Executive summary

Yesterday we handed Embusa /analyst a single file and nothing else: a 32-bit Windows DLL, 351 KB, no filename hints, and no reputation data. Six minutes and forty-five seconds later it returned a complete teardown.

The sample is LotusLite, a remote access trojan that poses as Microsoft WPS Office. The agent saw through the masquerade, recovered a command and control address hidden behind two layers of encoding, reconstructed the implant's command set, documented its installation and persistence, and finished with ready-to-deploy detection rules. It did all of this autonomously, with no internet access, no external threat intelligence feeds, and no human in the loop.

This is the job Embusa /analyst was built for. When a suspicious attachment or script turns up, most teams face a bad trade: quarantine it, delete it, and quietly accept the risk of never knowing what it was. Instead of leaving the question open, you get a quick answer built on deep malware analysis: what it is, what it does, and what to do about it. Uncertainty is replaced with confidence and understanding, and every file analyzed comes back with the detection rules and hunting insights to leave your defenses stronger than it found them.

One file, no context

Embusa /analyst is an autonomous agent for malware analysis and reverse engineering. You give it a suspicious file. It gives you back what the file is, what it does, and what your team should do next, in a report responders can verify function by function.

For this run we kept the environment deliberately bare. The analysis workspace had no network connection, so the agent could not look up the hash or lean on anyone else's verdict. Everything in the report had to come from the binary itself: decompiled code, PE structure, and the agent's own reasoning.

What it found

The DLL carries forged version metadata claiming to be "Microsoft WPS Office" and exports thirty functions, most of them decoys that pop a message box and exit. The agent traced the real entry point through an export named Bankofchinaunionpaycard, a thunk that jumps straight to the main orchestration routine.

The strings that matter are XOR encoded with the five-byte key Credt and then reversed. The agent recovered the scheme from the decompiled decoder, verified it against the raw bytes of the binary, and used it to unmask the C2 server:

key      "Credt"   43 72 65 64 74
array_1  51 a5 11 c0 4d 89 22 9d c7 25 68 b9 ef 7f 28 51
array_2  60 95 22 ee 7a b0 0c aa f0 0b 59 81 de

array_1[i % 16] ^ array_2[i]  ->  103[.]79[.]77[.]181
C2 address recovery, verified byte for byte (FUN_10002620)

From there it mapped the command loop. The implant talks to that address over HTTPS on port 443 using a custom binary protocol, and the agent enumerated what each command does:

magic     B2 EB CF DF
command   int32
length    uint32
payload   byte[length]

0x01  write to cmd.exe stdin
0x03  list directory contents
0x0A  spawn shell (CreatePipe + CreateProcessA)
0x0B  terminate shell process
0x0D  create file on disk
0x0E  append file data
0x0F  report file status
The implant's C2 protocol and recovered command set (FUN_100045E0)

The report also walks through the installation flow: the DLL copies itself to C:\ProgramData\WKwpsOffice2\, shows a fake "PDF corrupted" error as a decoy, and persists through an HKCU Run key that relaunches it with an undocumented --DMLA flag. Every claim comes with the function address to check the work, and the findings feed directly into the detection rules at the end.

Why this matters

A teardown like this normally costs a senior reverse engineer the better part of a day, and most security teams do not have one on call. Embusa turns it into something you can run against every suspicious file in your queue. And because it has no outside dependencies, it works in the places that need it most: air-gapped networks, regulated environments, and incident response at three in the morning.

Where Embusa fits

The use case is the situation this post started with: a suspicious file lands in your queue and nobody on shift can safely pull it apart. An alert from your EDR, an attachment your email gateway flagged, a script or binary found on a compromised host mid-incident. The usual outcome is to play it safe: quarantine the file, close the ticket, and accept the risk without ever learning what it was. Embusa /analyst removes that trade-off. You get a quick answer built on deep malware analysis, so your team can replace uncertainty with confidence and understanding and move from investigation to informed action in minutes. It is expert malware analysis with no experts required: nobody on shift has to master deep file inspection or reverse engineering.

That speed matters most while an incident is still young. When every minute counts, you need to understand what happened, assess the impact, and pick the right containment and response actions before things escalate. Embusa plugs into the tools you already run: files come in from your SIEM, EDR, or email sandbox through API-first integrations, and verdicts, IOCs, and detection rules flow back into your SOAR and ticketing systems.

Each analysis also turns into a defensive advantage. Investigations that took hours now take minutes, and every report ships with detection rules and threat-hunting insights that connect the sample to the actors, campaigns, and techniques behind it, so every file analyzed strengthens your defenses. Reports come in two registers from the same evidence, one your responders can verify function by function and one leadership can act on, and the whole pipeline can run in isolated infrastructure for environments where samples are not allowed to leave the building.

Read the full technical analysis

Want to go deeper? Read the complete technical analysis of LotusLite.