- Phishing Tactics: An attacker sent an email with a shortened link that, when clicked, triggered the download of a file named Itinerary.doc_.zip.
- The downloaded .zip file contained a shortcut file (.lnk).
- When executed, the .lnk file downloaded and ran a malicious batch script (output4.bat), which in turn used the built-in bitsadmin utility to fetch the payload into the %temp% folder under the name svchost.com (named to blend in with the legitimate Windows svchost process; the .com extension is still directly executable on Windows).
- The svchost.com file was analyzed using tools like DiE and ExeInfo, revealing it to be part of the XWorm malware family, protected by .NET Reactor.
- The malware's code was heavily obfuscated but was partially deobfuscated using the NETReactorSlayer tool.
- The malware decrypted its embedded strings with a chain of MD5 hashing (to derive the key), AES in ECB mode, and Base64 decoding of the stored ciphertext.
- The malware’s configuration included a host (cyberdon1[.]duckdns[.]org), port (1500), and other parameters like a Telegram token and chat ID.
- XWorm Version: The analyzed version of XWorm was 5.6.