MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e130ed9dfb63d8df7b7eb249c4a7ad8726a91a9c3a235ff6eb289e5557b386df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Cymulion

Vendor detections: 12

Intelligence 12 IOCs YARA 10 File information Comments

SHA256 hash:	e130ed9dfb63d8df7b7eb249c4a7ad8726a91a9c3a235ff6eb289e5557b386df
SHA3-384 hash:	3f70614c906ee095c66cde70f61c6dd8b99102ca910e6bc6238644fee3de9184cb4b9059779a4f1f056a44d7cbb98bdc
SHA1 hash:	049a1449b0f792d5041e273edc19599ea249d0bf
MD5 hash:	0d7196822b8b0693b8eb9cac81246992
humanhash:	emma-quiet-river-quebec
File name:	z2qlum5.exe
Download:	download sample
Signature	Cymulion Create hunting rule
File size:	1'222'144 bytes
First seen:	2026-04-01 14:48:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	677f09f17b9d49a277e80fbca9bb1c70 (1 x Cymulion)
ssdeep	24576:E329y1J8qCxeAqQATm9UrZbyxSktoL3b8mEB0+nf:EG9y1yTeFlmokGL3bqm+n
TLSH	T1DC457B02FBD044B5E4BB813989B35616EBB5B8650730DBCF23848A6A9F377D0AD39711
TrID	65.2% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 10.2% (.EXE) Win64 Executable (generic) (6522/11/2) 7.9% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4504/4/1) 3.1% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	Alex_sev
Tags:	CymRan CymTest Cymulate Cymulion exe

Intelligence

File Origin

# of uploads :

# of downloads :

120

Origin country :

Vendor Threat Intelligence

Gathering data

Malware family:

n/a

ID:

File name:

e130ed9dfb63d8df7b7eb249c4a7ad8726a91a9c3a235ff6eb289e5557b386df.exe

Verdict:

No threats detected

Analysis date:

2025-08-24 18:54:31 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/196a220a-6346-4408-b514-f948c43c40f2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

DLAgent10

Link:

https://www.capesandbox.com/analysis/60093/

Detection(s):

SecuriteInfo.com.Variant.Application.Cymulate.14.UNOFFICIAL

SecuriteInfo.com.Trojan.Encoder.42781.9122.31576.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69cd306d6363ca5d27f09e91

Tags:

downloader emotet agent micro

Result

Verdict:

Clean

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a file

Moving a recently created file

Creating a process from a recently created file

DNS request

Connection attempt

Verdict:

Malicious

Labled as:

Application.Cymulion.ZB.Generic

Link:

https://www.hybrid-analysis.com/sample/e130ed9dfb63d8df7b7eb249c4a7ad8726a91a9c3a235ff6eb289e5557b386df

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-08-24T15:16:00Z UTC

Last seen:

2026-04-02T20:57:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/e130ed9dfb63d8df7b7eb249c4a7ad8726a91a9c3a235ff6eb289e5557b386df/results?tab=lookup

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/bb9b3a6d-69ab-4fd6-972a-b236cbeb7de9

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/e130ed9dfb63d8df7b7eb249c4a7ad8726a91a9c3a235ff6eb289e5557b386df

Verdict:

inconclusive

YARA:

8 match(es)

Tags:

.Net Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/0d7196822b8b0693b8eb9cac81246992

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e130ed9dfb63d8df7b7eb249c4a7ad8726a91a9c3a235ff6eb289e5557b386df/

Verdict:

Malicious

Threat:

RiskTool.Win32.Cymulate

Link:

https://tip.neiki.dev/file/e130ed9dfb63d8df7b7eb249c4a7ad8726a91a9c3a235ff6eb289e5557b386df

Threat name:

Win32.Trojan.Cymulion

Status:

Malicious

First seen:

2025-08-21 00:43:55 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

29 of 36 (80.56%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4eyo3hp3mpmn6636wje4jj5nq4tksgu4hirv75xlfcpfkv5tq3pq._file

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery

Link:

https://tria.ge/reports/260401-r64x7sgw6w/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Executes dropped EXE

Unpacked files

SH256 hash:

e130ed9dfb63d8df7b7eb249c4a7ad8726a91a9c3a235ff6eb289e5557b386df

MD5 hash:

0d7196822b8b0693b8eb9cac81246992

SHA1 hash:

049a1449b0f792d5041e273edc19599ea249d0bf

Detections:

CymulateEDRTester

Link:

https://www.unpac.me/results/345eaf13-555b-4c3a-a7d0-509bfbce3323/

SH256 hash:

2ed6f2de50285a66f1708c6ba8dd010639ec49839231640582b9470404e6314a

MD5 hash:

40aa10c6177770999575dca0fbccff6d

SHA1 hash:

4efb1dbc877a620683909542ed08dda182c329c1

Detections:

CymulateEDRTester

MALWARE_Win_DLAgent10

Link:

https://www.unpac.me/results/345eaf13-555b-4c3a-a7d0-509bfbce3323/

SH256 hash:

e446ded1cc8ed6c73271e99ec12ea7001eae1e5c23a82b2d89c6bf18b97f4d26

MD5 hash:

7e0f9570dcbd28b7078f11ce3b89be5a

SHA1 hash:

ae21695f2089c35467101ef56c72aa148b26535a

Link:

https://www.unpac.me/results/345eaf13-555b-4c3a-a7d0-509bfbce3323/

SH256 hash:

66c7921a307b4dad1cabbdd251bdd4a0469f09715cf85ca2148ae66e764d2e15

MD5 hash:

4c966b2ecd6630fc74dd372ba003d9bb

SHA1 hash:

2c13f5db2a07f3e51342879b446c5dc7ce465828

Link:

https://www.unpac.me/results/345eaf13-555b-4c3a-a7d0-509bfbce3323/

SH256 hash:

c9030c42d735f0a050c599093b7db5448f10e96c17bf2cb1402f239020071bca

MD5 hash:

d0b4f9f8cb75dafec6a30813d32d1f10

SHA1 hash:

f3896f24f060512981337c3c2f0b3d202b5c8d97

Link:

https://www.unpac.me/results/345eaf13-555b-4c3a-a7d0-509bfbce3323/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e130ed9dfb63d8df7b7eb249c4a7ad8726a91a9c3a235ff6eb289e5557b386df

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	detect_powershell Create hunting rule
Author:	daniyyell
Description:	Detects suspicious PowerShell activity related to malware execution

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MALWARE_Win_DLAgent10 Create hunting rule
Author:	ditekSHen
Description:	Detects known downloader agent

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE Create hunting rule
Author:	CYFARE
Description:	Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:	https://cyfare.net/

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/60093/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample