Introduction

A suspicious email was identified by the security team, containing a potentially malicious attachment. The sender appears to impersonate a well-known software company, using social engineering tactics to trick the recipient into executing the file.

As a malware analyst, your task is to analyze the attached binary to understand its behavior, capabilities, and infrastructure. Your findings will help the incident response team assess the scope of the threat and take appropriate action.

Sample: XWorm.malware
SHA256: CED525930C76834184B4E194077C8C4E7342B3323544365B714943519A0F92AF


Initial Setup

Before analysis, rename the sample from XWorm.malware to XWorm.exe so analysis tools can load it properly. Perform all work inside an isolated VM with no network connectivity.


Q1. To determine when the malware was compiled, examine the PE header of the file. What is the compilation timestamp (UTC) of the malware?

We begin with initial triage using Detect It Easy (DIE). Open XWorm.exe in DIE. DIE immediately identifies the binary as a VB.NET application compiled with .NET Framework (CLR 4.0.30319) and linked with Microsoft Linker 11.0. Knowing this is a .NET binary is important — it means we can use dnSpy for full decompilation rather than relying on disasse
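The timestamp Q1 asks for can be read directly from the PE header; the following is an added example, not part of the lab or the DIE tool, that walks the DOS header's e_lfanew pointer, verifies the `PE\0\0` signature and decodes the COFF `TimeDateStamp` as UTC. The input is a constructed minimal header, not the XWorm binary; the plausibility check matters for .NET samples, where deterministic builds store a hash-derived value in this field rather than a real build time.

```python
import struct
from datetime import datetime, timezone

def pe_compile_timestamp(data: bytes) -> datetime:
    """Return the COFF header TimeDateStamp of a PE image as a UTC datetime."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    # e_lfanew (offset 0x3C in the DOS header) points at the 'PE\0\0' signature
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: bad PE signature")
    # COFF file header follows the 4-byte signature:
    #   Machine (2) | NumberOfSections (2) | TimeDateStamp (4) | ...
    (timestamp,) = struct.unpack_from("<I", data, e_lfanew + 4 + 4)
    return datetime.fromtimestamp(timestamp, tz=timezone.utc)

def timestamp_sanity(stamp: datetime, now: datetime) -> str:
    """Classify a compile timestamp. Deterministic .NET builds and packers
    often leave values that are in the future or absurdly old."""
    if stamp > now:
        return "future (likely forged or hash-derived)"
    if stamp.year < 2000:
        return "implausibly old (likely forged or hash-derived)"
    return "plausible"

def build_sample_pe(timestamp: int) -> bytes:
    """Constructed minimal PE header for demonstration (not a real binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> 0x40
    coff = struct.pack(
        "<HHIIIHH",
        0x014C,      # Machine: IMAGE_FILE_MACHINE_I386
        3,           # NumberOfSections
        timestamp,   # TimeDateStamp (seconds since Unix epoch)
        0, 0,        # PointerToSymbolTable, NumberOfSymbols
        0xE0,        # SizeOfOptionalHeader (PE32)
        0x0102,      # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    )
    return bytes(dos) + b"PE\0\0" + coff

if __name__ == "__main__":
    sample = build_sample_pe(1600000000)  # constructed value
    stamp = pe_compile_timestamp(sample)
    print(stamp.isoformat(), timestamp_sanity(stamp, datetime.now(timezone.utc)))
```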
