Trojan Proxy Qukart Loader with Overlay Payload and Encrypted Channel


Zero‑Dwell Threat Intelligence Report

A narrative, executive‑ready view into the malware’s behavior, exposure, and reliable defenses.
Generated: 2025-11-11 23:45:18 UTC

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File
l6titc9.exe
Type
PE32 executable (GUI) Intel 80386, for MS Windows
SHA‑1
e2c7434abbaa07863d9e2ef9bf5f0fb4ff5da620
MD5
9cf73f5fec5249333c71c1821895c9df
First Seen
2025-10-06 07:13:13.936547
Last Analysis
2025-10-06 13:37:18.102531
Dwell Time
0 days, 7 hours, 33 minutes

Extended Dwell Time Impact

For 6+ hours, this malware remained undetected — a several-hour window that allowed the adversary to complete initial compromise and begin early-stage persistence establishment.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case represents rapid detection and containment within hours rather than days.

Timeline

Time (UTC) Event Elapsed
2025-09-01 18:14:58 UTC First VirusTotal submission
2025-10-08 14:09:29 UTC Latest analysis snapshot 36 days, 19 hours, 54 minutes
2025-11-11 23:45:18 UTC Report generation time 64 days, 13 hours, 0 minutes

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 67. Missed: 6. Coverage: 91.8%.

Detected Vendors

  • Xcitium
  • +66 additional vendors (names not provided)

List includes Xcitium plus an additional 66 vendors per the provided summary.

Missed Vendors

  • CMC
  • google_safebrowsing
  • SUPERAntiSpyware
  • ViRobot
  • Yandex
  • Zoner

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Intensive file system activity (54.67% of behavior) indicates data harvesting, file encryption, or dropper behavior. The threat is actively searching for and manipulating files across the system.

Behavior Categories (weighted)

Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.

Category Weight Percentage
File System 60992 54.67%
System 39415 35.33%
Registry 5122 4.59%
Process 4303 3.86%
Misc 507 0.45%
Device 288 0.26%
Network 240 0.22%
Synchronization 177 0.16%
Threading 175 0.16%
Hooking 154 0.14%
Com 135 0.12%
Services 42 0.04%
__Notification__ 7 0.01%

MITRE ATT&CK Mapping

  • T1027 – encode data using XOR
  • T1027.002 – packed with generic packer
  • T1027.009 – The process has executed a dropped binary
  • T1045 – Manalize Local SandBox Packer Harvesting
  • T1057 – The process attempted to detect a running debugger using common APIs
  • T1050 – The process has tried to set its autorun on the system startup
  • T1060 – The process has tried to set its autorun on the system startup
  • T1112 – The process has tried to set its autorun on the system startup
  • T1027.009 – Drops interesting files and uses them

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Contacted Domains

Domain IP Country ASN/Org
www.aieov.com 13.248.169.48 United States Amazon Technologies Inc.
www.msftncsi.com 23.55.176.231 United States Akamai Technologies, Inc.

Observed IPs

IP Country ASN/Org
224.0.0.252
239.255.255.250
8.8.4.4 United States Google LLC
8.8.8.8 United States Google LLC

DNS Queries

Request Type
5isohu.com A
www.msftncsi.com A
www.aieov.com A

Port Distribution

Port Count Protocols
137 1 udp
5355 19 udp
53 100 udp
3702 1 udp

UDP Packets

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.

What To Do Now — Practical Defense Playbook

  • Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
  • EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
  • Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
  • Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
  • Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.
