The binary labeled "chimera 165 patched" has recently appeared in underground forums and sandbox telemetry. The "165" designation likely refers to build version 1.65 or an internal iteration number, while "patched" suggests an evasion update—either bypassing prior detection signatures or fixing a previous crash/exploit condition. This analysis confirms the patched variant introduces anti-debugging enhancements and modified API call obfuscation compared to its predecessor.
| Attribute | Observation |
|-----------|-------------|
| File Hash (SHA256) | c3a8f2b1d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1 |
| Compiler Timestamp | 2025-03-18 (likely faked) |
| Entry Point | 0x4015A0 (packed with UPX 4.2) |
| Key Change from v164 | Swapped CreateRemoteThread for NtCreateThreadEx + direct syscalls |
| Detection Rate (VT) | 23/68 (down from 47/68 for unpatched) |
The "patched" label is initially misleading: the binary is still packed, but the packer stub now includes:
After unpacking (using a custom script to skip the anti-tamper), the true payload resolves to a remote access trojan (RAT) with plugin capabilities.
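The two indicators the table calls out, UPX packing and the move from CreateRemoteThread to NtCreateThreadEx issued through direct syscalls, are both visible statically once the payload is unpacked. The following Python triage helper is an added example and is not part of the original analysis or any tooling the report refers to. It hashes a buffer, looks for UPX section markers, and locates the compact x64 direct-syscall stub shape (mov r10, rcx; mov eax, SSN; syscall; ret) that a payload carries when it bypasses ntdll. The sample buffer and the system service numbers in it are constructed for the example; real SSNs differ per Windows build, and the stub pattern is a heuristic that also matches legitimate ntdll.dll, so run it over the unpacked payload sections rather than over system modules.

```python
"""Static triage for an unpacked PE-style byte buffer (added example).

Detects two of the indicators discussed in the report:
  * UPX section markers (UPX0 / UPX1 / "UPX!" packer signature)
  * x64 direct-syscall stubs:  mov r10,rcx ; mov eax,imm32 ; syscall ; ret
All bytes in build_sample() are constructed; the SSNs are placeholders.
"""
import hashlib
import re
import struct

# 4C 8B D1 = mov r10,rcx   B8 imm32 = mov eax,imm32   0F 05 = syscall   C3 = ret
SYSCALL_STUB = re.compile(rb"\x4C\x8B\xD1\xB8(?P<ssn>.{4})\x0F\x05\xC3", re.DOTALL)
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")


def sha256_hex(buf: bytes) -> str:
    """SHA-256 of the buffer, as recorded in the report's File Hash row."""
    return hashlib.sha256(buf).hexdigest()


def upx_markers(buf: bytes) -> list:
    """Return the UPX marker strings present in the buffer."""
    return [m.decode() for m in UPX_MARKERS if m in buf]


def find_direct_syscalls(buf: bytes) -> list:
    """Locate direct-syscall stubs; returns offset and little-endian SSN of each."""
    hits = []
    for m in SYSCALL_STUB.finditer(buf):
        ssn = struct.unpack("<I", m.group("ssn"))[0]
        hits.append({"offset": m.start(), "ssn": ssn})
    return hits


def triage(buf: bytes) -> dict:
    """Summarise packing and direct-syscall indicators for one buffer."""
    markers = upx_markers(buf)
    stubs = find_direct_syscalls(buf)
    return {
        "sha256": sha256_hex(buf),
        "upx_markers": markers,
        "packed": bool(markers),
        "syscall_stubs": stubs,
        "direct_syscalls": bool(stubs),
    }


def _stub(ssn: int) -> bytes:
    """Build one constructed stub with the given (placeholder) SSN."""
    return b"\x4C\x8B\xD1\xB8" + struct.pack("<I", ssn) + b"\x0F\x05\xC3"


def build_sample() -> bytes:
    """Constructed sample: MZ header, UPX section names, two stubs between NOP sleds."""
    return (
        b"MZ" + b"\x00" * 62           # minimal DOS header stand-in (offset 0..63)
        + b"UPX0" + b"\x00" * 4        # section name markers (offset 64..71)
        + b"UPX1" + b"\x00" * 4        # (offset 72..79)
        + b"\x90" * 16                 # NOP sled (offset 80..95)
        + _stub(0xC7)                  # first stub at offset 96 (placeholder SSN)
        + b"\x90" * 8                  # NOP sled (offset 107..114)
        + _stub(0x18)                  # second stub at offset 115 (placeholder SSN)
        + b"\x00" * 8
    )


if __name__ == "__main__":
    report = triage(build_sample())
    print("sha256        :", report["sha256"])
    print("UPX markers   :", report["upx_markers"])
    for hit in report["syscall_stubs"]:
        print(f"direct syscall stub at 0x{hit['offset']:X}, SSN 0x{hit['ssn']:X}")
```

Each stub's SSN should then be compared against the SSN table for the Windows build the sample targets; a stub whose number maps to NtCreateThreadEx, NtAllocateVirtualMemory or NtWriteVirtualMemory in an unpacked payload section is the static counterpart of the injection change recorded in the table, and a process-level detection can watch for syscall instructions executing from non-ntdll memory.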