Malicious
Unsigned Themida-packed executable showing process injection, credential dumping, and direct-IP C2 with 13 tier-1 detections.
e8e7e6ed24bd6932c4…93cdf38634
The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
The engine set shows clear tier-1 consensus on a win64 family, with 13 high-trust detections and only 3 clean tier-1 results. The file is unsigned and exhibits offensive MITRE techniques including credential access (T1003, T1555) and process injection (T1055). Direct-IP C2 with no observed DNS usage and a matching Themida YARA rule further support a malicious classification. Medium prevalence does not offset the strong detection and behavioural signals.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
- engines.tier1Malicious=13 with tier1FamilyConsensus.strong=true on win64
- behaviour.offensiveTechniques=[T1055,T1003,T1555,T1548,T1552.001] and MalwareTips.Synth.ProcessInjection fired
- externalIntel.yaraify.rules[0].name=INDICATOR_EXE_Packed_Themida
- signing.verified=false and signerStats.found=false
- file.tags contain themida and popularThreatLabel=trojan.themida/misc
- No malicious dropped children detected
- No malicious sandbox verdicts recorded
- 13 tier-1 malicious detections with strong family consensus
- Unsigned executable
- Themida packing confirmed by YARA and tags
- Process injection and credential-dumping techniques observed
- Direct-IP C2 bypassing DNS reputation systems
Treat as malicious; do not execute it, and remove the sample together with the files it stages under %AppData%\Roaming\Ronix\Bin (Loader.exe, Ronix-Module.dll) and any other associated files immediately.
themida corroborated by 3 sources
- 1 YARA rule: INDICATOR_EXE_Packed_Themida
- VT (74 engines): themida
- MT AI Engine: themida
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
External IP addresses contacted during detonation (10 of the 14 reported are listed):
- 185.199.108.133
- 140.82.116.3
- 162.159.133.234
- 13.107.226.70
- 150.171.74.13
- 162.159.130.233
- 150.171.110.147
- 173.194.203.132
- 13.107.253.70
- 35.190.80.1
- C:\Users\<USER>\AppData\Roaming\Ronix\Bin\Loader.exe.download
- C:\Users\<USER>\AppData\Roaming\Ronix\Bin\Loader.exe
- C:\Users\<USER>\AppData\Roaming\Ronix\Bin\Ronix-Module.dll.download
- C:\Users\<USER>\AppData\Roaming\Ronix\Bin\Ronix-Module.dll
- C:\Users\<USER>\Desktop\Ronix.exe.download
- C:\Users\<USER>\AppData\Roaming\Ronix\Bin\Loader.exe.download
- C:\Users\<USER>\AppData\Roaming\Ronix\Bin\Ronix-Module.dll.download
- C:\Users\<USER>\Desktop\Ronix.exe.download
- cversions.3.m
Files this sample writes at runtime
This file drops 10 children at runtime. None are currently flagged malicious in our cache, but none has ever been scanned either, so this is absence of data rather than a clean result; submit the dropped files before relying on it.
- f3314853dd50e35c78c5…0a297f (never scanned, never seen before)
- ac3706ebbb78cfba74e5…0aba8f (never scanned, never seen before)
- bfec2e34583ada7e6af2…577b90 (never scanned, never seen before)
- b028630e5de06dc376ef…1481d2 (never scanned, never seen before)
- bb8fa7341fb84d9e7fcf…8842d5 (never scanned, never seen before)
- 617bf538df6b4ba8c168…d5a771 (never scanned, never seen before)
- e23040951e464b53b84b…09bc25 (never scanned, never seen before)
- 5557080d062f953443f6…af77a4 (never scanned, never seen before)
- 0cf13ed4ab8567b81b79…6953b2 (never scanned, never seen before)
- d8fee07da968a492fd1b…b259c2 (never scanned, never seen before)
1 corroborating signal from researcher-curated sources
- INDICATOR_EXE_Packed_Themida (by ditekSHen): Detects executables packed with Themida
YARA + heuristic rules that fired
A researcher-curated or high-severity heuristic rule matched this sample. Rules of this class usually target specific malware families and are near-definitive; the one that fired here, however, is a packer indicator. Themida is a commercial protector that legitimate software also uses, so this match establishes that the file is protected, not by itself that it is malicious, and it puts the weight on the behavioural and detection signals.
- INDICATOR_EXE_Packed_Themida
MITRE T1055 (Process Injection) observed. T1055 covers CreateRemoteThread, APC queueing and reflective DLL injection; the sandbox recorded the sample acting on another process, which is how a payload is moved into a legitimate process to get past user-mode AV hooks.
Evidence: C:\Windows\Explorer.EXE
MITRE T1003 (OS Credential Dumping): the sandbox observed process activity targeting LSASS (the Windows credential store). Apart from security agents and a few core system processes, legitimate software does not open LSASS memory for reading; this is Mimikatz-shaped behaviour. The access mask granted on the handle decides how much weight it carries: PROCESS_VM_READ (0x0010), alone or with query rights, is the dumping pattern, whereas a bare PROCESS_QUERY_LIMITED_INFORMATION (0x1000) handle is not.
Evidence: C:\Windows\system32\lsass.exe
Direct-IP network contact: the sample contacted 14 external IP addresses and zero domains. Benign software almost always resolves names over DNS, so direct-IP C2 is treated as a malware indicator because it sidesteps domain reputation and domain-based blocklists. Caveat: the addresses listed above fall in ranges operated by GitHub, Cloudflare, Microsoft and Google. An installer pulling components from shared CDN infrastructure looks the same in a capture, and a missing DNS lookup may just mean the resolution was not recorded, so weight this signal accordingly.
Evidence: 185.199.108.133 · 140.82.116.3 · 162.159.133.234
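The two host-side signals above, a handle on LSASS with memory-read rights and a thread created in a different process, are exactly what an EDR or Sysmon pipeline keys on. The following is an added example, not code from this page or from MalwareTips: it runs that detection logic over constructed, Sysmon-shaped records (Event ID 10 ProcessAccess, Event ID 8 CreateRemoteThread). The record format, the process names and the allowlist of processes permitted to read LSASS are assumptions for illustration; the allowlist in particular must be tuned per estate.

```python
import re
from typing import Dict, List

# Constructed, Sysmon-shaped records for illustration (Event ID 10 = ProcessAccess,
# Event ID 8 = CreateRemoteThread, Event ID 1 = ProcessCreate). They are not log
# lines captured from the sample described on this page.
SAMPLE_LOG = r"""
EventID=1 Image=C:\Users\user\Desktop\Ronix.exe ParentImage=C:\Windows\explorer.exe
EventID=10 SourceImage=C:\Users\user\Desktop\Ronix.exe TargetImage=C:\Windows\system32\lsass.exe GrantedAccess=0x1010 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d4a4|UNKNOWN(00007FF6A0C11230)
EventID=10 SourceImage=C:\Program Files\Windows Defender\MsMpEng.exe TargetImage=C:\Windows\system32\lsass.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d4a4
EventID=10 SourceImage=C:\Windows\system32\svchost.exe TargetImage=C:\Windows\system32\lsass.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d4a4
EventID=8 SourceImage=C:\Users\user\Desktop\Ronix.exe TargetImage=C:\Windows\Explorer.EXE StartAddress=0x00000000026A0000 StartModule=
EventID=8 SourceImage=C:\Windows\system32\csrss.exe TargetImage=C:\Windows\system32\csrss.exe StartAddress=0x00007FFB12340000 StartModule=C:\Windows\SYSTEM32\ntdll.dll
"""

# Win32 process access rights that let a caller read or tamper with another
# process's memory. A credential dumper needs at least PROCESS_VM_READ on lsass.
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_VM_OPERATION = 0x0008
MEMORY_RIGHTS = PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION

# Illustrative allowlist (assumption): security agents and core system processes
# that legitimately hold memory-read handles on lsass. Tune per environment.
LSASS_READERS_ALLOWED = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe"}

# key=value pairs; values may contain spaces (paths), so stop at the next " key=".
_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_line(line: str) -> Dict[str, str]:
    return {k: v for k, v in _KV.findall(line)}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def lsass_access_alerts(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """T1003.001 candidates: non-allowlisted process opening lsass with memory rights."""
    alerts = []
    for r in records:
        if r.get("EventID") != "10" or basename(r.get("TargetImage", "")) != "lsass.exe":
            continue
        mask = int(r.get("GrantedAccess", "0"), 16)
        src = r.get("SourceImage", "")
        if mask & MEMORY_RIGHTS and basename(src) not in LSASS_READERS_ALLOWED:
            alerts.append({"technique": "T1003.001", "source": src,
                           "granted_access": hex(mask)})
    return alerts


def remote_thread_alerts(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """T1055 candidates: a thread created in another process; flagged harder when
    the start address has no backing module (shellcode / reflective loader sign)."""
    alerts = []
    for r in records:
        if r.get("EventID") != "8":
            continue
        src, dst = r.get("SourceImage", ""), r.get("TargetImage", "")
        if src.lower() == dst.lower():
            continue  # threads a process creates in itself are normal
        alerts.append({"technique": "T1055", "source": src, "target": dst,
                       "unbacked_start": r.get("StartModule", "") == ""})
    return alerts


def analyze(log_text: str) -> Dict[str, List[Dict[str, object]]]:
    records = [parse_line(l) for l in log_text.strip().splitlines() if l.strip()]
    return {"T1003": lsass_access_alerts(records), "T1055": remote_thread_alerts(records)}


if __name__ == "__main__":
    for technique, hits in analyze(SAMPLE_LOG).items():
        for hit in hits:
            print(technique, hit)
```

On the constructed records only the sample's own handle on lsass fires: 0x1010 is PROCESS_VM_READ plus PROCESS_QUERY_LIMITED_INFORMATION, the minimal mask a dumper needs. Defender's 0x1fffff handle is suppressed by the allowlist and svchost's bare 0x1000 query handle carries no memory rights. The remote-thread check reports the thread placed in Explorer.EXE and notes that its start address is not backed by any module.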
49 detections across 74 engines
Section entropy & packers
Section-level entropy and packer detection from the PE header. The entropy check reports nothing suspicious: values are within the normal range for unpacked code. That conflicts with the Themida YARA match and the themida tags above, since a Themida-protected binary normally carries at least one high-entropy (close to 8 bits per byte) executable section. Check the file directly with a per-section entropy pass rather than trusting either signal alone.
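To settle that conflict for a given file, compute the entropy of each section straight from the PE section table. The following is an added example, not code from this page or from MalwareTips: it walks the section headers without a third-party parser and reports which executable sections exceed a packed-code threshold. Because the page's sample is not available here, it builds a constructed, minimal PE with a repetitive .text section and a pseudo-random section named .themida; the section name, the 7.0 threshold and the header layout it fills in are assumptions for illustration.

```python
import math
import random
import struct
from typing import Dict, List

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_sections(blob: bytes) -> List[Dict[str, object]]:
    """Walk IMAGE_SECTION_HEADER entries from the raw headers and score each one."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    size_opt = struct.unpack_from("<H", blob, coff + 16)[0]
    table = coff + 20 + size_opt                          # first section header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = blob[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", blob, off + 8)
        chars = struct.unpack_from("<I", blob, off + 36)[0]
        data = blob[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name,
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(data), 2),
            "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
            "writable": bool(chars & IMAGE_SCN_MEM_WRITE),
        })
    return sections


def packed_sections(sections: List[Dict[str, object]], threshold: float = 7.0) -> List[str]:
    """Executable sections whose entropy is in packed/encrypted territory.
    7.0 is a common analyst threshold (assumption); plain compiled code sits near 5-6.5."""
    return [s["name"] for s in sections if s["executable"] and s["entropy"] > threshold]


def build_sample_pe() -> bytes:
    """Constructed stand-in for a protector-wrapped binary: a skeletal PE32+ with a
    low-entropy .text and a high-entropy, writable+executable .themida section.
    Only the header fields the parser reads are populated."""
    rng = random.Random(1337)
    text = b"mov eax, ebx; ret\n" * 64                    # repetitive -> low entropy
    protected = bytes(rng.randrange(256) for _ in range(4096))  # random -> ~8 bits/byte
    opt_size = 0xF0                                       # PE32+ optional header size
    hdr_end = 64 + 4 + 20 + opt_size + 40 * 2
    data_start = (hdr_end + 0x1FF) & ~0x1FF               # file-align sections to 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)      # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * (opt_size - 2)
    sec_hdrs, body, ptr = b"", b"", data_start
    for name, payload, chars in (
        (b".text", text, 0x60000020),                     # code | exec | read
        (b".themida", protected, 0xE0000060),             # code | data | exec | read | write
    ):
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, len(payload), 0x1000 + ptr,
                                len(payload), ptr, 0, 0, 0, 0, chars)
        body += payload
        ptr += len(payload)
    headers = dos + b"PE\0\0" + coff + opt + sec_hdrs
    return headers + b"\0" * (data_start - len(headers)) + body


if __name__ == "__main__":
    secs = pe_sections(build_sample_pe())
    for s in secs:
        print(f"{s['name']:<9} size={s['raw_size']:<6} entropy={s['entropy']:.2f} "
              f"X={s['executable']} W={s['writable']}")
    print("high-entropy executable sections:", packed_sections(secs))
```

Run on a real file, read it with `open(path, "rb").read()` and pass the bytes to `pe_sections`. A writable and executable section that scores above the threshold is the usual footprint of a protector that unpacks in place; a report of "normal entropy" on a binary that also matches a Themida rule means one of the two tools should be checked against this direct measurement.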
How often this file shows up in the wild
Moderate prevalence — neither rare nor common. No strong prior applies.
Forensic fingerprint
- File name: Ronix-Installer (1).exe
- Size: 5.35 MB
- MIME type: (unknown)
- Detected type: Win32 EXE
- SHA-256: e8e7e6ed24bd6932c402828334cdb17d08eb4ce9b2afc30b49b73e93cdf38634
- MD5: 00e7c93d610841d179eb75683b05f1f7
- SHA-1: fa51d17b3e8edc2315341f46c72201fa3506b564
- PE imphash: cfaae10b77b9dd6fdce0b44fb5150a2f
- First seen (VT): 4/19/2026, 2:38:06 PM
- Last analysis (VT): 7/2/2026, 10:06:05 AM
- First scan (MalwareTips): 7/3/2026, 2:05:00 PM
- Last scan (MalwareTips): 7/3/2026, 2:05:00 PM
- Community reputation: -1 (flagged)
Reviews & malware reports (0)