• Phishing Tactics: An attacker sent an email with a shortened link that, when clicked, triggered the download of a file named Itinerary.doc_.zip.
• The downloaded .zip file contained a shortcut file (.lnk).
• This .lnk file was used to download and run a malicious batch script (output4.bat), which employed bitsadmin to download a harmful payload, disguised as svchost.com, into the %temp% folder.
• The svchost.com file was analyzed using tools like DiE and ExeInfo, revealing it to be part of the XWorm malware family, protected by .NET Reactor.
• The malware's code was heavily obfuscated but was partially deobfuscated using the NETReactorSlayer tool.
• MD5 hashing, AES encryption in ECB mode, and Base64 decoding to decrypt strings.
• The malware’s configuration included a host (cyberdon1[.]duckdns[.]org), port (1500), and other parameters like a Telegram token and chat ID.
• XWorm Version: The analyzed version of XWorm was 5.6.

 
Download. Email me if you need the password scheme.