MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5eb440933efc934628399697e2bca83ac41cefbb7c653dae1b91113596c4755e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemusStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5eb440933efc934628399697e2bca83ac41cefbb7c653dae1b91113596c4755e
SHA3-384 hash: e438bf26ad5517fad2a03b13b862518356d5909ad3c7ba1a3b47c8e007a23244c9f9ebaac052c936b047882fd9228402
SHA1 hash: c23da96e2e71d8487c839b75bfaad1e7f8b7a3a8
MD5 hash: 8c0b07374898e76cadd6d36e68959682
humanhash: cup-tennis-apart-sweet
File name:sunwukongs.exe
Download: download sample
Signature RemusStealer
Create hunting rule
File size:757'216 bytes
First seen:2026-05-01 15:28:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 6144:VJNtbWAce4u+jylPusfldaDEfrL19LEV46xwZAVqxSFUMlom4Gl1f1rcr7:NkO46lpkIjLt4+APiGXg7
Threatray 60 similar samples on MalwareBazaar
TLSH T1D6F440EF6F2E78C9D9556BFC94B46D2197A0FCB075D1608A1342F75BCC189238E2A123
TrID 21.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
21.2% (.EXE) Win64 Executable (generic) (6522/11/2)
16.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
14.6% (.EXE) Win32 Executable (generic) (4504/4/1)
6.6% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 71e8d4d292d4f871 (2 x RemusStealer)
Reporter aachum
Tags:dropped-by-OffLoader exe firewai-biz RemusStealer signed SunWukong

Code Signing Certificate

Organisation:Bahringer - Altenwerth
Issuer:Bahringer - Altenwerth Intermediate CA 2
Algorithm:sha256WithRSAEncryption
Valid from:2025-10-30T14:25:12Z
Valid to:2028-04-30T14:25:12Z
Serial number: 010cb8ae3afbded0
Thumbprint Algorithm:SHA256
Thumbprint: 392c3c7584987eca06b39a37354bc501c6d845926c4c734ab313bd66bd8cae3b
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
iamaachum
http://plasteredplayn.com/sunwukongs.exe

RemusStealer C2:
prodxk.lol (147.93.81.142:5674)
firewai.biz (194.164.72.136:48261)

Intelligence

File Origin
# of uploads :
1
# of downloads :
115
Origin country :
ES ES
Vendor Threat Intelligence
No detections
Malware family:
phorpiex
Create hunting rule
ID:
1
File name:
main.exe
Verdict:
Malicious activity
Analysis date:
2026-05-01 06:26:40 UTC
Tags:
auto xworm rat anti-evasion github possible-phishing botnet phorpiex stealer stealc python quasar clickfix powershell remcos generic violetworm worm phishing smoke loader tinynuke adaptixc2 remote xenorat telegram pastebin screenconnect tool rmm-tool rustystealer action1 redline adware guloader action1rmm clipbanker cobaltstrike havoc cryptowall ransomware evasion pyinstaller uac discord networm amus cryptolocker wannacry pythonstealer susp-powershell datto autoit exfiltration lumma websocket koiloader putty neshta pushware ghostsocks proxyware njrat bladabindi evelyn muckstealer api-base64 wmi-base64 dattormm delphi xred backdoor amadey openssl coinminer miner chromelevator hacktool inject stealerium vidar meterpreter salatstealer whitesnake rhadamanthys gh0st asyncrat santastealer evelynstealer rustdesk donutloader ultravnc jeefo bruteratel gotohttp iqvw64-sys vuln-driver blankgrabber netsupport whitesnakestealer discordrat hijackloader rdpwrap vshell
Link:
https://app.any.run/tasks/60ff2d74-ea65-47a7-b5d8-7de323088f1c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/64192/
Detection(s):
SecuriteInfo.com.Win64.MalwareX-gen.86627788.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Sending a custom TCP request
DNS request
Connection attempt
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
crypt installer-heuristic packed signed
Link:
https://www.filescan.io/uploads/69f4c69286e92bda701ab039/reports/9bd77559-c0eb-4a16-acd5-a30b3e2b6ea1/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/5eb440933efc934628399697e2bca83ac41cefbb7c653dae1b91113596c4755e
Verdict:
Clean
File Type:
exe x64
First seen:
2026-04-30T12:45:00Z UTC
Last seen:
2026-05-03T03:16:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/5eb440933efc934628399697e2bca83ac41cefbb7c653dae1b91113596c4755e/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/fae94ba8-3844-4b3a-a1da-9e947e9277d8
Result
Threat name:
EtherHiding
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1907342
Signature
AI detected suspicious PE digital signature
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Found stalling execution ending in API Sleep call
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Uses known network protocols on non-standard ports
Yara detected EtherHiding
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1907342 Sample: sunwukongs.exe Startdate: 01/05/2026 Architecture: WINDOWS Score: 100 29 prodxk.lol 2->29 31 cronicasdelcentro.com 2->31 33 3 other IPs or domains 2->33 47 Suricata IDS alerts for network traffic 2->47 49 Antivirus detection for URL or domain 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 4 other signatures 2->53 7 sunwukongs.exe 1 2->7         started        12 0eWwfjJD.exe 1 2->12         started        14 0eWwfjJD.exe 1 2->14         started        signatures3 process4 dnsIp5 35 cronicasdelcentro.com 195.250.27.211, 443, 49699, 49700 OPTIMITYGB United Kingdom 7->35 37 prodxk.lol 147.93.81.142, 49687, 5674 ICN-ASUS Belgium 7->37 23 C:\...\k35gLa34D2FcmaD3RoJma3BskVuayV.exe, PE32+ 7->23 dropped 55 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->55 57 Query firmware table information (likely to detect VMs) 7->57 59 Tries to steal Mail credentials (via file / registry access) 7->59 65 4 other signatures 7->65 16 k35gLa34D2FcmaD3RoJma3BskVuayV.exe 1 14 7->16         started        61 Multi AV Scanner detection for dropped file 12->61 63 Unusual module load detection (module proxying) 12->63 file6 signatures7 process8 dnsIp9 25 celebration-internet.cc 104.21.4.73, 443, 49702 CLOUDFLARENETUS United States 16->25 27 k8s-ingressn-bscmainn-3f9a19480b-888004326.us-east-1.elb.amazonaws.com 44.208.16.18, 443, 49701 AMAZON-AESUS United States 16->27 21 C:\Users\user\AppData\...\0eWwfjJD.exe, PE32+ 16->21 dropped 39 Multi AV Scanner detection for dropped file 16->39 41 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 16->41 43 Found stalling execution ending in API Sleep call 16->43 45 Found direct / indirect Syscall (likely to bypass EDR) 16->45 file10 signatures11
Score:
86%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5eb440933efc934628399697e2bca83ac41cefbb7c653dae1b91113596c4755e
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5eb440933efc934628399697e2bca83ac41cefbb7c653dae1b91113596c4755e/
Verdict:
Malicious
Threat:
Family.SMOKE LOADER
Link:
https://tip.neiki.dev/file/5eb440933efc934628399697e2bca83ac41cefbb7c653dae1b91113596c4755e
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-04-30 21:09:34 UTC
File Type:
PE+ (Exe)
Extracted files:
19
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=l22ebez67sjumkbzs2l6fpfihlcbz353prst3lq3seitlfweovpa._file
Verdict:
malicious
Label(s):
unc_rust_clipper_001
Create hunting rule
Similar samples:
113a05106b85844a4fcc943e5b06af75bb45c22cec1e6aa30400a13e00dcfc22
RemusStealer
1713b425157a02715f62c250ab2ca039f02923be43ed8715044a99f9947c7be3
RemusStealer
8bbd5525d11b0aeecd5d9bc385c080cf2fd1b4a6aba76caf62b16426a0840ba2
RemusStealer
bf8578b5c7d90be1668df5bc90280617891a5b2f1fa5cc94f04884cddf3e36f8
RemusStealer
cf87e503337479f15b7f9394e70269dccb351dcecf1f9d82620a8af6618bff92
RemusStealer
error
RemusStealer
f82d272a52c56f65d66ac665f3074639b93b61c094d27c75e0c77b9baffe896f
RemusStealer
fe39618cf95e1aed7487364f17ebc3a727a3c1f8f68722671214bc6252045f61
RemusStealer
+ 50 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/260501-swfnascx8m/
Unpacked files
SH256 hash:
5eb440933efc934628399697e2bca83ac41cefbb7c653dae1b91113596c4755e
MD5 hash:
8c0b07374898e76cadd6d36e68959682
SHA1 hash:
c23da96e2e71d8487c839b75bfaad1e7f8b7a3a8
Link:
https://www.unpac.me/results/b6118723-8642-4660-b705-149327e6a72d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.21
Link:
https://yomi.yoroi.company/submissions/5eb440933efc934628399697e2bca83ac41cefbb7c653dae1b91113596c4755e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemusStealer

Executable exe 5eb440933efc934628399697e2bca83ac41cefbb7c653dae1b91113596c4755e

(this sample)

  
Link
https://tria.ge/260501-sj7w1sgx3x/behavioral2
  
Dropped by
OffLoader
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3835260/
Cape
Cape
https://www.capesandbox.com/analysis/64192/

Comments