XWorm V5.6 Payload Fetching C2 Instructions From Pastebin

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File

knestcful.exe

Type

Win64 Executable (generic)

SHA‑1

de9ffe8dece95615367ee605ccf9c2ccf936d037

MD5

41a3d7a6ac2f2bb26877015c31419964

First Seen

2025-11-25 08:00:58.169233

Last Analysis

2025-11-25 09:02:44.359804

Dwell Time

0 days, 7 hours, 33 minutes

Extended Dwell Time Impact

For 1+ hours, this malware remained undetected — a limited but sufficient window for the adversary to complete initial execution and establish basic system access.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case represents rapid detection and containment within hours rather than days.

Timeline

Time (UTC)	Event	Elapsed
2025-11-24 20:10:07 UTC	First VirusTotal submission	—
2025-11-27 06:50:27 UTC	Latest analysis snapshot	2 days, 10 hours, 40 minutes
2025-11-27 12:57:26 UTC	Report generation time	2 days, 16 hours, 47 minutes

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 70. Detected as malicious: 57. Missed: 13. Coverage: 81.4%.

Detected Vendors

Xcitium
+56 additional vendors (names not provided)

List includes Xcitium plus an additional 56 vendors per the provided summary.

Missed Vendors

Acronis
Antiy-AVL
Baidu
CMC
MaxSecure
NANO-Antivirus
TACHYON
tehtris
VBA32
ViRobot
Yandex
ZoneAlarm
Zoner

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

This threat shows heavy registry manipulation (47.03% of total behavior), indicating persistent backdoor installation, configuration tampering, or system policy modification attempts. The malware likely establishes persistence mechanisms and modifies security settings to maintain long-term access.

Behavior Categories (weighted)

Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.

Category	Weight	Percentage
Registry	4407	47.03%
File System	2100	22.41%
System	1987	21.21%
Process	431	4.60%
Network	156	1.66%
Misc	111	1.18%
Device	58	0.62%
Crypto	44	0.47%
Threading	32	0.34%
Synchronization	26	0.28%
Hooking	5	0.05%
Com	5	0.05%
Windows	4	0.04%
Services	4	0.04%

MITRE ATT&CK Mapping

T1083 – get common file path
T1027 – encode data using XOR
T1222 – set file attributes
T1059 – accept command line arguments
T1546.001 – persist via default file association registry key
T1614 – get geographical location
T1083 – get file size
T1027 – encrypt data using RC4 PRGA
T1083 – check if file exists
T1129 – link function at runtime on Windows
T1082 – get disk information
T1129 – parse PE header

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Contacted Domains

Domain	IP	Country	ASN/Org
pastebin.com	172.66.171.73	United States	Cloudflare, Inc.
www.aieov.com	76.223.54.146	United States	Amazon.com, Inc.

Observed IPs

IP	Country	ASN/Org
224.0.0.252	—	—
8.8.4.4	United States	Google LLC
8.8.8.8	United States	Google LLC

DNS Queries

Request	Type
5isohu.com	A
www.aieov.com	A
pastebin.com	A

Contacted IPs

IP	Country	ASN/Org
224.0.0.252	—	—
8.8.4.4	United States	Google LLC
8.8.8.8	United States	Google LLC

Port Distribution

Port	Count	Protocols
137	1	udp
5355	5	udp
53	88	udp

UDP Packets

Source IP	Dest IP	Sport	Dport	Time	Proto
192.168.56.14	192.168.56.255	137	137	3.102414131164551	udp
192.168.56.14	224.0.0.252	51209	5355	3.0215799808502197	udp
192.168.56.14	224.0.0.252	53401	5355	4.12353515625	udp
192.168.56.14	224.0.0.252	55094	5355	5.750133991241455	udp
192.168.56.14	224.0.0.252	55848	5355	3.021811008453369	udp
192.168.56.14	224.0.0.252	65148	5355	19.875344038009644	udp
192.168.56.14	8.8.4.4	49916	53	51.51535606384277	udp
192.168.56.14	8.8.4.4	50180	53	75.98433804512024	udp
192.168.56.14	8.8.4.4	50582	53	316.17172408103943	udp
192.168.56.14	8.8.4.4	50710	53	36.812268018722534	udp
192.168.56.14	8.8.4.4	50870	53	162.57859897613525	udp
192.168.56.14	8.8.4.4	50914	53	127.79730296134949	udp
192.168.56.14	8.8.4.4	51262	53	160.46882104873657	udp
192.168.56.14	8.8.4.4	51614	53	207.51545596122742	udp
192.168.56.14	8.8.4.4	52116	53	268.9529011249542	udp
192.168.56.14	8.8.4.4	52556	53	197.1720199584961	udp
192.168.56.14	8.8.4.4	52815	53	6.968860149383545	udp
192.168.56.14	8.8.4.4	53449	53	179.87470197677612	udp
192.168.56.14	8.8.4.4	53837	53	359.18774008750916	udp
192.168.56.14	8.8.4.4	54017	53	287.3592960834503	udp
192.168.56.14	8.8.4.4	54579	53	24.015871047973633	udp
192.168.56.14	8.8.4.4	54683	53	98.81244397163391	udp
192.168.56.14	8.8.4.4	55827	53	128.01561093330383	udp
192.168.56.14	8.8.4.4	55914	53	65.96902298927307	udp
192.168.56.14	8.8.4.4	56172	53	352.76589012145996	udp
192.168.56.14	8.8.4.4	56399	53	93.296865940094	udp
192.168.56.14	8.8.4.4	56716	53	266.281023979187	udp
192.168.56.14	8.8.4.4	56763	53	335.45356607437134	udp
192.168.56.14	8.8.4.4	56864	53	231.74984407424927	udp
192.168.56.14	8.8.4.4	57355	53	301.74987411499023	udp
192.168.56.14	8.8.4.4	57742	53	193.10979294776917	udp
192.168.56.14	8.8.4.4	59068	53	174.84394812583923	udp
192.168.56.14	8.8.4.4	59212	53	240.2028751373291	udp
192.168.56.14	8.8.4.4	60117	53	41.35947799682617	udp
192.168.56.14	8.8.4.4	60713	53	145.29670310020447	udp
192.168.56.14	8.8.4.4	61083	53	283.5465760231018	udp
192.168.56.14	8.8.4.4	61713	53	318.187283039093	udp
192.168.56.14	8.8.4.4	62022	53	80.45579504966736	udp
192.168.56.14	8.8.4.4	62055	53	300.89091515541077	udp
192.168.56.14	8.8.4.4	62112	53	22.406662940979004	udp
192.168.56.14	8.8.4.4	62548	53	113.2660620212555	udp
192.168.56.14	8.8.4.4	62800	53	146.0936930179596	udp
192.168.56.14	8.8.4.4	62997	53	254.57855796813965	udp
192.168.56.14	8.8.4.4	63205	53	110.62534308433533	udp
192.168.56.14	8.8.4.4	63906	53	344.7970390319824	udp
192.168.56.14	8.8.4.4	64452	53	214.4221169948578	udp
192.168.56.14	8.8.4.4	64753	53	58.70297908782959	udp
192.168.56.14	8.8.4.4	64950	53	330.421972990036	udp
192.168.56.14	8.8.4.4	65271	53	249.01569294929504	udp
192.168.56.14	8.8.4.4	65283	53	221.95324206352234	udp
192.168.56.14	8.8.8.8	49916	53	50.516247034072876	udp
192.168.56.14	8.8.8.8	50180	53	74.98509001731873	udp
192.168.56.14	8.8.8.8	50582	53	315.173583984375	udp
192.168.56.14	8.8.8.8	50710	53	35.822083950042725	udp
192.168.56.14	8.8.8.8	50870	53	161.5920021533966	udp
192.168.56.14	8.8.8.8	50914	53	126.79711294174194	udp
192.168.56.14	8.8.8.8	51262	53	159.4752790927887	udp
192.168.56.14	8.8.8.8	51614	53	206.52441000938416	udp
192.168.56.14	8.8.8.8	52116	53	267.96269512176514	udp
192.168.56.14	8.8.8.8	52556	53	196.17418909072876	udp
192.168.56.14	8.8.8.8	52815	53	7.968786954879761	udp
192.168.56.14	8.8.8.8	53449	53	178.8798451423645	udp
192.168.56.14	8.8.8.8	53837	53	358.2030861377716	udp
192.168.56.14	8.8.8.8	54017	53	286.36004400253296	udp
192.168.56.14	8.8.8.8	54579	53	23.015639066696167	udp
192.168.56.14	8.8.8.8	54683	53	97.81290602684021	udp
192.168.56.14	8.8.8.8	55827	53	127.02167105674744	udp
192.168.56.14	8.8.8.8	55914	53	64.96930193901062	udp
192.168.56.14	8.8.8.8	56172	53	351.7790460586548	udp
192.168.56.14	8.8.8.8	56399	53	92.29699516296387	udp
192.168.56.14	8.8.8.8	56716	53	265.29054498672485	udp
192.168.56.14	8.8.8.8	56763	53	334.46347403526306	udp
192.168.56.14	8.8.8.8	56864	53	230.7626130580902	udp
192.168.56.14	8.8.8.8	57355	53	300.75530910491943	udp
192.168.56.14	8.8.8.8	57742	53	192.11570715904236	udp
192.168.56.14	8.8.8.8	59068	53	173.85006093978882	udp
192.168.56.14	8.8.8.8	59212	53	239.2111189365387	udp
192.168.56.14	8.8.8.8	60117	53	40.35968208312988	udp
192.168.56.14	8.8.8.8	60713	53	144.31245613098145	udp
192.168.56.14	8.8.8.8	61083	53	282.5565810203552	udp
192.168.56.14	8.8.8.8	61713	53	317.1881239414215	udp
192.168.56.14	8.8.8.8	62022	53	79.45339298248291	udp
192.168.56.14	8.8.8.8	62055	53	299.90118503570557	udp
192.168.56.14	8.8.8.8	62112	53	21.40661907196045	udp
192.168.56.14	8.8.8.8	62548	53	112.26606702804565	udp
192.168.56.14	8.8.8.8	62800	53	145.10693907737732	udp
192.168.56.14	8.8.8.8	62997	53	253.5942211151123	udp
192.168.56.14	8.8.8.8	63205	53	109.62539505958557	udp
192.168.56.14	8.8.8.8	63906	53	343.80085802078247	udp
192.168.56.14	8.8.8.8	64452	53	213.4357089996338	udp
192.168.56.14	8.8.8.8	64753	53	57.703556060791016	udp
192.168.56.14	8.8.8.8	64950	53	329.4227740764618	udp
192.168.56.14	8.8.8.8	65271	53	248.01868605613708	udp
192.168.56.14	8.8.8.8	65283	53	220.9650411605835	udp

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.

What To Do Now — Practical Defense Playbook

Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.

Zero‑Dwell Threat Intelligence Report