0dbd099ca35e5101c86ce9038c7f972fb8dc50aa


Zero‑Dwell Threat Intelligence Report

A narrative, executive‑ready view into the malware’s behavior, exposure, and reliable defenses.
Generated: 2025-08-29 13:40:45 UTC

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File: mozglue.dll
Type: Win32 DLL
SHA‑1: 0dbd099ca35e5101c86ce9038c7f972fb8dc50aa
MD5: 478d8cdc26a5bcd09aa6054033994557
First Seen: 2024-10-27 21:14:24 UTC
Last Analysis: 2025-08-29 09:08:26 UTC
Dwell Time: 305 days 11 hours

Extended Dwell Time Impact

For 305+ days, this malware remained undetected — an unusually long window that granted the adversary the ability to persist, recon, and potentially exfiltrate data with zero alerts.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case doubles that benchmark, highlighting a severe detection gap.

Timeline

Time (UTC) | Event | Elapsed
2024-10-27 | First VirusTotal submission |
2025-08-29 | Latest analysis snapshot | 305 days
2025-08-27 21:37:22 UTC | Report generation time |

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 72. Detected as malicious: 50. Missed: 22. Coverage: 69.4%.

Detected Vendors

  • Xcitium
  • +49 additional vendors (names not provided)

List includes Xcitium plus an additional 49 vendors per the provided summary.

Missed Vendors

  • Acronis
  • Baidu
  • ClamAV
  • CMC
  • Cynet
  • DrWeb
  • Gridinsoft
  • Jiangmin
  • Sangfor Engine Zero
  • SecureAge
  • SentinelOne
  • SUPERAntiSpyware
  • TACHYON
  • TEHTRIS
  • Trapmine
  • TrendMicro
  • VBA32
  • VirIT
  • ViRobot
  • Webroot
  • ZoneAlarm
  • Zoner

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

This threat blends evasive checks with data collection and outbound communications. Behavior tags point to sandbox detection, prolonged sleeps, registry reconnaissance, and encrypted egress — a classic quiet‑then‑talk pattern.

Behavior Categories (weighted)

  • process: 18.18%
  • file system: 42.52%
  • misc: 0.59%
  • system: 36.36%
  • registry: 2.35%

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Contacted Domains

Domain | IP | Country | ASN
www.msftncsi.com | 23.200.3.20 | United States | Akamai Technologies, Inc.

Observed IPs

IP | Country | ASN/Org
No Records Found

DNS Queries

Hostname | Type | Time (s)
5isohu.com | A | 15.91563105583191
www.msftncsi.com | A | 18.64970302581787

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.

Registry Set

Key | Value
\REGISTRY\A\{3391629d-2306-7745-7060-e1345630b369}\Root\InventoryApplicationFile\PermissionsCheckTestKey |
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\Debug |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug\ExceptionRecord | 05 00 00 C0 00 00 00 00 00 00 00 00 00 00 00 00 CC 76 FA 5D FE 7F 00 00 02 00 00 00 00 00 00 00 00 0
\REGISTRY\A\{72137551-cce1-236a-a7f9-65acc8c63d89}\Root\InventoryApplicationFile\PermissionsCheckTestKey |
\REGISTRY\A\{84d2ac07-0fa0-f3a1-82cb-3cab82d7ad49}\Root\InventoryApplicationFile\PermissionsCheckTestKey |
\REGISTRY\A\{1a1567db-80d8-8efa-0e00-11457551e68a}\Root\InventoryApplicationFile\PermissionsCheckTestKey |
\REGISTRY\A\{1a1567db-80d8-8efa-0e00-11457551e68a}\Root\InventoryApplicationFile\loaddll64.exe|f3d72086358f9008 |
\REGISTRY\A\{1a1567db-80d8-8efa-0e00-11457551e68a}\Root\InventoryApplicationFile\loaddll64.exe|f3d72086358f9008\ProgramId | 00065fe1f73225e8c2331b8d373d3f91ac420000ffff
\REGISTRY\A\{1a1567db-80d8-8efa-0e00-11457551e68a}\Root\InventoryApplicationFile\loaddll64.exe|f3d72086358f9008\FileId | 0000f232e0decd548852fa6089e195431b73e94ed0bd
\REGISTRY\A\{1a1567db-80d8-8efa-0e00-11457551e68a}\Root\InventoryApplicationFile\loaddll64.exe|f3d72086358f9008\LowerCaseLongPath | c:\windows\system32\loaddll64.exe
\REGISTRY\A\{1a1567db-80d8-8efa-0e00-11457551e68a}\Root\InventoryApplicationFile\loaddll64.exe|f3d72086358f9008\LongPathHash | loaddll64.exe|f3d72086358f9008
\REGISTRY\A\{1a1567db-80d8-8efa-0e00-11457551e68a}\Root\InventoryApplicationFile\loaddll64.exe|f3d72086358f9008\Name | loaddll64.exe
\REGISTRY\A\{1a1567db-80d8-8efa-0e00-11457551e68a}\Root\InventoryApplicationFile\loaddll64.exe|f3d72086358f9008\BinaryType | pe64_amd64
\REGISTRY\A\{1a1567db-80d8-8efa-0e00-11457551e68a}\Root\InventoryApplicationFile\loaddll64.exe|f3d72086358f9008\LinkDate | 09/15/2023 08:23:40
\REGISTRY\A\{1a1567db-80d8-8efa-0e00-11457551e68a}\Root\InventoryApplicationFile\loaddll64.exe|f3d72086358f9008\Size | 00 88 02 00 00 00 00 00
\REGISTRY\A\{1a1567db-80d8-8efa-0e00-11457551e68a}\Root\InventoryApplicationFile\loaddll64.exe|f3d72086358f9008\IsPeFile | 1
\REGISTRY\A\{1a1567db-80d8-8efa-0e00-11457551e68a}\Root\InventoryApplicationFile\loaddll64.exe|f3d72086358f9008\Usn | 20 2F 99 86 00 00 00 00
\REGISTRY\A\{1a1567db-80d8-8efa-0e00-11457551e68a}\Root\InventoryApplicationFile\loaddll64.exe|f3d72086358f9008\Publisher |
\REGISTRY\A\{1a1567db-80d8-8efa-0e00-11457551e68a}\Root\InventoryApplicationFile\loaddll64.exe|f3d72086358f9008\Version |
\REGISTRY\A\{1a1567db-80d8-8efa-0e00-11457551e68a}\Root\InventoryApplicationFile\loaddll64.exe|f3d72086358f9008\BinFileVersion |
\REGISTRY\A\{1a1567db-80d8-8efa-0e00-11457551e68a}\Root\InventoryApplicationFile\loaddll64.exe|f3d72086358f9008\ProductName |
\REGISTRY\A\{1a1567db-80d8-8efa-0e00-11457551e68a}\Root\InventoryApplicationFile\loaddll64.exe|f3d72086358f9008\ProductVersion |
\REGISTRY\A\{1a1567db-80d8-8efa-0e00-11457551e68a}\Root\InventoryApplicationFile\loaddll64.exe|f3d72086358f9008\BinProductVersion |
\REGISTRY\A\{1a1567db-80d8-8efa-0e00-11457551e68a}\Root\InventoryApplicationFile\loaddll64.exe|f3d72086358f9008\Language | 0
\REGISTRY\A\{1a1567db-80d8-8efa-0e00-11457551e68a}\Root\InventoryApplicationFile\loaddll64.exe|f3d72086358f9008\IsOsComponent | 0

Transport & Telemetry — TLS, HTTP, IP, IDS

The sample leans on encrypted transport and benign‑looking hosts, but the patterns still betray it: JA3/JA4 hints, cert chains, and IDS metadata are enough to anchor hunting queries.

IP Traffic

Contacted IPs

IP | Country | Org
224.0.0.252 | |
239.255.255.250 | |
8.8.4.4 | United States | Google LLC
8.8.8.8 | United States | Google LLC

UDP Flows

Proto | Src IP | Dst IP | Src Port->Dst Port | Time (s)
UDP | 192.168.56.11 | 192.168.56.255 | 137->137 | 7.930926084518433
UDP | 192.168.56.11 | 224.0.0.252 | 49563->5355 | 7.862659931182861
UDP | 192.168.56.11 | 224.0.0.252 | 54650->5355 | 7.866019010543823
UDP | 192.168.56.11 | 224.0.0.252 | 55601->5355 | 7.920959949493408
UDP | 192.168.56.11 | 224.0.0.252 | 62798->5355 | 10.6043541431427
UDP | 192.168.56.11 | 239.255.255.250 | 62184->3702 | 7.875313997268677
UDP | 192.168.56.11 | 8.8.4.4 | 51899->53 | 10.651626110076904
UDP | 192.168.56.11 | 8.8.4.4 | 60205->53 | 7.919436931610107
UDP | 192.168.56.11 | 8.8.8.8 | 51899->53 | 11.649405002593994
UDP | 192.168.56.11 | 8.8.8.8 | 60205->53 | 8.91507601737976

IDS Alerts

Signature | Severity | Category | Src IP | Dst IP | Src Port | Dst Port
No Records Found

What To Do Now — Practical Defense Playbook

  • Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
  • EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
  • Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
  • Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
  • Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.
