File name:

echo-bam.exe

Full analysis: https://app.any.run/tasks/61b753f7-48b9-4c6e-9b24-90f43bda030a
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Malware Trends Tracker     >>>
Analysis date: February 07, 2025, 22:21:46
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
crypto-regex
xworm
remote
fody
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

42AB496F529DE8ABCF6AA5E0E2754E6B

SHA1:

CB8CDDD7EA582FAE2CA278BE5C8432C6F633A5D2

SHA256:

51DB87883D80674731D1909CE99E3ABAB24E5F17DDC74569342D60D0D574E8B1

SSDEEP:

196608:LEjrNuh4z1+ksX2gXpW/l/uYG+V4BgI/vCZpSmd10mKODOB:LE3NuOz1OYG+V/YvCamj0mrOB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • echo-bam.exe (PID: 5460)

    • XWORM has been detected (YARA)

      • echo-bam.exe (PID: 5460)

    • Create files in the Startup directory

      • echo-bam.exe (PID: 5460)

    • XWORM has been detected (SURICATA)

      • echo-bam.exe (PID: 5460)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • echo-bam.exe (PID: 2212)

    • Reads the date of Windows installation

      • echo-bam.exe (PID: 2212)

    • Executable content was dropped or overwritten

      • echo-bam.exe (PID: 2212)
      • echo-bam.exe (PID: 5460)

    • Connects to unusual port

      • echo-bam.exe (PID: 5460)

    • Found regular expressions for crypto-addresses (YARA)

      • echo-bam.exe (PID: 5460)

    • Reads the BIOS version

      • echo-bam (1).exe (PID: 4556)

    • Contacting a server suspected of hosting an CnC

      • echo-bam.exe (PID: 5460)

  • INFO

    • Checks supported languages

      • echo-bam.exe (PID: 2212)
      • echo-bam.exe (PID: 5460)
      • echo-bam (1).exe (PID: 4556)

    • Creates files or folders in the user directory

      • echo-bam.exe (PID: 2212)
      • echo-bam.exe (PID: 5460)

    • Reads the computer name

      • echo-bam.exe (PID: 2212)
      • echo-bam.exe (PID: 5460)
      • echo-bam (1).exe (PID: 4556)

    • The sample compiled with english language support

      • echo-bam.exe (PID: 2212)

    • Process checks computer location settings

      • echo-bam.exe (PID: 2212)

    • Reads the machine GUID from the registry

      • echo-bam.exe (PID: 2212)
      • echo-bam.exe (PID: 5460)
      • echo-bam (1).exe (PID: 4556)

    • Process checks whether UAC notifications are on

      • echo-bam (1).exe (PID: 4556)

    • Reads the software policy settings

      • echo-bam (1).exe (PID: 4556)

    • Detects Fody packer (YARA)

      • echo-bam.exe (PID: 5460)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

XWorm

(PID) Process(5460) echo-bam.exe
C2fund-jacob.gl.at.ply.gg:54816
Keys
AES<123456789>
Options
Splitter<Xwormmm>
Sleep time3
USB drop nameXWorm V5.1
MutexuF7gnBJDUuoKjfs4
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:02:07 21:45:30+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 25046016
InitializedDataSize: 20992
UninitializedDataSize: -
EntryPoint: 0x17e4b1e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription:
FileVersion: 1.0.0.0
InternalName: echo-bam.exe
LegalCopyright:
OriginalFileName: echo-bam.exe
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
115
Monitored processes
5
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start echo-bam.exe echo-bam (1).exe no specs echo-bam (1).exe #XWORM echo-bam.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
2192C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2212"C:\Users\admin\Desktop\echo-bam.exe" C:\Users\admin\Desktop\echo-bam.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\echo-bam.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
3224"C:\Users\admin\AppData\Roaming\echo-bam (1).exe" C:\Users\admin\AppData\Roaming\echo-bam (1).exeecho-bam.exe
User:
admin
Company:
Inspect Element Ltd
Integrity Level:
MEDIUM
Description:
BAM Log Viewer
Exit code:
3221226540
Version:
1.0.0
Modules
Images
c:\users\admin\appdata\roaming\echo-bam (1).exe
c:\windows\system32\ntdll.dll
4556"C:\Users\admin\AppData\Roaming\echo-bam (1).exe" C:\Users\admin\AppData\Roaming\echo-bam (1).exe
echo-bam.exe
User:
admin
Company:
Inspect Element Ltd
Integrity Level:
HIGH
Description:
BAM Log Viewer
Exit code:
4294967295
Version:
1.0.0
Modules
Images
c:\users\admin\appdata\roaming\echo-bam (1).exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
5460"C:\Users\admin\AppData\Roaming\echo-bam.exe" C:\Users\admin\AppData\Roaming\echo-bam.exe
echo-bam.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\echo-bam.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
XWorm
(PID) Process(5460) echo-bam.exe
C2fund-jacob.gl.at.ply.gg:54816
Keys
AES<123456789>
Options
Splitter<Xwormmm>
Sleep time3
USB drop nameXWorm V5.1
MutexuF7gnBJDUuoKjfs4
Total events
5 603
Read events
5 595
Write events
8
Delete events
0

Modification events

(PID) Process:(4556) echo-bam (1).exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectInput\ECHO-BAM (1).EXE00000000017C6C60
Operation:writeName:Name
Value:
ECHO-BAM (1).EXE
(PID) Process:(4556) echo-bam (1).exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectInput\ECHO-BAM (1).EXE00000000017C6C60
Operation:writeName:UsesMapper
Value:
00000000
(PID) Process:(4556) echo-bam (1).exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectInput\MostRecentApplication
Operation:writeName:Name
Value:
ECHO-BAM (1).EXE
(PID) Process:(4556) echo-bam (1).exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectInput\MostRecentApplication
Operation:writeName:Id
Value:
ECHO-BAM (1).EXE00000000017C6C60
(PID) Process:(4556) echo-bam (1).exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectInput\MostRecentApplication
Operation:writeName:Version
Value:
00080000
(PID) Process:(4556) echo-bam (1).exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectInput\MostRecentApplication
Operation:writeName:MostRecentStart
Value:
C9D762B7AE79DB01
(PID) Process:(5460) echo-bam.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:echo-userassist
Value:
C:\Users\admin\AppData\Roaming\echo-userassist.exe
(PID) Process:(4556) echo-bam (1).exeKey:HKEY_CURRENT_USER\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0627&PID_0001\Calibration\0
Operation:writeName:GUID
Value:
20000DF5A1E5EF118001444553540000
Executable files
3
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
2212echo-bam.exeC:\Users\admin\AppData\Roaming\echo-bam (1).exeexecutable
MD5:EF585DEFB4F699118254C86CCE6A2952
SHA256:DC37564771CFC5D6F976F94CFAFBD85B743633A71C320BD8018C6BC4F9FB388F
5460echo-bam.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\echo-userassist.lnkbinary
MD5:58D05F7B4C6E8F8FC395B71F1B8E6140
SHA256:94E167CF8F1C5A31A90B3EAA36A40B1883567327587145FC6FB27BB1695F6431
2212echo-bam.exeC:\Users\admin\AppData\Roaming\echo-bam.exeexecutable
MD5:5D3E757FD149FDA246275106FB91CC98
SHA256:976E586FFB1E04A061306B2B7C173645FDA9ECE3FEB7D9FD44FE6B2EB696697C
5460echo-bam.exeC:\Users\admin\AppData\Roaming\echo-userassist.exeexecutable
MD5:5D3E757FD149FDA246275106FB91CC98
SHA256:976E586FFB1E04A061306B2B7C173645FDA9ECE3FEB7D9FD44FE6B2EB696697C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
20
DNS requests
5
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
404
104.26.6.44:443
https://api.echo.ac/latest-bam
unknown
binary
41 b
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
92.123.104.52:443
www.bing.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4556
echo-bam (1).exe
172.67.69.115:443
api.echo.ac
CLOUDFLARENET
US
suspicious
5460
echo-bam.exe
147.185.221.25:54816
fund-jacob.gl.at.ply.gg
PLAYIT-GG
US
malicious

DNS requests

Domain
IP
Reputation
www.bing.com
  • 92.123.104.52
  • 92.123.104.28
  • 92.123.104.34
  • 92.123.104.62
  • 92.123.104.59
  • 92.123.104.32
whitelisted
google.com
  • 142.250.186.174
whitelisted
api.echo.ac
  • 172.67.69.115
  • 104.26.6.44
  • 104.26.7.44
unknown
fund-jacob.gl.at.ply.gg
  • 147.185.221.25
unknown
self.events.data.microsoft.com
  • 51.105.71.136
whitelisted

Threats

PID
Process
Class
Message
2192
svchost.exe
Misc activity
ET TA_ABUSED_SERVICES Tunneling Service in DNS Lookup (* .ply .gg)
2192
svchost.exe
Potentially Bad Traffic
ET INFO playit .gg Tunneling Domain in DNS Lookup
5460
echo-bam.exe
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] Xworm TCP Packet
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
echo-bam.exe