Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

Extended Dwell Time Impact

For 1+ hours, this malware remained undetected — a limited but sufficient window for the adversary to complete initial execution and establish basic system access.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 55. Missed: 18. Coverage: 75.3%.

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Dominant system-level operations (63.73% of behavior) suggest this malware performs deep system reconnaissance, privilege escalation, or core OS manipulation. It’s actively probing system defenses and attempting to gain administrative control.

MITRE ATT&CK Mapping

• T1113 – capture screenshot
• T1134 – acquire debug privileges
• T1547.009 – create shortcut via IShellLink
• T1027 – encode data using XOR
• T1082 – get disk information
• T1010 – find graphical window
• T1614.001 – get keyboard layout
• T1083 – enumerate files recursively
• T1129 – link function at runtime on Windows
• T1564.003 – hide graphical window
• T1222 – set file attributes
• T1115 – open clipboard
• T1134.001 – impersonate user
• T1529 – shutdown system
• T1083 – get common file path
• T1057 – enumerate processes
• T1518 – enumerate processes
• T1033 – get session user name
• T1087 – get session user name
• T1082 – get COMSPEC environment variable
• T1083 – get file size
• T1027 – encode data using Base64
• T1134 – modify access privileges
• T1082 – get system information on Windows
• T1115 – list drag and drop files
• T1082 – get memory capacity
• T1105 – download and write a file
• T1112 – delete registry key
• T1082 – get disk size
• T1497.002 – check for unmoving mouse cursor
• T1056.001 – log keystrokes
• T1115 – read clipboard data
• T1059 – compiled with AutoIt
• T1016 – get socket status
• T1012 – query or enumerate registry key
• T1033 – get token membership
• T1083 – enumerate files on Windows
• T1056.001 – log keystrokes via polling
• T1082 – query environment variable
• T1082 – get hostname
• T1083 – check if file exists
• T1010 – enumerate gui resources
• T1083 – get file version info
• T1129 – parse PE header
• T1112 – delete registry value
• T1012 – query or enumerate registry value
• T1033 – Collects and encrypts information about the computer likely to send to C2 server
• T1082 – Checks available memory
• T1057 – Enumerates the modules from a process (may be used to locate base addresses in process injection)
• T1003 – Accessed credential storage registry keys
• T1003 – Harvests credentials from local FTP client softwares
• T1003 – Harvests information related to installed mail clients
• T1552 – Harvests credentials from local FTP client softwares
• T1552 – Harvests information related to installed mail clients
• T1552.001 – Harvests credentials from local FTP client softwares
• T1552.001 – Harvests information related to installed mail clients
• T1114 – Harvests information related to installed mail clients
• T1005 – Harvests credentials from local FTP client softwares
• T1005 – Harvests information related to installed mail clients
• T1560 – Collects and encrypts information about the computer likely to send to C2 server
• T1547 – Installs itself for autorun at Windows startup
• T1547.001 – Installs itself for autorun at Windows startup
• T1071 – At least one IP Address, Domain, or File Name was found in a crypto call
• T1071 – Resolves a suspicious Top Level Domain (TLD)
• T1071 – Reads from the memory of another process
• T1071 – Yara detections observed in process dumps, payloads or dropped files
• T1071 – Reads data out of its own binary image
• T1071 – Binary file triggered YARA rule
• T1106 – Guard pages use detected – possible anti-debugging.
• T1202 – Uses Windows utilities for basic functionality
• T1202 – Uses suspicious command line tools or Windows utilities
• T1112 – Creates or sets a registry key to a long series of bytes, possibly to store a binary or malware config
• T1112 – Installs itself for autorun at Windows startup
• T1070 – Deletes executed files from disk
• T1027 – Uses csc.exe C# compiler to build and execute code
• T1027 – The binary likely contains encrypted or compressed data
• T1027.004 – Uses csc.exe C# compiler to build and execute code
• T1027.002 – The binary likely contains encrypted or compressed data
• T1064 – Executes visual basic scripts
• T1064 – Drops VBS files to the startup folder (C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup)
• T1064 – Found WSH timer for Javascript or VBS script (likely evasive script)
• T1547.001 – Creates a start menu entry (Start Menu\\Programs\\Startup)
• T1547.001 – Stores files to the Windows startup directory
• T1055 – Maps a DLL or memory area into another process
• T1055 – Writes to foreign memory regions
• T1055 – May try to detect the Windows Explorer process (often used for injection)
• T1036 – Creates files inside the user directory
• T1562.001 – Creates guard pages, often used to prevent reverse engineering and debugging
• T1518.001 – Switches to a customs stack to bypass stack traces
• T1057 – May try to detect the Windows Explorer process (often used for injection)
• T1082 – Switches to a customs stack to bypass stack traces
• T1082 – Queries the cryptographic machine GUID
• T1071 – C2 URLs / IPs found in malware configuration

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.