
XWorm

Written by The Hivemind | Nov 3, 2023 6:13:28 PM

Executive Summary

XWorm is a .NET-based, modular, multi-purpose malware family most often used as a RAT. CERT Polska analyzed an XWorm sample distributed via malspam carrying a .lzh archive.

Key Takeaways

  • XWorm is a .NET-based, modular, multi-purpose malware family most often used as a RAT.
  • CERT Polska analyzed an XWorm sample distributed via malspam carrying a .lzh archive.
  • A selection of XWorm hashes and extracted C2 information is provided at the end of this Threat Bulletin.

What is XWorm?

CERT Polska recently reported on XWorm, a .NET-based, modular, multi-purpose malware family most often used as a RAT. It has been active in the wild since at least 2022.

The sample CERT Polska analyzed was distributed via malspam carrying a .lzh archive that contained an .EXE. The choice of .lzh was notable: it is a rarely used open-source archive format whose last stable release was over 30 years ago. CERT Polska assessed that the format was chosen in an attempt to evade detection.

CERT Polska analyzed the .EXE and found that it was not heavily obfuscated and was most likely written in Visual Basic. The file carried three resources: two images, one an explicit NSFW image of a female and the other a bitmap of seemingly random pixels, and a third resource containing what appeared to be random strings.

CERT Polska noted that reverse engineering the code was a challenge, because the malicious code was hidden among legitimate code that was probably copied from an open-source project. The researchers found the malicious snippet in the InitializeComponent method of the main window. The program performed a few simple operations on a long string embedded in the code, converted it to bytes, loaded the result as a .NET assembly, and then called a method named DeleteMC on it.

Unpacking this payload led to a binary that decrypted another layer of malware and loaded it with AppDomain.Load. The resource_name argument passed to it turned out to be the name of the suspicious bitmap resource discovered earlier in the analysis. Decrypting the bitmap yielded the unpacked sample, which contained obfuscated code.

With that layer decrypted, the researchers finally had the unpacked XWorm sample, which was compact. Its configuration was stored in a static class, with the values themselves encrypted using AES in ECB mode and the MD5 hash of the “Mutex” field as the key.

XWorm’s capabilities include keylogging, spreading via USB drives, self-uninstallation, and simple antivirus evasion. As a RAT, it also communicates with a C2 server and can download plugins.

IOCs

Hashes

PolySwarm has over 1700 samples of XWorm and is monitoring for additional samples. A limited selection of XWorm hashes is provided below.

64f690f98b36dd0fa9bc7e4cbfc9b64201a9f3ab66c3f122efdfd7bb755b3434
3264d09d3a398417226b7d346c2fc4757ffa445373763e2d7c2f18ef6edb2354
d0354d9dba1229815a1c14067e84ac5c113bfbd398d95e5847de76592e03602f
7a61fcf00b368d4e5efe55c3d5b09b417422f081b4154a5b264a211c30959ed2
f995d58bbe6383947308e35ffc36eba0fe3e357c2d4d9612dbf4bb2fa0f992b4

You can use the following CLI command to search for all XWorm samples in our portal:

$ polyswarm link list -f XWorm


C2 Information

PolySwarm analysts extracted the following C2 information from our XWorm samples.

