Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

Extended Dwell Time Impact

For 2+ hours, this malware remained undetected — a limited but sufficient window for the adversary to complete initial execution and establish basic system access.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 55. Missed: 18. Coverage: 75.3%.

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Dominant system-level operations (63.11% of behavior) suggest this malware performs deep system reconnaissance, privilege escalation, or core OS manipulation. It’s actively probing system defenses and attempting to gain administrative control.

MITRE ATT&CK Mapping

• T1129 – link function at runtime on Windows
• T1083 – enumerate files on Windows
• T1027.005 – contain obfuscated stackstrings
• T1129 – get ntdll base address
• T1082 – query environment variable
• T1129 – access PEB ldr_data
• T1129 – link many functions at runtime
• T1129 – parse PE header
• T1071 – Yara detections observed in process dumps, payloads or dropped files
• T1071 – Reads data out of its own binary image
• T1055 – Contains .tls (Thread Local Storage) section
• T1497 – Checks for mouse movement
• T1027 – The binary contains an unknown PE section name indicative of packing
• T1027 – The binary likely contains encrypted or compressed data
• T1027.002 – The binary contains an unknown PE section name indicative of packing
• T1027.002 – The binary likely contains encrypted or compressed data
• T1005 – Searches for sensitive FTP data
• T1005 – Searches for sensitive browser data
• T1005 – Searches for sensitive mail data
• T1005 – Reads sensitive mail data
• T1005 – Searches for sensitive application data
• T1006 – Accesses physical drive
• T1010 – Tries to detect virtual machine
• T1012 – Tries to detect virtual machine
• T1012 – Reads system data
• T1012 – Reads installed applications
• T1012 – Possibly does reconnaissance
• T1012 – Searches for sensitive mail data
• T1012 – Reads sensitive mail data
• T1012 – Searches for sensitive application data
• T1016 – Reads network adapter information
• T1016 – Combination of other detections shows configuration discovery
• T1027.002 – Creates a page with write and execute permissions
• T1027.002 – Resolves API functions dynamically
• T1027.002 – Overwrites code
• T1047 – Collects hardware properties
• T1047 – Collects BIOS properties
• T1047 – Executes WMI query
• T1055 – Entry point injection
• T1055 – Writes into the memory of another process
• T1056 – Combination of other detections shows multiple input capture behaviors
• T1057 – Enumerates running processes
• T1070.004 – Deletes file after execution
• T1071.004 – Performs DNS request
• T1082 – Enumerates running processes
• T1082 – Collects hardware properties
• T1082 – Collects BIOS properties
• T1082 – Reads system data
• T1082 – Query CPU Properties
• T1082 – Reads installed applications
• T1082 – Combination of other detections shows configuration discovery
• T1083 – Searches for sensitive FTP data
• T1083 – Tries to detect virtual machine
• T1083 – Searches for sensitive browser data
• T1083 – Possibly does reconnaissance
• T1095 – Connects to remote host
• T1095 – Sets up server that accepts incoming connections
• T1113 – Takes screenshot
• T1119 – Searches for sensitive FTP data
• T1119 – Searches for sensitive browser data
• T1119 – Searches for sensitive mail data
• T1119 – Reads sensitive mail data
• T1119 – Searches for sensitive application data
• T1119 – Combination of other detections shows multiple input capture behaviors
• T1134 – Enables critical process privileges
• T1497.001 – Tries to detect virtual machine
• T1497.001 – Tries to detect application sandbox
• T1552.001 – Searches for sensitive FTP data
• T1552.001 – Searches for sensitive browser data
• T1552.002 – Searches for sensitive mail data
• T1552.002 – Reads sensitive mail data
• T1552.002 – Searches for sensitive application data
• T1562.001 – Modifies native system functions
• T1571 – Tries to connect using an uncommon port
• T1140 – Detected an attempt to pull out some data from the binary image
• T1129 – The process tried to load dynamically one or more functions.
• T1045 – Manalize Local SandBox Packer Harvesting
• T1063 – It Tries to detect injection methods
• T1497 – Uses Windows timers to delay execution
• T1027.002 – Binary may include packed or crypted data
• T1027.002 – PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)
• T1027 – Binary may include packed or crypted data
• T1070.004 – Deletes itself after installation
• T1056 – Sample has functionality to log and monitor keystrokes, analyze it with the keystroke simulation cookbook
• T1056 – Creates a DirectInput object (often for capturing keystrokes)
• T1056 – Installs a raw input device (often for capturing keystrokes)
• T1518.001 – Switches to a customs stack to bypass stack traces
• T1057 – Queries a list of all running processes
• T1082 – Sample reads itself and does not show any behavior, likely it performs some host environment checks and compares to an embedded key
• T1082 – Switches to a customs stack to bypass stack traces
• T1016 – Uses nslookup.exe to query domains

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.