Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

Extended Dwell Time Impact

For 1+ days, this malware remained undetected — a brief but concerning window that permitted the adversary to establish initial foothold, perform basic system enumeration, and potentially access immediate system resources.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 56. Missed: 17. Coverage: 76.7%.

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Dominant system-level operations (72.86% of behavior) suggest this malware performs deep system reconnaissance, privilege escalation, or core OS manipulation. It’s actively probing system defenses and attempting to gain administrative control.

MITRE ATT&CK Mapping

• T1129 – parse PE header
• T1027 – encrypt data using Salsa20 or ChaCha
• T1027 – encrypt data using HC-128 via WolfSSL
• T1543.003 – modify service
• T1569.002 – modify service
• T1027 – encrypt data using AES via x86 extensions
• T1057 – enumerate process modules
• T1112 – delete registry value
• T1543.003 – stop service
• T1489 – stop service
• T1027 – encrypt data using speck
• T1059 – accept command line arguments
• T1497.001 – reference anti-VM strings targeting VMWare
• T1082 – get hostname
• T1129 – link many functions at runtime
• T1490 – delete volume shadow copies
• T1070.004 – delete volume shadow copies
• T1497.001 – reference anti-VM strings targeting VirtualPC
• T1027 – encode data using Base64
• T1497.001 – reference anti-VM strings targeting Xen
• T1134 – modify access privileges
• T1027 – encrypt data using RC4 PRGA
• T1007 – query service status
• T1016 – get local IPv4 addresses
• T1529 – shutdown system
• T1012 – query or enumerate registry value
• T1082 – get system information on Windows
• T1135 – enumerate network shares
• T1082 – query environment variable
• T1027.005 – contain obfuscated stackstrings
• T1082 – get MAC address on Windows
• T1033 – get session user name
• T1087 – get session user name
• T1083 – get common file path
• T1027 – encode data using XOR
• T1497.001 – reference anti-VM strings targeting Parallels
• T1007 – enumerate services
• T1222 – set file attributes
• T1082 – get disk information
• T1083 – check if file exists
• T1082 – enumerate disk volumes
• T1497.001 – reference anti-VM strings
• T1129 – link function at runtime on Windows
• T1547.001 – persist via Run registry key
• T1497.001 – reference anti-VM strings targeting VirtualBox
• T1071 – Binary file triggered multiple YARA rules
• T1106 – Guard pages use detected – possible anti-debugging.
• T1055 – Contains .tls (Thread Local Storage) section
• T1027 – The binary likely contains encrypted or compressed data
• T1027.002 – The binary likely contains encrypted or compressed data
• T1569.002 – Found PSEXEC tool (often used for remote process execution)
• T1542.003 – May use bcdedit to modify the Windows boot settings
• T1562.001 – Creates guard pages, often used to prevent reverse engineering and debugging
• T1070.004 – May delete shadow drive data (may be related to ransomware)
• T1560 – Public key (encryption) found
• T1090 – Found Tor onion address

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.