{
  "campaign": "agent_xworm_v2.exe (XWorm RAT v2.4.0) - Open Directory 109.230.231.37",
  "description": "Comprehensive IOCs for agent_xworm_v2.exe, a confirmed XWorm RAT v2.4.0 variant discovered in an open directory at 109.230.231.37. XWorm is a professional-grade .NET Remote Access Trojan operating as Malware-as-a-Service (MaaS) at global scale (18,459 devices compromised in a single campaign). This v2.4.0 sample features WebSocket-based C2 infrastructure, Base64-encoded communications, PowerShell reconnaissance capabilities, and modular payload delivery mechanisms. XWorm campaigns frequently deploy secondary payloads (78% multi-malware rate) including AsyncRAT and LockBit Black ransomware.",
  "severity": "CRITICAL",
  "confidence_level": "High",
  "malware_family": "XWorm RAT",
  "family_confidence": "CONFIRMED (95%)",
  "version": "2.4.0 (CONFIRMED - hardcoded version string)",
  "discovery_date": "2026-01-10",
  "report_date": "2026-01-12",
  "file_hashes": {
    "agent_xworm_v2_exe": {
      "sha256": "f8e7e73bf2b26635800a042e7890a35f7376508f288a1ced3d3e12b173c5cb7e",
      "sha1": "7c624e0b11c817d516f9411972191c4627fd2e53",
      "md5": "4164a1945d8373255a5cb7e42f05c259",
      "size": "15872",
      "type": "PE32 executable (console) Intel 80386, .NET assembly",
      "original_filename": "agent_xworm_v2.exe",
      "internal_name": "agent_xw2",
      "framework": ".NET Framework v4.0.30319",
      "family": "XWorm RAT",
      "version": "2.4.0",
      "yara_signatures": [
        "Agent_Xworm_V2_Specific_Hash",
        "XWorm_RAT_V2_Family",
        "XWorm_PowerShell_Recon_V2",
        "XWorm_WebSocket_C2"
      ]
    }
  },
  "network_indicators": {
    "c2_infrastructure": {
      "ip": "109.230.231.37",
      "description": "Hardcoded WebSocket C2 server IP - confirmed malware distribution point (open directory)",
      "confidence": "CONFIRMED",
      "threat_type": "Command and Control + Malware Distribution",
      "action": "BLOCK at network perimeter immediately - CRITICAL",
      "status": "Offline during analysis (common XWorm evasion)",
      "protocol": "WebSocket (ws://)",
      "port": "Not specified (likely default 80 for ws://)",
      "authentication_secret": "AgentSec_8hJ3kL6mN9pQ2rS5tU8vW1xY4zA7bC0d"
    },
    "c2_characteristics": {
      "protocol": "WebSocket for real-time bidirectional communication",
      "heartbeat_mechanism": "Periodic keepalive beacons to maintain persistent connections",
      "reconnection_logic": "Automatic retry after connection failures",
      "encoding": "Base64 for command and data transmission",
      "authentication": "Shared secret validation (AgentSec_...)",
      "traffic_pattern": "Long-lived connections with periodic small packets (heartbeat)"
    }
  },
  "behavioral_indicators": {
    "hidden_console": {
      "technique": "T1564.003 - Hide Artifacts: Hidden Window",
      "indicators": [
        "ShowWindow API called with SW_HIDE (0)",
        "GetConsoleWindow API usage",
        "CreateNoWindow flag in ProcessStartInfo",
        "Process executes without visible window"
      ],
      "impact": "User has no visual indication of malware execution",
      "detection": "Monitor for .NET processes with hidden windows creating network connections"
    },
    "powershell_execution": {
      "technique": "T1059.001 - Command and Scripting Interpreter: PowerShell",
      "embedded_commands": [
        "-NoP -C Get-Process|Sort CPU -Desc|Select -First 20 Name,Id,CPU,WS|FT",
        "-NoP -C Get-Service|?{$_.Status -eq 'Running'}|Select Name,Status,StartType|FT",
        "-NoP -C Get-WmiObject Win32_ComputerSystem|Select Name,PartOfDomain,Domain,DomainRole"
      ],
      "impact": "CRITICAL - Full PowerShell execution capability enables unlimited post-exploitation",
      "detection": "Enable PowerShell Script Block Logging (Event ID 4104)",
      "mitigation": "Deploy Constrained Language Mode where full PowerShell is not required"
    },
    "base64_encoding": {
      "technique": "T1027 - Obfuscated Files or Information",
      "indicators": [
        "ToBase64String API usage for network traffic",
        "FromBase64String for command decoding",
        "Base64-encoded configuration data"
      ],
      "impact": "Obfuscates C2 communications from simple network inspection",
      "detection": "Base64-aware IDS/IPS rules, DPI appliances"
    },
    "websocket_c2": {
      "technique": "T1071.001 - Application Layer Protocol: Web Protocols",
      "characteristics": "WebSocket protocol for real-time bidirectional C2",
      "indicators": [
        "System.Net.WebSockets namespace usage",
        "WebSocketState, SendAsync, ReceiveAsync methods",
        "Long-lived connections to external IPs"
      ],
      "impact": "WebSocket traffic blends with legitimate web application communications",
      "detection": "NGFW with WebSocket inspection, behavioral analytics for unusual WebSocket sources"
    },
    "dotnet_compilation": {
      "characteristic": ".NET Framework v4.0.30319 (Microsoft Visual Studio)",
      "indicators": [
        "mscorlib references",
        "System.Net.Sockets usage",
        "System.Diagnostics.Process spawning",
        "System.Security.Cryptography libraries",
        "System.Net.WebSockets (WebSocket C2)"
      ],
      "impact": "Inherent complexity in reverse engineering, easy recompilation for signature evasion",
      "detection": "Monitor .NET processes from user-writable directories with network activity"
    },
    "machine_fingerprinting": {
      "technique": "Unique victim identification via MD5 hashing",
      "implementation": "MD5 hash of system identifiers (hostname, username, OS version)",
      "purpose": "Track individual victims, prevent duplicate infections in C2 panel",
      "detection": "Monitor for MD5 hashing operations combined with system enumeration"
    }
  },
  "capabilities": {
    "system_reconnaissance": {
      "techniques": ["T1082", "T1033", "T1087", "T1057", "T1007", "T1016", "T1482"],
      "confidence": "CONFIRMED (CAPA analysis + embedded PowerShell)",
      "information_collected": [
        "OS version, architecture, .NET runtime (T1082)",
        "Hostname, machine ID via MD5 fingerprinting (T1082)",
        "Username, administrator privileges via IsInRole() (T1033)",
        "Local IP address (T1016)",
        "Domain membership, domain role via WMI (T1482)",
        "Running processes via Get-Process (T1057)",
        "Running services via Get-Service (T1007)"
      ],
      "impact": "Enables targeted post-exploitation based on victim value (domain + admin = high priority)",
      "detection": "Rapid sequential WMI queries, domain enumeration, privilege checking from unusual processes"
    },
    "file_download": {
      "technique": "T1105 - Ingress Tool Transfer",
      "confidence": "CONFIRMED (CAPA - WebClient.DownloadFile)",
      "implementation": "System.Net.WebClient for HTTP/HTTPS file downloads",
      "impact": "Multi-stage attack deployment - 78% of XWorm campaigns deliver secondary malware",
      "common_payloads": [
        "AsyncRAT (credential harvesting, lateral movement)",
        "LockBit Black ransomware (encryption + exfiltration)",
        "RedLine Stealer, Raccoon Stealer (infostealer deployment)",
        "Mimikatz, LaZagne (credential dumping tools)"
      ],
      "detection": "Monitor HTTP/HTTPS downloads from .NET processes to suspicious locations (AppData, Temp)"
    },
    "command_execution": {
      "technique": "T1059.001 - PowerShell Execution",
      "confidence": "CONFIRMED (embedded templates + CAPA)",
      "implementation": "ProcessStartInfo with UseShellExecute=false, RedirectStandardOutput=true, CreateNoWindow=true",
      "impact": "CRITICAL - Unlimited capability without additional uploads (Mimikatz, lateral movement, persistence)",
      "detection": "PowerShell spawned from non-administrative processes, -NoP flag usage, hidden WindowStyle"
    },
    "credential_access": {
      "technique": "T1056.001 - Input Capture: Keylogging",
      "confidence": "HIGHLY LIKELY (PowerShell download capability)",
      "implementation": "Download keylogger scripts via PowerShell or .NET file download",
      "impact": "CRITICAL - All credentials entered during infection window must be rotated",
      "mitigation": "MANDATORY credential rotation for all users on compromised systems"
    },
    "persistence": {
      "techniques": ["T1547.001", "T1053.005"],
      "confidence": "LIKELY (XWorm family capability; code structure supports it)",
      "mechanisms": [
        "Registry Run keys (HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run)",
        "Startup folder entries",
        "Scheduled tasks (via PowerShell New-ScheduledTask)",
        "WMI event subscriptions (PowerShell-based)"
      ],
      "impact": "Malware survives system reboots and user logoffs",
      "detection": "Monitor for startup folder modifications, registry Run key creation, scheduled task additions"
    },
    "defense_evasion": {
      "techniques": ["T1564.003", "T1027", "T1562.001"],
      "confirmed_in_v2_4_0": [
        "Hidden console window (ShowWindow API)",
        "Base64 encoding for C2 traffic and configuration"
      ],
      "xworm_v6_0_advanced": [
        "AMSI bypass (disables PowerShell script inspection) - NOT IN v2.4.0",
        "ETW tampering (prevents Script Block Logging) - NOT IN v2.4.0",
        "Process injection - NOT OBSERVED",
        "DLL side-loading - NOT OBSERVED"
      ],
      "impact": "v2.4.0 uses basic stealth, more detectable than v6.0 advanced variants",
      "detection": "PowerShell logging still effective (no AMSI/ETW bypass), behavioral EDR with .NET analysis"
    }
  },
  "mitre_attack_techniques": {
    "execution": [
      "T1204.002 - User Execution: Malicious File",
      "T1059.001 - Command and Scripting Interpreter: PowerShell"
    ],
    "persistence": [
      "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder",
      "T1053.005 - Scheduled Task/Job: Scheduled Task"
    ],
    "defense_evasion": [
      "T1564.003 - Hide Artifacts: Hidden Window",
      "T1027 - Obfuscated Files or Information",
      "T1562.001 - Impair Defenses: Disable or Modify Tools (v6.0 only, NOT in v2.4.0)"
    ],
    "credential_access": [
      "T1056.001 - Input Capture: Keylogging"
    ],
    "discovery": [
      "T1082 - System Information Discovery",
      "T1033 - System Owner/User Discovery",
      "T1087 - Account Discovery",
      "T1083 - File and Directory Discovery",
      "T1057 - Process Discovery",
      "T1007 - System Service Discovery",
      "T1016 - System Network Configuration Discovery",
      "T1482 - Domain Trust Discovery"
    ],
    "collection": [
      "T1005 - Data from Local System",
      "T1113 - Screen Capture (PowerShell capability)"
    ],
    "command_and_control": [
      "T1071.001 - Application Layer Protocol: Web Protocols (WebSocket)",
      "T1132.001 - Data Encoding: Standard Encoding (Base64)",
      "T1573 - Encrypted Channel",
      "T1105 - Ingress Tool Transfer"
    ],
    "exfiltration": [
      "T1041 - Exfiltration Over C2 Channel"
    ],
    "impact": [
      "T1486 - Data Encrypted for Impact (secondary payload - LockBit)"
    ]
  },
  "detection_opportunities": {
    "high_confidence_indicators": [
      "File hash match: SHA256 f8e7e73bf2b26635800a042e7890a35f7376508f288a1ced3d3e12b173c5cb7e",
      "Network connection to 109.230.231.37",
      "Authentication secret 'AgentSec_8hJ3kL6mN9pQ2rS5tU8vW1xY4zA7bC0d' in memory/network",
      "Embedded PowerShell commands: -NoP -C Get-Process|Sort CPU",
      "Embedded PowerShell commands: -NoP -C Get-Service",
      "Embedded PowerShell commands: -NoP -C Get-WmiObject Win32_ComputerSystem",
      "Version string: 2.4.0 in binary"
    ],
    "behavioral_patterns": [
      ".NET process from AppData/Temp with hidden window + WebSocket connection",
      "PowerShell spawned by .NET executable with -NoP flag from user directory",
      "Base64-encoded WebSocket traffic to non-whitelisted destinations from .NET process",
      "Rapid sequential PowerShell queries (processes, services, domain) from single .NET process",
      "WebClient.DownloadFile API calls from non-browser .NET process",
      "MD5 hashing combined with system enumeration (machine fingerprinting)",
      "Long-lived WebSocket connections with periodic heartbeat packets"
    ],
    "forensic_artifacts": [
      "Process creation events for agent_xworm_v2.exe (Event ID 4688)",
      "PowerShell Script Block Logging (Event ID 4104) showing reconnaissance commands",
      "Network connections to 109.230.231.37 in firewall/proxy logs",
      "Registry Run key modifications (if persistence deployed)",
      "Scheduled task creation events (if persistence deployed)",
      "Memory dumps containing 'AgentSec_' authentication strings",
      "File system: agent_xworm_v2.exe in AppData, Temp, or Downloads",
      "WebSocket handshake in network pcaps"
    ]
  },
  "secondary_malware_risk": {
    "multi_malware_campaigns": "78% of XWorm campaigns deliver additional malware",
    "common_secondary_payloads": {
      "rats": {
        "percentage": "60%+",
        "families": ["AsyncRAT", "QuasarRAT", "DcRAT", "NjRAT"]
      },
      "ransomware": {
        "percentage": "25%",
        "families": ["LockBit Black", "Conti", "Hive"]
      },
      "infostealers": {
        "percentage": "15%",
        "families": ["RedLine Stealer", "Raccoon Stealer", "Vidar"]
      }
    },
    "typical_attack_chain": [
      "XWorm RAT v2.4.0 (15.8KB lightweight payload, initial access)",
      "System reconnaissance (processes, services, domain membership, admin privileges)",
      "AsyncRAT deployment (credential harvesting, lateral movement)",
      "Privilege escalation (Mimikatz, PowerShell exploits)",
      "LockBit Black ransomware (encryption + double extortion)"
    ],
    "detection_strategy": "XWorm detection must trigger comprehensive hunt for AsyncRAT, LockBit, and other secondary malware"
  },
  "remediation_guidance": {
    "complexity": "HIGH - Complete system rebuild strongly recommended",
    "recommended_approach": "REBUILD (not cleanup)",
    "rationale": "XWorm's modular architecture and PowerShell execution capability mean unknown payloads may have been delivered. 78% of campaigns deploy secondary malware (AsyncRAT, LockBit). Cleanup approaches have 10-20% residual risk.",
    "rebuild_steps": [
      "Isolate infected systems from the network immediately (disable the network adapter; do NOT shut down, so volatile memory is preserved for forensic capture)",
      "Capture memory dumps and disk images for forensic analysis (evidence preservation)",
      "Identify all users who authenticated during infection window (credential rotation scope)",
      "Hunt enterprise-wide for secondary malware (AsyncRAT persistence, LockBit precursors)",
      "Complete disk wipe and clean OS installation from trusted media",
      "Apply all security updates before network reconnection",
      "Restore user data after malware scanning (from pre-infection backups)",
      "MANDATORY credential rotation for all affected users",
      "Deploy enhanced monitoring for 30 days post-rebuild (hunt for reinfection)"
    ],
    "credential_rotation": {
      "priority": "CRITICAL - Mandatory action",
      "scope": "ALL users who authenticated to infected systems during infection window",
      "rationale": "PowerShell execution capability means credential dumping tools (Mimikatz, LaZagne) may have been deployed. All credentials must be considered compromised.",
      "includes": [
        "User account passwords (all users on infected systems)",
        "Service account credentials accessible from infected systems",
        "Privileged account credentials (domain admin, enterprise admin, local admin)",
        "Application passwords and API tokens",
        "VPN credentials",
        "MFA device re-enrollment if codes were typed",
        "Browser saved passwords (assume keylogger captured during autofill)"
      ],
      "timeline": "Complete within 24-48 hours of detection"
    }
  },
  "threat_actor_assessment": {
    "malware_family": "XWorm RAT",
    "version": "2.4.0 (mid-generation, predates v6.0 advanced evasion)",
    "maa": "Malware-as-a-Service (MaaS)",
    "family_confidence": "CONFIRMED (95%)",
    "attribution_basis": "WebSocket C2 architecture, AgentSec authentication mechanism, PowerShell reconnaissance templates, and the v2.4.0 version string match known XWorm samples",
    "threat_actor_types": {
      "commodity_cybercriminals": "60% - financial gain via ransomware, data theft, crypto mining",
      "initial_access_brokers": "10% - selling compromised credentials and network access",
      "ransomware_affiliates": "25% - LockBit Black deployment via XWorm initial access",
      "state_sponsored": "5% - Ukrainian intelligence reported Russian hackers using XWorm in H1 2024"
    },
    "sophistication": "Professional-grade development (modular architecture, MaaS builder tools, versioned releases)",
    "motivation": "Financial gain (primary), espionage (secondary in state-sponsored usage)",
    "targeting": "Opportunistic (mass distribution via open directories, phishing, ClickFix social engineering)",
    "scale": "18,459 devices compromised in single builder campaign (global threat)",
    "evolution": {
      "v2_4_0": "This sample - WebSocket C2, PowerShell recon, basic evasion (detectable)",
      "v6_0": "June 4, 2025 - Fully re-coded, AMSI bypass, ETW tampering, RCE-Fixed (harder to detect)"
    }
  },
  "delivery_mechanisms": {
    "confirmed": "Open directory 109.230.231.37 (mass distribution)",
    "common_xworm_vectors": [
      "Email phishing attachments (.vbs, .bat, .ps1, .hta, Office macros with malicious VBA)",
      "Drive-by downloads (compromised websites, exploit kits)",
      "ClickFix social engineering (fake error messages instructing PowerShell execution)",
      "Software supply chain (bundled with pirated software, cracks, keygens)",
      "Malvertising (malicious ads redirecting to XWorm downloads)",
      "USB/removable media (worm-like spreading in some variants)",
      "Open directories (confirmed for this sample - 109.230.231.37)"
    ]
  },
  "response_priorities": {
    "immediate_0_4_hours": [
      "Isolate infected systems from network (disable adapter, preserve memory)",
      "Block C2 IP 109.230.231.37 at network perimeter and internal firewalls - CRITICAL",
      "Alert leadership (CISO, IT Director) of CRITICAL XWorm RAT v2.4.0 infection",
      "Preserve evidence (memory dumps, disk images, network captures)",
      "Deploy IOC hunt across enterprise (file hashes, C2 IP, authentication secret)",
      "Begin threat hunt for secondary malware (AsyncRAT, LockBit Black indicators)"
    ],
    "short_term_4_24_hours": [
      "Execute comprehensive threat hunting (file hashes, persistence artifacts, PowerShell logs)",
      "Review network logs for connections to 109.230.231.37 (identify infection timeline)",
      "Identify all users on infected systems during infection window (credential rotation scope)",
      "Hunt for secondary malware (AsyncRAT: svchost.exe in AppData, LockBit: VSS deletion, backup stops)",
      "Begin MANDATORY credential rotation for affected users",
      "Initiate forensic analysis to determine dwell time and data access"
    ],
    "medium_term_1_7_days": [
      "Complete system rebuild (strongly recommended) or aggressive cleanup (high residual risk)",
      "Finish MANDATORY credential rotation (all users, service accounts, privileged accounts)",
      "Deploy enhanced monitoring and XWorm-specific detection rules",
      "Hunt for persistence mechanisms (registry Run keys, scheduled tasks, WMI subscriptions)",
      "Validate cleanup effectiveness (30-day monitoring, daily threat hunting)",
      "Conduct lessons learned and control gap analysis",
      "Update incident response procedures based on XWorm findings"
    ],
    "estimated_cost": "$150,000 - $500,000 per incident (labor, tools, business disruption, potential ransomware if LockBit deployed)"
  },
  "xworm_family_intelligence": {
    "first_observed": "Mid-2022 (dark-web marketplaces)",
    "maa": "Malware-as-a-Service (builder tools available)",
    "version_history": {
      "v4": "2022 - initial MaaS release",
      "v5": "2023 - enhanced capabilities, modular plugins",
      "v2_4_0": "This sample - mid-generation variant, WebSocket C2",
      "v6": "June 4, 2025 - fully re-coded, AMSI bypass, ETW tampering, RCE-Fixed"
    },
    "scale": "18,459 devices compromised worldwide (single builder campaign)",
    "state_usage": "Ukrainian State Service reported Russian hackers using XWorm in H1 2024",
    "multi_malware_rate": "78% of campaigns deliver secondary payloads",
    "common_chains": [
      "XWorm → AsyncRAT → LockBit Black",
      "XWorm → QuasarRAT → RedLine Stealer",
      "XWorm → DcRAT → Conti Ransomware"
    ]
  },
  "timestamp": "2026-01-12T00:00:00Z",
  "analyst": "Threat Intelligence Team",
  "report_version": "1.0",
  "license": "© 2026 Joseph. All rights reserved. Free to read, but reuse requires written permission."
}
