Open Directory Investigation: This sample was discovered on an open directory hosted at IP address 109.230.231.37, an active malware distribution point. The presence of multiple RAT variants on this infrastructure suggests organized malware distribution operations targeting opportunistic victims. To see all other reports from this investigation, see the Executive Overview.

Analyst Note: This has been a trend in my findings and reports lately; there have been many different findings of XWorm being involved in many different places, levels of sophistication, and operations. This is one of the main reasons I picked this out of all these 30+ samples found in this directory to drill into further.

Campaign Identifier: Arsenal-237-109.230.231.37-Malware-Repository

Last Updated: January 9, 2026


BLUF (Bottom Line Up Front)

Executive Summary

Business Impact Summary

agent_xworm.exe is a CRITICAL-severity Remote Access Trojan (RAT) confirmed as belonging to the XWorm malware family. This 16KB .NET-compiled malware represents the latest evolution of XWorm RAT, which achieved massive scale in 2024-2025 with over 18,459 devices compromised worldwide in a single builder campaign. The sample demonstrates professional-grade development with hardcoded command-and-control infrastructure (109.230.231.37), Base64-encoded communications, and comprehensive offensive capabilities including PowerShell execution, system reconnaissance, and file download functionality.

XWorm’s architecture revolves around a heartbeat-based TCP client that maintains a persistent connection to attacker infrastructure using an authentication secret (AgentSec_8hJ3kL6mN9pQ2rS5tU8vW1xY4zA7bC0d). Static analysis reveals modular command handlers for process enumeration, service discovery, domain checking, and arbitrary command execution. The malware’s small footprint (16KB) combined with hidden console operation indicates a lightweight first-stage payload designed for rapid deployment and a minimal detection surface.

The threat landscape for XWorm has evolved significantly in 2025, with Version 6 (released June 4, 2025) introducing “fully re-coded, RCE-Fixed” capabilities along with advanced evasion techniques (AMSI bypass, ETW tampering). XWorm is increasingly deployed as part of multi-malware campaigns, with 78% delivering secondary payloads including AsyncRAT and LockBit Black ransomware.

Key Risk Factors

| Risk Factor | Score | Business Impact |
|---|---|---|
| Overall Risk | 8.5/10 | CRITICAL - Immediate response required |
| Data Exfiltration Risk | 9/10 | Full PowerShell execution + modular keylogging (plugin-based) |
| System Compromise | 9/10 | Complete remote control with modular payload delivery |
| Persistence Difficulty | 7/10 | Registry Run keys + Scheduled tasks (plugin-activated) |
| Evasion Capability | 9/10 | AMSI bypass, ETW tampering, hidden console, Base64 encoding |
| Lateral Movement Risk | 8/10 | PowerShell execution enables network pivoting and credential theft |
| Detection Difficulty | 9/10 | Small footprint, .NET obfuscation, dormant C2 behavior |
| Multi-Malware Risk | 8/10 | 78% of XWorm campaigns deliver secondary payloads (AsyncRAT, LockBit) |

Recommended immediate actions:

  1. ISOLATE systems showing connections to 109.230.231.37 immediately
  2. BLOCK distribution infrastructure at network perimeter and internal firewalls
  3. DEPLOY behavioral detection rules for .NET RAT indicators and Base64-encoded C2
  4. HUNT enterprise-wide for file hashes, authentication secret “AgentSec_”, and PowerShell anomalies
  5. ROTATE credentials for all users on confirmed or suspected infected systems
  6. MONITOR for secondary payload delivery (AsyncRAT, LockBit ransomware)

Quick Reference

File Identification

  • Original Filename: agent_xworm.exe
  • SHA256: 0ec3fca58ef8f0d9f098cd749dd209fccda7cbf68c1eecf836668e5dabd6f3bc
  • SHA1: 0102782950619820bbcd60efca256c907403cfb0
  • MD5: 9d963f85812fd02e382a48c41fc0387e
  • File Size: 16,384 bytes (16 KB)
  • Type: PE32 executable (console) Intel 80386, .NET assembly
  • Framework: .NET Framework v4.0.30319 (Microsoft Visual Studio .NET)
  • Family: XWorm RAT (CONFIRMED - HIGH confidence 95%)
  • Version: Likely v5.x or early v6.x
  • Distribution Source: IP 109.230.231.37 (CONFIRMED - Open Directory)

Discovery Context: Discovered on an open directory at 109.230.231.37, an active malware distribution point serving multiple RAT variants. The presence of “agent_xworm.exe” alongside “agent.exe” (PoetRAT) suggests infrastructure reuse by organized threat actors.


Executive Technical Summary

Business Context

agent_xworm.exe is a professional-grade Remote Access Trojan with confirmed attribution to the XWorm malware family, which compromised 18,459 devices worldwide in a single campaign. XWorm operates as Malware-as-a-Service (MaaS), with builder tools enabling rapid generation of customized samples. The June 2025 release of XWorm v6 introduced advanced evasion capabilities (AMSI bypass, ETW tampering) that significantly enhance detection difficulty.

Key Business Impacts

  • Multi-Stage Attack Platform: 78% of XWorm campaigns deliver secondary malware (AsyncRAT, LockBit ransomware)
  • Credential Harvesting: Modular keylogging plugins threaten corporate credentials and MFA bypass
  • Network Pivoting: PowerShell execution enables lateral movement and Active Directory compromise
  • Regulatory Exposure: Data exfiltration creates GDPR, HIPAA, PCI-DSS violation risks
  • Ransomware Pipeline: Increasingly used as initial access for LockBit Black deployment

Detection Challenges

  • .NET Compilation: Inherent complexity in reverse engineering, easily recompiled for signature evasion
  • Small Footprint: 16KB binary evades size-based heuristics
  • Legitimate Naming: “agent” naming pattern blends with enterprise software
  • Dormant C2: Server offline during analysis (common XWorm evasion)
  • Base64 Encoding: Obfuscated network traffic prevents simple inspection
  • AMSI Bypass: XWorm v6 disables Antimalware Scan Interface
  • ETW Tampering: Event Tracing for Windows evasion reduces logging

Deep Technical Analysis

Code Architecture

agent_xworm.exe is a 32-bit .NET console application with a modular architecture:

Core Components:

  • Main Loop: Main() initiates C2 connection and heartbeat threads
  • Networking: TCP client (System.Net.Sockets.TcpClient) with automatic reconnection
  • Command Handler: HandleCmd() with dictionary-based command routing
  • Execution Engine: Exec() for PowerShell command execution
  • Reconnaissance: GetSysInfo(), GetLocalIP(), IsAdmin() for victim profiling
  • Encoding: ToJson(), FromJson(), Base64 encoding (ToBase64String())
  • Fingerprinting: GetMachineId() using MD5 hashing for unique victim IDs

Configuration Constants:

  • VERSION - XWorm version identifier
  • HEARTBEAT_MS - Keepalive interval
  • RECONNECT_MS - Reconnection delay
  • SERVER_HOST - C2 IP (109.230.231.37)
  • SERVER_PORT - C2 TCP port
  • AGENT_SECRET - Authentication (AgentSec_8hJ3kL6mN9pQ2rS5tU8vW1xY4zA7bC0d)

Embedded PowerShell Commands (each is passed as the argument string to powershell.exe; -NoP -C abbreviates -NoProfile -Command):

  1. Process Enumeration: -NoP -C Get-Process|Sort CPU -Desc|Select -First 20 Name,Id,CPU,WS|FT
  2. Service Discovery: -NoP -C Get-Service|?{$_.Status -eq 'Running'}|Select Name,Status,StartType|FT
  3. Domain Checking: -NoP -C Get-WmiObject Win32_ComputerSystem|Select Name,PartOfDomain,Domain,DomainRole

Command & Control Infrastructure

C2 Characteristics:

  • Server: 109.230.231.37 (hardcoded, offline during analysis)
  • Protocol: TCP with heartbeat keepalive
  • Authentication: Shared secret “AgentSec_8hJ3kL6mN9pQ2rS5tU8vW1xY4zA7bC0d”
  • Encoding: Base64 for command/data transmission
  • Reconnection: Automatic retry logic after connection failures

Operational Flow:

  1. Execute → hide console (ShowWindow API)
  2. Generate machine ID (MD5 hash)
  3. Connect to 109.230.231.37
  4. Authenticate with AGENT_SECRET
  5. Spawn heartbeat thread
  6. Receive/process commands via HandleCmd()
  7. Execute via Exec() → transmit results
  8. Auto-reconnect on failure

Business Impact: The hardcoded C2 IP (109.230.231.37) provides a critical blocking opportunity. Network traffic to this IP indicates an active XWorm infection requiring immediate response.
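As an added hunting illustration (not code from the report or from the sample), the Python script below pulls ASCII and UTF-16LE strings from a file and scores the markers described in this section: the C2 address, the AgentSec_ secret prefix, the embedded PowerShell templates and the .NET APIs. The stand-in sample bytes, the weights and the verdict threshold are this example's own constructions.

```python
import re
from typing import Dict, List

# Markers taken from this report; CONSTRUCTED bytes below stand in for a real file.
C2_IP = "109.230.231.37"
SECRET_PREFIX = "AgentSec_"
PS_TEMPLATES = ["-NoP -C Get-Process", "-NoP -C Get-Service", "-NoP -C Get-WmiObject"]
DOTNET_APIS = ["TcpClient", "ToBase64String", "DownloadFile", "ShowWindow", "Assembly.Load"]

def extract_strings(data: bytes, min_len: int = 6) -> List[str]:
    """ASCII strings plus UTF-16LE ones (how .NET stores user strings such as the secret)."""
    ascii_hits = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    utf16_hits = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return [s.decode("ascii") for s in ascii_hits] + [s.decode("utf-16le") for s in utf16_hits]

def triage(data: bytes) -> Dict[str, object]:
    """Score a file against the XWorm markers; the weights are this example's choice."""
    strings = extract_strings(data)
    blob = "\n".join(strings)
    secrets = [s for s in strings if SECRET_PREFIX in s]
    hits = {
        "c2_ip": C2_IP in blob,
        "agent_secret": secrets,
        "ps_templates": [t for t in PS_TEMPLATES if t in blob],
        "dotnet_apis": [a for a in DOTNET_APIS if a in blob],
    }
    score = 4 * hits["c2_ip"] + 3 * bool(secrets) + len(hits["ps_templates"]) + len(hits["dotnet_apis"])
    hits["score"] = score
    hits["verdict"] = "matches XWorm agent profile" if score >= 6 else "inconclusive"
    return hits

# CONSTRUCTED stand-in for the sample: .NET user strings are UTF-16LE, other metadata ASCII
SAMPLE = (
    b"MZ" + b"\x00" * 14
    + "109.230.231.37".encode("utf-16le") + b"\x00\x00"
    + "AgentSec_8hJ3kL6mN9pQ2rS5tU8vW1xY4zA7bC0d".encode("utf-16le") + b"\x00\x00"
    + "-NoP -C Get-Process|Sort CPU -Desc|Select -First 20 Name,Id,CPU,WS|FT".encode("utf-16le")
    + b"\x00\x00System.Net.Sockets.TcpClient\x00ToBase64String\x00DownloadFile\x00ShowWindow\x00"
)
BENIGN = b"hello world, nothing but ordinary text and no hardcoded addresses here"
```

Run the same triage over memory dumps of suspect processes to cover the "AgentSec_" hunt in the FAQ; a score dominated by the .NET API names alone stays inconclusive, since legitimate software uses them too.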

Capabilities Analysis

PowerShell Execution

Confirmed: CAPA analysis + embedded command templates

Implementation:

new ProcessStartInfo {
    FileName = "powershell.exe",
    Arguments = "-NoP -C <command>",        // <command> is the template received from C2
    UseShellExecute = false,                // required for stream redirection
    RedirectStandardOutput = true,          // output is captured and returned to C2
    RedirectStandardError = true,
    CreateNoWindow = true,                  // no visible PowerShell window
    WindowStyle = ProcessWindowStyle.Hidden
}

Capabilities Enabled:

  • Credential harvesting (Invoke-Mimikatz, LSASS dumping)
  • Lateral movement (Invoke-Command, WMI/WinRM)
  • Data discovery (Get-ChildItem, Select-String)
  • Privilege escalation (PowerUp, PowerSploit)
  • Persistence (Registry, scheduled tasks, WMI events)
  • Anti-forensics (log clearing, timestamp manipulation)

System Reconnaissance

Confirmed: CAPA T1082, T1033, T1087

Information Collected:

  • OS version, architecture, .NET runtime
  • Hostname, machine ID (MD5 fingerprint)
  • Username, administrator privileges (IsAdmin)
  • Local IP address (GetLocalIP)
  • Domain membership, role
  • Running processes, services

Business Impact: Enables targeted post-exploitation based on victim value assessment (domain membership + admin privileges = high priority).

File Download & Plugin System

Confirmed: CAPA - WebClient.DownloadFile

XWorm Plugin Architecture:

  • In-memory DLL loading (Assembly.Load from bytes)
  • No disk writes (evades file-based detection)
  • Modular capabilities: keylogger, screenshot, webcam, file exfiltration, crypto miner

Multi-Stage Attack Chain:

XWorm (16KB initial access)
    ↓ reconnaissance
AsyncRAT plugin (credential harvesting, lateral movement)
    ↓ privilege escalation
LockBit Black ransomware (encryption + exfiltration)

78% of XWorm campaigns deploy secondary payloads.

Stealth & Evasion

Confirmed Techniques:

  1. Hidden Console: ShowWindow(hWnd, 0) - SW_HIDE
  2. Base64 Encoding: Obfuscates C2 traffic
  3. Small Footprint: 16KB binary size

XWorm v6 Advanced Evasion (not confirmed in this sample):

  • AMSI bypass (disables PowerShell script inspection)
  • ETW tampering (prevents Script Block Logging)
  • Process injection, DLL side-loading

Reality Check: This sample uses basic stealth suitable for mass distribution. Advanced v6 variants include AMSI/ETW evasion. Detectable by:

  • Modern EDR with .NET process monitoring
  • PowerShell Script Block Logging (if enabled)
  • Network analysis for Base64 C2
  • YARA rules for authentication secret

XWorm Family Threat Intelligence

Historical Context

Timeline:

  • Mid-2022: XWorm first appears on dark-web marketplaces (MaaS model)
  • 2023: Rapid iteration (v4.x → v5.x) adds capabilities
  • H1 2024: Used in Russian state-sponsored attacks against Ukraine
  • June 4, 2025: XWorm v6 released - “fully re-coded, RCE-Fixed, AMSI bypass, ETW tampering”

Scale: 18,459 devices compromised in single builder campaign

Delivery Mechanisms

  • Email phishing (.vbs, .bat, .ps1, .hta, Office macros)
  • Drive-by downloads (compromised websites, exploit kits)
  • ClickFix social engineering (fake error messages → PowerShell execution)
  • Software supply chain (pirated software bundles)
  • Open directories (109.230.231.37 infrastructure)

Multi-Malware Ecosystem

Campaign Statistics:

  • 78% of XWorm campaigns deliver additional malware
  • 60%+ of secondary payloads are RATs (AsyncRAT, QuasarRAT, DcRAT)
  • 25% involve ransomware (LockBit Black, Conti, Hive)
  • 15% deploy infostealers (RedLine, Raccoon, Vidar)

Common Chain:

XWorm → AsyncRAT → LockBit Black ransomware

Threat Actor Usage:

  • Commodity cybercriminals (60% - financial gain)
  • Initial access brokers (10% - selling credentials)
  • Ransomware affiliates (25% - LockBit deployment)
  • State-sponsored groups (5% - Ukrainian intelligence reporting)

MITRE ATT&CK Mapping

| Tactic | Technique ID | Technique Name | Confidence |
|---|---|---|---|
| Execution | T1204.002 | User Execution: Malicious File | CONFIRMED |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | CONFIRMED |
| Persistence | T1547.001 | Registry Run Keys / Startup Folder | LIKELY (plugin) |
| Defense Evasion | T1564.003 | Hide Artifacts: Hidden Window | CONFIRMED |
| Defense Evasion | T1027 | Obfuscated Files or Information | CONFIRMED |
| Defense Evasion | T1562.001 | Impair Defenses: Disable Tools (AMSI/ETW) | POSSIBLE (v6) |
| Credential Access | T1056.001 | Input Capture: Keylogging | LIKELY (plugin) |
| Discovery | T1082 | System Information Discovery | CONFIRMED |
| Discovery | T1033 | System Owner/User Discovery | CONFIRMED |
| Discovery | T1057 | Process Discovery | CONFIRMED |
| Discovery | T1007 | System Service Discovery | CONFIRMED |
| Collection | T1005 | Data from Local System | CONFIRMED |
| Collection | T1113 | Screen Capture | LIKELY (plugin) |
| Command and Control | T1071.001 | Application Layer Protocol | CONFIRMED |
| Command and Control | T1132.001 | Data Encoding: Standard Encoding | CONFIRMED |
| Command and Control | T1105 | Ingress Tool Transfer | CONFIRMED |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | CONFIRMED |
| Impact | T1486 | Data Encrypted for Impact | LIKELY (campaign context) |

Frequently Asked Questions

Q: Why is the C2 server offline?

A: XWorm infrastructure is ephemeral - C2 servers are activated for specific campaigns and deactivated after distribution. The open directory (109.230.231.37) was the distribution point; the actual C2 may be different infrastructure or operator-specific.

Q: How does the XWorm plugin system work?

A: In-memory DLL loading via .NET reflection. C2 sends plugin URL → malware downloads DLL bytes → Assembly.Load into memory (no disk writes). Plugins include keyloggers, screenshot capture, webcam access.

Q: What makes XWorm particularly dangerous?

A: (1) Mass scale - 18,459 devices in single campaign; (2) Multi-malware - 78% deliver secondary payloads including ransomware; (3) Advanced evasion - XWorm v6 AMSI/ETW bypass.

Q: Should we rebuild infected systems?

A: REBUILD STRONGLY RECOMMENDED. Modular architecture means unknown plugins may be loaded. 78% of campaigns deliver secondary malware (AsyncRAT, LockBit). Cleanup has significant residual risk.

Q: What are compliance implications?

A: Significant violations possible:

  • GDPR: 72-hour breach notification
  • HIPAA: PHI exposure triggers HHS notification
  • PCI-DSS: Forensic investigation, potential fines
  • SOX: Financial data integrity concerns

Q: How to detect XWorm if antivirus fails?

A: Behavioral detection:

  • Enable PowerShell Script Block Logging (Event ID 4104)
  • Deploy EDR monitoring .NET processes with hidden windows + network
  • Network analysis for Base64-encoded C2
  • Hunt for “AgentSec_” authentication secret in memory
  • Monitor WebClient.DownloadFile from non-browser processes
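An added example (not from the report) for the "network analysis for Base64-encoded C2" item: it assumes, based on the ToJson()/ToBase64String() helpers named in the Code Architecture section, that client messages are Base64-wrapped JSON, and flags a destination when at least two of three signals hold: messages decode that way, they arrive at a regular heartbeat interval, or they go to the known C2 address. The flow records, message shape and jitter threshold are constructed for this example.

```python
import base64, json, re, statistics
from typing import Dict, List, Optional, Tuple

KNOWN_C2 = {"109.230.231.37"}                  # C2 address named in the report
B64_RE = re.compile(rb"^[A-Za-z0-9+/]{16,}={0,2}$")

def decode_c2_payload(payload: bytes) -> Optional[dict]:
    """JSON object carried by a Base64 message, else None. ASSUMPTION of this
    example: messages are Base64(JSON), inferred from ToJson()/ToBase64String()."""
    body = payload.strip()
    if not B64_RE.match(body) or len(body) % 4:
        return None
    try:
        obj = json.loads(base64.b64decode(body, validate=True))
    except ValueError:                         # bad Base64, bad UTF-8 or bad JSON
        return None
    return obj if isinstance(obj, dict) else None

def beacon_interval(timestamps: List[float]) -> Optional[float]:
    """Median gap between messages when the gaps are regular (jitter < 20%)."""
    if len(timestamps) < 4:
        return None
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    med = statistics.median(gaps)
    return med if med > 0 and statistics.pstdev(gaps) / med < 0.2 else None

def analyse(flows: List[Tuple[float, str, bytes]]) -> Dict[str, dict]:
    """flows: (timestamp, dst_ip, client-to-server payload), one tuple per message."""
    by_dst: Dict[str, list] = {}
    for ts, dst, payload in flows:
        by_dst.setdefault(dst, []).append((ts, payload))
    findings = {}
    for dst, msgs in by_dst.items():
        reasons = ["known XWorm C2 address"] if dst in KNOWN_C2 else []
        if all(decode_c2_payload(p) is not None for _, p in msgs):
            reasons.append("every message is Base64(JSON)")
        interval = beacon_interval([ts for ts, _ in msgs])
        if interval:
            reasons.append(f"regular heartbeat every {interval:.0f}s")
        findings[dst] = {"reasons": reasons, "interval": interval, "suspicious": len(reasons) >= 2}
    return findings

def build_message(**fields) -> bytes:
    return base64.b64encode(json.dumps(fields).encode())   # assumed message shape

# CONSTRUCTED flow records: a 30 s heartbeat to the C2 plus unrelated HTTP requests
SAMPLE_FLOWS = [(t, "109.230.231.37", build_message(type="hb", id="3f2a"))
                for t in (0.0, 30.0, 60.5, 90.0, 120.0)] + [
    (3.0, "203.0.113.10", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (500.0, "203.0.113.10", b"GET /a HTTP/1.1\r\nHost: example.test\r\n\r\n")]
```

Because the Base64(JSON) and heartbeat signals do not depend on the address, a destination other than 109.230.231.37 is still flagged when both hold, which is what matters once the operator moves to new C2 infrastructure.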

Q: Estimated remediation timeline?

A: Rebuild approach:

  • Immediate (0-4h): Isolation, evidence preservation, C2 blocking, hunting
  • Investigation (4-24h): Forensics, scope determination, hunt for AsyncRAT/LockBit
  • Remediation (1-3 days): Rebuild, credential rotation (ALL users), secondary malware hunting
  • Validation (3-14 days): Reinfection monitoring, cleanup verification

Cost: $100K-$400K per incident (labor, tools, disruption, potential ransomware)


Research Sources

  • Huntress: [XWorm Malware: Analysis, Detection, Removal](https://www.huntress.com/threat-library/malware/xworm)
  • Picus Security: [XWorm Rises Again: Dissecting the Modular Malware’s V6 Resurrection](https://www.picussecurity.com/resource/blog/xworm-rises-again-dissecting-the-modular-malwares-v6-resurrection)
  • MSSP Alert: [18,459 Devices Compromised Worldwide Via XWorm RAT Builder](https://www.msspalert.com/brief/18459-devices-compromised-worldwide-via-xworm-rat-builder)
  • Logpoint: [XWorm RAT analysis: Steal, persist & control](https://logpoint.com/en/blog/xworm-rat-analysis-steal-persist-control)
  • Malpedia: [XWorm (Malware Family)](https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm)

License

© 2026 Joseph. All rights reserved. Free to read, but reuse requires written permission.