AsyncRAT Backdoor With hVNC And Encrypted C2 Channel


Zero‑Dwell Threat Intelligence Report

A narrative, executive‑ready view into the malware’s behavior, exposure, and reliable defenses.
Generated: 2025-12-16 07:09:51 UTC

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File
230oxi.exe
Type
Generic CIL Executable (.NET, Mono, etc.)
SHA‑1
d9608ed15cba3644143627094b54d8f7362d3ef5
MD5
b10010ae60bd547250e4e9ce9b98ca57
First Seen
2025-12-10 17:58:04.909134
Last Analysis
2025-12-10 20:05:14.362309
Dwell Time
0 days, 7 hours, 33 minutes

Extended Dwell Time Impact

For 2+ hours, this malware remained undetected — a limited but sufficient window for the adversary to complete initial execution and establish basic system access.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case represents rapid detection and containment within hours rather than days.

Timeline

Time (UTC) Event Elapsed
2025-11-17 20:40:58 UTC First VirusTotal submission
2025-12-14 19:57:31 UTC Latest analysis snapshot 26 days, 23 hours, 16 minutes
2025-12-16 07:09:51 UTC Report generation time 28 days, 10 hours, 28 minutes

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 72. Detected as malicious: 56. Missed: 16. Coverage: 77.8%.

Detected Vendors

  • Xcitium
  • +55 additional vendors (names not provided)

List includes Xcitium plus an additional 55 vendors per the provided summary.

Missed Vendors

  • Acronis
  • Antiy-AVL
  • APEX
  • Baidu
  • CMC
  • Cynet
  • Jiangmin
  • NANO-Antivirus
  • SUPERAntiSpyware
  • TACHYON
  • tehtris
  • Trapmine
  • ViRobot
  • Webroot
  • Yandex
  • Zoner

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Intensive file system activity (32.73% of behavior) indicates data harvesting, file encryption, or dropper behavior. The threat is actively searching for and manipulating files across the system.

Behavior Categories (weighted)

Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.

Category Weight Percentage
File System 122903 32.73%
Crypto 122803 32.70%
Synchronization 122264 32.56%
Registry 3775 1.01%
System 3055 0.81%
Process 281 0.07%
Com 270 0.07%
Misc 91 0.02%
Threading 60 0.02%
Device 16 0.00%
Services 6 0.00%
Hooking 2 0.00%
Windows 2 0.00%

MITRE ATT&CK Mapping

  • T1070.004 – self delete
  • T1497.001 – reference anti-VM strings targeting VMWare
  • T1027 – encrypt or decrypt data via BCrypt
  • T1082 – get OS version in .NET
  • T1056.001 – log keystrokes
  • T1555.003 – gather firefox profile information
  • T1115 – monitor clipboard content
  • T1010 – enumerate gui resources
  • T1010 – find graphical window
  • T1082 – get CPU information
  • T1053.005 – schedule task via schtasks
  • T1543.003 – persist via Windows service
  • T1569.002 – persist via Windows service
  • T1614.001 – get keyboard layout
  • T1082 – query environment variable
  • T1497.001 – reference anti-VM strings targeting VirtualBox
  • T1083 – enumerate files in .NET
  • T1548.002 – bypass UAC via scheduled task environment variable
  • T1083 – get file version info
  • T1134.001 – impersonate user
  • T1620 – load .NET assembly
  • T1620 – invoke .NET assembly method
  • T1027 – decrypt data using AES via .NET
  • T1213 – reference WMI statements
  • T1125 – capture webcam image
  • T1057 – enumerate processes
  • T1518 – enumerate processes
  • T1497.001 – reference anti-VM strings
  • T1056.001 – log keystrokes via polling
  • T1071.001 – set HTTP cookie
  • T1140 – decode data using Base64 in .NET
  • T1082 – get disk information
  • T1497.001 – reference anti-VM strings targeting Xen
  • T1027.004 – compile CSharp in .NET
  • T1082 – get hostname
  • T1012 – query or enumerate registry value
  • T1564.003 – hide graphical window
  • T1115 – clear clipboard data
  • T1560.002 – compress data using GZip in .NET
  • T1496 – reference cryptocurrency strings
  • T1016.001 – list domain servers
  • T1213 – reference SQL statements
  • T1546.001 – persist via default file association registry key
  • T1113 – capture screenshot
  • T1083 – check if directory exists
  • T1027 – encrypt data using DPAPI
  • T1083 – check if file exists
  • T1112 – delete registry value
  • T1027 – encode data using Base64
  • T1047 – access WMI data in .NET
  • T1083 – get common file path
  • T1057 – find process by PID
  • T1115 – read clipboard data
  • T1547.001 – persist via Run registry key
  • T1027 – encrypt data using AES via .NET
  • T1016 – get networking interfaces
  • T1222 – set file attributes
  • T1057 – find process by name
  • T1112 – delete registry key
  • T1082 – get number of processors
  • T1027.004 – compile .NET assembly
  • T1082 – get kernel version
  • T1564 – hide the Windows taskbar
  • T1082 – get system information on Windows
  • T1083 – get file size
  • T1082 – get disk size
  • T1123 – capture microphone audio
  • T1012 – query or enumerate registry key
  • T1033 – get session integrity level
  • T1129 – link function at runtime on Windows
  • T1033 – get session user name
  • T1087 – get session user name
  • T1055.003 – inject thread
  • T1620 – inject thread
  • T1056.001 – log keystrokes via application hook

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Contacted Domains

Domain IP Country ASN/Org
www.msftncsi.com 23.200.3.71 United States Akamai Technologies, Inc.
www.aieov.com 76.223.54.146 United States Amazon.com, Inc.

Observed IPs

IP Country ASN/Org
224.0.0.252
239.255.255.250
8.8.4.4 United States Google LLC
8.8.8.8 United States Google LLC

DNS Queries

Request Type
5isohu.com A
www.msftncsi.com A
www.aieov.com A

Contacted IPs

IP Country ASN/Org
224.0.0.252
239.255.255.250
8.8.4.4 United States Google LLC
8.8.8.8 United States Google LLC

Port Distribution

Port Count Protocols
137 1 udp
5355 5 udp
53 16 udp
3702 1 udp

UDP Packets

Source IP Dest IP Sport Dport Time Proto
192.168.56.13 192.168.56.255 137 137 3.2447309494018555 udp
192.168.56.13 224.0.0.252 49311 5355 5.730604887008667 udp
192.168.56.13 224.0.0.252 55150 5355 3.1730079650878906 udp
192.168.56.13 224.0.0.252 60010 5355 5.182973861694336 udp
192.168.56.13 224.0.0.252 62406 5355 3.175539970397949 udp
192.168.56.13 224.0.0.252 63527 5355 3.749030828475952 udp
192.168.56.13 239.255.255.250 52252 3702 3.1815710067749023 udp
192.168.56.13 8.8.4.4 54879 53 7.744472980499268 udp
192.168.56.13 8.8.4.4 54881 53 6.344213962554932 udp
192.168.56.13 8.8.4.4 57310 53 65.58792996406555 udp
192.168.56.13 8.8.4.4 57415 53 79.94733691215515 udp
192.168.56.13 8.8.4.4 58697 53 21.869248867034912 udp
192.168.56.13 8.8.4.4 58920 53 98.19712591171265 udp
192.168.56.13 8.8.4.4 62493 53 51.22856092453003 udp
192.168.56.13 8.8.4.4 62849 53 36.26005697250366 udp
192.168.56.13 8.8.8.8 54879 53 8.743783950805664 udp
192.168.56.13 8.8.8.8 54881 53 7.337977886199951 udp
192.168.56.13 8.8.8.8 57310 53 64.58815503120422 udp
192.168.56.13 8.8.8.8 57415 53 78.94741487503052 udp
192.168.56.13 8.8.8.8 58697 53 20.838406801223755 udp
192.168.56.13 8.8.8.8 58920 53 97.19763398170471 udp
192.168.56.13 8.8.8.8 62493 53 50.2441987991333 udp
192.168.56.13 8.8.8.8 62849 53 35.26857590675354 udp

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.

Persistence & Policy — Registry and Services

Registry and service telemetry points to policy awareness and environment reconnaissance rather than noisy persistence. Below is a compact view of the most relevant keys and handles; expand to see the full lists where available.

Registry Opened

0

Registry Set

2

Services Started

0

Services Opened

0

Registry Opened (Top 25)

Show all (297 total)

Registry Set (Top 25)

Key Value
HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\Software\Microsoft\SystemCertificates\Root\Certificates\0174E68C97DDF1E0EEEA415EA336A163D2B61AFD\Blob 5C 00 00 00 01 00 00 00 04 00 00 00 00 10 00 00 04 00 00 00 01 00 00 00 10 00 00 00 0D BE 92 DE FF 7D 36 BB 48 C4 A6 B1 15 24 95 38 0F 00 00 00 01 00 00 00 20 00 00 00 53 FE B9 19 2E D4 80 F2 09 12 4A 2C 57 D7 E8 97 7A 2E 9F 39 46 1D BF 21 4D F1 12 CB 16 02 4F A2 14 00 00 00 01 00 00 00 14 00 00 00 78 B8 30 FD 63 AC 7B 89 4A 07 3B ED F6 8A 83 9C C3 52 02 65 19 00 00 00 01 00 00 00 10 00 00 00 B5 74 AF 30 C5 C1 BA 3A 69 A7 10 02 00 82 4D D0 03 00 00 00 01 00 00 00 14 00 00 00 01 74 E6 8C 97 DD F1 E0 EE EA 41 5E A3 36 A1 63 D2 B6 1A FD 20 00 00 00 01 00 00 00 F8 05 00 00 30 82 05 F4 30 82 03 DC A0 03 02 01 02 02 09 00 E0 EA 61 4C 28 56 32 64 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 30 81 8E 31 0B 30 09 06 03 55 04 06 13 02 49 4C 31 0F 30 0D 06 03 55 04 08 0C 06 43 65 6E 74 65 72 31 0C 30 0A 06 03 55 04 07 0C 03 4C 6F 64 31 10 30 0E 06 03 55 04 0A 0C 07 47 6F 50 72 6F 78 79 31 10 30 0E 06 03 55 04 0B 0C 07 47 6F 50 72 6F 78 79 31 1A 30 18 06 03 55 04 03 0C 11 67 6F 70 72 6F 78 79 2E 67 69 74 68 75 62 2E 69 6
HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\Software\Microsoft\Windows\Windows Error Reporting\Debug\StoreLocation %LOCALAPPDATA%\Microsoft\Windows\WER\ReportArchive\AppCrash_5Z8AFIREUQC80AI1_e18d114defd6ab36dc339c366f969c47bbd2135_0aa13e56

Services Started (Top 15)

Services Opened (Top 15)

What To Do Now — Practical Defense Playbook

  • Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
  • EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
  • Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
  • Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
  • Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.

Scroll to Top