Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

Extended Dwell Time Impact

For 2+ hours, this malware remained undetected — a limited but sufficient window for the adversary to complete initial execution and establish basic system access.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 57. Missed: 16. Coverage: 78.1%.

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Intensive file system activity (49.10% of behavior) indicates data harvesting, file encryption, or dropper behavior. The threat is actively searching for and manipulating files across the system.

MITRE ATT&CK Mapping

• T1082 – get memory capacity
• T1082 – query environment variable
• T1222 – set file attributes
• T1012 – query or enumerate registry key
• T1010 – find graphical window
• T1027 – encode data using Base64
• T1134.001 – impersonate user
• T1016 – get socket status
• T1083 – check if file exists
• T1056.001 – log keystrokes
• T1083 – get common file path
• T1027 – encode data using XOR
• T1083 – enumerate files on Windows
• T1129 – link function at runtime on Windows
• T1113 – capture screenshot
• T1033 – get token membership
• T1564.003 – hide graphical window
• T1115 – read clipboard data
• T1614.001 – get keyboard layout
• T1105 – download and write a file
• T1033 – get session user name
• T1087 – get session user name
• T1112 – delete registry value
• T1010 – enumerate gui resources
• T1012 – query or enumerate registry value
• T1134 – acquire debug privileges
• T1057 – enumerate processes
• T1518 – enumerate processes
• T1083 – get file version info
• T1112 – delete registry key
• T1497.002 – check for unmoving mouse cursor
• T1129 – parse PE header
• T1529 – shutdown system
• T1083 – get file size
• T1082 – get COMSPEC environment variable
• T1082 – get hostname
• T1082 – get disk information
• T1083 – enumerate files recursively
• T1115 – open clipboard
• T1547.009 – create shortcut via IShellLink
• T1082 – get system information on Windows
• T1056.001 – log keystrokes via polling
• T1059 – compiled with AutoIt
• T1134 – modify access privileges
• T1082 – get disk size
• T1115 – list drag and drop files
• T1003 – Steals private information from local Internet browsers
• T1003 – Harvests information related to installed mail clients
• T1003 – Harvests credentials from local FTP client softwares
• T1555 – Steals private information from local Internet browsers
• T1552 – Steals private information from local Internet browsers
• T1552 – Harvests information related to installed mail clients
• T1552 – Harvests credentials from local FTP client softwares
• T1555.003 – Steals private information from local Internet browsers
• T1552.001 – Steals private information from local Internet browsers
• T1552.001 – Harvests information related to installed mail clients
• T1552.001 – Harvests credentials from local FTP client softwares
• T1562 – Tries to unhook or modify Windows functions monitored by CAPE
• T1112 – Installs itself for autorun at Windows startup
• T1562.001 – Tries to unhook or modify Windows functions monitored by CAPE
• T1027 – The binary likely contains encrypted or compressed data
• T1027.002 – The binary likely contains encrypted or compressed data
• T1114 – Harvests information related to installed mail clients
• T1005 – Steals private information from local Internet browsers
• T1005 – Harvests information related to installed mail clients
• T1005 – Harvests credentials from local FTP client softwares
• T1547 – Installs itself for autorun at Windows startup
• T1547.001 – Installs itself for autorun at Windows startup
• T1082 – Checks available memory
• T1071 – Network activity contains more than one unique useragent.
• T1071 – Looks up the external IP address
• T1071 – Reads from the memory of another process
• T1071 – Yara detections observed in process dumps, payloads or dropped files
• T1071 – Reads data out of its own binary image
• T1071 – Performs HTTP requests potentially not found in PCAP.
• T1071 – Terminates another process
• T1071 – Binary file triggered YARA rule
• T1071 – Attempts to connect to a dead IP:Port
• T1071 – Suspicious communication with abused trusted site
• T1573 – Establishes an encrypted HTTPS connection
• T1573 – Establishes an encrypted HTTPS connection to a social media API
• T1005 – Searches for sensitive mail data
• T1005 – Reads sensitive mail data
• T1005 – Searches for sensitive FTP data
• T1005 – Searches for sensitive application data
• T1010 – Monitors user input
• T1012 – Searches for sensitive mail data
• T1012 – Reads sensitive mail data
• T1012 – Searches for sensitive FTP data
• T1012 – Possibly does reconnaissance
• T1012 – Searches for sensitive application data
• T1027.002 – Creates a page with write and execute permissions
• T1027.002 – Resolves API functions dynamically
• T1047 – Executes WMI query
• T1055 – Writes into the memory of another process
• T1055 – Modifies control flow of another process
• T1056 – Combination of other detections shows multiple input capture behaviors
• T1056.001 – Monitors keyboard input
• T1056.002 – Monitors user input
• T1083 – Searches for sensitive mail data
• T1106 – Makes direct system call to possibly evade hooking based monitoring
• T1119 – Searches for sensitive mail data
• T1119 – Reads sensitive mail data
• T1119 – Searches for sensitive FTP data
• T1119 – Searches for sensitive application data
• T1119 – Combination of other detections shows multiple input capture behaviors
• T1485 – Modifies operating system directory
• T1552.001 – Searches for sensitive mail data
• T1552.002 – Searches for sensitive mail data
• T1552.002 – Reads sensitive mail data
• T1552.002 – Searches for sensitive FTP data
• T1552.002 – Searches for sensitive application data
• T1564.003 – Creates process with hidden window
• T1567 – Sends data via a Telegram bot
• T1622 – Tries to detect debugger
• T1129 – The process attempted to dynamically load a malicious function
• T1564.003 – Detected the creation of a hidden window (common execution hiding technique)
• T1129 – The process tried to load dynamically one or more functions.
• T1140 – Detected an attempt to pull out some data from the binary image
• T1016 – The process has tried to get the host’s public IP address
• T1564.003 – hide graphical window
• T1027 – encode data using XOR
• T1222 – set file attributes
• T1134 – acquire debug privileges
• T1056.001 – log keystrokes via polling
• T1056.001 – log keystrokes
• T1083 – get common file path
• T1012 – query or enumerate registry value
• T1082 – get system information on Windows
• T1129 – link function at runtime on Windows
• T1129 – parse PE header
• T1027 – encode data using Base64
• T1082 – get hostname
• T1082 – query environment variable
• T1082 – get COMSPEC environment variable
• T1614.001 – get keyboard layout
• T1010 – find graphical window
• T1082 – get memory capacity
• T1134 – modify access privileges
• T1134.001 – impersonate user
• T1033 – get token membership
• T1010 – enumerate gui resources
• T1055 – write process memory
• T1083 – enumerate files on Windows
• T1083 – check if file exists
• T1569.002 – interact with driver via control codes
• T1083 – get file version info
• T1529 – shutdown system
• T1082 – get disk information
• T1082 – get disk size
• T1547.009 – create shortcut via IShellLink
• T1083 – enumerate files recursively
• T1105 – download and write a file
• T1115 – list drag and drop files
• T1115 – open clipboard
• T1115 – read clipboard data
• T1113 – capture screenshot
• T1083 – get file size
• T1112 – delete registry key
• T1112 – delete registry value
• T1012 – query or enumerate registry key
• T1059 – compiled with AutoIt
• T1071 – Detected one or more anomalous HTTP requests
• T1071 – Detected HTTP requests to some non white-listed domains
• T1057 – The process attempted to detect a running debugger using common APIs
• T1056 – The process behaves as a keylogger (keyboard capturing detected)
• T1179 – The process behaves as a keylogger (keyboard capturing detected)
• T1071 – Detected more than one User Agent in network traffic
• T1033 – get session user name
• T1087 – get session user name
• T1057 – enumerate processes
• T1518 – enumerate processes
• T1497.002 – check for unmoving mouse cursor
• T1105 – Dropping suspicious files
• T1071 – Dropping suspicious files
• T1112 – The process has tried to set its autorun on the system startup
• T1060 – The process has tried to set its autorun on the system startup
• T1050 – The process has tried to set its autorun on the system startup
• T1027.009 – Drops interesting files and uses them
• T1063 – It Tries to detect injection methods
• T1547.001 – Creates an autostart registry key
• T1055 – May try to detect the Windows Explorer process (often used for injection)
• T1055 – System process connects to network (likely due to code injection)
• T1055 – Maps a DLL or memory area into another process
• T1055 – Writes to foreign memory regions
• T1003 – Tries to harvest and steal browser information (history, passwords, etc)
• T1552.002 – Tries to harvest and steal Putty information (sessions, passwords, etc)
• T1518.001 – Switches to a customs stack to bypass stack traces
• T1057 – May try to detect the Windows Explorer process (often used for injection)
• T1016 – Checks the online ip address of the machine
• T1082 – Switches to a customs stack to bypass stack traces
• T1082 – Checks if Microsoft Office is installed
• T1114 – Tries to search for mail accounts
• T1005 – Tries to harvest and steal browser information (history, passwords, etc)
• T1105 – Downloads files from webservers via HTTP
• T1095 – Downloads files from webservers via HTTP
• T1071 – Downloads files from webservers via HTTP

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.