
Win32/Packed.Themida.IDF removal


Win32/Packed.Themida.IDF is considered dangerous by many security experts. When this infection is active, you may notice unwanted processes in the Task Manager process list. In this case, it is advised to scan your computer with GridinSoft Anti-Malware.


Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. It allows you to fully scan and cure your PC during the trial period.
A 6-day free trial is available.

What can the Win32/Packed.Themida.IDF virus do?

  • Behavioural detection: Executable code extraction – unpacking
  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • NtSetInformationThread: attempt to hide thread from debugger
  • Creates RWX memory
  • A process attempted to delay the analysis task.
  • Dynamic (imported) function loading detected
  • Performs HTTP requests potentially not found in PCAP.
  • Expresses interest in specific running processes
  • The binary contains an unknown PE section name indicative of packing
  • The binary likely contains encrypted or compressed data.
  • Executable file is packed/obfuscated with Themida
  • Authenticode signature is invalid
  • Checks for the presence of known windows from debuggers and forensic tools
  • The following process appears to have been packed with Themida: 03845951865FF9A97110.mlw
  • CAPE detected the Vidar malware family
  • Checks the version of Bios, possibly for anti-virtualization
  • Detects VirtualBox through the presence of a registry key
  • Attempts to modify proxy settings
  • Harvests cookies for information gathering
  • Collects information to fingerprint the system
  • Anomalous binary characteristics

How to identify Win32/Packed.Themida.IDF?

File Info:

name: 03845951865FF9A97110.mlw
path: /opt/CAPEv2/storage/binaries/d17110326526fbf4c1753b39e2c8532ea4cce0d24ece1b77f233e770539be710
crc32: 695AF4FE
md5: 03845951865ff9a971103ba261ab05b4
sha1: 607bf1bed783e453ce4fac72ad7a552f902662be
sha256: d17110326526fbf4c1753b39e2c8532ea4cce0d24ece1b77f233e770539be710
sha512: 229e6fcb176fb623ea00a8ba13453e6a48d556d4972f3fc4db9389e17ca1086b35e85a4fe4e542b19f28529c26c939b208b6c1ed9c2d86c9b05bde14c48b91dc
ssdeep: 49152:CbLxZ8497Qm1HbJmAW6PeT48nhF8aIQGf0JCs+K01:Sf/71HBXeT48saIQ4co1
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T17DD5332908642284D2868FF70F15291F392CF14E534387582BAF55EC7B8AF6CDBB54B6
sha3_384: 47cbd38b514382ab2890b414b5b93b7761ec990b02bdfd93ebad1a9a404b392018688bead2e5983f75d33d64343fb1ed
ep_bytes: e84b0100005389e3538b73088b7b10fc
timestamp: 2022-05-09 14:25:49

Version Info:

0: [No Data]

Win32/Packed.Themida.IDF also known as:

Bkav: W32.AIDetect.malware1
Elastic: malicious (high confidence)
ALYac: Gen:Variant.Zusy.423229
Cylance: Unsafe
Sangfor: Suspicious.Win32.Save.a
BitDefender: Gen:Variant.Zusy.423229
Cybereason: malicious.1865ff
Arcabit: Trojan.Zusy.D6753D
Symantec: ML.Attribute.HighConfidence
tehtris: Generic.Malware
ESET-NOD32: a variant of Win32/Packed.Themida.IDF
APEX: Malicious
Avast: Win32:Malware-gen
Cynet: Malicious (score: 100)
Kaspersky: HEUR:Trojan.Win32.Generic
NANO-Antivirus: Virus.Win32.Gen-Crypt.ccnc
MicroWorld-eScan: Gen:Variant.Zusy.423229
Rising: Trojan.Generic@AI.100 (RDMK:cmRtazrDCm7d52hHyOwuqofctml5)
Ad-Aware: Gen:Variant.Zusy.423229
Sophos: Generic ML PUA (PUA)
F-Secure: Trojan.TR/Crypt.XPACK.Gen
McAfee-GW-Edition: BehavesLike.Win32.Generic.vc
FireEye: Generic.mg.03845951865ff9a9
Emsisoft: Gen:Variant.Zusy.423229 (B)
Avira: TR/Crypt.XPACK.Gen
MAX: malware (ai score=83)
Microsoft: Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm: HEUR:Trojan.Win32.Generic
GData: Gen:Variant.Zusy.423229
Acronis: suspicious
VBA32: BScope.Trojan.Wacatac
Zoner: Probably Heur.ExeHeaderL
SentinelOne: Static AI – Malicious PE
MaxSecure: Trojan.Malware.300983.susgen
BitDefenderTheta: AI:Packer.EABDB87A1E
AVG: Win32:Malware-gen
CrowdStrike: win/malicious_confidence_70% (D)

How to remove Win32/Packed.Themida.IDF?

Win32/Packed.Themida.IDF removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • Click “Move to quarantine” for all detected items.
  • Open the “Tools” tab and press “Reset Browser Settings”.
  • Select the proper browser and options, then click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.
