71c569c4334688864ed80f6c1c6851b6596876b1 - threatlabsnews.xcitium.com

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File

Windows0MailAgent.exe

Type

PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows

SHA‑1

71c569c4334688864ed80f6c1c6851b6596876b1

MD5

ecc4421c124b3fb476c6dfb55eb5fb0b

First Seen

2025-09-05 15:53:46.771176

Last Analysis

2025-09-05 18:47:59.692853

Dwell Time

0 days, 7 hours, 33 minutes

Extended Dwell Time Impact

For 2+ hours, this malware remained undetected — a limited but sufficient window for the adversary to complete initial execution and establish basic system access.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case represents rapid detection and containment within hours rather than days.

Timeline

Time (UTC)	Event	Elapsed
2022-09-06 13:35:16 UTC	First VirusTotal submission	—
2025-09-09 07:33:07 UTC	Latest analysis snapshot	1098 days, 17 hours, 57 minutes
2025-09-18 06:39:39 UTC	Report generation time	1107 days, 17 hours, 4 minutes

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 49. Missed: 24. Coverage: 67.1%.

Detected Vendors

Xcitium
+48 additional vendors (names not provided)

List includes Xcitium plus an additional 48 vendors per the provided summary.

Missed Vendors

Acronis
AhnLab-V3
Antiy-AVL
Baidu
ClamAV
CMC
DrWeb
Gridinsoft
Jiangmin
Kingsoft
MaxSecure
NANO-Antivirus
Panda
SUPERAntiSpyware
TACHYON
tehtris
Trapmine
Varist
VBA32
VirIT
Webroot
Yandex
ZoneAlarm
Zoner

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Dominant system-level operations (40.00% of behavior) suggest this malware performs deep system reconnaissance, privilege escalation, or core OS manipulation. It’s actively probing system defenses and attempting to gain administrative control.

Behavior Categories (weighted)

Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.

Category	Weight	Percentage
System	302	40.00%
Registry	190	25.17%
File System	114	15.10%
Process	96	12.72%
Misc	35	4.64%
Synchronization	8	1.06%
Threading	6	0.79%
Hooking	2	0.26%
Device	2	0.26%

MITRE ATT&CK Mapping

T1620 – invoke .NET assembly method
T1027.004 – compile .NET assembly
T1129 – The process attempted to dynamically load a malicious function
T1129 – The process tried to load dynamically one or more functions.
T1057 – The process has tried to detect the debugger probing the use of page guards.
T1057 – The process attempted to detect a running debugger using common APIs
T1036 – Creates files inside the user directory
T1562.001 – Creates guard pages, often used to prevent reverse engineering and debugging
T1497 – May sleep (evasive loops) to hinder dynamic analysis
T1497 – Contains long sleeps (>= 3 min)
T1070.006 – Binary contains a suspicious time stamp
T1082 – Queries the volume information (name, serial number etc) of a device
T1082 – Reads software policies
T1036 – Creates files inside the user directory
T1562.001 – Creates guard pages, often used to prevent reverse engineering and debugging
T1497 – May sleep (evasive loops) to hinder dynamic analysis
T1497 – Contains long sleeps (>= 3 min)
T1070.006 – Binary contains a suspicious time stamp
T1082 – Queries the volume information (name, serial number etc) of a device
T1082 – Reads software policies
T1497 – Contains medium sleeps (>= 30s)

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Contacted Domains

Domain	IP	Country	ASN/Org
www.msftncsi.com	23.200.3.27	United States	Akamai Technologies, Inc.
www.aieov.com	13.248.169.48	United States	Amazon Technologies Inc.

Observed IPs

IP	Country	ASN/Org
224.0.0.252	—	—
239.255.255.250	—	—
8.8.4.4	United States	Google LLC
8.8.8.8	United States	Google LLC

DNS Queries

Request	Type
www.msftncsi.com	A
5isohu.com	A
www.aieov.com	A

Contacted IPs

IP	Country	ASN/Org
224.0.0.252	—	—
239.255.255.250	—	—
8.8.4.4	United States	Google LLC
8.8.8.8	United States	Google LLC

Port Distribution

Port	Count	Protocols
137	1	udp
5355	5	udp
53	6	udp
3702	1	udp

UDP Packets

Source IP	Dest IP	Sport	Dport	Time	Proto
192.168.56.11	192.168.56.255	137	137	3.2516820430755615	udp
192.168.56.11	224.0.0.252	49563	5355	3.1739048957824707	udp
192.168.56.11	224.0.0.252	54650	5355	3.1767899990081787	udp
192.168.56.11	224.0.0.252	55601	5355	4.30010199546814	udp
192.168.56.11	224.0.0.252	60205	5355	3.1884210109710693	udp
192.168.56.11	224.0.0.252	62798	5355	5.758066892623901	udp
192.168.56.11	239.255.255.250	62184	3702	3.1847379207611084	udp
192.168.56.11	8.8.4.4	51690	53	7.166597127914429	udp
192.168.56.11	8.8.4.4	51899	53	5.766035079956055	udp
192.168.56.11	8.8.4.4	63439	53	22.588654041290283	udp
192.168.56.11	8.8.8.8	51690	53	8.166244983673096	udp
192.168.56.11	8.8.8.8	51899	53	6.7616870403289795	udp
192.168.56.11	8.8.8.8	63439	53	21.589123010635376	udp

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.

Persistence & Policy — Registry and Services

Registry and service telemetry points to policy awareness and environment reconnaissance rather than noisy persistence. Below is a compact view of the most relevant keys and handles; expand to see the full lists where available.

Registry Opened

145

Registry Set

Services Started

Services Opened

Registry Opened (Top 25)

Key
\REGISTRY\MACHINE\Software\Microsoft\.NETFramework\Policy\v4.0
\REGISTRY\MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs
\REGISTRY\MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\default
HKLM\Software\Microsoft\.NETFramework\Policy
HKLM\Software\Microsoft\.NETFramework\Policy\v4.0
HKLM\Software\Microsoft\.NETFramework
HKLM\Software\Microsoft\.NETFramework\InstallRoot
HKLM\Software\Microsoft\.NETFramework\CLRLoadLogDir
HKLM\Software\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKLM\Software\Microsoft\.NETFramework\OnlyUseLatestCLR
HKCU\Software\Microsoft\.NETFramework\Policy\Standards
HKLM\Software\Microsoft\.NETFramework\Policy\Standards\v4.0.30319
HKLM\SOFTWARE\Microsoft\Fusion
HKLM\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKLM\Software\Microsoft\.NETFramework\v4.0.30319\SKUs
HKLM\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\default
HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full
HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKLM\Software\Microsoft\.NETFramework\DisableConfigCache
HKLM\Software\Microsoft\Fusion
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\b3bb2131d7f2bfe9243462330662c17001644298bcba42f59ee3fd305af02b80.exe
HKLM\Software\Microsoft\Fusion\CacheLocation
HKLM\Software\Microsoft\Fusion\DownloadCacheQuotaInKB
HKLM\Software\Microsoft\Fusion\EnableLog
HKLM\Software\Microsoft\Fusion\LoggingLevel
HKLM\Software\Microsoft\Fusion\ForceLog
HKLM\Software\Microsoft\Fusion\LogFailures
HKLM\Software\Microsoft\Fusion\LogResourceBinds
HKLM\Software\Microsoft\Fusion\FileInUseRetryAttempts
HKLM\Software\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKLM\Software\Microsoft\Fusion\UseLegacyIdentityFormat
HKLM\Software\Microsoft\Fusion\DisableMSIPeek
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKLM\Software\Microsoft\.NETFramework\NGen\Policy\v4.0
HKLM\Software\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKLM\SOFTWARE\Microsoft\.NETFramework\Policy\Servicing
HKLM\Software\Microsoft\StrongName
HKLM\Software\Microsoft\.NETFramework\UseRyuJIT
HKLM\Software\Microsoft\.NETFramework\FeatureSIMD
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\index9
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System__b77a5c561934e089
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System__b77a5c561934e089
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml__b77a5c561934e089
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml__b77a5c561934e089

Show all (145 total)

Key
HKEY_CURRENT_USER\Software\Classes\Local Settings
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_CURRENT_USER\Software\Microsoft\Fusion
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones
HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft
HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Ole
HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Ole\FeatureDevelopmentProperties
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Servicing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\policy\standards\v4.0.30319
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\policy\v4.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SKUs\default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\Packages
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WindowsMailAgent.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Segment Heap
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v4.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\Tracing
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole\FeatureDevelopmentProperties
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WindowsMailAgent.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MUI\Settings
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Display
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\LevelObjects
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ActiveComputerName
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Error Message Instrument\
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem\
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Sorting\Ids
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Sorting\Versions
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Srp\GP\DLL
HKEY_LOCAL_MACHINE\System\Setup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\software.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\software.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\program.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\program.exe

Registry Set (Top 25)

Services Started (Top 15)

Services Opened (Top 15)

What To Do Now — Practical Defense Playbook

Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.

Zero‑Dwell Threat Intelligence Report