Malware stories: Deworming the XWorm
ID: 019f95be-4d96-595d-a124-0179f9b78404
STIX ID: report--019f95be-4d96-595d-a124-0179f9b78404
Feed Name: CERT Polska
This report provides an in-depth technical analysis of the XWorm .NET malware family. It covers multi-stage unpacking and deobfuscation, AES-based config decryption, implemented capabilities (RAT functions, keylogger, USB spreading, plugin support, DDoS and remote execution), the C2 protocol, a list of sample hashes and C2 servers, and an automated extractor that retrieves and decrypts configs for detection and threat intelligence purposes.
