Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

Extended Dwell Time Impact

For 2+ hours, this malware remained undetected — a limited but sufficient window for the adversary to complete initial execution and establish basic system access.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 56. Missed: 17. Coverage: 76.7%.

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Intensive file system activity (48.84% of behavior) indicates data harvesting, file encryption, or dropper behavior. The threat is actively searching for and manipulating files across the system.

MITRE ATT&CK Mapping

• T1033 – get session user name
• T1087 – get session user name
• T1113 – capture screenshot
• T1115 – read clipboard data
• T1105 – download and write a file
• T1082 – get disk information
• T1057 – enumerate processes
• T1518 – enumerate processes
• T1115 – check clipboard data
• T1115 – open clipboard
• T1083 – check if file exists
• T1083 – enumerate files in .NET
• T1083 – get file size
• T1115 – monitor clipboard content
• T1083 – get common file path
• T1222 – set file attributes
• T1070.004 – self delete
• T1047 – access WMI data in .NET
• T1033 – get session integrity level
• T1614.001 – identify system language via API
• T1070.006 – Binary compilation timestomping detected
• T1070 – Binary compilation timestomping detected
• T1082 – Checks available memory
• T1057 – Enumerates the modules from a process (may be used to locate base addresses in process injection)
• T1071 – Reads from the memory of another process
• T1071 – At least one IP Address, Domain, or File Name was found in a crypto call
• T1071 – Reads data out of its own binary image
• T1106 – Guard pages use detected – possible anti-debugging.
• T1005 – Searches for sensitive FTP data
• T1012 – Query OS Information
• T1016 – Checks external IP address
• T1027.002 – Resolves API functions dynamically
• T1047 – Collects hardware properties
• T1053.005 – Schedules task
• T1053.005 – Schedules task via schtasks
• T1056 – Combination of other detections shows multiple input capture behaviors
• T1071.004 – Performs DNS request
• T1082 – Query OS Information
• T1082 – Collects hardware properties
• T1083 – Searches for sensitive FTP data
• T1095 – Connects to remote host
• T1095 – Sets up server that accepts incoming connections
• T1113 – Takes screenshot
• T1119 – Searches for sensitive FTP data
• T1119 – Combination of other detections shows multiple input capture behaviors
• T1134 – Enables process privileges
• T1552.001 – Searches for sensitive FTP data
• T1564.003 – Creates process with hidden window
• T1567 – Sends data via a Telegram bot
• T1115 – monitor clipboard content
• T1222 – set file attributes
• T1115 – check clipboard data
• T1083 – get common file path
• T1082 – get disk information
• T1083 – check if file exists
• T1614.001 – identify system language via API
• T1113 – capture screenshot
• T1033 – get session integrity level
• T1083 – get file size
• T1083 – enumerate files on Windows
• T1115 – open clipboard
• T1115 – read clipboard data
• T1047 – access WMI data in .NET
• T1105 – download and write a file
• T1033 – get session user name
• T1087 – get session user name
• T1057 – enumerate processes
• T1518 – enumerate processes

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.