If this is a known malware, targeting a large country, how come the majority of AVs still cannot detect it? The malcoders must be modding it all the time.
Problem between static and dynamic.
Some vendors might have a good memory scanner, others might not. A memory scanner could allow normal generic signatures to detect malicious code based on patterns even if the sample was packed, after it had decrypted (unpacked) itself in memory. Although, some vendors might just refer to "memory scanning" as detecting process start-up and applying normal scanning to the image on disk for that newly starting process.
Another example would be general dynamic analysis. One vendor might intercept behavior and use this to flag as suspicious/malicious or not, whereas another vendor might not.
So when you have a well-made malware sample in the wild, especially something sensitive like targeting bank credential theft, the detection results will vary. If checksum hash detection flags a sample, one update to the sample will eradicate the detections. If generic signatures are applied to flag the sample, packing will eradicate the detections for the vendors that don't have a good memory scanner. Even if a product has a good memory scanner, a malware author might re-update the malware to exploit a vulnerability in the memory scanner (e.g. put the scanner off-guard in the wrong direction, find a way to trap the scanning, etc.).
And then you have metamorphism... Which is "re-programming". So every time the malware becomes active, code execution is slightly different each time. This can be used to evade detection sometimes very well, as long as it is implemented and handled very well. However, metamorphism can be extremely sophisticated when being done correctly, something that 99% of malware authors cannot do properly under a general scenario. Used to be quite popular with virus infections though, where the injected code into the affected documents would differ for each/each set of documents targeted.
Oh, and then you also have instruction virtualisation when dealing with Assembly. Heaven's Gate to execute 64-bit code from a 32-bit compiled process running on a 64-bit environment may also evade Anti-Virus software depending on the capabilities of the currently tested product, and so on.
So there are just so many different reasons that a product may flag or not under different circumstances. It depends on the malware author's skill-set, the sample itself (what it is for, how it works) and how the security product being tested against the product works (e.g. capabilities it has, measures it takes to do this and that, etc.).
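The difference between hash, generic-signature and memory-scan coverage described in the reply above, as an added illustration that is not part of the original posts. The marker bytes, the single-byte XOR standing in for a packer, and the two "vendor" profiles are all constructed assumptions; no real product or sample is modelled.

```python
import hashlib

# Constructed, harmless stand-in for a byte pattern a generic signature keys on.
MARKER = b"CONSTRUCTED-DEMO-PATTERN-0001"

def make_sample(build_id: bytes) -> bytes:
    """Constructed sample: filler + marker + a trailer that changes per build."""
    return b"\x90" * 16 + MARKER + b"|build=" + build_id

def toy_pack(data: bytes, key: int = 0x5A) -> bytes:
    """Toy stand-in for packing; XOR is its own inverse, so it also unpacks."""
    return bytes(b ^ key for b in data)

class Scanner:
    """Hypothetical product with a hash list, one pattern, optional memory scan."""
    def __init__(self, known_bad: bytes, memory_scanning: bool):
        self.hashes = {hashlib.sha256(known_bad).hexdigest()}
        self.patterns = [MARKER]
        self.memory_scanning = memory_scanning

    def scan(self, on_disk: bytes, in_memory: bytes) -> list:
        hits = []
        if hashlib.sha256(on_disk).hexdigest() in self.hashes:
            hits.append("hash")
        if any(p in on_disk for p in self.patterns):
            hits.append("static-pattern")
        # Same pattern, applied to the image after it has unpacked itself.
        if self.memory_scanning and any(p in in_memory for p in self.patterns):
            hits.append("memory-pattern")
        return hits

def coverage_matrix() -> dict:
    """Which layers fire for each variant, per vendor profile."""
    v1, v2 = make_sample(b"1"), make_sample(b"2")
    packed = toy_pack(v2)
    # Each case is (bytes on disk, bytes resident in memory at run time).
    cases = {"original": (v1, v1), "rebuilt": (v2, v2),
             "packed": (packed, toy_pack(packed))}
    out = {}
    for vendor, memscan in (("disk-only", False), ("with-memory-scan", True)):
        s = Scanner(v1, memscan)
        out[vendor] = {name: s.scan(d, m) for name, (d, m) in cases.items()}
    return out

if __name__ == "__main__":
    for vendor, rows in coverage_matrix().items():
        print(vendor, rows)
```

The "disk-only" profile also covers the vendors mentioned above whose "memory scanning" is just a scan of the on-disk image at process start, which is why it reports nothing for the packed variant.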