Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

Extended Dwell Time Impact

For 2+ hours, this malware remained undetected — a limited but sufficient window for the adversary to complete initial execution and establish basic system access.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 72. Detected as malicious: 52. Missed: 20. Coverage: 72.2%.

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Dominant system-level operations (62.00% of behavior) suggest this malware performs deep system reconnaissance, privilege escalation, or core OS manipulation. It’s actively probing system defenses and attempting to gain administrative control.

MITRE ATT&CK Mapping

• T1083 – enumerate files on Windows
• T1027 – encode data using XOR
• T1082 – query environment variable
• T1129 – link function at runtime on Windows
• T1129 – parse PE header
• T1083 – get file size
• T1564.003 – hide graphical window
• T1129 – link many functions at runtime
• T1033 – Collects and encrypts information about the computer likely to send to C2 server
• T1082 – Checks available memory
• T1547 – Installs itself for autorun at Windows startup
• T1547.001 – Installs itself for autorun at Windows startup
• T1112 – Creates or sets a registry key to a long series of bytes, possibly to store a binary or malware config
• T1112 – Installs itself for autorun at Windows startup
• T1027 – The binary likely contains encrypted or compressed data
• T1027 – The binary contains an unknown PE section name indicative of packing
• T1027.002 – The binary likely contains encrypted or compressed data
• T1027.002 – The binary contains an unknown PE section name indicative of packing
• T1071 – Attempts to connect to a dead IP:Port
• T1071 – Resolves a suspicious Top Level Domain (TLD)
• T1573 – Establishes an encrypted HTTPS connection
• T1106 – Guard pages use detected – possible anti-debugging.
• T1005 – Attempts to access Bitcoin/ALTCoin wallets
• T1560 – Collects and encrypts information about the computer likely to send to C2 server
• T1005 – Searches for sensitive browser data
• T1012 – Query OS Information
• T1012 – Possibly does reconnaissance
• T1027.002 – Creates a page with write and execute permissions
• T1027.002 – Resolves API functions dynamically
• T1047 – Tries to detect the presence of antivirus software
• T1047 – Collects hardware properties
• T1047 – Queries OS version via WMI
• T1056 – Combination of other detections shows multiple input capture behaviors
• T1056.001 – Monitors keyboard input
• T1056.004 – Monitors keyboard input
• T1082 – Query OS Information
• T1082 – Collects hardware properties
• T1082 – Queries OS version via WMI
• T1083 – Searches for sensitive browser data
• T1095 – Connects to remote host
• T1112 – Installs system startup script or application
• T1112 – Writes an unusually large amount of data to the registry
• T1113 – Takes screenshot
• T1119 – Searches for sensitive browser data
• T1119 – Combination of other detections shows multiple input capture behaviors
• T1134 – Enables process privileges
• T1518.001 – Tries to detect the presence of antivirus software
• T1547.001 – Installs system startup script or application
• T1552.001 – Searches for sensitive browser data
• T1571 – Tries to connect using an uncommon port
• T1129 – The process attempted to dynamically load a malicious function
• T1059 – Detected command line output monitoring
• T1129 – The process tried to load dynamically one or more functions.
• T1045 – Manalize Local SandBox Packer Harvesting
• T1063 – It Tries to detect injection methods

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.