Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

Extended Dwell Time Impact

For 2+ hours, this malware remained undetected — a limited but sufficient window for the adversary to complete initial execution and establish basic system access.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 60. Missed: 13. Coverage: 82.2%.

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Dominant system-level operations (47.30% of behavior) suggest this malware performs deep system reconnaissance, privilege escalation, or core OS manipulation. It’s actively probing system defenses and attempting to gain administrative control.

MITRE ATT&CK Mapping

• T1003 – Steals private information from local Internet browsers
• T1003 – Accessed credential storage registry keys
• T1555 – Steals private information from local Internet browsers
• T1552 – Steals private information from local Internet browsers
• T1555.003 – Steals private information from local Internet browsers
• T1552.001 – Steals private information from local Internet browsers
• T1564 – A process created a hidden window
• T1562 – Tries to unhook or modify Windows functions monitored by CAPE
• T1055 – Writes to the memory another process
• T1055 – Writes an executable to the memory of another process
• T1112 – Installs itself for autorun at Windows startup
• T1070 – Deletes executed files from disk
• T1064 – A scripting utility was executed
• T1497 – Detects VirtualBox through the presence of a registry key
• T1497 – Checks for mouse movement
• T1497 – Checks the version of Bios, possibly for anti-virtualization
• T1562.001 – Tries to unhook or modify Windows functions monitored by CAPE
• T1027 – The binary likely contains encrypted or compressed data
• T1027 – The binary contains an unknown PE section name indicative of packing
• T1564.003 – A process created a hidden window
• T1027.002 – The binary likely contains encrypted or compressed data
• T1027.002 – The binary contains an unknown PE section name indicative of packing
• T1547 – Installs itself for autorun at Windows startup
• T1547.001 – Installs itself for autorun at Windows startup
• T1082 – Checks the version of Bios, possibly for anti-virtualization
• T1082 – Collects information about installed applications
• T1082 – Checks available memory
• T1082 – Collects information to fingerprint the system
• T1010 – Checks for the presence of known windows from debuggers and forensic tools
• T1083 – Attempts to identify installed AV products by installation directory
• T1083 – Checks for the presence of known devices from debuggers and forensic tools
• T1057 – Expresses interest in specific running processes
• T1057 – Enumerates the modules from a process (may be used to locate base addresses in process injection)
• T1057 – Checks for the presence of known devices from debuggers and forensic tools
• T1057 – Checks the version of Bios, possibly for anti-virtualization
• T1057 – Enumerates running processes
• T1057 – Detects the presence of Wine emulator via registry key
• T1057 – Checks for the presence of known windows from debuggers and forensic tools
• T1057 – Detects VirtualBox through the presence of a registry key
• T1012 – Checks the version of Bios, possibly for anti-virtualization
• T1012 – Detects the presence of Wine emulator via registry key
• T1012 – Collects information about installed applications
• T1012 – Collects information to fingerprint the system
• T1012 – Detects VirtualBox through the presence of a registry key
• T1518.001 – Attempts to identify installed AV products by installation directory
• T1518 – Attempts to identify installed AV products by installation directory
• T1518 – Detects the presence of Wine emulator via registry key
• T1518 – Collects information about installed applications
• T1071 – HTTP traffic contains suspicious features which may be indicative of malware related traffic
• T1071 – At least one IP Address, Domain, or File Name was found in a crypto call
• T1071 – Executable is attempted to be downloaded from an IP
• T1071 – A process attempted to delay the analysis task.
• T1071 – Reads from the memory of another process
• T1071 – Performs HTTP requests potentially not found in PCAP.
• T1071 – Attempts to connect to a dead IP:Port
• T1071 – Reads data out of its own binary image
• T1071 – Makes a suspicious HTTP request to a commonly exploitable directory with questionable file ext
• T1071 – Network activity contains more than one unique useragent.
• T1071 – Yara detections observed in process dumps, payloads or dropped files
• T1071 – Terminates another process
• T1071 – Resolves a suspicious Top Level Domain (TLD)
• T1071 – Suspicious communication with abused trusted site
• T1573 – Establishes an encrypted HTTPS connection containing a suspicious or fake User Agent
• T1573 – Establishes an encrypted HTTPS connection
• T1573 – Fake User-Agent detected
• T1106 – Created a process from a suspicious location
• T1059 – A scripting utility was executed
• T1005 – Steals private information from local Internet browsers
• T1185 – CAPE detected injection into a browser process, likely for Man-In-Browser (MITB) infostealing
• T1485 – Anomalous file deletion behavior detected (10+)
• T1005 – Searches for sensitive browser data
• T1010 – Tries to detect debugger
• T1012 – Tries to detect virtual machine
• T1016 – Queries a host’s domain name
• T1027.002 – Creates a page with write and execute permissions
• T1027.002 – Obfuscates control flow
• T1027.002 – Resolves API functions dynamically
• T1036.001 – Signed executable failed signature validation
• T1047 – Collects BIOS properties
• T1047 – Queries OS version via WMI
• T1047 – Collects hardware properties
• T1047 – Tries to detect the presence of antivirus software
• T1055 – Writes into the memory of another process
• T1055 – Modifies control flow of a process started from a created or modified executable
• T1055.012 – Process Hollowing
• T1057 – Enumerates running processes
• T1071.001 – Downloads executable
• T1071.001 – Downloads file
• T1082 – Collects BIOS properties
• T1082 – Enumerates running processes
• T1082 – Queries OS version via WMI
• T1082 – Collects hardware properties
• T1083 – Searches for sensitive browser data
• T1083 – Possibly does reconnaissance
• T1105 – Downloads executable
• T1105 – Downloads file
• T1106 – Tries to evade debugger
• T1112 – Installs system startup script or application
• T1113 – Takes screenshot
• T1119 – Searches for sensitive browser data
• T1124 – Tries to detect virtual machine
• T1129 – Loads a dropped DLL
• T1480 – Known malicious mutex name is created
• T1497.001 – Tries to detect virtual machine
• T1497.003 – Delays execution
• T1497.003 – Tries to detect virtual machine
• T1518.001 – Tries to detect the presence of antivirus software
• T1547.001 – Installs system startup script or application
• T1552.001 – Searches for sensitive browser data
• T1553 – Allows invalid SSL certificates
• T1562.001 – Modifies native system functions
• T1564.003 – Creates process with hidden window
• T1622 – Tries to detect debugger
• T1622 – Tries to evade debugger
• T1057 – The process may have looked for a particular process running on the system
• T1045 – Manalize Local SandBox Packer Harvesting
• T1057 – The process attempted to detect a running debugger using common APIs
• T1063 – The process tried to detect the presence of common debug and forensic utilities
• T1119 – The process tried to detect the presence of common debug and forensic utilities
• T1063 – The process attempted to detect debuggers and common forensic/analysis tools looking for known devices
• T1119 – The process attempted to detect debuggers and common forensic/analysis tools looking for known devices
• T1082 – The process has tried to retrieve the BIOS version (maybe for checking the virtualization presence)
• T1012 – The process has tried to retrieve the BIOS version (maybe for checking the virtualization presence)
• T1047 – Queries BIOS Information (via WMI, Win32_Bios)
• T1055 – May try to detect the Windows Explorer process (often used for injection)
• T1036 – Creates files inside the system directory
• T1497 – May sleep (evasive loops) to hinder dynamic analysis
• T1497 – Hides threads from debuggers
• T1497 – Contains capabilities to detect virtual machines
• T1497 – Checks for debuggers (devices)
• T1497 – Checks for debuggers (window names)
• T1497 – Checks if the current process is being debugged
• T1027 – Binary may include packed or crypted data
• T1027.002 – PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)
• T1027.002 – Binary may include packed or crypted data
• T1070.004 – Deletes files inside the Windows folder
• T1518.001 – Tries to detect sandboxes / dynamic malware analysis system (registry check)
• T1518.001 – Hides threads from debuggers
• T1518.001 – Tries to detect virtualization through RDTSC time measurements
• T1518.001 – Contains capabilities to detect virtual machines
• T1518.001 – Tries to evade debugger and weak emulator (self modifying code)
• T1518.001 – Checks for debuggers (devices)
• T1518.001 – Checks for debuggers (window names)
• T1518.001 – Checks if the current process is being debugged
• T1057 – Queries a list of all running processes
• T1057 – May try to detect the Windows Explorer process (often used for injection)
• T1082 – Queries the cryptographic machine GUID
• T1082 – Queries BIOS Information (via WMI, Win32_Bios)
• T1082 – Queries a list of all running drivers
• T1082 – Queries the volume information (name, serial number etc) of a device
• T1082 – Tries to detect virtualization through RDTSC time measurements
• T1082 – Tries to evade debugger and weak emulator (self modifying code)
• T1005 – Found many strings related to Crypto-Wallets (likely being stolen)
• T1005 – Tries to steal Crypto Currency Wallets
• T1573 – Uses HTTPS
• T1105 – Downloads files from webservers via HTTP
• T1095 – Downloads files from webservers via HTTP
• T1071 – Downloads files from webservers via HTTP
• T1071 – Uses HTTPS

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.