Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

Extended Dwell Time Impact

For 1+ hours, this malware remained undetected — a limited but sufficient window for the adversary to complete initial execution and establish basic system access.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 49. Missed: 24. Coverage: 67.1%.

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Dominant system-level operations (72.22% of behavior) suggest this malware performs deep system reconnaissance, privilege escalation, or core OS manipulation. It’s actively probing system defenses and attempting to gain administrative control.

MITRE ATT&CK Mapping

• T1497.001 – reference anti-VM strings targeting Qemu
• T1027 – encode data using Base64
• T1027 – encrypt data using AES via x86 extensions
• T1027 – reference Base64 string
• T1027 – encrypt data using Salsa20 or ChaCha
• T1129 – access PEB ldr_data
• T1129 – get kernel32 base address
• T1140 – decrypt data using AES via x86 extensions
• T1027 – encrypt data using RC4 PRGA
• T1027 – encode data using XOR
• T1027 – encrypt data using AES
• T1027 – reference AES constants
• T1055 – Creates a process in a suspended state, likely for injection
• T1064 – A scripting utility was executed
• T1064 – Attempts to execute suspicious powershell command arguments
• T1027 – The binary contains an unknown PE section name indicative of packing
• T1027 – The binary likely contains encrypted or compressed data
• T1027.002 – The binary contains an unknown PE section name indicative of packing
• T1027.002 – The binary likely contains encrypted or compressed data
• T1082 – Checks available memory
• T1071 – Binary file triggered YARA rule
• T1071 – Reads from the memory of another process
• T1071 – At least one IP Address, Domain, or File Name was found in a crypto call
• T1106 – Guard pages use detected – possible anti-debugging.
• T1059 – A scripting utility was executed
• T1059 – Attempts to execute suspicious powershell command arguments
• T1059.001 – Attempts to execute suspicious powershell command arguments
• T1569.002 – Found PSEXEC tool (often used for remote process execution)
• T1036 – Creates files inside the user directory
• T1497 – May sleep (evasive loops) to hinder dynamic analysis
• T1057 – Queries a list of all running processes
• T1082 – Queries the volume information (name, serial number etc) of a device
• T1090 – Found Tor onion address

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.