XWorm Cocktail: A Mix of PE data with PowerShell Code
Essential information
- Published: 19/02/2025 16:12
- Modified: 19/02/2025 19:56
- Tags: 2025-02-19, deobfuscation, evasion, keylogging, obfuscation, persistence, powershell, virustotal, xworm
- Related entities: 3 observables, 20 techniques (MITRE), 1 malware
Description
A malicious file discovered on VirusTotal triggered a PowerShell detection rule, leading to the investigation of two closely related files identified as 'data files' by type but named as executables. The files contain a mix of PowerShell code, binary data, and obfuscated text. Analysis revealed characteristics of XWorm malware, including functions for system manipulation, data exfiltration, and keylogging. The obfuscation technique involves Base64 encoding, compression, and mathematical operations combined with logical operands. The malware attempts to evade detection, establish persistence, and perform various malicious activities. The investigation highlights the complexity of modern malware obfuscation techniques and the challenges in deobfuscating such threats.