High-Confidence Buggie Detection: 64-bit DLL Leverages libcef Masquerading and Sandbox Evasion

  • June 8, 2026

Zero‑Dwell Threat Intelligence Report

A narrative, executive‑ready view into the malware’s behavior, exposure, and reliable defenses.
Generated: 2026-06-08 08:11:10 UTC

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File:           ai4t81.exe
Type:           Win64 Executable (generic)
SHA-1:          1ae8a59b1fa5fe0fac04b5f8b3d7ff84aced2d71
MD5:            c0738cfa4f1488956ef4aef054c3144a
First Seen:     2026-06-05 11:41:37.527438
Last Analysis:  2026-06-05 17:27:52.813573
Dwell Time:     5 hours 46 minutes

Extended Dwell Time Impact

For 5+ hours, this malware remained undetected — a limited but sufficient window for the adversary to complete initial execution and establish basic system access.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case represents rapid detection and containment within hours rather than days.

Timeline

Time (UTC)                 Event                         Elapsed
2026-03-09 10:44:42 UTC    First VirusTotal submission   -
2026-06-05 19:01:46 UTC    Latest analysis snapshot      88 days, 8 hours, 17 minutes
2026-06-08 08:11:10 UTC    Report generation time        90 days, 21 hours, 26 minutes

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 71. Detected as malicious: 47. Missed: 24. Coverage: 66.2%.

Detected Vendors

  • Xcitium
  • +46 additional vendors (names not provided)

List includes Xcitium plus an additional 18 vendors per the provided summary.

Missed Vendors

  • Acronis
  • APEX
  • Bkav
  • CAT-QuickHeal
  • ClamAV
  • CMC
  • Cylance
  • DeepInstinct
  • DrWeb
  • Gridinsoft
  • huorong
  • Jiangmin
  • NANO-Antivirus
  • SentinelOne
  • SUPERAntiSpyware
  • TACHYON
  • tehtris
  • Trapmine
  • VBA32
  • VirIT
  • Webroot
  • Xcitium
  • Yandex
  • Zoner

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

MITRE ATT&CK Mapping

  • T1129 – access PEB ldr_data
  • T1497.001 – check for Windows sandbox via process name
  • T1033 – get session user name
  • T1087 – get session user name
  • T1057 – enumerate processes
  • T1518 – enumerate processes
  • T1129 – link function at runtime on Windows
  • T1547.001 – persist via Run registry key
  • T1129 – get ntdll base address
  • T1082 – query environment variable
  • T1497.001 – check for Windows sandbox via registry
  • T1012 – query or enumerate registry value
  • T1497.001 – check for Windows sandbox via genuine state
  • T1497 – check for sandbox username or hostname
  • T1497.001 – check for Windows sandbox via dns suffix
  • T1027 – encode data using XOR
  • T1016 – get local IPv4 addresses
  • T1083 – enumerate files on Windows
  • T1129 – Drops a binary and executes it
  • T1071 – Yara detections observed in process dumps, payloads or dropped files
  • T1027 – The binary contains an unknown PE section name indicative of packing
  • T1027.002 – The binary contains an unknown PE section name indicative of packing
  • T1045 – Software Packing
  • T1045 – Manalize Local SandBox Packer Harvesting
  • T1063 – It Tries to detect injection methods
  • T1620 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
  • T1620 – Manalize Local SandBox Strings
  • T1036 – Creates files inside the user directory
  • T1218.011 – Runs a DLL by calling functions
  • T1070.006 – Binary contains a suspicious time stamp

Persistence & Policy — Registry and Services

Registry and service telemetry points to policy awareness and environment reconnaissance rather than noisy persistence. Below is a compact view of the most relevant keys and handles; expand to see the full lists where available.

Registry Opened:   29
Registry Set:      0
Services Started:  0
Services Opened:   0

Registry Opened (Top 25)

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Ole\FeatureDevelopmentProperties
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\machine
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System
  • HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\Tracing
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Wow64\x86\xtajit
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\SdbUpdates\ManifestedMergeStubSdbs
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Display
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MUI\Settings
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\SdbUpdates
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
  • HKEY_LOCAL_MACHINE\OSDATA\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\user
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Segment Heap
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\loaddll64.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  • HKEY_LOCAL_MACHINE\Software\Microsoft\LanguageOverlay\OverlayPackages\en-US

Registry Set (Top 25): none recorded

Services Started (Top 15): none recorded

Services Opened (Top 15): none recorded