MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 71cba217e9878542c95b8fee784bba83a6d4cc9c0e1d8aaccf7186f742e3fc36. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemusStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 71cba217e9878542c95b8fee784bba83a6d4cc9c0e1d8aaccf7186f742e3fc36
SHA3-384 hash: 0f7f4e94d85d048d33089e060355787a378b9cf84d37aeab1611e5f05cc2f495d2e74be382536f0eef94be4f49c5909f
SHA1 hash: bd2782ac3fc8d64238ca407075dcfffe164acb61
MD5 hash: 0bb18e2cdcd593bcad15bae3a506256a
humanhash: oranges-wolfram-blossom-one
File name:file
Download: download sample
Signature RemusStealer
Create hunting rule
File size:229'376 bytes
First seen:2026-06-16 19:49:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 17081ce96f78327d576e14ddd5592fba (2 x RemusStealer)
ssdeep 3072:KnlM9AEUZlahswkWnOX6Z0NTP7Az9r0EpPzv009BGL+FV9UEHA:7H69Sa6jz9r0ElFjhVZA
TLSH T177243967D26371FCD652C07852667232FB33BA7943349DF70292C7319E22AC0AE79925
TrID 51.9% (.EXE) Win64 Executable (generic) (6522/11/2)
16.1% (.EXE) OS/2 Executable (generic) (2029/13)
15.9% (.EXE) Generic Win/DOS Executable (2002/3)
15.9% (.EXE) DOS Executable (generic) (2000/1)
Magika pebin
Reporter Bitsight
Tags:9d2ca3 dropped-by-amadey exe RemusStealer


Avatar
Bitsight
url: http://91.92.242.236/files-129312398/files/file_1aa54dbfab99756a.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
189
Origin country :
US US
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
71cba217e9878542c95b8fee784bba83a6d4cc9c0e1d8aaccf7186f742e3fc36.bin.exe
Verdict:
No threats detected
Analysis date:
2026-06-16 19:50:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fe438b7a-4cd8-40f1-8d28-528cdf35f3f6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/70996/
Detection(s):
SecuriteInfo.com.Variant.Stealer.396.68738221.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a31a91c1a97308eef89b1fc
Tags:
n/a
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context
Link:
https://www.filescan.io/uploads/6a31a914bf16337e43c9dded/reports/6734dda2-ed26-43d7-a11a-f5a8332452a2/overview
Verdict:
Malicious
Labled as:
Stealer.Generic
Link:
https://www.hybrid-analysis.com/sample/71cba217e9878542c95b8fee784bba83a6d4cc9c0e1d8aaccf7186f742e3fc36
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-06-16T15:53:00Z UTC
Last seen:
2026-06-17T01:06:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.Agent.gen
Link:
https://opentip.kaspersky.com/71cba217e9878542c95b8fee784bba83a6d4cc9c0e1d8aaccf7186f742e3fc36/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/68aa0563-0931-40f2-9655-22d9372249d3
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/71cba217e9878542c95b8fee784bba83a6d4cc9c0e1d8aaccf7186f742e3fc36
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/71cba217e9878542c95b8fee784bba83a6d4cc9c0e1d8aaccf7186f742e3fc36/
Verdict:
Malicious
Threat:
Family.REMUS_STEALER
Link:
https://tip.neiki.dev/file/71cba217e9878542c95b8fee784bba83a6d4cc9c0e1d8aaccf7186f742e3fc36
Threat name:
Win64.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2026-06-16 19:50:47 UTC
File Type:
PE+ (Exe)
AV detection:
20 of 36 (55.56%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ohf2ef7jq6cufsk3r7xhqs52qotnjte4byoyvlgpogdpoqxd7q3a._file
Verdict:
malicious
Label(s):
remus
Create hunting rule
Similar samples:
error
RemusStealer
Result
Malware family:
remus_stealer
Create hunting rule
Score:
  10/10
Tags:
family:remus_stealer discovery spyware stealer
Link:
https://tria.ge/reports/260616-ykl9ladw3j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Browser Information Discovery
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Malware Config
C2 Extraction:
http://carogra.biz:4219
http://myrtler.biz:9549
http://youngel.biz:8768
Unpacked files
SH256 hash:
71cba217e9878542c95b8fee784bba83a6d4cc9c0e1d8aaccf7186f742e3fc36
MD5 hash:
0bb18e2cdcd593bcad15bae3a506256a
SHA1 hash:
bd2782ac3fc8d64238ca407075dcfffe164acb61
Link:
https://www.unpac.me/results/ceaedfd9-5684-44dc-bdaf-328fe869597e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/71cba217e987/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/71cba217e9878542c95b8fee784bba83a6d4cc9c0e1d8aaccf7186f742e3fc36

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:RemusStealer_MSVC_Loader
Create hunting rule
Author:burger
Description:Detects RemusStealer MSVC C++ loader (register-variant tolerant)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemusStealer

Executable exe 71cba217e9878542c95b8fee784bba83a6d4cc9c0e1d8aaccf7186f742e3fc36

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/70996/

Comments