ac468b5536a0b3f8c6b88968a7f3761f
Hash
- MD5: ac468b5536a0b3f8c6b88968a7f3761f
- SHA1: 111904fcc3e2f0fba7b24913a8f54d2b3fd9de06
- SHA256: 6b33d20196267b0d64bca815ca863558d26b17cee77caf62a6cce8eae555ac8d
- First Seen: 2026-05-22
- Last Seen: 2026-05-22
Additional Information
MalwareBazaar
{
"query_status": "ok",
"data": [
{
"sha256_hash": "6b33d20196267b0d64bca815ca863558d26b17cee77caf62a6cce8eae555ac8d",
"sha3_384_hash": "264ba1d22f3a001f77256a4b5a2c22b1872c0d1e51fd963e54887047d5d339fbcf868e7879e26941db51f651bcd6f136",
"sha1_hash": "111904fcc3e2f0fba7b24913a8f54d2b3fd9de06",
"md5_hash": "ac468b5536a0b3f8c6b88968a7f3761f",
"first_seen": "2026-05-22 15:48:43",
"last_seen": null,
"file_name": "remotepe_2023-10-17_6b33d20196267b0d64bca815ca863558d26b17cee77caf62a6cce8eae555ac8d.bin",
"file_size": 553030,
"file_type_mime": "application/x-dosexec",
"file_type": "exe",
"file_format": "PE",
"file_arch": "AMD64",
"reporter": "foxit_srt",
"origin_country": "NL",
"anonymous": 0,
"signature": "Lazarus",
"imphash": "7d1603f1c5c7a1b38e8dd1babbb4c032",
"tlsh": "T1FDC45B0AB6B513F5D4BAC0388993652FF97278A603709BDB53D09A5B1F23BE4653E340",
"telfhash": null,
"gimphash": null,
"ssdeep": "12288:c9UtuqMzrKMjkQm/WqTYSN5Bfs2qT+Q6oNH:E4udPVjkQG5TLH0Tj6m",
"magika": "pebin",
"dhash_icon": null,
"trid": [
"37.0% (.EXE) Win64 Executable (generic) (6522/11/2)",
"28.6% (.EXE) Win16 NE executable (generic) (5038/12/1)",
"11.5% (.EXE) OS/2 Executable (generic) (2029/13)",
"11.3% (.EXE) Generic Win/DOS Executable (2002/3)",
"11.3% (.EXE) DOS Executable (generic) (2000/1)"
],
"comment": null,
"archive_pw": null,
"tags": [
"exe",
"Lazarus",
"RemotePE"
],
"code_sign": null,
"delivery_method": null,
"intelligence": {
"clamav": null,
"downloads": "133",
"uploads": "1",
"mail": null
},
"file_information": [
{
"context": "links",
"value": "https://blog.fox-it.com/2026/05/22/remotepe-the-lazarus-rat-that-lives-in-memory/"
},
{
"context": "cape",
"value": "https://www.capesandbox.com/analysis/67565/"
}
],
"ole_information": [],
"yara_rules": [
{
"rule_name": "cobalt_strike_tmp01925d3f",
"author": "The DFIR Report",
"description": "files - file ~tmp01925d3f.exe",
"reference": "https://thedfirreport.com"
},
{
"rule_name": "DebuggerCheck__API",
"author": null,
"description": null,
"reference": "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
},
{
"rule_name": "DebuggerCheck__QueryInfo",
"author": null,
"description": null,
"reference": "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
},
{
"rule_name": "dgaagas",
"author": "Harshit",
"description": "Uses certutil.exe to download a file named test.txt",
"reference": null
},
{
"rule_name": "golang_bin_JCorn_CSC846",
"author": "Justin Cornwell",
"description": "CSC-846 Golang detection ruleset",
"reference": null
},
{
"rule_name": "meth_stackstrings",
"author": "Willi Ballenthin",
"description": null,
"reference": null
},
{
"rule_name": "pe_detect_tls_callbacks",
"author": null,
"description": null,
"reference": null
},
{
"rule_name": "VECT_Ransomware",
"author": "Mustafa Bakhit",
"description": "Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.",
"reference": null
}
],
"vendor_intel": {
"CERT-PL_MWDB": {
"detection": null,
"link": "https://mwdb.cert.pl/sample/6b33d20196267b0d64bca815ca863558d26b17cee77caf62a6cce8eae555ac8d/"
},
"YOROI_YOMI": {
"detection": "Malicious File",
"score": "1.00"
},
"vxCube": {
"verdict": "clean2",
"maliciousness": "19",
"behaviour": [
{
"threat_level": "neutral",
"rule": "Launching a service"
}
]
},
"Intezer": {
"verdict": "unknown",
"family_name": null,
"analysis_url": "https://analyze.intezer.com/analyses/0f5fa8a9-908b-4a94-8787-3d1c3302a261?utm_source=MalwareBazaar"
},
"CAPE": {
"detection": null,
"link": "https://www.capesandbox.com/analysis/67565/"
},
"Triage": {
"malware_family": null,
"score": "3",
"link": "https://tria.ge/reports/260522-s9g4aaax9z/",
"tags": [],
"signatures": [],
"malware_config": []
},
"ReversingLabs": {
"threat_name": "Win64.Trojan.Yomal",
"status": "MALICIOUS",
"first_seen": "2026-05-22 15:49:31",
"scanner_count": "24",
"scanner_match": "8",
"scanner_percent": "33.33"
},
"Spamhaus_HBL": [
{
"detection": "suspicious",
"link": "https://www.spamhaus.org/hbl/"
}
],
"UnpacMe": [
{
"sha256_hash": "6b33d20196267b0d64bca815ca863558d26b17cee77caf62a6cce8eae555ac8d",
"md5_hash": "ac468b5536a0b3f8c6b88968a7f3761f",
"sha1_hash": "111904fcc3e2f0fba7b24913a8f54d2b3fd9de06",
"detections": [],
"link": "https://www.unpac.me/results/6fe50866-9625-4ff1-9a52-8e454996c1c1/"
}
],
"FileScan-IO": {
"verdict": "LIKELY_MALICIOUS",
"threatlevel": "0.75",
"confidence": "1.0",
"report_link": "https://www.filescan.io/uploads/6a107b02861ee596e646e609/reports/327f4ea0-f5fd-43f7-a611-e6dabefa258c/overview"
},
"Kaspersky": {
"verdict": "Malware",
"file_type": "dll x64",
"first_seen": "2026-05-22T13:23:00Z",
"last_seen": "2026-05-22T23:55:00Z",
"hitscount": 10,
"report_link": "https://opentip.kaspersky.com/6b33d20196267b0d64bca815ca863558d26b17cee77caf62a6cce8eae555ac8d/results?tab=lookup",
"detections": []
}
},
"comments": null
}
]
}