Qukart Proxy Trojan Employing WININET API for C2 Communication

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File

i2nzkednd.exe

Type

MS-DOS executable, MZ for MS-DOS

SHA‑1

c6bf0eddb826916f79ce0a65bfd12d8cac9b6f71

MD5

d50202a93ac2ba83ac390567f95bc422

First Seen

2025-10-05 13:20:42.864038

Last Analysis

2025-10-06 12:55:14.078307

Dwell Time

0 days, 7 hours, 33 minutes

Extended Dwell Time Impact

For 23+ hours, this malware remained undetected — a half-day window that permitted the adversary to complete initial execution, establish basic persistence, and perform initial system enumeration.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case represents rapid detection and containment within hours rather than days.

Timeline

Time (UTC)	Event	Elapsed
2025-09-20 05:58:27 UTC	First VirusTotal submission	—
2025-10-08 14:12:21 UTC	Latest analysis snapshot	18 days, 8 hours, 13 minutes
2025-11-13 21:19:42 UTC	Report generation time	46 days, 1 hours, 21 minutes

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 66. Missed: 7. Coverage: 90.4%.

Detected Vendors

Xcitium
+65 additional vendors (names not provided)

List includes Xcitium plus an additional 65 vendors per the provided summary.

Missed Vendors

CMC
google_safebrowsing
TACHYON
tehtris
Webroot
Yandex
Zoner

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Dominant system-level operations (46.94% of behavior) suggest this malware performs deep system reconnaissance, privilege escalation, or core OS manipulation. It’s actively probing system defenses and attempting to gain administrative control.

Behavior Categories (weighted)

Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.

Category	Weight	Percentage
System	23	46.94%
Registry	11	22.45%
File System	8	16.33%
Process	5	10.20%
Synchronization	2	4.08%

MITRE ATT&CK Mapping

T1016 – get socket status
T1083 – enumerate files on Windows
T1083 – get common file path
T1027 – encode data using XOR
T1222 – set file attributes
T1083 – get file size
T1129 – link many functions at runtime
T1564.003 – hide graphical window
T1027 – encrypt data using RC4 PRGA
T1059.003 – execute shell command and capture output
T1082 – query environment variable
T1083 – check if file exists
T1010 – find graphical window
T1105 – download and write a file
T1059 – accept command line arguments
T1082 – get memory capacity
T1012 – query or enumerate registry value
T1129 – link function at runtime on Windows
T1497.001 – reference anti-VM strings

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Contacted Domains

Domain	IP	Country	ASN/Org
www.aieov.com	13.248.169.48	United States	Amazon Technologies Inc.

Observed IPs

IP	Country	ASN/Org
224.0.0.252	—	—
8.8.4.4	United States	Google LLC
8.8.8.8	United States	Google LLC

DNS Queries

Request	Type
5isohu.com	A
www.aieov.com	A

Contacted IPs

IP	Country	ASN/Org
224.0.0.252	—	—
8.8.4.4	United States	Google LLC
8.8.8.8	United States	Google LLC

Port Distribution

Port	Count	Protocols
137	1	udp
5355	4	udp
53	4	udp

UDP Packets

Source IP	Dest IP	Sport	Dport	Time	Proto
192.168.56.14	192.168.56.255	137	137	3.0858349800109863	udp
192.168.56.14	224.0.0.252	51209	5355	3.0224599838256836	udp
192.168.56.14	224.0.0.252	53401	5355	4.783488035202026	udp
192.168.56.14	224.0.0.252	55094	5355	5.586416959762573	udp
192.168.56.14	224.0.0.252	55848	5355	3.023144006729126	udp
192.168.56.14	8.8.4.4	52815	53	7.361111879348755	udp
192.168.56.14	8.8.4.4	65148	53	22.859400987625122	udp
192.168.56.14	8.8.8.8	52815	53	8.359570980072021	udp
192.168.56.14	8.8.8.8	65148	53	21.86162495613098	udp

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.

Persistence & Policy — Registry and Services

Registry and service telemetry points to policy awareness and environment reconnaissance rather than noisy persistence. Below is a compact view of the most relevant keys and handles; expand to see the full lists where available.

Registry Opened

Registry Set

Services Started

Services Opened

Registry Opened (Top 25)

Show all (297 total)

Registry Set (Top 25)

Key	Value
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\(Default)	—
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel	Apartment
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\Debug\StoreLocation	%LOCALAPPDATA%\Microsoft\Windows\WER\ReportArchive\AppCrash_Dmqgkddk.exe_edfb8a1ff17891dd2608fcb6d1f48cbc1a7d5_0a454b61
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger	{79FAA099-1BAE-816E-D711-115290CEE717}
HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\Software\Microsoft\SystemCertificates\Root\Certificates\0174E68C97DDF1E0EEEA415EA336A163D2B61AFD\Blob	5C 00 00 00 01 00 00 00 04 00 00 00 00 10 00 00 04 00 00 00 01 00 00 00 10 00 00 00 0D BE 92 DE FF 7D 36 BB 48 C4 A6 B1 15 24 95 38 0F 00 00 00 01 00 00 00 20 00 00 00 53 FE B9 19 2E D4 80 F2 09 12 4A 2C 57 D7 E8 97 7A 2E 9F 39 46 1D BF 21 4D F1 12 CB 16 02 4F A2 14 00 00 00 01 00 00 00 14 00 00 00 78 B8 30 FD 63 AC 7B 89 4A 07 3B ED F6 8A 83 9C C3 52 02 65 19 00 00 00 01 00 00 00 10 00 00 00 B5 74 AF 30 C5 C1 BA 3A 69 A7 10 02 00 82 4D D0 03 00 00 00 01 00 00 00 14 00 00 00 01 74 E6 8C 97 DD F1 E0 EE EA 41 5E A3 36 A1 63 D2 B6 1A FD 20 00 00 00 01 00 00 00 F8 05 00 00 30 82 05 F4 30 82 03 DC A0 03 02 01 02 02 09 00 E0 EA 61 4C 28 56 32 64 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 30 81 8E 31 0B 30 09 06 03 55 04 06 13 02 49 4C 31 0F 30 0D 06 03 55 04 08 0C 06 43 65 6E 74 65 72 31 0C 30 0A 06 03 55 04 07 0C 03 4C 6F 64 31 10 30 0E 06 03 55 04 0A 0C 07 47 6F 50 72 6F 78 79 31 10 30 0E 06 03 55 04 0B 0C 07 47 6F 50 72 6F 78 79 31 1A 30 18 06 03 55 04 03 0C 11 67 6F 70 72 6F 78 79 2E 67 69 74 68 75 62 2E 69 6 .. truncated
HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\Software\Microsoft\Windows\Windows Error Reporting\Debug\StoreLocation	%LOCALAPPDATA%\Microsoft\Windows\WER\ReportArchive\AppCrash_Dmqgkddk.exe_edfb8a1ff17891dd2608fcb6d1f48cbc1a7d5_0a454b61

Services Started (Top 15)

Services Opened (Top 15)

What To Do Now — Practical Defense Playbook

Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.

Zero‑Dwell Threat Intelligence Report