XWorm Cocktail: A Mix of PE data with PowerShell Code

Feb. 19, 2025, 7:56 p.m.

Description

A malicious file discovered on VirusTotal triggered a PowerShell rule, leading to the investigation of two closely related files identified as 'data files' but named as executables. The files contain a mix of PowerShell code, binary data, and obfuscated text. Analysis revealed characteristics of XWorm malware, including functions for system manipulation, data exfiltration, and keylogging. The obfuscation technique involves Base64 encoding, compression, and mathematical operations combined with logical operands. The malware attempts to evade detection, create persistence, and perform various malicious activities. The investigation highlights the complexity of modern malware obfuscation techniques and the challenges in deobfuscating such threats.
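As an added example (not code from the original report or from the XWorm analysis it summarises), the following triage check targets the mismatch described above: a file carrying an executable name that is not a valid PE image yet contains PowerShell source. The token list, sample bytes and threshold are constructed assumptions.

```python
import re
import struct

# Tokens that commonly appear in PowerShell loaders built from Base64,
# compression and arithmetic/bitwise mixing (assumed list, not from the report).
PS_TOKENS = [
    rb"FromBase64String",
    rb"IO\.Compression",
    rb"Invoke-Expression|\biex\b",
    rb"-bxor",
    rb"\$[A-Za-z_]\w*\s*=",
]

def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def powershell_hits(data: bytes) -> list[str]:
    """Return the PowerShell token patterns found in data (case-insensitive)."""
    return [p.decode() for p in PS_TOKENS if re.search(p, data, re.IGNORECASE)]

def triage(name: str, data: bytes) -> dict:
    """Flag executable-named files that are not PE images but carry PowerShell."""
    is_pe = looks_like_pe(data)
    hits = powershell_hits(data)
    exe_name = name.lower().endswith((".exe", ".dll", ".scr"))
    return {
        "name": name,
        "is_pe": is_pe,
        "powershell_tokens": hits,
        "suspicious": exe_name and not is_pe and len(hits) >= 2,
    }

# Constructed samples (not the real files from the report): a minimal
# well-formed MZ/PE stub, and a fake "executable" holding PowerShell text.
REAL_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 16
FAKE_EXE = (b"MZ\x90\x00junk" + b"\x00" * 200 +
            b"$k = [Convert]::FromBase64String('AAAA');"
            b"$s = New-Object IO.Compression.GZipStream($m,[IO.Compression.CompressionMode]::Decompress);"
            b"$b = $b -bxor 0x41; IEX $code")

if __name__ == "__main__":
    for n, d in (("setup.exe", REAL_PE), ("update.exe", FAKE_EXE)):
        print(triage(n, d))
```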

Date

  • Created: Feb. 19, 2025, 4:12 p.m.
  • Published: Feb. 19, 2025, 4:12 p.m.
  • Modified: Feb. 19, 2025, 7:56 p.m.

Indicators

  • d0b448d4de707a9fb611166278065afa2c52029234f7876158c8dd4798f08f9f
  • add19a9db4730f41575fb951e9aec6dcf35d8db2cb94cba896667881467e6fd5
  • 7c2f2a9a6078d37ee241e43f392f825630016c8ca8416bfd12cd27501b6876d1

Attack Patterns

  • XWorm
  • T1546.011
  • T1543.003
  • T1053.005
  • T1136
  • T1497.001
  • T1059.003
  • T1059.001
  • T1547.001
  • T1087
  • T1056.001
  • T1071.001
  • T1518.001
  • T1562.001
  • T1016
  • T1082
  • T1105
  • T1083
  • T1140
  • T1027
  • T1112