File name:

BAMParser.exe

Full analysis: https://app.any.run/tasks/70740a40-e0a5-4ac0-9973-c396c677d201
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Malware Trends Tracker     >>>
Analysis date: February 08, 2025, 13:10:31
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
remote
xworm
crypto-regex
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

AF7B3C91F0C2FF78F7E677A94DD6D68F

SHA1:

41236C821564CC2523926DC8BB4CA231F9F6FB28

SHA256:

D27D245B438D373BA8B213F1EB9634B82C4251B64BB95EDEE8DEF9CB93AEDB9B

SSDEEP:

98304:nURgJZpT04Jxfo62176KcbvUxz5rcnJJSMLWpKAdFoMLjifjHhd1sdAoO+SPdbm+:4Qus/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • BAMParser 2.exe (PID: 4540)

    • Create files in the Startup directory

      • BAMParser 2.exe (PID: 4540)

    • XWORM has been detected (SURICATA)

      • BAMParser 2.exe (PID: 4540)

    • XWORM has been detected (YARA)

      • BAMParser 2.exe (PID: 4540)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • BAMParser.exe (PID: 4300)
      • BAMParser (1).exe (PID: 4076)

    • Reads the date of Windows installation

      • BAMParser.exe (PID: 4300)

    • Executable content was dropped or overwritten

      • BAMParser.exe (PID: 4300)
      • BAMParser (1).exe (PID: 4076)
      • BAMParser 2.exe (PID: 4540)

    • Checks Windows Trust Settings

      • BAMParser (1).exe (PID: 4076)

    • Contacting a server suspected of hosting an CnC

      • BAMParser 2.exe (PID: 4540)

    • Found regular expressions for crypto-addresses (YARA)

      • BAMParser 2.exe (PID: 4540)

    • Connects to unusual port

      • BAMParser 2.exe (PID: 4540)

    • There is functionality for communication over UDP network (YARA)

      • BAMParser (1).exe (PID: 4076)

  • INFO

    • Creates files or folders in the user directory

      • BAMParser.exe (PID: 4300)
      • BAMParser 2.exe (PID: 4540)
      • BAMParser (1).exe (PID: 4076)

    • Reads the machine GUID from the registry

      • BAMParser.exe (PID: 4300)
      • BAMParser 2.exe (PID: 4540)
      • BAMParser (1).exe (PID: 4076)

    • Reads the computer name

      • BAMParser.exe (PID: 4300)
      • BAMParser (1).exe (PID: 4076)
      • replaceparser.exe (PID: 3524)
      • BAMParser 2.exe (PID: 4540)

    • Checks supported languages

      • BAMParser.exe (PID: 4300)
      • BAMParser (1).exe (PID: 4076)
      • BAMParser 2.exe (PID: 4540)
      • replaceparser.exe (PID: 3524)

    • Process checks computer location settings

      • BAMParser.exe (PID: 4300)

    • Create files in a temporary directory

      • replaceparser.exe (PID: 3524)
      • BAMParser (1).exe (PID: 4076)

    • Reads the software policy settings

      • BAMParser (1).exe (PID: 4076)

    • Checks proxy server information

      • BAMParser (1).exe (PID: 4076)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:02:08 01:07:34+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 3186688
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0x30bece
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription:
FileVersion: 1.0.0.0
InternalName: BAMParser.exe
LegalCopyright:
OriginalFileName: BAMParser.exe
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
124
Monitored processes
7
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start bamparser.exe bamparser (1).exe no specs bamparser (1).exe #XWORM bamparser 2.exe replaceparser.exe no specs conhost.exe no specs svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
1536"C:\Users\admin\AppData\Roaming\BAMParser (1).exe" C:\Users\admin\AppData\Roaming\BAMParser (1).exeBAMParser.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\roaming\bamparser (1).exe
c:\windows\system32\ntdll.dll
2192C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
3224\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exereplaceparser.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3524"C:\Users\admin\AppData\Local\Temp\replaceparser\replaceparser.exe" "C:\Users\admin\AppData\Local\Temp\replaceparser\replaces.txt"C:\Users\admin\AppData\Local\Temp\replaceparser\replaceparser.exeBAMParser (1).exe
User:
admin
Integrity Level:
HIGH
Description:
ConsoleApp14
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\replaceparser\replaceparser.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
4076"C:\Users\admin\AppData\Roaming\BAMParser (1).exe" C:\Users\admin\AppData\Roaming\BAMParser (1).exe
BAMParser.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\roaming\bamparser (1).exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
4300"C:\Users\admin\Desktop\BAMParser.exe" C:\Users\admin\Desktop\BAMParser.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\bamparser.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
4540"C:\Users\admin\AppData\Roaming\BAMParser 2.exe" C:\Users\admin\AppData\Roaming\BAMParser 2.exe
BAMParser.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\bamparser 2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events
10 673
Read events
10 672
Write events
1
Delete events
0

Modification events

(PID) Process:(4540) BAMParser 2.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:echo-userassist
Value:
C:\Users\admin\AppData\Roaming\echo-userassist.exe
Executable files
4
Suspicious files
7
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
3524replaceparser.exeC:\Users\admin\AppData\Local\Temp\replaceparser\replaces.txt
MD5:
SHA256:
4076BAMParser (1).exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A583E2A51BFBDC1E492A57B7C8325850binary
MD5:BB148187A85E826D9F04F30A242F8647
SHA256:569FD129CDDBCD13CA12E73C48D326043C5E4649C4B6DB82757E10EEE6E27595
4076BAMParser (1).exeC:\Users\admin\AppData\Local\Temp\replaceparser\replaceparser.exeexecutable
MD5:4E0DB2FC757D7297E2BD53F984130C75
SHA256:5E20632744840196BD36FE928F462BBDD166180ABE22FB98537B1D94544DD59D
4076BAMParser (1).exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A583E2A51BFBDC1E492A57B7C8325850binary
MD5:F0AFEE879C9FCE59E41DED6C5BC84FF1
SHA256:6AE15E882D4D67F2D4FF68C57EAD463917EF0113975CA57F24B2EF739E3F3A8D
4076BAMParser (1).exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2CD1F910DD5DC23C234E99A91DE345C0binary
MD5:52E0002ABB68FA0A664D3FC106244991
SHA256:A7A924D6E12561E800195D9442F60394C85849852EFA21036AA74B69DC431B3F
4076BAMParser (1).exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\36AC0BE60E1243344AE145F746D881FEbinary
MD5:36B0182C996DC13725E0A8DE669E848C
SHA256:84BF6684AB6246B9180C30727191203619FF653F885C7D0C57B1FC638178FD1E
4076BAMParser (1).exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2CD1F910DD5DC23C234E99A91DE345C0binary
MD5:70FB280A5AA82D31CB17DF5599549BA0
SHA256:43B04786D54EF7A0C95AEB1FF86D3CACF6CBDE3BC01D00C55038B330285B4728
4540BAMParser 2.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\echo-userassist.lnkbinary
MD5:16B5286BAB43FC4437EBD48963903D29
SHA256:DC9400C3986059BCA1442285A3AC2DAA8BAD8E6449B77374BF1886F5D4FF6981
4540BAMParser 2.exeC:\Users\admin\AppData\Roaming\echo-userassist.exeexecutable
MD5:7730E175C5186DCECC9A66B929DBDD43
SHA256:527DF45B8DBB330C1F103ED2C84BD2E8C2F412E720DF556CD03EEBFA305EEE50
4076BAMParser (1).exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\36AC0BE60E1243344AE145F746D881FEbinary
MD5:293AC123B4E94D88C2389CED8266A1C4
SHA256:F03E1547B24A4813DEFBBDF4E6AC578E6A20DCD5B0CB354BA793BD7F97BDD599
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
21
DNS requests
7
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5892
svchost.exe
GET
200
2.19.11.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.19.11.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4076
BAMParser (1).exe
GET
200
2.19.11.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
4076
BAMParser (1).exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl
unknown
whitelisted
4076
BAMParser (1).exe
GET
200
2.19.11.120:80
http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_2010-07-06.crl
unknown
whitelisted
POST
204
104.126.37.162:443
https://www.bing.com/threshold/xls.aspx
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5892
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
4712
MoUsoCoreWorker.exe
2.19.11.120:80
crl.microsoft.com
Elisa Oyj
NL
whitelisted
5892
svchost.exe
2.19.11.120:80
crl.microsoft.com
Elisa Oyj
NL
whitelisted
4712
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
5892
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4712
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.206.78
whitelisted
crl.microsoft.com
  • 2.19.11.120
  • 2.19.11.105
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
www.bing.com
  • 2.21.65.153
  • 2.21.65.154
  • 2.21.65.132
whitelisted
fund-jacob.gl.at.ply.gg
  • 147.185.221.25
malicious
self.events.data.microsoft.com
  • 20.42.65.88
whitelisted

Threats

PID
Process
Class
Message
2192
svchost.exe
Potentially Bad Traffic
ET INFO playit .gg Tunneling Domain in DNS Lookup
2192
svchost.exe
Misc activity
ET TA_ABUSED_SERVICES Tunneling Service in DNS Lookup (* .ply .gg)
4540
BAMParser 2.exe
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] Xworm TCP Packet
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
BAMParser.exe