Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

Extended Dwell Time Impact

For 2+ hours, this malware remained undetected — a limited but sufficient window for the adversary to complete initial execution and establish basic system access.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 51. Missed: 22. Coverage: 69.9%.

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Dominant system-level operations (89.53% of behavior) suggest this malware performs deep system reconnaissance, privilege escalation, or core OS manipulation. It’s actively probing system defenses and attempting to gain administrative control.

MITRE ATT&CK Mapping

• T1059 – accept command line arguments
• T1614 – get geographical location
• T1027 – encrypt data using RC4 PRGA
• T1083 – enumerate files on Windows
• T1082 – query environment variable
• T1129 – link function at runtime on Windows
• T1129 – parse PE header
• T1083 – get common file path
• T1129 – Drops a binary and executes it
• T1053 – Installs itself for autorun at Windows startup
• T1564 – A process created a hidden window
• T1202 – Uses Windows utilities for basic functionality
• T1562 – Tries to unhook or modify Windows functions monitored by CAPE
• T1112 – Installs itself for autorun at Windows startup
• T1112 – Installs itself for autorun at Windows startup
• T1070 – Deletes executed files from disk
• T1562.001 – Tries to unhook or modify Windows functions monitored by CAPE
• T1027 – The binary contains an unknown PE section name indicative of packing
• T1027 – The binary likely contains encrypted or compressed data
• T1564.003 – A process created a hidden window
• T1027.002 – The binary contains an unknown PE section name indicative of packing
• T1027.002 – The binary likely contains encrypted or compressed data
• T1543 – Created a service that was not started
• T1547 – Installs itself for autorun at Windows startup
• T1543.003 – Created a service that was not started
• T1547.001 – Installs itself for autorun at Windows startup
• T1082 – Checks available memory
• T1057 – Expresses interest in specific running processes
• T1057 – Enumerates running processes
• T1071 – Suspicious communication with abused trusted site
• T1071 – The PE file contains a suspicious PDB path
• T1071 – Resolves a suspicious Top Level Domain (TLD)
• T1071 – Reads data out of its own binary image
• T1071 – A ping command was executed with the -n argument possibly to delay analysis
• T1071 – Attempts to connect to a dead IP:Port
• T1071 – Yara detections observed in process dumps, payloads or dropped files
• T1573 – Establishes an encrypted HTTPS connection
• T1485 – Anomalous file deletion behavior detected (10+)
• T1005 – Searches for sensitive browser data
• T1005 – Reads sensitive browser data
• T1016 – Queries a host’s domain name
• T1027.002 – Creates a page with write and execute permissions
• T1027.002 – Resolves API functions dynamically
• T1047 – Queries OS version via WMI
• T1047 – Collects hardware properties
• T1047 – Tries to detect the presence of antivirus software
• T1056 – Combination of other detections shows multiple input capture behaviors
• T1071.001 – Downloads file
• T1082 – Queries OS version via WMI
• T1082 – Collects hardware properties
• T1083 – Searches for sensitive browser data
• T1083 – Possibly does reconnaissance
• T1083 – Reads sensitive browser data
• T1105 – Downloads file
• T1113 – Takes screenshot
• T1115 – Captures clipboard data
• T1119 – Searches for sensitive browser data
• T1119 – Reads sensitive browser data
• T1119 – Combination of other detections shows multiple input capture behaviors
• T1518.001 – Tries to detect the presence of antivirus software
• T1552.001 – Searches for sensitive browser data
• T1552.001 – Reads sensitive browser data
• T1564.003 – Creates process with hidden window
• T1622 – Tries to detect debugger
• T1129 – The process attempted to dynamically load a malicious function
• T1129 – The process tried to load dynamically one or more functions.
• T1057 – The process attempted to detect a running debugger using common APIs
• T1063 – It Tries to detect injection methods
• T1047 – Queries BIOS Information (via WMI, Win32_Bios)
• T1497 – May sleep (evasive loops) to hinder dynamic analysis
• T1057 – Queries a list of all running processes
• T1082 – Queries the volume information (name, serial number etc) of a device
• T1082 – Queries BIOS Information (via WMI, Win32_Bios)
• T1005 – Tries to steal Crypto Currency Wallets
• T1005 – Found many strings related to Crypto-Wallets (likely being stolen)
• T1573 – Uses HTTPS
• T1071 – Uses HTTPS
• T1071 – C2 URLs / IPs found in malware configuration

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.