MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f50ff9e2d8b9e236f907ee98010b8ebdcf5e7ecbe88a8e1e713cacd61348bd8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm

Vendor detections: 15

Intelligence 15 IOCs YARA 8 File information Comments

SHA256 hash:	3f50ff9e2d8b9e236f907ee98010b8ebdcf5e7ecbe88a8e1e713cacd61348bd8
SHA3-384 hash:	9bbcffee21e23784f75dda9708d2200840d490eb1d394f1d54707a36a98b36359a2b13a9c68ea5216fb36ceb708590ff
SHA1 hash:	2a77619126ac5c1a1d74291e68f7c6f38d017f2e
MD5 hash:	1dbb6e7eac2e37402b3d5a632d81e513
humanhash:	beryllium-papa-high-william
File name:	Eternity Mod Menu v2.1.2.exe
Download:	download sample
Signature	XWorm Create hunting rule
File size:	5'869'056 bytes
First seen:	2025-08-05 13:21:27 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	140094f13383e9ae168c4b35b6af3356 (32 x DCRat, 11 x CoinMiner, 10 x njrat)
ssdeep	98304:l3Xekz/KTWUNL9W+oH3H0+EjDmRGi2Mla0PUKO6SxIPFYymMMM:NxrYpNLwkjDYJlawlO6SxIPFYy
TLSH	T11046331FB7D935E2F14865F5D02FE87E09D18ACA2C8082492D5B58DF3C26BF06C76A94
TrID	32.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 28.8% (.EXE) Win32 Executable (generic) (4504/4/1) 13.0% (.EXE) OS/2 Executable (generic) (2029/13) 12.8% (.EXE) Generic Win/DOS Executable (2002/3) 12.8% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
dhash icon	c8b424d6d6caea34 (1 x XWorm)
Reporter	Vip5676
Tags:	exe xworm

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Eternity Mod Menu v2.1.2.exe

Verdict:

Malicious activity

Analysis date:

2025-08-05 13:22:07 UTC

Tags:

github evasion stealer telegram exfiltration ims-api generic auto-reg auto-startup remote xworm

Link:

https://app.any.run/tasks/2814aea3-9011-490a-8fa5-eb1554f3a0af

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/19010/

Verdict:

Malicious

Score:

97.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6892058d1e8a59ee04e5a837

Tags:

vmdetect asyncrat autorun lien

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a process from a recently created file

Сreating synchronization primitives

Searching for analyzing tools

Searching for the window

DNS request

Connection attempt

Sending a custom TCP request

Creating a file

Searching for synchronization primitives

Sending an HTTP GET request

Creating a process with a hidden window

Launching the default Windows debugger (dwwin.exe)

Unauthorized injection to a recently created process

Adding an exclusion to Microsoft Defender

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

fasm obfuscated packed peunion

Link:

https://www.filescan.io/uploads/6892058d9ef4d2ff7cebc23d/reports/1697a929-b4b7-4c06-ba89-aa2f035ec45e/overview

Verdict:

Malicious

Labled as:

ExNuma.Generic

Link:

https://www.hybrid-analysis.com/sample/3f50ff9e2d8b9e236f907ee98010b8ebdcf5e7ecbe88a8e1e713cacd61348bd8

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b1ff97b1-3368-4710-8d51-f6ab45f149d6

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/3f50ff9e2d8b9e236f907ee98010b8ebdcf5e7ecbe88a8e1e713cacd61348bd8

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) Win 32 Exe x86

Link:

https://app.malva.re/file/1dbb6e7eac2e37402b3d5a632d81e513

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3f50ff9e2d8b9e236f907ee98010b8ebdcf5e7ecbe88a8e1e713cacd61348bd8/

Verdict:

Malicious

Threat:

Family.XWORM

Link:

https://tip.neiki.dev/file/3f50ff9e2d8b9e236f907ee98010b8ebdcf5e7ecbe88a8e1e713cacd61348bd8

Threat name:

Win32.Trojan.ExNuma

Status:

Malicious

First seen:

2025-08-05 13:22:21 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

32 of 38 (84.21%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=h5ip7hrnropcg34qp3uyaefy5poplz7mx2ekryphcpfm2yjurpma._file

Verdict:

malicious

Label(s):

pulsepack

Similar samples:

error

XWorm

Result

Malware family:

xworm

Score:

10/10

Tags:

family:phemedrone family:xworm credential_access discovery execution persistence rat spyware stealer trojan

Link:

https://tria.ge/reports/250805-qmc5pstvfz/

Behaviour

Modifies registry class

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Checks computer location settings

Drops startup file

Executes dropped EXE

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Unsecured Credentials: Credentials In Files

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Detect Xworm Payload

Phemedrone

Phemedrone family

Xworm

Xworm family

Malware Config

C2 Extraction:

https://api.telegram.org/bot8284420386:AAH2eqWIgZglNbjoPm1jseKZ-_RRn_-eWZA/sendMessage?chat_id=5695636067
92.113.146.251:9944

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/858c7695-7595-492b-8015-cbe6a7bee841

Unpacked files

SH256 hash:

3f50ff9e2d8b9e236f907ee98010b8ebdcf5e7ecbe88a8e1e713cacd61348bd8

MD5 hash:

1dbb6e7eac2e37402b3d5a632d81e513

SHA1 hash:

2a77619126ac5c1a1d74291e68f7c6f38d017f2e

Link:

https://www.unpac.me/results/cfb226a4-adda-4e6c-8c4f-f7707e7c498d/

SH256 hash:

791d5bfc115500493462d8324ff4ff91582f481847d8b1f15c62917309f18cf9

MD5 hash:

265559ab0e4391ef0bccf81c5f0cd865

SHA1 hash:

70f3518849b3b352bc4ece593c0b0e901f390acd

Link:

https://www.unpac.me/results/cfb226a4-adda-4e6c-8c4f-f7707e7c498d/

SH256 hash:

fb5114dd9350d8590b19703c9f614f7c8fa7deb60e8e1d1afa9b0ad650d2ac82

MD5 hash:

0872be8e857205458756411dc8d2c5d9

SHA1 hash:

3166a245309658a266a0da02f78bd731a2a22d58

Link:

https://www.unpac.me/results/cfb226a4-adda-4e6c-8c4f-f7707e7c498d/

SH256 hash:

6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c

MD5 hash:

c5124caf4aea3a83b63a9108fe0dcef8

SHA1 hash:

a43a5a59038fca5a63fa526277f241f855177ce6

Link:

https://www.unpac.me/results/cfb226a4-adda-4e6c-8c4f-f7707e7c498d/

Malware family:

XWorm

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3f50ff9e2d8b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.66

Link:

https://yomi.yoroi.company/submissions/3f50ff9e2d8b9e236f907ee98010b8ebdcf5e7ecbe88a8e1e713cacd61348bd8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	INDICATOR_EXE_Packed_Fody Create hunting rule
Author:	ditekSHen
Description:	Detects executables manipulated with Fody

Rule name:	INDICATOR_EXE_Packed_Themida Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Themida

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/19010/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high
CHECK_TRUST_INFO	Requires Elevated Execution (level:requireAdministrator)	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::VirtualAllocExNuma kernel32.dll::CreateThread
WIN_BASE_USER_API	Retrieves Account Information	kernel32.dll::GetComputerNameA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample