MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e44cd37557321d7a03eae26b4c8f124c458c1771bb3c427774276d272ac6718. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Remus

Vendor detections: 13

Intelligence 13 IOCs YARA 19 File information Comments

SHA256 hash:	2e44cd37557321d7a03eae26b4c8f124c458c1771bb3c427774276d272ac6718
SHA3-384 hash:	c1e1f47b2c603de7040c7731fab26012c2b1d94b9224efe3865a32ae91dc860b04627392da296466642b53bed94422a4
SHA1 hash:	25b46be413e32f8768a5502291388f1475538cf1
MD5 hash:	a7f46aa609d9ae94fd043550b101fa82
humanhash:	equal-salami-idaho-december
File name:	Setup.exe
Download:	download sample
Signature	Remus Create hunting rule
File size:	2'048'688 bytes
First seen:	2026-04-24 21:54:28 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d42595b695fc008ef2c56aabd8efd68e (434 x Vidar, 94 x Stealc, 92 x Rhadamanthys)
ssdeep	49152:+wx3RNgJTlIO7so5xfb3o8konnLbwip/KMXdJ:+kkKSxkonn/b
Threatray	92 similar samples on MalwareBazaar
TLSH	T18C954B067C9105EDC099B73248F23681BB35F8180B3627D32E95AA783E37BE05D7675A
TrID	33.1% (.EXE) Win64 Executable (generic) (6522/11/2) 25.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 10.4% (.ICL) Windows Icons Library (generic) (2059/9) 10.3% (.EXE) OS/2 Executable (generic) (2029/13) 10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	aachum
Tags:	baxe-pics exe iuta-today Remus

iamaachum

https://pcsofthub.cfd/rapid-99/ => https://www.mediafire.com/file/ig1ayfkvpnk15yx

Remus C2:
31.97.61.212:8521
67.205.186.254:48261
iuta.today
baxe.pics

Intelligence

File Origin

# of uploads :

# of downloads :

130

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

https://igames.ink/steamrip/

Verdict:

Malicious activity

Analysis date:

2026-04-24 19:22:10 UTC

Tags:

fingerprinting generic golang stealer

Link:

https://app.any.run/tasks/560e0ead-b613-4817-b4b3-c529f9436d0f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/63510/

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69ebe7864aed15d07930075c

Tags:

injection obfusc crypt

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

DNS request

Connection attempt

Sending an HTTP POST request

Connection attempt to an infection source

Query of malicious DNS domain

Sending an HTTP POST request to an infection source

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

adaptive-context anti-vm crypt golang signed similar-threat

Link:

https://www.filescan.io/uploads/69ebe69b81aa9ec3bc25ad2d/reports/dfa43cde-87a6-4f91-a09c-c0349647ac90/overview

Verdict:

Malicious

Labled as:

Win64/GenKryptik_AGeneric.CKZ trojan

Link:

https://www.hybrid-analysis.com/sample/2e44cd37557321d7a03eae26b4c8f124c458c1771bb3c427774276d272ac6718

Verdict:

Malicious

File Type:

exe x64

First seen:

2026-04-24T09:09:00Z UTC

Last seen:

2026-04-26T14:07:00Z UTC

Hits:

~100

Detections:

Trojan.Win64.Agent.smgbvb Trojan.Win64.Agent.sb

Link:

https://opentip.kaspersky.com/2e44cd37557321d7a03eae26b4c8f124c458c1771bb3c427774276d272ac6718/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/ba9e1069-7afc-41b2-9a6e-4907b343602d

Result

Threat name:

Clipboard Hijacker, GO Stealer

Detection:

malicious

Classification:

troj.spyw.evad.mine

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1904510

Signature

Antivirus detection for URL or domain

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)

Found evasive API chain (may stop execution after checking mutex)

Found malware configuration

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Potentially malicious time measurement code found

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Suricata IDS alerts for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal from password manager

Tries to steal Mail credentials (via file / registry access)

Unusual module load detection (module proxying)

Uses known network protocols on non-standard ports

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Clipboard Hijacker

Yara detected GO Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

94%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/2e44cd37557321d7a03eae26b4c8f124c458c1771bb3c427774276d272ac6718

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/a7f46aa609d9ae94fd043550b101fa82

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2e44cd37557321d7a03eae26b4c8f124c458c1771bb3c427774276d272ac6718/

Verdict:

Malicious

Threat:

Family.SMOKE LOADER

Link:

https://tip.neiki.dev/file/2e44cd37557321d7a03eae26b4c8f124c458c1771bb3c427774276d272ac6718

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fzcm2n2vomq5pib6vytljshretcfrqlxdoz4ij3xij3ne4vmm4ma._file

Verdict:

malicious

Label(s):

unc_clipper

Remus

5f6c6f4b31ef79e5ef7c6b952dfe3dd2ea58d68314389dbf959116e4e940067f

Remus

825767047df77277e94c6114bfaaac9bb3b45cd850a733800cdd8f9544f5201e

Remus

88081f66ba8c0a2b9ef60c2b5d63f95f69bdf99555cb3f60f8ff23b40928d4d8

Remus

97cc51baae950c680b213219d19cd6425446d2be6a595a878dfcdb321fdc4102

Remus

98f4c865369c0e2a308c0d00df96bda6e9939c5ce907490af2e01efd9e661eff

Remus

error

Remus

+ 82 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/260424-1shbqadw7n/

Unpacked files

SH256 hash:

2e44cd37557321d7a03eae26b4c8f124c458c1771bb3c427774276d272ac6718

MD5 hash:

a7f46aa609d9ae94fd043550b101fa82

SHA1 hash:

25b46be413e32f8768a5502291388f1475538cf1

Link:

https://www.unpac.me/results/f74c12ff-d741-4da4-9473-86d8db5eca04/

Malware family:

RemusStealer

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/2e44cd375573/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/2e44cd37557321d7a03eae26b4c8f124c458c1771bb3c427774276d272ac6718

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectGoMethodSignatures Create hunting rule
Author:	Wyatt Tauber
Description:	Detects Go method signatures in unpacked Go binaries

Rule name:	GoBinTest Create hunting rule

Rule name:	golang Create hunting rule

Rule name:	Golangmalware Create hunting rule
Author:	Dhanunjaya
Description:	Malware in Golang

Rule name:	golang_binary_string Create hunting rule
Description:	Golang strings present

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	golang_duffcopy_amd64 Create hunting rule

Rule name:	Golang_Find_CSC846 Create hunting rule
Author:	Ashar Siddiqui
Description:	Find Go Signatuers

Rule name:	Golang_Find_CSC846_Simple Create hunting rule
Author:	Ashar Siddiqui
Description:	Find Go Signatuers

Rule name:	HiveRansomware Create hunting rule
Author:	Dhanunjaya
Description:	Yara Rule To Detect Hive V4 Ransomware

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	ProgramLanguage_Golang Create hunting rule
Author:	albertzsigovits
Description:	Application written in Golang programming language

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Suspicious_Golang_Binary Create hunting rule
Author:	Tim Machac
Description:	Triage: Golang-compiled binary with suspicious OS/persistence/network strings (not family-specific)

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.