Huorong's HVM engine incorporates special handling for common stalling techniques. However, its primary limitation is the inability to simulate a sample's network communication and external file reading operations, which makes it highly vulnerable to being bypassed by samples that employ a separation-of-tactics approach.
Typically a good emulator will use fake files inside (including some that look like browser credentials) as well as it could potentially fake network communications. There are several limitations all emulators experience, mainly with malware detecting that it’s been emulated and using rubbish instructions (long sleep, needless loops and so on), till the emulator times out. Another limitation is malware may not necessarily read files with credentials directly, but can rather load full folders in memory and then extract just the credentials files.
