MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 99d6ea218c93a9e3208a4066cfa08b84e23ed8a7688daca82809fa22040f32e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemusStealer

Vendor detections: 13

Intelligence 13 IOCs YARA 3 File information Comments

SHA256 hash:	99d6ea218c93a9e3208a4066cfa08b84e23ed8a7688daca82809fa22040f32e0
SHA3-384 hash:	d015e22011ba169361633355da534a184dadfbfce9124e40ca475cab8c89e2dc14f9f6126ab912c91f18e2cf83445b36
SHA1 hash:	ba98c29205ed525b6c05352918e2b155d2c12f3b
MD5 hash:	4c65ef16ec9e6425be291f170ecf2e3d
humanhash:	speaker-vermont-fanta-cardinal
File name:	99d6ea218c93a9e3208a4066cfa08b84e23ed8a7688daca82809fa22040f32e0
Download:	download sample
Signature	RemusStealer Create hunting rule
File size:	4'816'896 bytes
First seen:	2026-06-05 06:56:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2357c925d5987053dcf0c59a30ebf2d4 (2 x RemusStealer)
ssdeep	98304:kBXwY53vIMvUnh9bqnWkI/B5NJ2dIaZ7L/Foze:kBAs3Ji+WhpXJ2dRZH/Fo
Threatray	60 similar samples on MalwareBazaar
TLSH	T11326E0212DED202AF87ADDF1A0F0B5C91DA4BD7D45A508EC68CCB675DC128533BAF819
TrID	33.1% (.EXE) Win64 Executable (generic) (6522/11/2) 25.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 10.4% (.ICL) Windows Icons Library (generic) (2059/9) 10.3% (.EXE) OS/2 Executable (generic) (2029/13) 10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
dhash icon	f0ccf2b1f0ccccf0 (2 x RemusStealer, 1 x AsyncRAT, 1 x njrat)
Reporter	JAMESWT_WT
Tags:	Click-Hijacking-TDS exe RemusStealer

Intelligence

File Origin

# of uploads :

# of downloads :

121

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

_99d6ea218c93a9e3208a4066cfa08b84e23ed8a7688daca82809fa22040f32e0.exe

Verdict:

No threats detected

Analysis date:

2026-06-05 07:43:04 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/b0398440-b492-4205-9cc4-c6541acc82c0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/69142/

Detection(s):

SecuriteInfo.com.Trojan.Siggen32.25813.8026.100.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a22732257b7bf261d6110b0

Tags:

virus

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Query of malicious DNS domain

Connection attempt to an infection source

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

adaptive-context anti-debug installer-heuristic keylogger packed reconnaissance

Link:

https://www.filescan.io/uploads/6a22731d099ef368af210ef2/reports/1770899e-6f6f-42d5-8b4f-e3e056473512/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/99d6ea218c93a9e3208a4066cfa08b84e23ed8a7688daca82809fa22040f32e0

Verdict:

Clean

File Type:

exe x64

First seen:

2026-02-18T10:49:00Z UTC

Last seen:

2026-02-18T11:00:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/99d6ea218c93a9e3208a4066cfa08b84e23ed8a7688daca82809fa22040f32e0/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/80439a11-4e29-4053-a6c1-8ba8328194d2

Score:

95%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/99d6ea218c93a9e3208a4066cfa08b84e23ed8a7688daca82809fa22040f32e0

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/99d6ea218c93a9e3208a4066cfa08b84e23ed8a7688daca82809fa22040f32e0/

Verdict:

Malicious

Threat:

Family.REMUSSTEALER

Link:

https://tip.neiki.dev/file/99d6ea218c93a9e3208a4066cfa08b84e23ed8a7688daca82809fa22040f32e0

Threat name:

Win64.Trojan.StealC

Status:

Malicious

First seen:

2026-02-19 02:29:12 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

20 of 36 (55.56%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=thlouimmsou6giekibtm7ielqtrd5wfhncg2zkbibh5cebapglqa._file

Verdict:

malicious

Label(s):

remus

RemusStealer

7e7e53a2dc5a386a08eb7b0716ff32280be9b94b728d6a358788c62080288e27

RemusStealer

bf1b8188e4a025237264e670cf5eec1a56d6e5ef10ee837d325f642626f97fe7

RemusStealer

error

RemusStealer

f71cbfb508a0e21d6304b2d83d7fe56fd8c6b27fd720e2d45984923e17442c9b

RemusStealer

fdcc3d417094c32b9bfb9f012173ff0335f86518c789b0ef1d8c12504cd9cf5b

RemusStealer

+ 50 additional samples on MalwareBazaar

Result

Malware family:

remus_stealer

Score:

10/10

Tags:

family:remus_stealer stealer

Link:

https://tria.ge/reports/260605-hqk1qabz8w/

Behaviour

Detects Remus stealer

Family: Remus

Unpacked files

SH256 hash:

99d6ea218c93a9e3208a4066cfa08b84e23ed8a7688daca82809fa22040f32e0

MD5 hash:

4c65ef16ec9e6425be291f170ecf2e3d

SHA1 hash:

ba98c29205ed525b6c05352918e2b155d2c12f3b

Link:

https://www.unpac.me/results/84c2b058-847f-4a20-8c46-0536280f8530/

Malware family:

RemusLogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/99d6ea218c93/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/99d6ea218c93a9e3208a4066cfa08b84e23ed8a7688daca82809fa22040f32e0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	RemusStealer_MSVC_Loader Create hunting rule
Author:	burger
Description:	Detects RemusStealer MSVC C++ loader (register-variant tolerant)

Rule name:	TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE Create hunting rule
Author:	CYFARE
Description:	Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:	https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/69142/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample