Detection Rules – agent_xworm_v2.exe (XWorm RAT v2.4.0)
Overview
Comprehensive detection coverage for agent_xworm_v2.exe, a confirmed XWorm RAT v2.4.0 sample with WebSocket-based C2 infrastructure (109.230.231.37). Rules target file hashes, behavioral patterns, network indicators, and XWorm family characteristics.
Malware Family: XWorm RAT Version: 2.4.0 Severity: CRITICAL Last Updated: 2026-01-12 Campaign: Open Directory 109.230.231.37 Distribution
Table of Contents
- YARA Rules
- Sigma Detection Rules
- EDR Hunting Queries
- SIEM Detection Rules
- Network Detection
- PowerShell Detection
- Implementation Guidance
YARA Rules
Rule 1: agent_xworm_v2.exe Specific Hash Detection
rule Agent_Xworm_V2_Specific_Hash {
meta:
description = "Detects agent_xworm_v2.exe by file hash and unique authentication secret"
author = "Threat Intelligence Team"
date = "2026-01-12"
severity = "CRITICAL"
malware_family = "XWorm RAT"
version = "2.4.0"
hash_sha256 = "f8e7e73bf2b26635800a042e7890a35f7376508f288a1ced3d3e12b173c5cb7e"
reference = "Open Directory 109.230.231.37 Investigation"
mitre_attack = "T1059.001, T1071.001, T1132.001, T1564.003"
strings:
$c2_ip = "109.230.231.37" ascii
$auth_secret = "AgentSec_8hJ3kL6mN9pQ2rS5tU8vW1xY4zA7bC0d" ascii
$version = "2.4.0" ascii
$agent_filename = "agent_xw2" ascii nocase
condition:
uint16(0) == 0x5A4D and // MZ header
filesize < 100KB and
all of them
}
Rule 2: XWorm RAT v2.x Family Detection
rule XWorm_RAT_V2_Family {
meta:
description = "Detects XWorm RAT v2.x variants based on code patterns and WebSocket C2"
author = "Threat Intelligence Team"
date = "2026-01-12"
severity = "HIGH"
malware_family = "XWorm RAT"
reference = "XWorm v2.x family analysis"
strings:
// .NET framework indicators
$dotnet1 = "System.Net.WebSockets" ascii wide
$dotnet2 = "System.Diagnostics.Process" ascii wide
$dotnet3 = "System.Security.Cryptography" ascii wide
$dotnet4 = "mscorlib" ascii wide
// XWorm v2.x specific patterns
$version_pattern = /2\.[0-9]\.[0-9]/ ascii wide
$websocket = "WebSocket" ascii wide nocase
$agent_sec = "AgentSec_" ascii wide
// Command execution
$ps1 = "Get-Process" ascii wide nocase
$ps2 = "Get-Service" ascii wide nocase
$ps3 = "Win32_ComputerSystem" ascii wide
// Stealth and encoding
$stealth1 = "ShowWindow" ascii wide
$stealth2 = "GetConsoleWindow" ascii wide
$encode = "ToBase64String" ascii wide
// MD5 fingerprinting
$md5 = "MD5" ascii wide
$hash = "ComputeHash" ascii wide
condition:
uint16(0) == 0x5A4D and
filesize < 500KB and
(
// Strong XWorm v2.x signature: WebSocket + AgentSec + version
($dotnet1 and $websocket and $agent_sec and $version_pattern) or
// Alternative: .NET + reconnaissance + stealth + encoding
(2 of ($dotnet*) and 2 of ($ps*) and 1 of ($stealth*) and $encode) or
// MD5 fingerprinting + WebSocket C2
($md5 and $hash and $websocket and 1 of ($ps*))
)
}
Rule 3: XWorm PowerShell Reconnaissance Commands
rule XWorm_PowerShell_Recon_V2 {
meta:
description = "Detects XWorm v2.x embedded PowerShell reconnaissance command patterns"
author = "Threat Intelligence Team"
date = "2026-01-12"
severity = "MEDIUM"
reference = "XWorm v2.x PowerShell command templates"
strings:
$ps1 = "-NoP -C Get-Process|Sort CPU" ascii wide
$ps2 = "-NoP -C Get-Service|?{$_.Status -eq" ascii wide
$ps3 = "-NoP -C Get-WmiObject Win32_ComputerSystem" ascii wide
$ps4 = "PartOfDomain,Domain,DomainRole" ascii wide
$ps5 = "Select -First 20 Name,Id,CPU,WS" ascii wide
condition:
uint16(0) == 0x5A4D and
3 of them
}
Rule 4: XWorm AgentSec Authentication Pattern
rule XWorm_AgentSec_Authentication_V2 {
meta:
description = "Detects XWorm AgentSec authentication secret naming pattern"
author = "Threat Intelligence Team"
date = "2026-01-12"
severity = "HIGH"
reference = "XWorm authentication mechanism analysis"
strings:
$pattern1 = /AgentSec_[0-9A-Za-z]{40,50}/ ascii wide
condition:
uint16(0) == 0x5A4D and
$pattern1
}
Rule 5: XWorm WebSocket C2 Pattern
rule XWorm_WebSocket_C2 {
meta:
description = "Detects .NET executables with WebSocket C2 characteristics typical of XWorm"
author = "Threat Intelligence Team"
date = "2026-01-12"
severity = "HIGH"
strings:
$ws1 = "System.Net.WebSockets" ascii wide
$ws2 = "WebSocketState" ascii wide
$ws3 = "SendAsync" ascii wide
$ws4 = "ReceiveAsync" ascii wide
$c2_1 = "Heartbeat" ascii wide nocase
$c2_2 = "Reconnect" ascii wide nocase
$c2_3 = "Frame" ascii wide
$dotnet = "mscorlib" ascii wide
condition:
uint16(0) == 0x5A4D and
filesize < 200KB and
$dotnet and
3 of ($ws*) and
2 of ($c2_*)
}
Sigma Detection Rules
Rule 1: XWorm WebSocket C2 Connection to 109.230.231.37
title: XWorm RAT v2.4.0 WebSocket C2 Connection to Known Infrastructure
id: f8e7e73b-f2b2-6635-800a-042e7890a35f
status: stable
description: Detects WebSocket connections to known XWorm v2.4.0 C2 server 109.230.231.37
author: Threat Intelligence Team
date: 2026/01/12
references:
- agent_xworm_v2.exe analysis report
- Open Directory 109.230.231.37 investigation
tags:
- attack.command_and_control
- attack.t1071.001
- attack.t1132.001
logsource:
product: windows
category: network_connection
detection:
selection:
DestinationIp: '109.230.231.37'
condition: selection
falsepositives:
- None - IP is confirmed malicious infrastructure
level: critical
Rule 2: .NET Process with Hidden Window and WebSocket Connection
title: Suspicious .NET Process with Hidden Console and WebSocket Activity
id: 4164a194-5d83-7325-5a5c-b7e42f05c259
status: experimental
description: Detects .NET executables hiding console window while establishing WebSocket connections (XWorm v2.x behavior)
author: Threat Intelligence Team
date: 2026/01/12
references:
- XWorm RAT v2.x behavioral analysis
tags:
- attack.defense_evasion
- attack.t1564.003
- attack.command_and_control
- attack.t1071.001
logsource:
product: windows
category: process_creation
detection:
selection_dotnet:
Image|endswith: '.exe'
CommandLine|contains: 'v4.0.30319'
selection_hidden:
WindowStyle|contains:
- 'Hidden'
- 'SW_HIDE'
- 'CreateNoWindow'
selection_websocket:
# Process establishing WebSocket connection
NetworkConnection: true
DestinationPort:
- 80
- 443
- 8080
condition: selection_dotnet and selection_hidden and selection_websocket
falsepositives:
- Legitimate .NET applications with background WebSocket operations
level: high
Rule 3: PowerShell Spawned by Suspicious .NET Process from User Directory
title: PowerShell Execution from .NET Process in User-Writable Directory
id: 7c624e0b-11c8-17d5-16f9-411972191c46
status: experimental
description: Detects PowerShell execution from .NET binaries in user-writable directories (XWorm execution pattern)
author: Threat Intelligence Team
date: 2026/01/12
references:
- XWorm v2.x PowerShell execution capability
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: process_creation
detection:
selection_powershell:
Image|endswith: 'powershell.exe'
CommandLine|contains: '-NoP -C'
selection_parent:
ParentImage|contains:
- '\AppData\'
- '\Temp\'
- '\Users\'
ParentImage|endswith: '.exe'
filter:
ParentImage|contains:
- 'Microsoft'
- 'Visual Studio'
condition: selection_powershell and selection_parent and not filter
falsepositives:
- Legitimate development tools, software installers
level: high
Rule 4: XWorm PowerShell Reconnaissance Pattern
title: XWorm RAT PowerShell Reconnaissance Command Sequence
id: f8e7e73b-f2b2-6635-800a-042e7890a35a
status: experimental
description: Detects rapid sequence of PowerShell reconnaissance commands typical of XWorm RAT
author: Threat Intelligence Team
date: 2026/01/12
tags:
- attack.discovery
- attack.t1082
- attack.t1057
- attack.t1007
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging (Event ID 4104)'
detection:
selection:
ScriptBlockText|contains:
- 'Get-Process|Sort CPU'
- 'Get-Service|?{$_.Status -eq'
- 'Win32_ComputerSystem'
timeframe: 60s
condition: selection | count() >= 2
falsepositives:
- System administration scripts, legitimate automation
level: high
EDR Hunting Queries
Microsoft Defender for Endpoint (KQL)
Query 1: Hunt for File Hashes
// Hunt for known agent_xworm_v2.exe file hashes
DeviceFileEvents
| where Timestamp > ago(30d)
| where SHA256 == "f8e7e73bf2b26635800a042e7890a35f7376508f288a1ced3d3e12b173c5cb7e"
or SHA1 == "7c624e0b11c817d516f9411972191c4627fd2e53"
or MD5 == "4164a1945d8373255a5cb7e42f05c259"
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| sort by Timestamp desc
Query 2: Hunt for Network Connections to C2
// Hunt for WebSocket connections to XWorm v2.4.0 C2 infrastructure
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteIP == "109.230.231.37"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath,
RemoteIP, RemotePort, RemoteUrl, LocalIP
| sort by Timestamp desc
Query 3: Hunt for PowerShell Spawned by .NET Processes
// Hunt for PowerShell execution from .NET processes in user directories
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has "-NoP -C"
| where InitiatingProcessFolderPath has_any ("AppData", "Users", "Temp")
| join kind=inner (
DeviceFileEvents
| where FolderPath has_any ("AppData", "Users", "Temp")
| where FileName endswith ".exe"
) on DeviceId, InitiatingProcessId
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessFileName,
InitiatingProcessFolderPath, SHA256
| sort by Timestamp desc
Query 4: Hunt for WebSocket Activity from User Directories
// Identify .NET executables from user directories making WebSocket connections
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFolderPath has_any ("AppData", "Temp", "Users")
| where RemoteIPType == "Public"
| where RemotePort in (80, 443, 8080)
| where InitiatingProcessFileName has ".exe"
| join kind=inner (
DeviceFileEvents
| where FolderPath has_any ("AppData", "Temp")
| where FileSize < 100000 // Less than 100KB (XWorm typical size)
) on DeviceId, InitiatingProcessFileName
| project Timestamp, DeviceName, InitiatingProcessFileName,
InitiatingProcessFolderPath, RemoteIP, RemotePort, FileSize, SHA256
| sort by Timestamp desc
Query 5: Hunt for XWorm Authentication Secret Pattern
// Search for AgentSec authentication secret in process command lines or file content
DeviceFileEvents
| where Timestamp > ago(30d)
| where FileName has "agent"
| where FileSize < 50000
| project Timestamp, DeviceName, FileName, FolderPath, SHA256
| join kind=inner (
DeviceProcessEvents
| where ProcessCommandLine has "AgentSec_"
) on DeviceName
| sort by Timestamp desc
CrowdStrike Falcon (Event Search)
// Hunt for agent_xworm_v2.exe indicators
event_simpleName=ProcessRollup2 OR event_simpleName=DnsRequest OR event_simpleName=NetworkConnectIP4
| search SHA256Hash="f8e7e73bf2b26635800a042e7890a35f7376508f288a1ced3d3e12b173c5cb7e"
OR FileName="agent_xworm_v2.exe"
OR CommandLine="*-NoP -C Get-Process*"
OR CommandLine="*AgentSec_*"
OR RemoteAddressIP4="109.230.231.37"
| table _time, ComputerName, FileName, CommandLine, RemoteAddressIP4, SHA256Hash
| sort -_time
SentinelOne (Deep Visibility Query)
-- Hunt for XWorm RAT v2.x behavioral patterns
EventType = "Process Creation" OR EventType = "Network" OR EventType = "File Creation"
AND (
SHA256 = "f8e7e73bf2b26635800a042e7890a35f7376508f288a1ced3d3e12b173c5cb7e"
OR ProcessName CONTAINS "agent_xworm"
OR CommandLine CONTAINS "AgentSec_"
OR CommandLine CONTAINS "-NoP -C Get-Process"
OR DstIP = "109.230.231.37"
OR (ProcessName ENDS WITH ".exe" AND FilePath CONTAINS "AppData" AND NetworkConnection = true)
)
ORDER BY CreatedAt DESC
SIEM Detection Rules
Splunk SPL Queries
Query 1: File Hash Detection
index=endpoint (sourcetype=file_creation OR sourcetype=process_creation)
| search (SHA256="f8e7e73bf2b26635800a042e7890a35f7376508f288a1ced3d3e12b173c5cb7e" OR
SHA1="7c624e0b11c817d516f9411972191c4627fd2e53" OR
MD5="4164a1945d8373255a5cb7e42f05c259")
| table _time, host, process_name, file_path, SHA256, user
| sort -_time
Query 2: C2 Network Communication
index=network (sourcetype=firewall OR sourcetype=proxy OR sourcetype=dns)
| search dest_ip="109.230.231.37" OR src_ip="109.230.231.37"
| stats count by _time, src_ip, dest_ip, dest_port, action, user, process_name
| sort -_time
Query 3: PowerShell Reconnaissance Pattern
index=windows sourcetype=WinEventLog:Microsoft-Windows-PowerShell/Operational EventCode=4104
| search (ScriptBlockText="*-NoP -C Get-Process*" OR
ScriptBlockText="*-NoP -C Get-Service*" OR
ScriptBlockText="*Win32_ComputerSystem*")
| eval process_path=lower(ParentProcessName)
| where match(process_path, "appdata|temp|users")
| table _time, Computer, ParentProcessName, ScriptBlockText, UserID
| sort -_time
Query 4: XWorm Behavioral Pattern
index=endpoint sourcetype=process_creation
| search (process_name="*.exe" AND file_path="*\\AppData\\*" AND network_connection=true)
| search (command_line="*v4.0.30319*" OR command_line="*ShowWindow*" OR command_line="*WebSocket*")
| table _time, host, process_name, file_path, command_line, network_destination, SHA256
| sort -_time
Query 5: AgentSec Authentication Secret Detection
index=* (sourcetype=stream:tcp OR sourcetype=network_traffic)
| search "AgentSec_"
| rex field=_raw "AgentSec_(?<auth_token>[0-9A-Za-z]{40,50})"
| stats count by _time, src_ip, dest_ip, auth_token
| sort -_time
Elastic Stack (EQL)
Query 1: Process Creation with WebSocket Network Connection
sequence by host.id with maxspan=5m
[process where event.action == "start" and
process.executable : "*\\AppData\\*" and
process.name : "*.exe"]
[network where event.action == "connection_attempted" and
destination.ip == "109.230.231.37"]
Query 2: PowerShell with Suspicious .NET Parent
process where event.action == "start" and
process.name : "powershell.exe" and
process.command_line : "*-NoP -C*" and
process.parent.executable : "*\\AppData\\*" and
not process.parent.code_signature.valid == true
Query 3: XWorm File Creation Pattern
file where event.action == "creation" and
file.path : "*\\AppData\\*\\*.exe" and
file.size < 100000 and
not (
file.code_signature.valid == true and
file.code_signature.subject_name : "Microsoft*"
)
Network Detection
Suricata/Snort Rules
Rule 1: Connection to XWorm C2 Server
alert tcp $HOME_NET any -> 109.230.231.37 any (
msg:"MALWARE XWorm RAT v2.4.0 C2 Connection to 109.230.231.37";
flow:to_server,established;
reference:sha256,f8e7e73bf2b26635800a042e7890a35f7376508f288a1ced3d3e12b173c5cb7e;
classtype:trojan-activity;
sid:1000020;
rev:1;
)
alert tcp 109.230.231.37 any -> $HOME_NET any (
msg:"MALWARE XWorm RAT v2.4.0 C2 Response from 109.230.231.37";
flow:to_client,established;
reference:sha256,f8e7e73bf2b26635800a042e7890a35f7376508f288a1ced3d3e12b173c5cb7e;
classtype:trojan-activity;
sid:1000021;
rev:1;
)
Rule 2: WebSocket Upgrade with Suspicious Characteristics
alert tcp $HOME_NET any -> any any (
msg:"SUSPICIOUS WebSocket Upgrade from User Directory Process";
flow:to_server,established;
content:"Upgrade|3a 20|websocket"; http_header;
content:"GET"; http_method;
threshold:type both, track by_src, count 3, seconds 60;
classtype:suspicious-traffic;
sid:1000022;
rev:1;
)
Rule 3: XWorm AgentSec Authentication Secret
alert tcp $HOME_NET any -> any any (
msg:"MALWARE XWorm AgentSec Authentication Secret Detected";
flow:to_server,established;
content:"AgentSec_"; nocase;
pcre:"/AgentSec_[0-9A-Za-z]{40,50}/i";
classtype:trojan-activity;
sid:1000023;
rev:1;
)
Rule 4: Base64 Encoded WebSocket Payload
alert tcp $HOME_NET any -> any any (
msg:"SUSPICIOUS Base64 encoded WebSocket traffic from process";
flow:to_server,established;
content:"|41 67 65 6e 74|"; // "Agent" in hex
content:"WebSocket"; nocase;
pcre:"/^[A-Za-z0-9+\/]{20,}={0,2}$/";
threshold:type both, track by_src, count 5, seconds 60;
classtype:suspicious-traffic;
sid:1000024;
rev:1;
)
Network Monitoring Recommendations
Firewall Rules:
# Block known malicious C2 infrastructure - CRITICAL
DENY IP ANY -> 109.230.231.37 ANY
DENY IP 109.230.231.37 -> ANY ANY
LOG ALL connections to/from 109.230.231.37
# Monitor for unusual WebSocket activity
ALERT TCP $HOME_NET:$UNPRIVILEGED_PORTS -> ANY:80,443,8080
from_process_path:*\AppData\*.exe
from_process_path:*\Temp\*.exe
protocol:websocket
DNS Monitoring:
# Alert on DNS queries from suspicious processes
# (XWorm v2.4.0 uses hardcoded IP, but other variants may use domains)
ALERT DNS query
FROM process:*\AppData\*\*.exe
WHERE process NOT IN (browser_list, legitimate_updaters)
PowerShell Detection
Enable PowerShell Logging (GPO Configuration)
Registry Keys:
# Script Block Logging (Event ID 4104 - CRITICAL for XWorm detection)
HKLM\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
EnableScriptBlockLogging = 1
EnableScriptBlockInvocationLogging = 1
# Module Logging
HKLM\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging
EnableModuleLogging = 1
ModuleNames = *
# Transcription
HKLM\Software\Policies\Microsoft\Windows\PowerShell\Transcription
EnableTranscripting = 1
EnableInvocationHeader = 1
OutputDirectory = C:\PowerShellTranscripts
PowerShell Detection Query (Windows Event Log)
# Search for XWorm PowerShell reconnaissance commands
Get-WinEvent -FilterHashtable @{
LogName='Microsoft-Windows-PowerShell/Operational'
ID=4104 # Script Block Logging
} | Where-Object {
$_.Message -match 'Get-Process\|Sort CPU' -or
$_.Message -match 'Get-Service\|\?' -or
$_.Message -match 'Win32_ComputerSystem' -or
$_.Message -match 'AgentSec_'
} | Select-Object TimeCreated, Message, ProcessId | Format-List
Splunk Query for XWorm PowerShell Activity
index=windows sourcetype=WinEventLog:Microsoft-Windows-PowerShell/Operational EventCode=4104
| search (
ScriptBlockText IN ("*Get-Process|Sort CPU*", "*Get-Service|?{$_.Status*", "*Win32_ComputerSystem*") OR
ParentProcessName IN ("*agent*.exe", "*xworm*.exe") OR
ScriptBlockText="*AgentSec_*"
)
| table _time, Computer, ParentProcessName, ScriptBlockText, UserID
| sort -_time
Implementation Guidance
Priority 1: Immediate Deployment (0-24 hours)
- Network IOCs - Add to:
- Firewall deny lists (109.230.231.37) - CRITICAL
- IDS/IPS signatures (Suricata/Snort rules)
- Threat intelligence feeds
- DNS sinkholes (if applicable)
- Hash-Based Detection - Deploy to:
- EDR platforms (CrowdStrike, SentinelOne, Microsoft Defender)
- Antivirus/endpoint protection
- File integrity monitoring tools
- Application whitelisting systems (block list)
- YARA Rules - Deploy to:
- Email gateways (scan attachments)
- Web proxies (scan downloads)
- File servers (retroactive scan)
- EDR systems with YARA support
Priority 2: Enhanced Monitoring (24-48 hours)
- Sigma Rules - Deploy to:
- SIEM platforms (Splunk, Elastic, QRadar)
- Windows Event Log aggregation
- EDR platforms with Sigma support
- PowerShell Logging - Enable via GPO:
- Script Block Logging (Event ID 4104) - CRITICAL
- Module Logging for all modules
- Transcription logging with centralized storage
- EDR Hunting Queries - Execute on:
- All endpoints (comprehensive hunt)
- High-value targets (executives, IT admins, finance)
- Systems with recent network activity to 109.230.231.37
Priority 3: Long-Term Monitoring (Week 1+)
- Behavioral Analytics:
- UEBA for anomalous .NET process behavior
- Machine learning for XWorm pattern detection
- Network traffic anomaly detection (WebSocket C2)
- Threat Intelligence Integration:
- Add IOCs to threat intelligence platforms (TIP)
- Monitor for XWorm family evolution (v6.0+ variants)
- Track secondary malware (AsyncRAT, LockBit) associated with XWorm
- Continuous Improvement:
- Review detection effectiveness weekly
- Tune rules to reduce false positives
- Update based on XWorm v6.0 evolution
- Conduct purple team exercises
Testing & Validation
Safe Testing Procedures
DO NOT:
- Execute live malware on production systems
- Test with actual agent_xworm_v2.exe outside isolated labs
- Disable security controls to test effectiveness
DO:
- Create test files with matching strings (non-malicious harness)
- Use YARA rule testing frameworks (yara-ci)
- Validate Sigma rules in test SIEM instances
- Test EDR queries against historical data
- Conduct purple team exercises in controlled environments
Validation Checklist
- YARA rules tested against sample (isolated lab only)
- Sigma rules validated in test SIEM
- EDR queries return expected results
- Network signatures tested in lab
- False positive assessment completed
- Alert tuning performed
- Incident response procedures documented
- SOC team trained on XWorm detection
- Escalation paths defined
Maintenance & Updates
Review Schedule:
- Daily: Monitor alerts for new detections and false positives
- Weekly: Check for false positives and tune rules
- Monthly: Review detection effectiveness (true positive rate)
- Quarterly: Update rules based on XWorm family evolution (v6.0+ features)
Update Procedure:
- Monitor threat intelligence for XWorm v6.0+ updates
- Analyze new samples if discovered
- Update YARA/Sigma rules with new indicators
- Re-test in lab environment
- Deploy updated rules to production
- Document changes in version control
- Communicate updates to SOC team
Metrics to Track:
- True positive detection rate
- False positive rate by rule
- Mean time to detect (MTTD)
- Coverage across attack chain stages
- Alert volume trends
- Remediation success rate
Related Resources
- agent_xworm_v2.exe Main Report
- agent_xworm_v2.exe IOC Feed
- agent_xworm.exe (v5.x) Detection Rules
- MITRE ATT&CK Framework: https://attack.mitre.org/
- XWorm Family Intelligence: Malpedia, ANY.RUN, Huntress
Version: 1.0 Last Updated: 2026-01-12 Next Review: 2026-02-12
END OF DETECTION RULES