Malicious

f1e932a91ae6248fe628b5fc303b84e6

PE Executable | MD5: f1e932a91ae6248fe628b5fc303b84e6 | Size: 65.55 KB | application/x-dosexec

Characteristics

Symbol Obfuscation Score: Very high

Hash
MD5: f1e932a91ae6248fe628b5fc303b84e6
Sha1: 35110411492f8121ed1877903b966051bd9f1525
Sha256: 58f75e02032fb21bbd4bcc72ed18edd24b986b206e51e7ec57003eabdf2883a4
Sha384: d995276d1498e387285e2d50a205e0e57f1df87ac9fa45095e94506e0b7bf323b3ca89548230483e8174be64d14fac48
Sha512: 547d5ffb3a0665bcfbdbc516441f9d883ac5c6cf06480cc15fc73bc4bd4f4901963be15dac64b9266f58defb621f337d91a71b23019ec0edaf09c06e508ae728
SSDeep: 768:5qmsOpXjv6P1bv5eykDlfVMVoJVpIsSgzbYTyBd19KVuuJTF6eFOwhUvxBB:5FDydzYltMVoJVlzbY2HsJ56eFOwyBB
TLSH: F0537C1C77F1422AD6FF5FB528F36152D336E3239503972F28C4169A6617E888E413EA

PeID

.NET executable
Microsoft Visual C# / Basic .NET
Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL
Microsoft Visual C# v7.0 / Basic .NET
Microsoft Visual Studio .NET
Malware Configuration - XWorm config
Mutex: SEb72SlnWovGeg7m
Hosts: 127.0.0.1
Port: 7000
KEY: <123456789>
USBNM: <Xwormmm>
family: xworm

Informations
Info: PE Detect: PeReader FAIL, AsmResolver Mapped OK
Info: Remap: Mapped -> FileLayout (RAM only) as [Rebuild from dump]_a3c12665.exe
Module Name: amongus.exe
Full Name: amongus.exe
EntryPoint: System.Void Stub.C5SJZtT4FfkGQQXYeeYsuI7cgqPgjr2wgeYhRdQntH9weD525yxYBVfPXG7GWQpGXkSt0PvMenMBOKYy2H::wmQQFi4WwboSEHYYLePIlblzeqBn8rShsb68eavVI5OKq4gk9kcTU6un8qXtAqEzYWkfw6E4IOVW7hx8uc()
Scope Name: amongus.exe
Scope Type: ModuleDef
Kind: Windows
Runtime Version: v4.0.30319
Tables Header Version: 512
WinMD Version: <null>
Assembly Name: amongus
Assembly Version: 1.0.0.0
Assembly Culture: <null>
Has PublicKey: False
PublicKey Token: <null>
Target Framework: <null>
Total Strings: 210
Main Method: System.Void Stub.C5SJZtT4FfkGQQXYeeYsuI7cgqPgjr2wgeYhRdQntH9weD525yxYBVfPXG7GWQpGXkSt0PvMenMBOKYy2H::wmQQFi4WwboSEHYYLePIlblzeqBn8rShsb68eavVI5OKq4gk9kcTU6un8qXtAqEzYWkfw6E4IOVW7hx8uc()
Main IL Instruction Count: 54
Main IL (one instruction per line):
ldsfld System.Int32 OmYwI1EDqCZNPpF5yRzqYSS0ylR8K2f6dMMROgc6eT389zTC13ccInK2VcuEZv92hTARDV4Fu89SHFrRwLkwDfze5ASE3Tj7n::LUkYcfiLBKaXsF9prizvqfb3fuFHI9YLiy0NcYIGmSMOz0YUcxyoPjpWSo3WZczTr1uOMuRE9ldmTzHfQM
ldc.i4 1000
mul.ovf <null>
call System.Void System.Threading.Thread::Sleep(System.Int32)
ldsfld System.String OmYwI1EDqCZNPpF5yRzqYSS0ylR8K2f6dMMROgc6eT389zTC13ccInK2VcuEZv92hTARDV4Fu89SHFrRwLkwDfze5ASE3Tj7n::WsxLoadbg6FItF3nozleUhpNGZfkMuqs3YjiVkmHJzYNdMDvDuV67fZnUywboH8D0IMex0XXjPabDldEhdBPayalaKTyWcaHq
call System.Object Stub.T0SK3KiiLmB2D31TuTzI1gb9::YPT7HPW9XQgk4bX5HwJgDCla(System.String)
call System.String Microsoft.VisualBasic.CompilerServices.Conversions::ToString(System.Object)
stsfld System.String OmYwI1EDqCZNPpF5yRzqYSS0ylR8K2f6dMMROgc6eT389zTC13ccInK2VcuEZv92hTARDV4Fu89SHFrRwLkwDfze5ASE3Tj7n::WsxLoadbg6FItF3nozleUhpNGZfkMuqs3YjiVkmHJzYNdMDvDuV67fZnUywboH8D0IMex0XXjPabDldEhdBPayalaKTyWcaHq
ldsfld System.String OmYwI1EDqCZNPpF5yRzqYSS0ylR8K2f6dMMROgc6eT389zTC13ccInK2VcuEZv92hTARDV4Fu89SHFrRwLkwDfze5ASE3Tj7n::jTCPOnuKWwG1Av5KwXTIVWE8GuYs8HcCzzuO7FJ0MGzPbe3Ae92btrFHrkjyX637f3BCNEdyQ8P9Ksw0XNLokKAv5Yw5fFqUP
call System.Object Stub.T0SK3KiiLmB2D31TuTzI1gb9::YPT7HPW9XQgk4bX5HwJgDCla(System.String)
call System.String Microsoft.VisualBasic.CompilerServices.Conversions::ToString(System.Object)
stsfld System.String OmYwI1EDqCZNPpF5yRzqYSS0ylR8K2f6dMMROgc6eT389zTC13ccInK2VcuEZv92hTARDV4Fu89SHFrRwLkwDfze5ASE3Tj7n::jTCPOnuKWwG1Av5KwXTIVWE8GuYs8HcCzzuO7FJ0MGzPbe3Ae92btrFHrkjyX637f3BCNEdyQ8P9Ksw0XNLokKAv5Yw5fFqUP
ldsfld System.String OmYwI1EDqCZNPpF5yRzqYSS0ylR8K2f6dMMROgc6eT389zTC13ccInK2VcuEZv92hTARDV4Fu89SHFrRwLkwDfze5ASE3Tj7n::QO4g2QR8f6qjdpn5MGpSBf3jyWAG47t4qyPA6pE8B38XDqieEeyH2ctsN8imL0I632V3eLLYJfssFYadCQSxciR2eiUuFQr78
call System.Object Stub.T0SK3KiiLmB2D31TuTzI1gb9::YPT7HPW9XQgk4bX5HwJgDCla(System.String)
call System.String Microsoft.VisualBasic.CompilerServices.Conversions::ToString(System.Object)
stsfld System.String OmYwI1EDqCZNPpF5yRzqYSS0ylR8K2f6dMMROgc6eT389zTC13ccInK2VcuEZv92hTARDV4Fu89SHFrRwLkwDfze5ASE3Tj7n::QO4g2QR8f6qjdpn5MGpSBf3jyWAG47t4qyPA6pE8B38XDqieEeyH2ctsN8imL0I632V3eLLYJfssFYadCQSxciR2eiUuFQr78
ldsfld System.String OmYwI1EDqCZNPpF5yRzqYSS0ylR8K2f6dMMROgc6eT389zTC13ccInK2VcuEZv92hTARDV4Fu89SHFrRwLkwDfze5ASE3Tj7n::MGZrBV5s9vPaxDxyliqLdr8spzjvxITIHnhu9uV0MLqDJOJSIrlqYtoAQ4RJYQSdGU7q0GI8wBNCqH7Znu
call System.Object Stub.T0SK3KiiLmB2D31TuTzI1gb9::YPT7HPW9XQgk4bX5HwJgDCla(System.String)
call System.String Microsoft.VisualBasic.CompilerServices.Conversions::ToString(System.Object)
stsfld System.String OmYwI1EDqCZNPpF5yRzqYSS0ylR8K2f6dMMROgc6eT389zTC13ccInK2VcuEZv92hTARDV4Fu89SHFrRwLkwDfze5ASE3Tj7n::MGZrBV5s9vPaxDxyliqLdr8spzjvxITIHnhu9uV0MLqDJOJSIrlqYtoAQ4RJYQSdGU7q0GI8wBNCqH7Znu
ldsfld System.String OmYwI1EDqCZNPpF5yRzqYSS0ylR8K2f6dMMROgc6eT389zTC13ccInK2VcuEZv92hTARDV4Fu89SHFrRwLkwDfze5ASE3Tj7n::9GtOTsXNzpdkN7hJOQoSciB4SgdahTRy4nqGQiKEBPT3Kye4dCfkSM3AFGQqmXUOcoYVP2IIIKB6H15fN5
call System.Object Stub.T0SK3KiiLmB2D31TuTzI1gb9::YPT7HPW9XQgk4bX5HwJgDCla(System.String)
call System.String Microsoft.VisualBasic.CompilerServices.Conversions::ToString(System.Object)
stsfld System.String OmYwI1EDqCZNPpF5yRzqYSS0ylR8K2f6dMMROgc6eT389zTC13ccInK2VcuEZv92hTARDV4Fu89SHFrRwLkwDfze5ASE3Tj7n::9GtOTsXNzpdkN7hJOQoSciB4SgdahTRy4nqGQiKEBPT3Kye4dCfkSM3AFGQqmXUOcoYVP2IIIKB6H15fN5
leave.s IL_008A: call System.Boolean Stub.HV9f0NQ0CbUN9bT10YyDgYk6::KEpc9RLgWCiQOPdixDUFg4Os()
dup <null>
call System.Void Microsoft.VisualBasic.CompilerServices.ProjectData::SetProjectError(System.Exception)
stloc.2 <null>
ldc.i4.0 <null>
call System.Void System.Environment::Exit(System.Int32)
call System.Void Microsoft.VisualBasic.CompilerServices.ProjectData::ClearProjectError()
leave.s IL_008A: call System.Boolean Stub.HV9f0NQ0CbUN9bT10YyDgYk6::KEpc9RLgWCiQOPdixDUFg4Os()
call System.Boolean Stub.HV9f0NQ0CbUN9bT10YyDgYk6::KEpc9RLgWCiQOPdixDUFg4Os()
brtrue.s IL_0097: call System.Void Stub.HV9f0NQ0CbUN9bT10YyDgYk6::OUUkAQehxR4fQEuTKxrVGrTv()
ldc.i4.0 <null>
call System.Void System.Environment::Exit(System.Int32)
call System.Void Stub.HV9f0NQ0CbUN9bT10YyDgYk6::OUUkAQehxR4fQEuTKxrVGrTv()
ldnull <null>
ldftn System.Void Stub.C5SJZtT4FfkGQQXYeeYsuI7cgqPgjr2wgeYhRdQntH9weD525yxYBVfPXG7GWQpGXkSt0PvMenMBOKYy2H::M7Ip37mJunbgq2myrqxzA6wHKa1je95TXhyvAWXcobjMo4cLTYTyYxXQeQEzkkYEhsPpPQyTGc7xJMjWwm()
newobj System.Void System.Threading.ThreadStart::.ctor(System.Object,System.IntPtr)
newobj System.Void System.Threading.Thread::.ctor(System.Threading.ThreadStart)
stloc.0 <null>
ldnull <null>
ldftn System.Void Stub.C5SJZtT4FfkGQQXYeeYsuI7cgqPgjr2wgeYhRdQntH9weD525yxYBVfPXG7GWQpGXkSt0PvMenMBOKYy2H::TgBFFlqwGWsajEOnOCL7GILjwaSiqmUdydxrWsVnPamjkSzw6ViHztSckMy65ptg5fPB2OV60713i4D6Mt()
newobj System.Void System.Threading.ThreadStart::.ctor(System.Object,System.IntPtr)
newobj System.Void System.Threading.Thread::.ctor(System.Threading.ThreadStart)
stloc.1 <null>
ldloc.0 <null>
callvirt System.Void System.Threading.Thread::Start()
ldloc.1 <null>
callvirt System.Void System.Threading.Thread::Start()
ldloc.1 <null>
callvirt System.Void System.Threading.Thread::Join()
ret <null>


Artefacts
PE Layout: MemoryMapped (process dump suspected)
Mutex: SEb72SlnWovGeg7m
CnC: 127.0.0.1
Port: 7000


f1e932a91ae6248fe628b5fc303b84e6 (65.55 KB)

Artefacts (Name | Value | Verdict | Location)
PE Layout | MemoryMapped (process dump suspected) | | f1e932a91ae6248fe628b5fc303b84e6
Mutex | SEb72SlnWovGeg7m | Malicious | f1e932a91ae6248fe628b5fc303b84e6
CnC | 127.0.0.1 | Malicious | f1e932a91ae6248fe628b5fc303b84e6
Port | 7000 | Malicious | f1e932a91ae6248fe628b5fc303b84e6
PE Layout | MemoryMapped (process dump suspected) | | f1e932a91ae6248fe628b5fc303b84e6 > [Rebuild from dump]_a3c12665.exe
Mutex | SEb72SlnWovGeg7m | Malicious | f1e932a91ae6248fe628b5fc303b84e6 > [Rebuild from dump]_a3c12665.exe
CnC | 127.0.0.1 | Malicious | f1e932a91ae6248fe628b5fc303b84e6 > [Rebuild from dump]_a3c12665.exe
Port | 7000 | Malicious | f1e932a91ae6248fe628b5fc303b84e6 > [Rebuild from dump]_a3c12665.exe
