MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 61269eca1d774d5e3bc5fb9445de05bb7b0f9057876a9ef7779ecd5ca1582acc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemusStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 22 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 61269eca1d774d5e3bc5fb9445de05bb7b0f9057876a9ef7779ecd5ca1582acc
SHA3-384 hash: 063360ea95dfb98c43e51fbfe8fa1ea353e1d52b3ea1a91b86b89f8ad06c54da8e67c820a06bcc8ff622068ade32d078
SHA1 hash: 594be30eb706112067443617d7690378c4113a37
MD5 hash: 4f8186a34c9b0580111641749d875faa
humanhash: jig-purple-earth-island
File name:4f8186a34c9b0580111641749d875faa
Download: download sample
Signature RemusStealer
Create hunting rule
File size:4'695'904 bytes
First seen:2026-06-22 08:01:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d42595b695fc008ef2c56aabd8efd68e (487 x Vidar, 96 x Stealc, 92 x Rhadamanthys)
ssdeep 24576:QiPddW5b/631vKLY8XfTtzF8be/3eGwG50D4SuS1KRfl2MG/uJvA2Bele5IK2ml6:QiPbQW3oLzPxWBGwgUT1Kdl9Y18tH8fN
Threatray 6 similar samples on MalwareBazaar
TLSH T13E264A47FCA109EAC09AA37189B392867B34BC491B3223D32E50B7782F767D09D75758
TrID 33.1% (.EXE) Win64 Executable (generic) (6522/11/2)
25.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.4% (.ICL) Windows Icons Library (generic) (2059/9)
10.3% (.EXE) OS/2 Executable (generic) (2029/13)
10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon 88b88484a8d3d848 (1 x RemusStealer)
Reporter adrian__luca
Tags:exe RemusStealer signed

Code Signing Certificate

Organisation:heja.io
Issuer:heja.io
Algorithm:sha256WithRSAEncryption
Valid from:2026-06-20T03:37:45Z
Valid to:2027-06-20T03:37:45Z
Serial number: 6640257e29dac94c
Thumbprint Algorithm:SHA256
Thumbprint: b28a62d33e6b0f634932e580c1d09ad7e0174ea665654fc8a890aa4dce7ccf16
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
111
Origin country :
HU HU
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
_61269eca1d774d5e3bc5fb9445de05bb7b0f9057876a9ef7779ecd5ca1582acc.exe
Verdict:
Malicious activity
Analysis date:
2026-06-22 08:04:13 UTC
Tags:
golang
Link:
https://app.any.run/tasks/3c383b3d-5334-4bf5-8111-db19096098ff

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/71490/
Detection(s):
SecuriteInfo.com.UntrustedCertificate-20.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a38ec791548daf709f8b27c
Tags:
injection obfusc crypt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Connection attempt to an infection source
Sending an HTTP POST request
Query of malicious DNS domain
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-vm crypto golang overlay packed signed
Link:
https://www.filescan.io/uploads/6a38ed2562d0679105fb150f/reports/1034ce4b-ce4e-4543-a8d4-b5164a58354b/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/61269eca1d774d5e3bc5fb9445de05bb7b0f9057876a9ef7779ecd5ca1582acc
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-06-20T07:20:00Z UTC
Last seen:
2026-06-23T23:27:00Z UTC
Hits:
~10
Detections:
Trojan.Win64.Agent.smgnmv Trojan.Win64.Agent.sb
Link:
https://opentip.kaspersky.com/61269eca1d774d5e3bc5fb9445de05bb7b0f9057876a9ef7779ecd5ca1582acc/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/72730867-b4a5-443d-bc96-3e3ebb2f7d9a
Score:
0%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/61269eca1d774d5e3bc5fb9445de05bb7b0f9057876a9ef7779ecd5ca1582acc
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/61269eca1d774d5e3bc5fb9445de05bb7b0f9057876a9ef7779ecd5ca1582acc/
Verdict:
Malicious
Threat:
Family.REMUS_STEALER
Link:
https://tip.neiki.dev/file/61269eca1d774d5e3bc5fb9445de05bb7b0f9057876a9ef7779ecd5ca1582acc
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-06-20 13:44:25 UTC
File Type:
PE+ (Exe)
Extracted files:
5
AV detection:
22 of 36 (61.11%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=metj5sq5o5gv4o6f7okelxqfxn5q7ecxq5vj553xt3gvzikyflga._file
Verdict:
malicious
Label(s):
remus
Create hunting rule
Similar samples:
29352f59456553b5f5484561ad72727866119f00dfa50626b152ec47d68369a9
RemusStealer
5b32520c8250abf509ad7da4d9aa9715a45605aaba0bf340835698d30435b40d
RemusStealer
d34be339fd8c47756de5b4e6c402612a333c50b9e1fa4bffdd32cb3f9d5c1d74
RemusStealer
Result
Malware family:
remus_stealer
Create hunting rule
Score:
  10/10
Tags:
family:remus_stealer discovery spyware stealer
Link:
https://tria.ge/reports/260622-jx4l3sas7r/
Behaviour
Suspicious behavior: EnumeratesProcesses
Browser Information Discovery
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
Detects Remus stealer
Family: Remus
Malware Config
C2 Extraction:
http://carogra.biz:4219
http://myrtler.biz:9549
http://youngel.biz:8768
Unpacked files
SH256 hash:
61269eca1d774d5e3bc5fb9445de05bb7b0f9057876a9ef7779ecd5ca1582acc
MD5 hash:
4f8186a34c9b0580111641749d875faa
SHA1 hash:
594be30eb706112067443617d7690378c4113a37
Link:
https://www.unpac.me/results/b8c5bb56-f6a9-426c-8473-0820c107568f/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:Detect_Go_GOMAXPROCS
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:golang_duffcopy_amd64
Create hunting rule
Rule name:Golang_Find_CSC846
Create hunting rule
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:Golang_Find_CSC846_Simple
Create hunting rule
Author:Ashar Siddiqui
Description:Find Go Signatuers
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:ProgramLanguage_Golang
Create hunting rule
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:RemusStealer_GoPayload
Create hunting rule
Author:burger
Description:Detects RemusStealer Go-compiled payload
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Suspicious_Golang_Binary
Create hunting rule
Author:Tim Machac
Description:Triage: Golang-compiled binary with suspicious OS/persistence/network strings (not family-specific)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Create hunting rule
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemusStealer

Executable exe 61269eca1d774d5e3bc5fb9445de05bb7b0f9057876a9ef7779ecd5ca1582acc

(this sample)

  
Delivery method
Distributed via e-mail attachment
  
URLhaus
https://urlhaus.abuse.ch/url/3853311/
  
URLhaus
https://urlhaus.abuse.ch/url/3866177/
Cape
Cape
https://www.capesandbox.com/analysis/71490/

Comments