Latest: v5.1.4

Xworm 3.1 <2027>

For evasion:

Typically uses TCP or HTTP-based communication with a hardcoded or configurable C2 server. It may use XOR or simple encryption to obfuscate traffic.

Detects XWorm under names such as Trojan:MSIL/XWormRAT!atmn and Trojan:Win32/Xworm!rfn.

XWorm 3.1 is composed of several functional modules that allow it to control an infected system:

Once a system is compromised, XWorm ensures it will survive a reboot. It achieves persistence by:

A typical XWorm 3.1 sample (SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855; note: this value is the SHA-256 of empty input and serves only as a placeholder, so replace it with a real hash for live hunting) reveals the following upon analysis in a debugger like dnSpy (since it is .NET):