MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2194042f5f4a385486b259dd6f174748a5fbc260dcafe8abac842382010f3b10. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemusStealer


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2194042f5f4a385486b259dd6f174748a5fbc260dcafe8abac842382010f3b10
SHA3-384 hash: 3b6754f9cf19d74315edaf64d40a3d21469fd78e0be4bf087170165a05921fb686344364f09872b5d2786c731e6bab65
SHA1 hash: 265667ba618eb33f4fee8c9532bca4bd8986cf55
MD5 hash: a1ac1aca3ff072afba875fc519fece7e
humanhash: uniform-sink-social-paris
File name:file
Download: download sample
Signature RemusStealer
Create hunting rule
File size:225'280 bytes
First seen:2026-05-20 00:41:35 UTC
Last seen:2026-05-20 10:03:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f7f06265082add6d6d0fec781c269c83 (3 x RemusStealer)
ssdeep 3072:5aKUJMTz5R4Rhb/e/Nb61iJj1m14+5umfU3pEVvL4mK5Z1+yUtMsGxjuX1B:7xtaiVQ4dmfUC1KFCB
TLSH T103241A27D26371FCD652C07892667232B733BA3847349EF702D2C3369D61AD06E7A925
TrID 51.9% (.EXE) Win64 Executable (generic) (6522/11/2)
16.1% (.EXE) OS/2 Executable (generic) (2029/13)
15.9% (.EXE) Generic Win/DOS Executable (2002/3)
15.9% (.EXE) DOS Executable (generic) (2000/1)
Magika pebin
Reporter Bitsight
Tags:dropped-by-gcleaner exe P RemusStealer UNIQPREM.file


Avatar
Bitsight
url: http://91.92.241.242/service

Intelligence

File Origin
# of uploads :
3
# of downloads :
223
Origin country :
US US
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
exe
Verdict:
Malicious activity
Analysis date:
2026-05-20 00:46:13 UTC
Tags:
stealer remus
Link:
https://app.any.run/tasks/d8453e5d-e439-43b0-8c4f-25e8f7082a05

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/66515/
Detection(s):
SecuriteInfo.com.Variant.Zusy.605845.42363819.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
84.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a0d03814159ce11f6017eac
Tags:
n/a
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context infostealer packed similar-threat
Link:
https://www.filescan.io/uploads/6a0d037ced770578157c8582/reports/1a63a8b1-4c98-4943-978b-0f476534d445/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/2194042f5f4a385486b259dd6f174748a5fbc260dcafe8abac842382010f3b10
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-05-19T21:53:00Z UTC
Last seen:
2026-05-19T22:27:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.Agent.gen
Link:
https://opentip.kaspersky.com/2194042f5f4a385486b259dd6f174748a5fbc260dcafe8abac842382010f3b10/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/42e14e70-7550-4963-9914-91298fa86294
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2194042f5f4a385486b259dd6f174748a5fbc260dcafe8abac842382010f3b10
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2194042f5f4a385486b259dd6f174748a5fbc260dcafe8abac842382010f3b10/
Verdict:
Malicious
Threat:
Family.D2FD0E44B3D4DC1F73831819E922CCF5
Link:
https://tip.neiki.dev/file/2194042f5f4a385486b259dd6f174748a5fbc260dcafe8abac842382010f3b10
Threat name:
Win64.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2026-05-20 00:42:46 UTC
File Type:
PE+ (Exe)
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=egkail27ji4fjbvslhow6f2hjcs7xqta3sx6rk5mqqryeaiphmia._file
Verdict:
malicious
Label(s):
remus
Create hunting rule
Similar samples:
error
RemusStealer
Result
Malware family:
remus_stealer
Create hunting rule
Score:
  10/10
Tags:
family:remus_stealer botnet:d2fd0e44b3d4dc1f73831819e922ccf5 discovery spyware stealer
Link:
https://tria.ge/reports/260520-a2d3jsey5w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Browser Information Discovery
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Malware Config
C2 Extraction:
http://mandtar.shop:7538
http://woodfez.biz:7582
http://firewai.biz:48261
Unpacked files
SH256 hash:
2194042f5f4a385486b259dd6f174748a5fbc260dcafe8abac842382010f3b10
MD5 hash:
a1ac1aca3ff072afba875fc519fece7e
SHA1 hash:
265667ba618eb33f4fee8c9532bca4bd8986cf55
Link:
https://www.unpac.me/results/c72ada02-7d15-4054-86dc-601abb09b3ea/
Malware family:
RemusStealer
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2194042f5f4a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2194042f5f4a385486b259dd6f174748a5fbc260dcafe8abac842382010f3b10

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemusStealer

Executable exe 2194042f5f4a385486b259dd6f174748a5fbc260dcafe8abac842382010f3b10

(this sample)

  
Dropped by
Gcleaner
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/66515/

Comments