fa90e8004b067523f1b790af87026473ed405bd7 - threatlabsnews.xcitium.com

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File

MailAgent1476Microsoft.exe

Type

PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows

SHA‑1

fa90e8004b067523f1b790af87026473ed405bd7

MD5

aa0e86384f52957852dccbf3efe291b7

First Seen

2025-09-05 15:53:39.904990

Last Analysis

2025-09-05 18:47:59.436683

Dwell Time

0 days, 2 hours, 54 minutes

Extended Dwell Time Impact

For 2+ hours, this malware remained undetected — a limited but sufficient window for the adversary to complete initial execution and establish basic system access.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case represents rapid detection and containment within hours rather than days.

Timeline

Time (UTC)	Event	Elapsed
2023-01-09 12:25:23 UTC	First VirusTotal submission	—
2025-09-09 07:42:40 UTC	Latest analysis snapshot	973 days, 19 hours, 17 minutes
2025-09-09 10:37:55 UTC	Report generation time	973 days, 22 hours, 12 minutes

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 53. Missed: 20. Coverage: 72.6%.

Detected Vendors

Xcitium
+52 additional vendors (names not provided)

List includes Xcitium plus an additional 52 vendors per the provided summary.

Missed Vendors

Acronis
Antiy-AVL
Baidu
ClamAV
CMC
DrWeb
Gridinsoft
Jiangmin
Kingsoft
NANO-Antivirus
Skyhigh
SUPERAntiSpyware
TACHYON
tehtris
Trapmine
VirIT
Webroot
Yandex
ZoneAlarm
Zoner

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Dominant system-level operations (39.68% of behavior) suggest this malware performs deep system reconnaissance, privilege escalation, or core OS manipulation. It’s actively probing system defenses and attempting to gain administrative control.

Behavior Categories (weighted)

Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.

Category	Weight	Percentage
System	298	39.68%
Registry	190	25.30%
File System	114	15.18%
Process	96	12.78%
Misc	35	4.66%
Synchronization	8	1.07%
Threading	6	0.80%
Hooking	2	0.27%
Device	2	0.27%

MITRE ATT&CK Mapping

T1620 – invoke .NET assembly method
T1027.004 – compile .NET assembly
T1620 – invoke .NET assembly method
T1027.004 – compile .NET assembly
T1027.004 – compile CSharp in .NET
T1036 – Creates files inside the user directory
T1562.001 – Creates guard pages, often used to prevent reverse engineering and debugging
T1497 – Contains long sleeps (>= 3 min)
T1497 – May sleep (evasive loops) to hinder dynamic analysis
T1070.006 – Binary contains a suspicious time stamp
T1082 – Reads software policies
T1082 – Queries the volume information (name, serial number etc) of a device

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Contacted Domains

Domain	IP	Country	ASN/Org
www.msftncsi.com	23.200.3.10	United States	Akamai Technologies, Inc.

Observed IPs

IP	Country	ASN/Org
224.0.0.252	—	—
239.255.255.250	—	—
8.8.4.4	United States	Google LLC
8.8.8.8	United States	Google LLC

DNS Queries

Request	Type
www.msftncsi.com	A
5isohu.com	A

Contacted IPs

IP	Country	ASN/Org
224.0.0.252	—	—
239.255.255.250	—	—
8.8.4.4	United States	Google LLC
8.8.8.8	United States	Google LLC

Port Distribution

Port	Count	Protocols
137	1	udp
138	1	udp
5355	4	udp
53	4	udp
3702	1	udp

UDP Packets

Source IP	Dest IP	Sport	Dport	Time	Proto
192.168.56.11	192.168.56.255	137	137	7.327121019363403	udp
192.168.56.11	192.168.56.255	138	138	13.40306305885315	udp
192.168.56.11	224.0.0.252	49563	5355	7.171663045883179	udp
192.168.56.11	224.0.0.252	54650	5355	7.184643983840942	udp
192.168.56.11	224.0.0.252	55601	5355	9.98189902305603	udp
192.168.56.11	224.0.0.252	60205	5355	7.18713903427124	udp
192.168.56.11	239.255.255.250	62184	3702	7.189342975616455	udp
192.168.56.11	8.8.4.4	51899	53	10.543792009353638	udp
192.168.56.11	8.8.4.4	62798	53	10.029736042022705	udp
192.168.56.11	8.8.8.8	51899	53	11.544044971466064	udp
192.168.56.11	8.8.8.8	62798	53	11.028297185897827	udp

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.

Persistence & Policy — Registry and Services

Registry and service telemetry points to policy awareness and environment reconnaissance rather than noisy persistence. Below is a compact view of the most relevant keys and handles; expand to see the full lists where available.

Registry Opened

138

Registry Set

Services Started

Services Opened

Registry Opened (Top 25)

Key
HKLM\Software\Microsoft\.NETFramework\Policy
HKLM\Software\Microsoft\.NETFramework\Policy\v4.0
HKLM\Software\Microsoft\.NETFramework
HKLM\Software\Microsoft\.NETFramework\InstallRoot
HKLM\Software\Microsoft\.NETFramework\CLRLoadLogDir
HKLM\Software\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKLM\Software\Microsoft\.NETFramework\OnlyUseLatestCLR
HKCU\Software\Microsoft\.NETFramework\Policy\Standards
HKLM\Software\Microsoft\.NETFramework\Policy\Standards\v4.0.30319
HKLM\SOFTWARE\Microsoft\Fusion
HKLM\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKLM\Software\Microsoft\.NETFramework\v4.0.30319\SKUs
HKLM\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\default
HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full
HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKLM\Software\Microsoft\.NETFramework\DisableConfigCache
HKLM\Software\Microsoft\Fusion
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f727e1f4abf0dd039a6bb7951fd8b5595da5f632919c5bfac7975265b02b44cd.exe
HKLM\Software\Microsoft\Fusion\CacheLocation
HKLM\Software\Microsoft\Fusion\DownloadCacheQuotaInKB
HKLM\Software\Microsoft\Fusion\EnableLog
HKLM\Software\Microsoft\Fusion\LoggingLevel
HKLM\Software\Microsoft\Fusion\ForceLog
HKLM\Software\Microsoft\Fusion\LogFailures
HKLM\Software\Microsoft\Fusion\LogResourceBinds
HKLM\Software\Microsoft\Fusion\FileInUseRetryAttempts
HKLM\Software\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKLM\Software\Microsoft\Fusion\UseLegacyIdentityFormat
HKLM\Software\Microsoft\Fusion\DisableMSIPeek
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKLM\Software\Microsoft\.NETFramework\NGen\Policy\v4.0
HKLM\Software\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKLM\SOFTWARE\Microsoft\.NETFramework\Policy\Servicing
HKLM\Software\Microsoft\StrongName
HKLM\Software\Microsoft\.NETFramework\UseRyuJIT
HKLM\Software\Microsoft\.NETFramework\FeatureSIMD
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\index14
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System__b77a5c561934e089
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System__b77a5c561934e089
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml__b77a5c561934e089
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml__b77a5c561934e089
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_CURRENT_USER\Software\Microsoft\Fusion
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes

Show all (138 total)

Key
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Servicing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\policy\standards\v4.0.30319
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\policy\v4.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SKUs\default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\Packages
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\file.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Segment Heap
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v4.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\Tracing
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole\FeatureDevelopmentProperties
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\file.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MUI\Settings
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Display
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\LevelObjects
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ActiveComputerName
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Error Message Instrument\
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem\
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Sorting\Ids
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Sorting\Versions
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Srp\GP\DLL
HKEY_LOCAL_MACHINE\System\Setup
HKEY_CURRENT_USER\Software\Classes\Local Settings
HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft
HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Ole
HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Ole\FeatureDevelopmentProperties
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\executable.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\executable.exe

Registry Set (Top 25)

What To Do Now — Practical Defense Playbook

Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.

Zero‑Dwell Threat Intelligence Report