Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

Extended Dwell Time Impact

For 22+ hours, this malware remained undetected — a half-day window that permitted the adversary to complete initial execution, establish basic persistence, and perform initial system enumeration.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 59. Missed: 14. Coverage: 80.8%.

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Dominant system-level operations (49.25% of behavior) suggest this malware performs deep system reconnaissance, privilege escalation, or core OS manipulation. It’s actively probing system defenses and attempting to gain administrative control.

MITRE ATT&CK Mapping

• T1083 – get file size
• T1083 – enumerate files on Windows
• T1129 – link function at runtime on Windows
• T1614 – get geographical location
• T1082 – query environment variable
• T1129 – parse PE header
• T1027 – encrypt data using Curve25519
• T1129 – access PEB ldr_data
• T1082 – get number of processors
• T1071 – Attempts to connect to a dead IP:Port
• T1071 – Performs HTTP requests potentially not found in PCAP.
• T1071 – Terminates another process
• T1071 – HTTP traffic contains suspicious features which may be indicative of malware related traffic
• T1071 – Reads data out of its own binary image
• T1071 – Yara detections observed in process dumps, payloads or dropped files
• T1071 – Reads from the memory of another process
• T1055 – Writes an executable to the memory of another process
• T1055 – Contains .tls (Thread Local Storage) section
• T1055 – Writes to the memory another process
• T1027 – The binary likely contains encrypted or compressed data
• T1027 – The binary contains an unknown PE section name indicative of packing
• T1027.002 – The binary likely contains encrypted or compressed data
• T1027.002 – The binary contains an unknown PE section name indicative of packing
• T1129 – The process tried to load dynamically one or more functions.
• T1140 – Detected an attempt to pull out some data from the binary image
• T1045 – Manalize Local SandBox Packer Harvesting
• T1063 – It Tries to detect injection methods
• T1055 – Injects a PE file into a foreign processes
• T1055 – Writes to foreign memory regions
• T1055 – Allocates memory in foreign processes
• T1027.002 – PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)
• T1573 – Uses HTTPS
• T1095 – Downloads files from webservers via HTTP
• T1095 – Posts data to webserver
• T1071 – Downloads files from webservers via HTTP
• T1071 – Posts data to webserver
• T1071 – Uses HTTPS
• T1071 – C2 URLs / IPs found in malware configuration
• T1105 – Downloads files from webservers via HTTP

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.