Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

Extended Dwell Time Impact

For 2+ hours, this malware remained undetected — a limited but sufficient window for the adversary to complete initial execution and establish basic system access.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 56. Missed: 17. Coverage: 76.7%.

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Dominant system-level operations (48.48% of behavior) suggest this malware performs deep system reconnaissance, privilege escalation, or core OS manipulation. It’s actively probing system defenses and attempting to gain administrative control.

MITRE ATT&CK Mapping

• T1129 – link function at runtime on Windows
• T1129 – parse PE header
• T1614 – get geographical location
• T1083 – get file size
• T1082 – get number of processors
• T1082 – query environment variable
• T1083 – enumerate files on Windows
• T1082 – check OS version
• T1129 – access PEB ldr_data
• T1055 – Writes to the memory another process
• T1055 – Contains .tls (Thread Local Storage) section
• T1055 – Writes an executable to the memory of another process
• T1027 – The binary contains an unknown PE section name indicative of packing
• T1027 – The binary likely contains encrypted or compressed data
• T1027.002 – The binary contains an unknown PE section name indicative of packing
• T1027.002 – The binary likely contains encrypted or compressed data
• T1082 – Checks available memory
• T1071 – Yara detections observed in process dumps, payloads or dropped files
• T1071 – Reads data out of its own binary image
• T1071 – Reads from the memory of another process
• T1071 – Attempts to connect to a dead IP:Port
• T1573 – Establishes an encrypted HTTPS connection
• T1005 – Searches for sensitive browser data
• T1016 – Queries a host’s domain name
• T1027.002 – Creates a page with write and execute permissions
• T1047 – Queries OS version via WMI
• T1047 – Collects hardware properties
• T1047 – Tries to detect the presence of antivirus software
• T1055 – Writes into the memory of another process
• T1055.012 – Process Hollowing
• T1056 – Combination of other detections shows multiple input capture behaviors
• T1057 – Enumerates running processes
• T1071.001 – Downloads file
• T1082 – Enumerates running processes
• T1082 – Queries OS version via WMI
• T1082 – Collects hardware properties
• T1083 – Searches for sensitive browser data
• T1083 – Possibly does reconnaissance
• T1105 – Downloads file
• T1113 – Takes screenshot
• T1115 – Captures clipboard data
• T1119 – Searches for sensitive browser data
• T1119 – Combination of other detections shows multiple input capture behaviors
• T1518.001 – Tries to detect the presence of antivirus software
• T1552.001 – Searches for sensitive browser data
• T1564.003 – Creates process with hidden window
• T1129 – The process tried to load dynamically one or more functions.
• T1140 – Detected an attempt to pull out some data from the binary image
• T1045 – Manalize Local SandBox Packer Harvesting
• T1063 – It Tries to detect injection methods
• T1047 – Queries BIOS Information (via WMI, Win32_Bios)
• T1055 – Allocates memory in foreign processes
• T1055 – Injects a PE file into a foreign processes
• T1055 – Writes to foreign memory regions
• T1497 – May sleep (evasive loops) to hinder dynamic analysis
• T1027.002 – PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)
• T1057 – Queries a list of all running processes
• T1082 – Queries the volume information (name, serial number etc) of a device
• T1082 – Queries the cryptographic machine GUID
• T1082 – Queries BIOS Information (via WMI, Win32_Bios)
• T1005 – Tries to steal Crypto Currency Wallets
• T1573 – Uses HTTPS
• T1105 – Downloads files from webservers via HTTP
• T1095 – Downloads files from webservers via HTTP
• T1071 – Uses HTTPS
• T1071 – Downloads files from webservers via HTTP

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.