MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aebe8d0e01c9c905de67582daeb2dd28854f33dd41825fd78824a30fc018d499. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CyberGate


Vendor detections: 18


Intelligence 18 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aebe8d0e01c9c905de67582daeb2dd28854f33dd41825fd78824a30fc018d499
SHA3-384 hash: 8a617bf10bd92796441bb8ff38e7fcb59c6df834983d01f9c06adbfbfd36679b1a481d56945d2522abbb965a1d38da6b
SHA1 hash: 23ee91fe4f2e7bf8bcede42377cf4b220341e0da
MD5 hash: 47c6054e97c1aeaa8dc360aa1179882a
humanhash: nebraska-charlie-kansas-muppet
File name:DHL#AWB130501923096PDF.exe
Download: download sample
Signature CyberGate
Create hunting rule
File size:689'664 bytes
First seen:2025-10-29 15:58:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'643 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 12288:IubmqKw4dI++xZ6EX9viu//4LhSbFajEEqIFJfCEkaBXOr:IubmVw4IH6EQq/4FQvI
Threatray 5'152 similar samples on MalwareBazaar
TLSH T10BE4E1883761F05EC863E77249B0ED7492357C9B9722C207A4D71E9FBA1D996CE102B3
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10522/11/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter abuse_ch
Tags:CyberGate DHL exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
96
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
DHL#AWB130501923096PDF.exe
Verdict:
Malicious activity
Analysis date:
2025-10-30 00:53:35 UTC
Tags:
formbook stealer xloader
Link:
https://app.any.run/tasks/4027462c-a98a-4590-b6d9-d16952d18b47

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/34651/
Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69023a5e9942f1282eca2be7
Tags:
virus micro msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade obfuscated obfuscated obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/69026847a3d16310951fe677/reports/26abc824-1f3f-4fbf-905f-4733649ffe7b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/aebe8d0e01c9c905de67582daeb2dd28854f33dd41825fd78824a30fc018d499
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-29T03:04:00Z UTC
Last seen:
2025-10-29T13:06:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/aebe8d0e01c9c905de67582daeb2dd28854f33dd41825fd78824a30fc018d499/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/58804948-df46-4c21-928d-86e593561ed6
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1804133
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1804133 Sample: DHL#AWB130501923096PDF.exe Startdate: 29/10/2025 Architecture: WINDOWS Score: 100 33 www.syicollc.com 2->33 35 www.jwv8d.top 2->35 37 3 other IPs or domains 2->37 41 Suricata IDS alerts for network traffic 2->41 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 7 other signatures 2->47 11 DHL#AWB130501923096PDF.exe 3 2->11         started        signatures3 process4 file5 31 C:\Users\...\DHL#AWB130501923096PDF.exe.log, ASCII 11->31 dropped 59 Tries to detect virtualization through RDTSC time measurements 11->59 61 Switches to a custom stack to bypass stack traces 11->61 15 DHL#AWB130501923096PDF.exe 11->15         started        18 DHL#AWB130501923096PDF.exe 11->18         started        signatures6 process7 signatures8 63 Modifies the context of a thread in another process (thread injection) 15->63 65 Maps a DLL or memory area into another process 15->65 67 Sample uses process hollowing technique 15->67 69 Queues an APC in another process (thread injection) 15->69 20 explorer.exe 25 1 15->20 injected process9 dnsIp10 39 www.aviagro.com 76.223.54.146, 49690, 49692, 80 AMAZON-02US United States 20->39 49 System process connects to network (likely due to code injection or exploit) 20->49 24 svchost.exe 20->24         started        signatures11 process12 signatures13 51 Modifies the context of a thread in another process (thread injection) 24->51 53 Maps a DLL or memory area into another process 24->53 55 Tries to detect virtualization through RDTSC time measurements 24->55 57 Switches to a custom stack to bypass stack traces 24->57 27 cmd.exe 1 24->27         started        process14 process15 29 conhost.exe 27->29         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/aebe8d0e01c9c905de67582daeb2dd28854f33dd41825fd78824a30fc018d499
Verdict:
inconclusive
YARA:
12 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.71 Win 32 Exe x86
Link:
https://app.malva.re/file/47c6054e97c1aeaa8dc360aa1179882a
Gathering data
Threat name:
Win32.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2025-10-29 06:41:49 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
23 of 37 (62.16%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=v27i2dqbzheqlxthlaw25mw5fccu6m65igbf7v4iesrq7qay2smq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
xworm
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
099aab7e93cc90414b63769dba429546e4f98953f1c8304f6b8109e6fa0a824e
CyberGate
3d73ce6df0894382b15b762b63c16b983ded101731112bbbb1a78bdf6faf6226
CyberGate
41e4dd0218aed625e7883bd3dbe43a95796360bda2e2b7fcf020af9fe5e1f1dc
CyberGate
44a2b2a04288b8a218d80ea21b9b96de167b844fa7481adfbd48cfdf179aa0df
CyberGate
94976e161177276c6c1f03697f87bbbda781fedb937342a311728f51a3bce501
CyberGate
aebe8d0e01c9c905de67582daeb2dd28854f33dd41825fd78824a30fc018d499
CyberGate
c34753d6a802dcb3570354a7ecc7e930d957a28cca0d63e698ac0c0cbe67e6cc
CyberGate
da99e5e90a490e93120bd11d5bdb6226ad5e6fa21c10d5514b97d09b56dcc403
CyberGate
ee68d6bc31aa1661dfdbf95b66fccba4ec8678ee2b6f384d8f51cab0608e81df
CyberGate
error
CyberGate
f05c22a1efc4ae70839768e6d0d22057eadd708c8da4e3fc8de7376267e8bca4
CyberGate
+ 5'142 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:gb52 discovery rat spyware stealer trojan
Link:
https://tria.ge/reports/251029-xwczmazrej/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Formbook payload
Formbook
Formbook family
Unpacked files
SH256 hash:
aebe8d0e01c9c905de67582daeb2dd28854f33dd41825fd78824a30fc018d499
MD5 hash:
47c6054e97c1aeaa8dc360aa1179882a
SHA1 hash:
23ee91fe4f2e7bf8bcede42377cf4b220341e0da
Link:
https://www.unpac.me/results/65a521b3-8c15-4058-a1cb-8bdf758c9b0b/
SH256 hash:
65f3421bd276902743367ced95b18227f045b7d5670d1097744afdb07e1076a1
MD5 hash:
9956235aa636ae22d84d33027f157f0d
SHA1 hash:
00759861c42a5962bec4dda7d38f443da22fdb31
Link:
https://www.unpac.me/results/65a521b3-8c15-4058-a1cb-8bdf758c9b0b/
SH256 hash:
ca1c1d7bad993e551c7fac300fd039e8606acb2c1d76609c6ad96b99a6d30c0b
MD5 hash:
b3018a752d0372600f2c492836460eec
SHA1 hash:
b96529103490f65d407f71693f8cfe8e32d51f5d
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/65a521b3-8c15-4058-a1cb-8bdf758c9b0b/
SH256 hash:
ebf3173661c3805fe0aa1c6abf21f3519c8d3e4e017ebff1c8b65025651e8bfb
MD5 hash:
27599777fa32123bafaf48b3e2511d0e
SHA1 hash:
ead8a61dc554fbc5b5b094d7e5a35aa4ce9c1f6f
Detections:
Windows_Trojan_Formbook
Create hunting rule
Formbook
Create hunting rule
Link:
https://www.unpac.me/results/65a521b3-8c15-4058-a1cb-8bdf758c9b0b/
Parent samples :
aebe8d0e01c9c905de67582daeb2dd28854f33dd41825fd78824a30fc018d499
5ce77e84e2cd14e6127858e392fdc37d53bc87a5af9f9321cf7d336c18c10b03
9e01b51f3fd3d019eb522b7794bb8407c43d85451fdaa4130579841600cc4c41
8dfa6515ab3df482f4c286932feec38420e606c8bb42e2055f4361db4fc638b9
22f10bf1295ad52d5b60b249cbb144fe1dade77c578e50a63991dac312a7b21e
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/aebe8d0e01c9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
CyberGate
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aebe8d0e01c9c905de67582daeb2dd28854f33dd41825fd78824a30fc018d499

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/34651/

Comments