MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13a1587305880da5fbd956cf9a1353a336996a66735f887004e38ed65b2f7ff1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemusStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 3 File information Comments

SHA256 hash:	13a1587305880da5fbd956cf9a1353a336996a66735f887004e38ed65b2f7ff1
SHA3-384 hash:	611677df1908bc3aefefc87062c0fcd4abfa969a6043b3317d11142cd9ba188a20cf53ce69b567a6edce7e172c2fb725
SHA1 hash:	7105e52803914e37050b6f2a4c0d8a8339a2a381
MD5 hash:	8368894761e8f296575356fe49978880
humanhash:	romeo-seven-lemon-finch
File name:	file
Download:	download sample
Signature	RemusStealer Create hunting rule
File size:	2'634'720 bytes
First seen:	2026-06-13 01:39:09 UTC
Last seen:	2026-06-13 03:09:16 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	d9c0bfb4053066384ee7484b4c2917f9 (2 x RemusStealer)
ssdeep	49152:EY+Xo+hwaBZ4yNM3JEXOJP7zn+x2qj3sXU7j3nyg8aC16ko:EYAioZpO3HP7z+D1f3yPB1do
TLSH	T11AC533D997EA2B41C28248F4F5B260057EF0E520E557460D90390EB9AC5DCEF1F792BE
TrID	33.6% (.EXE) OS/2 Executable (generic) (2029/13) 33.1% (.EXE) Generic Win/DOS Executable (2002/3) 33.1% (.EXE) DOS Executable (generic) (2000/1)
Magika	pebin
dhash icon	00e8c8c0c0c0c000 (1 x RemusStealer)
Reporter	Bitsight
Tags:	c dropped-by-gcleaner exe MIX4.file RemusStealer signed

Code Signing Certificate

Organisation:	Port Forward Signal Meter
Issuer:	Port Forward Signal Meter
Algorithm:	sha384WithRSAEncryption
Valid from:	2026-06-13T01:00:25Z
Valid to:	2027-06-13T01:10:25Z
Serial number:	54c7e5d3360476b4404fc1d4c0122acb
Thumbprint Algorithm:	SHA256
Thumbprint:	a6915d8ac08c9f03dc4ade6aac26dfe161ebb3d537be35b62cf55697d0c83788
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Bitsight

url: http://158.94.209.95/service

Intelligence

File Origin

# of uploads :

# of downloads :

149

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

_13a1587305880da5fbd956cf9a1353a336996a66735f887004e38ed65b2f7ff1.exe

Verdict:

Malicious activity

Analysis date:

2026-06-13 01:39:42 UTC

Tags:

themida

Link:

https://app.any.run/tasks/98c57eb5-24d2-423a-a3b7-8b913deb9455

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/70606/

Verdict:

Malicious

Score:

91.7%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a2cb4d934eaf30d8ce55be7

Tags:

injection packed obfusc

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Connection attempt

Using the Windows Management Instrumentation requests

Query of malicious DNS domain

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

obfuscated packed packed signed themidawinlicense

Link:

https://www.filescan.io/uploads/6a2cb4d31f652d68657c2d02/reports/7818749b-cb95-4996-8b16-2e9d248796cf/overview

Verdict:

Suspicious

Labled as:

Malware_

Link:

https://www.hybrid-analysis.com/sample/13a1587305880da5fbd956cf9a1353a336996a66735f887004e38ed65b2f7ff1

Verdict:

Unknown

File Type:

Link:

https://opentip.kaspersky.com/13a1587305880da5fbd956cf9a1353a336996a66735f887004e38ed65b2f7ff1/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/b1a006b4-043c-43be-aaf4-65055dadb721

Score:

36%

Verdict:

Susipicious

File Type:

Link:

https://malprob.io/report/13a1587305880da5fbd956cf9a1353a336996a66735f887004e38ed65b2f7ff1

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/13a1587305880da5fbd956cf9a1353a336996a66735f887004e38ed65b2f7ff1/

Gathering data

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=coqvq4yfrag2l66zk3hzue2tum3js2tgonpyq4ae4ohnmwzpp7yq._file

Verdict:

malicious

Label(s):

remus

Similar samples:

error

RemusStealer

Result

Malware family:

remus_stealer

Score:

10/10

Tags:

family:remus_stealer defense_evasion discovery spyware stealer themida trojan

Link:

https://tria.ge/reports/260613-b27wasdv2z/

Behaviour

Suspicious behavior: EnumeratesProcesses

Browser Information Discovery

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks whether UAC is enabled

Checks BIOS information in registry

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Themida packer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Detects Remus stealer

Family: Remus

Malware Config

C2 Extraction:

http://none
http://myrtler.biz:9549
http://carogra.biz:4219

Unpacked files

SH256 hash:

13a1587305880da5fbd956cf9a1353a336996a66735f887004e38ed65b2f7ff1

MD5 hash:

8368894761e8f296575356fe49978880

SHA1 hash:

7105e52803914e37050b6f2a4c0d8a8339a2a381

Link:

https://www.unpac.me/results/949b324f-486d-4bdb-99bb-4a28cb47661e/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/13a158730588/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/13a1587305880da5fbd956cf9a1353a336996a66735f887004e38ed65b2f7ff1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_Themida Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Themida

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE Create hunting rule
Author:	CYFARE
Description:	Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:	https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemusStealer

exe 13a1587305880da5fbd956cf9a1353a336996a66735f887004e38ed65b2f7ff1

(this sample)

Dropped by

Gcleaner

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/70606/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample