XWorm Cocktail: A Mix of PE data with PowerShell Code
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:
A malicious file discovered on VirusTotal triggered a PowerShell rule, leading to the investigation of two closely related files that VirusTotal classifies as 'data files' but that carry executable names. The files contain a mix of PowerShell code, binary (PE) data, and obfuscated text. Analysis revealed characteristics of XWorm malware, including functions for system manipulation, data exfiltration, and keylogging. The obfuscation layers Base64 encoding and compression with mathematical operations combined with logical operands. The malware attempts to evade detection, establish persistence, and perform various malicious activities. The investigation highlights the complexity of modern malware obfuscation techniques and the effort required to deobfuscate such threats.
OPENCTI LABELS:
powershell, xworm, obfuscation, evasion, keylogging, persistence, deobfuscation, virustotal