XWorm | c5345c545dc3

Remarks

Maximum Dump Total Size Reached (0x0200005D): 122 additional dumps with the reason "Content Changed" and a total of 424 MB were skipped because the respective maximum limit was reached.

Filters:

File Name	Category	Type	Verdict	Actions

C:\Users\OqXZRaykm\Desktop\magamed.exe

Sample File

Binary

Also Known As	\??\c:\users\oqxzraykm\desktop\magamed.exe (Accessed File)
MIME Type	application/vnd.microsoft.portable-executable
File Size	1.23 MB
MD5	7f1fa0268cc3cb7e8d01a41bda21c1b7
SHA1	b233ac4e05e10c2323694630c78f83bc88347ec6
SHA256	c5345c545dc3c8b126ab394b6213d8e5ea0764275b3bf5f530de7b7e8a89e4d4
SSDeep	24576:ZCnyEVxquTQh61L0Kuv4nfqpbyyLXrkOV+N7FO8gD+2Sk:XEVxqxhUL0v4fGbyyLGNw8gdSk
ImpHash	2e5467cba76f44a088d39f78c5e807b6

File Reputation Information

Verdict

Malicious

PE Information

Image Base	0x00400000
Entry Point	0x004087CE
Size Of Code	0x00013200
Size Of Initialized Data	0x00020000
File Type	IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem	IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type	IMAGE_FILE_MACHINE_I386
Compile Timestamp	2025-01-11 07:45 (UTC+1)

Version Information (7)

FileDescription
FileVersion	1.0.0.0
InternalName	magamed.exe
LegalCopyright
OriginalFilename	magamed.exe
ProductVersion	1.0.0.0
Assembly Version	1.0.0.0

Sections (6)

Name	Virtual Address	Virtual Size	Raw Data Size	Raw Data Offset	Flags	Entropy
	0x00402000	0x00014000	0x0000CC00	0x00000400	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	7.99
	0x00416000	0x00020000	0x00000000	0x0000D000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	0.0
	0x00436000	0x00002000	0x00000200	0x0000D000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	0.28
.rsrc	0x00438000	0x00020000	0x0001FE00	0x0000D200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	6.17
	0x00458000	0x00280000	0x0002BA00	0x0002D000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	8.0
fuckyou	0x006D8000	0x000E4000	0x000E3000	0x00058A00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	7.99

Imports (8)

kernel32.dll (4)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
GetModuleHandleA	-	0x006D80D4	0x002D80D4	0x00058AD4	0x00000000
GetProcAddress	-	0x006D80D8	0x002D80D8	0x00058AD8	0x00000000
ExitProcess	-	0x006D80DC	0x002D80DC	0x00058ADC	0x00000000
LoadLibraryA	-	0x006D80E0	0x002D80E0	0x00058AE0	0x00000000

user32.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
MessageBoxA	-	0x006D80E8	0x002D80E8	0x00058AE8	0x00000000

advapi32.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
RegCloseKey	-	0x006D80F0	0x002D80F0	0x00058AF0	0x00000000

oleaut32.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
SysFreeString	-	0x006D80F8	0x002D80F8	0x00058AF8	0x00000000

gdi32.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
CreateFontA	-	0x006D8100	0x002D8100	0x00058B00	0x00000000

shell32.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
ShellExecuteA	-	0x006D8108	0x002D8108	0x00058B08	0x00000000

version.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
GetFileVersionInfoA	-	0x006D8110	0x002D8110	0x00058B10	0x00000000

mscoree.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
_CorExeMain	-	0x006D8118	0x002D8118	0x00058B18	0x00000000

Memory Dumps (31)

Name	Process ID	Start VA	End VA	Dump Reason	Bitness	Entry Point	Actions
magamed.exe	1	0x00AE0000	0x00E9BFFF	First Execution	32-bit	0x00AE87CE	... Actions Go to Process Download Dump
magamed.exe	1	0x00AE0000	0x00E9BFFF	Content Changed	32-bit	0x00C9B56C	... Actions Go to Process Download Dump
magamed.exe	1	0x00AE0000	0x00E9BFFF	Content Changed	32-bit	0x00C9F31C	... Actions Go to Process Download Dump
magamed.exe	1	0x00AE0000	0x00E9BFFF	Content Changed	32-bit	0x00C9BAD0	... Actions Go to Process Download Dump
magamed.exe	1	0x00AE0000	0x00E9BFFF	Content Changed	32-bit	0x00D9F24C	... Actions Go to Process Download Dump
magamed.exe	1	0x00AE0000	0x00E9BFFF	Content Changed	32-bit	0x00CA55D0	... Actions Go to Process Download Dump
magamed.exe	1	0x00AE0000	0x00E9BFFF	Content Changed	32-bit	0x00B3BF6B	... Actions Go to Process Download Dump
magamed.exe	1	0x00AE0000	0x00E9BFFF	Content Changed	32-bit	0x00B47C74	... Actions Go to Process Download Dump
magamed.exe	1	0x00AE0000	0x00E9BFFF	Content Changed	32-bit	0x00B8C148	... Actions Go to Process Download Dump
magamed.exe	1	0x00AE0000	0x00E9BFFF	Content Changed	32-bit	0x00B8BD50	... Actions Go to Process Download Dump
buffer	1	0x00550000	0x00550FFF	Content Changed	32-bit	-	... Actions Go to Process Download Dump
magamed.exe	1	0x00AE0000	0x00E9BFFF	Content Changed	32-bit	0x00B8E2F8	... Actions Go to Process Download Dump
magamed.exe	1	0x00AE0000	0x00E9BFFF	Content Changed	32-bit	0x00B8FF40	... Actions Go to Process Download Dump
magamed.exe	1	0x00AE0000	0x00E9BFFF	Content Changed	32-bit	0x00B940C4	... Actions Go to Process Download Dump
magamed.exe	1	0x00AE0000	0x00E9BFFF	Content Changed	32-bit	0x00B91A20	... Actions Go to Process Download Dump
magamed.exe	1	0x00AE0000	0x00E9BFFF	Content Changed	32-bit	0x00BBDA50	... Actions Go to Process Download Dump
magamed.exe	1	0x00AE0000	0x00E9BFFF	Content Changed	32-bit	0x00BBA228	... Actions Go to Process Download Dump
magamed.exe	1	0x00AE0000	0x00E9BFFF	Content Changed	32-bit	0x00B96BAC	... Actions Go to Process Download Dump
magamed.exe	1	0x00AE0000	0x00E9BFFF	Content Changed	32-bit	0x00BC0B44	... Actions Go to Process Download Dump
magamed.exe	1	0x00AE0000	0x00E9BFFF	Content Changed	32-bit	0x00DA3EA0	... Actions Go to Process Download Dump
magamed.exe	1	0x00AE0000	0x00E9BFFF	Content Changed	32-bit	0x00BE5138	... Actions Go to Process Download Dump
magamed.exe	1	0x00AE0000	0x00E9BFFF	Content Changed	32-bit	0x00BE93C4	... Actions Go to Process Download Dump
magamed.exe	1	0x00AE0000	0x00E9BFFF	Content Changed	32-bit	0x00B3BE3C	... Actions Go to Process Download Dump
buffer	1	0x00A90000	0x00A90FFF	Content Changed	32-bit	-	... Actions Go to Process Download Dump
magamed.exe	1	0x00AE0000	0x00E9BFFF	Content Changed	32-bit	0x00C1BA90	... Actions Go to Process Download Dump
buffer	1	0x02674000	0x02687FFF	First Execution	32-bit	0x02684650	... Actions Go to Process Download Dump
buffer	1	0x02440000	0x02567FFF	First Execution	32-bit	0x024D34C4	... Actions Go to Process Download Dump
buffer	1	0x02820000	0x028C7FFF	First Execution	32-bit	0x02820034	... Actions Go to Process Download Dump
buffer	1	0x005A0000	0x005A0FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x00990000	0x00A8FFFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
magamed.exe	1	0x00AE0000	0x00E9BFFF	Process Termination	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump

0607c3e673c884419dabe28df35738e649ad63efce71d42ac8d54dcc80665d1b

Extracted File

Image

Parent File	cb716ce233a8fa0e64de4217d2ce8c33eb9735e3fe8c0727cfa374dffe2acfe7
MIME Type	image/png
File Size	28.39 KB
MD5	e54656af0db43e616832174b5b85d358
SHA1	954ca98ae184f42e6bf7ca3e05c132d4cc943efc
SHA256	0607c3e673c884419dabe28df35738e649ad63efce71d42ac8d54dcc80665d1b
SSDeep	768:vVTFUhtKgeTWxcTLJsQD+S8m23UZG3AgA7D:vVRUhw3TWxcZss+SP21wH7D
ImpHash	-

Remarks (1/1)

Remarks

There are no files for this filter

There are no files in this analysis

Classifications

Threat Names

Before

After

WHOIS Domain Information