Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

Extended Dwell Time Impact

For 17+ hours, this malware remained undetected — a half-day window that permitted the adversary to complete initial execution, establish basic persistence, and perform initial system enumeration.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 51. Missed: 22. Coverage: 69.9%.

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Dominant system-level operations (68.42% of behavior) suggest this malware performs deep system reconnaissance, privilege escalation, or core OS manipulation. It’s actively probing system defenses and attempting to gain administrative control.

MITRE ATT&CK Mapping

• T1027 – encrypt data using RC4 PRGA
• T1027 – encode data using XOR
• T1027 – encrypt data using Salsa20 or ChaCha
• T1129 – access PEB ldr_data
• T1129 – get kernel32 base address
• T1027 – encrypt data using AES via x86 extensions
• T1129 – parse PE header
• T1027 – encode data using Base64
• T1071 – The PE file contains an overlay
• T1071 – Resolves a suspicious Top Level Domain (TLD)
• T1027 – The binary contains an unknown PE section name indicative of packing
• T1027.002 – The binary contains an unknown PE section name indicative of packing
• T1005 – Searches for sensitive FTP data
• T1005 – Searches for sensitive browser data
• T1005 – Reads sensitive browser data
• T1005 – Searches for sensitive mail data
• T1012 – Reads system data
• T1012 – Reads installed applications
• T1012 – Possibly does reconnaissance
• T1012 – Searches for sensitive mail data
• T1027.002 – Creates a page with write and execute permissions
• T1027.002 – Resolves API functions dynamically
• T1036.001 – Signed executable failed signature validation
• T1047 – Collects hardware properties
• T1055 – Entry point injection
• T1055 – Writes into the memory of another process
• T1057 – Enumerates running processes
• T1071.004 – Performs DNS request
• T1082 – Enumerates running processes
• T1082 – Collects hardware properties
• T1082 – Reads system data
• T1082 – Query CPU Properties
• T1082 – Reads installed applications
• T1083 – Searches for sensitive FTP data
• T1083 – Searches for sensitive browser data
• T1083 – Possibly does reconnaissance
• T1083 – Reads sensitive browser data
• T1095 – Connects to remote host
• T1095 – Sets up server that accepts incoming connections
• T1113 – Takes screenshot
• T1119 – Searches for sensitive FTP data
• T1119 – Searches for sensitive browser data
• T1119 – Reads sensitive browser data
• T1119 – Searches for sensitive mail data
• T1497.001 – Tries to detect application sandbox
• T1497.003 – Delays execution
• T1552.001 – Searches for sensitive FTP data
• T1552.001 – Searches for sensitive browser data
• T1552.001 – Reads sensitive browser data
• T1552.002 – Searches for sensitive mail data
• T1562.001 – Modifies native system functions
• T1571 – Tries to connect using an uncommon port
• T1047 – Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
• T1047 – Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
• T1047 – Queries process information (via WMI, Win32_Process)
• T1497 – Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
• T1497 – Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
• T1003 – Tries to harvest and steal browser information (history, passwords, etc)
• T1056 – Creates a DirectInput object (often for capturing keystrokes)
• T1056 – Installs a raw input device (often for capturing keystrokes)
• T1056 – Sample has functionality to log and monitor keystrokes, analyze it with the keystroke simulation cookbook
• T1518.001 – Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
• T1518.001 – Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
• T1057 – Queries a list of all running processes
• T1083 – Enumerates the file system
• T1082 – Queries the cryptographic machine GUID
• T1082 – Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
• T1082 – Queries the volume information (name, serial number etc) of a device
• T1082 – Queries process information (via WMI, Win32_Process)
• T1560 – Public key (encryption) found
• T1005 – Tries to harvest and steal browser information (history, passwords, etc)
• T1005 – Found many strings related to Crypto-Wallets (likely being stolen)
• T1573 – Uses HTTPS
• T1071 – Uses HTTPS
• T1071 – C2 URLs / IPs found in malware configuration

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.