More detail on this here: http://research.zscaler.com/2016/01/yet-another-signed-malware-spymel.html It's a signed .Net program delivered via e-mail attachment.
Whomever wrote this malware, also knows their OS internals. The question for anti-exec uses is "Does it monitor executables run at boot time by task manager?" Spymel drops itself as “svchost.exe” and “Startup32.1.exe” in the following location: %AppData%\Roaming\Microsoft\Windows\StartMenu\Programs\Startup\Startup32.1.exe. The malware for persistence uses a infrequently used registry startup location that I am sure most AVs and AMs don't monitor: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run Sidebar(32.1) More on this: Startup Tasks can be disabled using Task Manager in Windows 8.1 or msconfig in Windows 7. For example, I have disabled Box Sync from running at startup on my machine: Enabling/Disabling though task manager sets a registry key at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run or HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run If the value starts with 02 00 00 then it is enabled. If it starts with another value (like 03 00 in my example) then it is disabled: Ref: http://stackoverflow.com/questions/29994315/c-sharp-application-not-running-on-startup
