MB-37f5afb9ed3761e73feb95daceb7a1fdbb13c8b5fc1a2ba22e0ef7994c7920ef
high
📛 Threat Title
Unknown: remotepe_2023-07-04_37f5afb9ed3761e73feb95daceb7a1fdbb13c8b5fc1a2ba22e0ef7994c7920ef.bin
Description
File type: exe (MalwareBazaar tag). Size: 550912 bytes. Tags: exe, Lazarus, RemotePE. Reporter: foxit_srt. First seen: 2026-05-22 15:48:53. Note that VirusTotal identifies the file as a 64-bit PE32+ DLL (x86-64), i.e. a module loaded by a host process rather than a stand-alone executable, and its PE compile timestamp is 2023-07-04; the "first seen" date is when the sample was shared, not when it was built.
Remediations (10)
Note: several of the entries below concern Windows Remote Desktop (RDP) client vulnerabilities and the CredSSP policy; they are general RDP hardening advice and are not specific to RemotePE, which is a remote access trojan used by Lazarus (see the nubetia.com, sechub.in and thehackernews.com entries).
- web:4sysops.com
  The April 2026 Patch Tuesday updates add anti-phishing protection to the Windows Remote Desktop client (mstsc.exe). The change — assigned CVE-2026-26151 — means that opening an .rdp file now triggers a security dialog that lists all requested resource-sharing settings, each disabled by default. Files without a verifiable publisher show a red "Caution: Unknown remote connection" banner. The ...
- web:cybersecuritynews.com
  A critical security vulnerability in Windows Remote Desktop Services, designated as CVE-2025-32710, which allows unauthorized attackers.
- web:learn.microsoft.com
  Starting with the April 2026 security update, the Remote Desktop Connection app shows new security warnings when you open RDP files. This article explains what these warnings mean and how to respond to them safely.
- web:nubetia.com
  The North Korea-linked cybercriminal organization Lazarus Group has been connected to a sophisticated social engineering campaign deploying three types of cross-platform malware: PondRAT, ThemeForestRAT, and RemotePE. According to research by NCC Group's Fox-IT, the attack was detected in 2024 and targeted a company in the decentralized finance (DeFi) sector, eventually compromising an ...
- web:rewterz.com
  Remediation: Apply the October 2025 Patch Tuesday updates immediately on all affected Windows systems. Enable automatic Windows updates to ensure timely installation of future patches. Avoid connecting to untrusted or unknown RDP servers to reduce exposure. Educate users on phishing awareness, including recognizing fake links and malicious RDP ...
- web:sechub.in
  Introduction: In the past few years, Fox-IT and NCC Group have conducted multiple incident response cases involving a Lazarus subgroup that specifically targets organizations in the financial and cryptocurrency sector. This Lazarus subgroup overlaps with activity linked to AppleJeus [1], Citrine Sleet [2], UNC4736 [3], and Gleaming Pisces [4]. This actor uses different remote access trojans (RATs) in ...
- web:thehackernews.com
  Lazarus Group used PondRAT, ThemeForestRAT, and RemotePE in a 2024 DeFi attack, likely via Chrome zero-day.
- web:windowsforum.com
  Remote Desktop Protocol (RDP), an essential technology in the remote access toolbox of Windows environments worldwide, has garnered renewed attention following the disclosure of CVE-2025-32715. This vulnerability, catalogued and published via the Microsoft Security Response Center (MSRC), targets the Remote Desktop Client and is described as an out-of-bounds read leading to information ...
- web:woshub.com
  The Encryption Oracle Remediation policy provides three levels of mitigation for the CredSSP vulnerability: Force Updated Clients - the most secure mode, which blocks vulnerable computer connections. If this option is enabled on the RDP host, it will block RDP connections from client computers with a vulnerable version of CredSSP.
- web:www.cisa.gov
  For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild. Organizations should use the KEV catalog as an input to their vulnerability management prioritization framework.
Indicators of Compromise (4)
Each indicator is enriched from the IOC database, threat-intel feed corroboration (Threat Hunt) and VirusTotal.
hash_sha256
37f5afb9ed3761e73feb95daceb7a1fdbb13c8b5fc1a2ba22e0ef7994c7920ef
VT 35 / 75
IOC database
- Type: hash_sha256
- Value: 37f5afb9ed3761e73feb95daceb7a1fdbb13c8b5fc1a2ba22e0ef7994c7920ef
- First seen
- Last seen
- Attached to this threat
- Appears in: 3 threats
- Description: Unknown
Threat Hunt — feed corroboration
Not present in any configured threat-intel feed.
Flagged by 35 of 75 VirusTotal vendors
| Vendor | Verdict | Detection |
|---|---|---|
| AhnLab-V3 | malicious | Malware/Win.Generic.C5887711 |
| Alibaba | malicious | Backdoor:Win64/MalwareX.df7999e7 |
| alibabacloud | malicious | Backdoor:Win/Wacatac.C9nj |
| ALYac | malicious | Backdoor.Agent.status |
| Antiy-AVL | malicious | Trojan[Backdoor]/Win32.GenericML |
| Arcabit | malicious | Trojan.Generic.D4C76C0F |
| Avira | malicious | TR/W64.Agent |
| BitDefender | malicious | Trojan.GenericKD.80178191 |
| Bkav | malicious | W32.Malware.86C91F47 |
| CrowdStrike | malicious | win/malicious_confidence_100% (W) |
| CTX | malicious | dll.trojan.generic |
| Cynet | malicious | Malicious (score: 100) |
| DeepInstinct | malicious | MALICIOUS |
| Elastic | malicious | malicious (moderate confidence) |
| Emsisoft | malicious | Trojan.GenericKD.80178191 (B) |
| ESET-NOD32 | malicious | Win64/TrojanDownloader.Agent.DCJ trojan |
| F-Secure | malicious | Trojan.TR/W64.Agent |
| GData | malicious | Trojan.GenericKD.80178191 |
| huorong | malicious | Trojan/Generic!C772850BC0133F52 |
| Lionic | malicious | Trojan.Win32.Generic.4!c |
| Malwarebytes | malicious | Trojan.Downloader |
| McAfeeD | malicious | ti!37F5AFB9ED37 |
| Microsoft | malicious | Trojan:Win32/Qwexlafiba!rfn |
| MicroWorld-eScan | malicious | Trojan.GenericKD.80178191 |
| Paloalto | malicious | generic.ml |
| Panda | malicious | Trj/PhxBzA.A |
| Sangfor | malicious | Downloader.Win64.Agent.Vlmy |
| Sophos | malicious | Mal/Generic-S |
| Tencent | malicious | Win64.Trojan-Downloader.Oader.Fdhl |
| TrendMicro | malicious | Trojan.Win32.ZYX.USBLEP26 |
| TrendMicro-HouseCall | malicious | Trojan.Win32.ZYX.USBLEP26 |
| Varist | malicious | W64/ABmRisk.QERF-0277 |
| VBA32 | malicious | Trojan.Win64.NukeSpeed |
| VIPRE | malicious | Trojan.GenericKD.80178191 |
| ViRobot | malicious | Trojan.Win.S.NukeSped.550912 |
Details From VirusTotal
Basic Properties
| MD5 | 781e02b32ed5dff6e512d9850a5b5403 |
| SHA-1 | ea5cfdcab1e4894bebdb8f0a9652c4a4ae190933 |
| SHA-256 | 37f5afb9ed3761e73feb95daceb7a1fdbb13c8b5fc1a2ba22e0ef7994c7920ef |
| VHash | 155066655d15551550b3z42z79jz35zabz |
| SSDEEP | 6144:v0TRv97oOrE9Py7tXztt4LStDLt5xvcgA2VQd8L55Wf0Kg0R68b23/UEZcSa/TB3:8TrZtDZAnuV5Wf0I6d1ZBgTmQ95omr |
| TLSH | T17BC45A4AB6B513F5D4BAC0388883651FFAB178A603709BDB57D09A5B1F23BE0653E740 |
| File type | Win32 DLL |
| File type tag | pedll |
| File extension | dll |
| Magic | PE32+ executable (DLL) (GUI) x86-64, for MS Windows |
| File size | 538.0 KB |
History
| Creation date | 2023-07-04 17:52 UTC |
| First seen on VirusTotal | 2026-05-22 15:07 UTC |
| Last submission | 2026-05-24 07:33 UTC |
| Last analysis | 2026-06-10 11:02 UTC |
| Last modified on VirusTotal | 2026-06-10 13:09 UTC |
Known Names
- remotepe_2023-07-04_37f5afb9ed3761e73feb95daceb7a1fdbb13c8b5fc1a2ba22e0ef7994c7920ef.bin
- 37f5afb9ed3761e73feb95daceb7a1fdbb13c8b5fc1a2ba22e0ef7994c7920ef.exe
- ti84hz5.exe
hash_sha1
ea5cfdcab1e4894bebdb8f0a9652c4a4ae190933
VT 35 / 75
IOC database
- Type: hash_sha1
- Value: ea5cfdcab1e4894bebdb8f0a9652c4a4ae190933
- First seen
- Last seen
- Attached to this threat
- Appears in: 2 threats
- Description: SHA1 of 37f5afb9ed3761e73feb95daceb7a1fdbb13c8b5fc1a2ba22e0ef7994c7920ef
Threat Hunt — feed corroboration
Not present in any configured threat-intel feed.
Flagged by 35 of 75 VirusTotal vendors. This is the same file as the SHA-256 indicator above; the vendor verdicts, VirusTotal properties, history and known names are identical to those listed there.
hash_md5
781e02b32ed5dff6e512d9850a5b5403
VT 35 / 75
IOC database
- Type: hash_md5
- Value: 781e02b32ed5dff6e512d9850a5b5403
- First seen
- Last seen
- Attached to this threat
- Appears in: 2 threats
- Description: MD5 of 37f5afb9ed3761e73feb95daceb7a1fdbb13c8b5fc1a2ba22e0ef7994c7920ef
Threat Hunt — feed corroboration
Not present in any configured threat-intel feed.
Flagged by 35 of 75 VirusTotal vendors. This is the same file as the SHA-256 indicator above; the vendor verdicts, VirusTotal properties, history and known names are identical to those listed there.
hash_imphash
af01990faf66ecd6ee7f9d35a36bea0c
IOC database
- Type: hash_imphash
- Value: af01990faf66ecd6ee7f9d35a36bea0c
- First seen
- Last seen
- Attached to this threat
- Appears in: 1 threat
Threat Hunt — feed corroboration
Not present in any configured threat-intel feed.
Details From VirusTotal
No VirusTotal details cached for this IOC. Note that an import hash is shared by every binary built with the same import table, so it is a weaker indicator than the file hashes above and should be corroborated before it is acted on.
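Hunting for this sample across a file share or a mounted disk image, as an added example that is not part of this record and not Fox-IT's or MalwareBazaar's tooling: the script below hashes every file under a directory, compares the digests with the MD5, SHA-1 and SHA-256 values from the IOC table (and with the imphash when the third-party pefile package is installed), and classifies each hit from its PE headers so the result can be checked against the VirusTotal magic line (PE32+ DLL, x86-64) and the 2023-07-04 creation date. The build_fake_pe helper produces a constructed header-only image for testing the classifier; it is not the sample. scan_tree, describe_pe and the other function names are this example's own.

```python
"""Hunt a directory tree for the RemotePE sample in this record: match files
on the IOC hashes and classify any hit from its PE headers (nothing is run)."""
import hashlib
import struct
from datetime import datetime, timezone
from pathlib import Path

# Hashes copied from the IOC table of this record.
IOC_HASHES = {
    "md5": "781e02b32ed5dff6e512d9850a5b5403",
    "sha1": "ea5cfdcab1e4894bebdb8f0a9652c4a4ae190933",
    "sha256": "37f5afb9ed3761e73feb95daceb7a1fdbb13c8b5fc1a2ba22e0ef7994c7920ef",
    "imphash": "af01990faf66ecd6ee7f9d35a36bea0c",
}

# PE/COFF header constants (from the PE format specification).
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
PE32_PLUS_MAGIC = 0x20B
MACHINE_NAMES = {0x8664: "x86-64", 0x14C: "i386", 0xAA64: "ARM64"}


def file_hashes(data: bytes) -> dict:
    """md5 / sha1 / sha256 hex digests of a byte string, in IOC-table order."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def describe_pe(data: bytes):
    """Classify a PE image from its headers alone; None if not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need the 4-byte signature, the 20-byte COFF header and the 2-byte
    # Magic that opens the optional header.
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, _, timestamp, _, _, _, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt_magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    return {
        "format": "PE32+" if opt_magic == PE32_PLUS_MAGIC else "PE32",
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "kind": "DLL" if characteristics & IMAGE_FILE_DLL else "EXE",
        # TimeDateStamp is what VirusTotal shows as "Creation date".
        "compile_time": datetime.fromtimestamp(timestamp, tz=timezone.utc)
        .strftime("%Y-%m-%d %H:%M:%S UTC"),
    }


def try_imphash(data: bytes):
    """Import hash via pefile (optional third-party dependency); None if unavailable."""
    try:
        import pefile
    except ImportError:
        return None
    try:
        return pefile.PE(data=data).get_imphash()
    except pefile.PEFormatError:
        return None


def match_iocs(data: bytes, iocs=IOC_HASHES, imphash=None) -> list:
    """Names of the IOC hashes that `data` matches, in table order."""
    hits = [name for name, digest in file_hashes(data).items()
            if digest == iocs.get(name)]
    if imphash and imphash == iocs.get("imphash"):
        hits.append("imphash")
    return hits


def scan_tree(root) -> list:
    """Walk `root`; return (path, hits, pe_info) for every file matching an IOC."""
    results = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            data = path.read_bytes()
            hits = match_iocs(data, imphash=try_imphash(data))
            if hits:
                results.append((str(path), hits, describe_pe(data)))
    return results


def build_fake_pe(machine=0x8664,
                  characteristics=IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL,
                  opt_magic=PE32_PLUS_MAGIC, timestamp=0) -> bytes:
    """Constructed header-only PE image (DOS stub + PE headers) for exercising
    describe_pe(); it is not the sample and contains no code."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> headers at 0x40
    coff = struct.pack("<HHIIIHH", machine, 0, timestamp, 0, 0, 2, characteristics)
    return bytes(dos) + b"PE\0\0" + coff + struct.pack("<H", opt_magic)


if __name__ == "__main__":
    import sys
    # Constructed header whose timestamp equals the record's creation date.
    print(describe_pe(build_fake_pe(timestamp=1688493120)))
    for path, hits, info in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: matched {hits}; {info}")
```

A hit on the file hashes should come back as a PE32+ DLL for x86-64 with a compile time of 2023-07-04 17:52 UTC; a hit on the imphash alone only says the import table is the same and deserves a manual look before it is escalated.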
References (1)
- MalwareBazaar sample page (Abuse.ch)
  File type: exe. Size: 550912 bytes. Tags: exe, Lazarus, RemotePE. Reporter: foxit_srt. First seen: 2026-05-22 15:48:53.