, it crashed almost immediately\r\nafter launch: \r\nXWorm restart crash\r\nWe became interested in investigating the cause of the “crash,” and we found that the user-launched sample and\r\nthe sample restarted by us exhibited different behavior patterns. Specifically, the restarted sample queries a service\r\nto determine the external IP address (MITRE T1590.005) before crashing. Such services typically return, alongside the IP address,\r\nwhether it belongs to a hosting or data-center provider, and malware uses that flag as a cheap proxy for “not a real user’s machine”: \r\nThis is precisely what XWorm does: if its public IP looks like a hosting provider’s, it assumes it is running in an analysis\r\nenvironment rather than on a user’s physical machine and exits, which is the “crash” observed above. \r\nTo solve this problem, ANY.RUN has a useful feature called Residential Proxy which allows you to hide your\r\nactual location and convinces the software that it’s running on a real user’s machine. You can choose any location,\r\nin case it’s targeted malware requiring IP addresses from specific countries: \r\nRestarting with the Residential Proxy option enabled was successful, and XWorm exhibited its activity.  
\r\nAdditionally, we activated the MITM proxy option to find out what data is being transmitted to Telegram\r\n(MITRE T1102): \r\nXWorm transmits data to Telegram\r\nIt’s evident that the software transmits its version (XWorm V3.1), the machine’s username, the operating system\r\nversion, and likely a hash identifying the new victim (MITRE T1082). \r\nXWorm static analysis \r\nThe first step is to place our subject into DIE (Detect It Easy), a utility for initial file identification. \r\nXWorm analysis in DIE\r\nAs we can see, we are dealing with a .NET variant, so we promptly opened it in dnSpy. \r\nXWorm analysis in dnSpy\r\nWe are immediately met with an unfavorable picture: all the program’s members have been obfuscated\r\n(MITRE T1027). DIE could not recognize the obfuscator even with the “Heuristic scan” option checked. \r\nOur first thought was to try de4dot to simplify further analysis. \r\nde4dot usage for further XWorm analysis\r\nXWorm analysis\r\nAs we can see, not much has changed, so we must continue analyzing what we have. \r\nReverse engineering: anti-analysis techniques and persistence \r\nTo slow down analysis and hide from detection systems, the sample employs the following techniques: \r\n1. Virtualization detection using the WMI query “Select * from Win32_ComputerSystem” and checking the returned computer-system\r\nproperties for VMware or VirtualBox strings (MITRE T1047) \r\nDetection of a virtual machine \r\n2. Debugger detection using the CheckRemoteDebuggerPresent API function \r\nDetection of the debugger using CheckRemoteDebuggerPresent\r\n3. Checking whether the dynamic library SbieDll.dll is loaded, which is characteristic of Sandboxie, a sandbox-based\r\nisolation program \r\nDetection of Sandboxie\r\n4. A query to an external IP service to check whether the current machine is hosted in a data center (this finally clarifies why the\r\nsample initially “crashed”) \r\nDetection of hosting\r\nThe sample also gains a foothold by utilizing the registry and the task scheduler: \r\nXWorm utilizes the registry and the task scheduler\r\nReverse engineering: XWorm config extraction \r\nAfter a brief review of the methods’ contents, a constructor was found that bears a striking resemblance to a block\r\ncontaining settings. \r\nXWorm contents\r\nAfter examining cross-references, we arrive at a method that looks like this: \r\nXWorm reverse-engineering\r\nAs we can see, some fields are reassigned after processing by the method\r\n“Vc1fSJ4D04O6qGeP2fzA5lFCv8a7buXvJb4sHwuhuifI09pX.” Let’s take a closer look at it. \r\nXWorm reverse-engineering\r\nFirst, an MD5 hash is computed from the value of the field\r\n“hArf0quX6jL4F88ywQTiLn52eBzsJ6HreaOqb0WGSa89u” from the presumed settings section.  \r\nThe 16-byte digest is then copied twice into a 32-byte array, but the second Array.Copy starts at offset 15 instead of 16\r\n(apparently an off-by-one error by the malware developer): the last byte of the first copy is overwritten by the first byte of the\r\nsecond copy, and the final byte of the array is never written, so it is always zero. The resulting 32 bytes are used as an\r\nAES-256 key to decrypt the base64-encoded settings strings in ECB mode. \r\nThe string that seeds the key is also used as the mutex name. \r\nXWorm mutex\r\nNow we have all the necessary information for decrypting the settings. \r\nXWorm reverse-engineering\r\nOur final AES key looks like this:\r\n“01d31d5e811fce422987107f962c4001d31d5e811fce422987107f962c406600.” \r\nThe layout is visible in the hex: the first 15 bytes and the 16 bytes that follow them are the same digest,\r\n01d31d5e811fce422987107f962c4066, and the trailing 00 is the byte that is never written. \r\nXWorm reverse-engineering\r\nAnd here we have reached the core of our target’s sample. \r\nThe result can be viewed in CyberChef here. 
\r\nThe final config mapping is as follows: \r\nHost  6[.]tcp.eu.ngrok[.]io \r\nPort  13394 \r\nAES key  Slaves!-.;!2Swezy999!(xxx \r\nSplitter  Xwormmm\r\nSleep time  3 \r\nUSB drop file  USB.exe \r\nMutex  Lz8qftMH08V7f1rq \r\nLog file  %temp%\\Log.tmp \r\nTelegram token  6674821695:AAExQsr6_hmXk6hz7CN4kMSi9cs9y86daYM \r\nTelegram chat id  5865520781 \r\nWhen the goal isn’t to study the malware in depth but rather to quickly obtain the configuration, this can be\r\nefficiently achieved by running the sample in ANY.RUN. This method provides a straightforward way to access\r\nthe necessary information without the need for extensive analysis, saving potentially hours of work. \r\nXWorm malware configuration in ANY.RUN\r\nSee it in action for yourself here. \r\nIOCs \r\nAnalyzed files\r\nMD5  F6BB396FD836F66CD9F33CA4B0262DD7 \r\nSHA1  BFC7036E32A59AC25DB505D263B5F4CADE24C53C \r\nSHA256  1073FF4689CB536805D2881988B72853B029040F446AF5CED18D1BC08B2266E1 \r\nSSDEEP  6144:bfIbSc83qUhcX7elbKTua9bfF/H9d9n+:bLc83q3X3u+G \r\nMITRE ATT&CK\r\nTactic | Technique | Description \r\nTA0003: Persistence | T1547: Registry Run Keys / Startup Folder | Adds a shortcut to the Startup folder \r\nTA0003: Persistence | T1053: Scheduled Task | Uses the task scheduler \r\nTA0009: Collection | T1074: Local Data Staging | The malware saves itself in the Public directory \r\nTA0011: Command and Control | T1571: Non-Standard Port | Connects to a remote server \r\nTA0043: Reconnaissance | T1590: IP Addresses | Checks the IP of the running system \r\nTA0011: Command and Control | T1102: Bidirectional Communication | Communicates through Telegram \r\nTA0007: Discovery | T1082: System Information Discovery | Collects information about the victim's computer \r\nTA0005: Defense Evasion | T1027: Obfuscated Files or Information | Obfuscates the executable file \r\nTA0002: Execution | T1047: Windows Management Instrumentation | Gathers system information to detect virtualization \r\nTA0005: Defense Evasion | T1027: Obfuscated Files or Information | Stores the key-seeding string in a mutex name \r\nDNS requests \r\n6[.]tcp[.]eu[.]ngrok[.]io \r\nMore samples for your research\r\nhttps://app.any.run/tasks/d3858744-f1b2-4a9b-8ef7-deccada2a160/\r\nhttps://app.any.run/tasks/75f66fd6-d989-4f06-a348-c65e135e8ab4/\r\nhttps://app.any.run/tasks/5fab7db5-267e-46f6-a374-0f42de1cb328/\r\nhttps://app.any.run/tasks/b9275944-39fe-42cb-9eae-6b2e05f0892f/\r\nhttps://app.any.run/tasks/803758bf-387b-42e2-80cc-f20e7140cac4/\r\nInterested in more content like this? Check out our in-depth analysis of the latest .NET variant of LaplasClipper or\r\nread a break-down and guide to GuLoader deobfuscation strategies. \r\nA few words about ANY.RUN \r\nANY.RUN is a cloud malware sandbox that handles the heavy lifting of malware analysis for SOC and DFIR\r\nteams. Every day, 300,000 professionals use our platform to investigate incidents and streamline threat analysis.  \r\nRequest a demo today and enjoy 14 days of free access to our Enterprise plan. \r\nElectron\r\nLeading malware analyst\r\nI'm a malware analyst. I love CTF, reversing, and pwn. Off-screen, I enjoy the simplicity of biking, walking, and\r\nhiking.\r\nkinoshi\r\nMalware analyst at ANY.RUN\r\nI'm a dedicated programmer and malware analyst. I derive immense joy from the art of coding and have a deep\r\npassion for both low-level and system-level programming. I thoroughly enjoy delving into the intricacies of\r\nsoftware and exploring how it operates at a fundamental level. My expertise extends to solving crackme\r\nchallenges and participating in online CTF competitions, where I tackle complex tasks to enhance my skills.\r\nglebyao\r\nMalware analyst at ANY.RUN\r\nI am a 19-year-old malware analyst, programming in C / C++ / Python. My passion is to reverse-engineer\r\napplications of my interest. In my spare time, I participate in CTF events or develop tasks for reverse engineering,\r\npwn, PPC, and other categories.\r\nSource: https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/"
	],
	"report_names": [
		"xworm-technical-analysis-of-a-new-malware-version"
	],
	"threat_actors": [],
	"ts_created_at": 1775438961,
	"ts_updated_at": 1775791244,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e3bb996418597cb8954bdb3284eedb74d67a1d76.pdf",
		"text": "https://archive.orkl.eu/e3bb996418597cb8954bdb3284eedb74d67a1d76.txt",
		"img": "https://archive.orkl.eu/e3bb996418597cb8954bdb3284eedb74d67a1d76.jpg"
	}
}