High-Confidence Ibashade Detection: Win32 Executable Leverages MicroPackage Masquerading for Evasion

  • May 8, 2026
Zero‑Dwell Threat Intelligence Report

A narrative, executive‑ready view into the malware’s behavior, exposure, and reliable defenses.
Generated: 2026-05-08 14:17:23 UTC

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File: 9z9x8.exe
Type: Microsoft Visual C++ compiled executable (generic)
SHA‑1: 42c8dc44bfa5e65cad647d90ed7b8d246a1becd9
MD5: dac5986650c2cc26e311076c0fa0ccee
First Seen: 2026-05-08 13:12:39.204161
Last Analysis: 2026-05-08 13:20:53.965003
Dwell Time: 0 days, 7 hours, 33 minutes

Extended Dwell Time Impact

This malware was detected within a little over 8 minutes, demonstrating effective security controls that intercepted the threat during its initial execution phase and severely limited the adversary's capabilities.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case represents extremely rapid detection within minutes.

Timeline

Time (UTC)          | Event                       | Elapsed
2026-05-08 06:29:24 | First VirusTotal submission |
2026-05-08 13:52:21 | Latest analysis snapshot    | 0 days, 7 hours, 22 minutes
2026-05-08 14:17:23 | Report generation time      | 0 days, 7 hours, 47 minutes

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 72. Detected as malicious: 67. Missed: 5. Coverage: 93.1%.

Detected Vendors

  • Xcitium
  • 66 additional vendors (names not provided in the source summary)

Missed Vendors

  • Acronis
  • ClamAV
  • CMC
  • TACHYON
  • Zoner

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Dominant system-level operations (50.32% of behavior) suggest this malware performs deep system reconnaissance, privilege escalation, or core OS manipulation. It’s actively probing system defenses and attempting to gain administrative control.

Behavior Categories (weighted)

Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.

Category         | Weight | Percentage
System           | 27874  | 50.32%
File System      | 25283  | 45.64%
Registry         | 1325   | 2.39%
Process          | 594    | 1.07%
Network          | 174    | 0.31%
Device           | 49     | 0.09%
Threading        | 26     | 0.05%
Misc             | 26     | 0.05%
Hooking          | 11     | 0.02%
Com              | 10     | 0.02%
Synchronization  | 9      | 0.02%
Services         | 6      | 0.01%
Windows          | 5      | 0.01%
__Notification__ | 2      | 0.00%

MITRE ATT&CK Mapping

  • T1129 – link function at runtime on Windows
  • T1129 – parse PE header

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Contacted Domains

Domain           | IP            | Country       | ASN/Org
www.aieov.com    | 76.223.54.146 | United States | Amazon.com, Inc.
www.msftncsi.com | 23.219.36.101 | United States | Akamai Technologies, Inc.
                 | 2.57.91.93    |               | Hostinger International Ltd.

Observed IPs

IP              | Country       | ASN/Org
224.0.0.252     |               |
239.255.255.250 |               |
8.8.4.4         | United States | Google LLC
8.8.8.8         | United States | Google LLC

DNS Queries

Request                   | Type
www.msftncsi.com          | A
5isohu.com                | A
supportbackup.esy.es      | A
www.aieov.com             | A
supportservice.netai.net  | A
backupsupport.esy.es      | A
backupsupport.comxa.com   | A
quicks.hol.es             | A
quick.comuf.com           | A

Port Distribution

Port | Count | Protocols
137  | 1     | udp
5355 | 5     | udp
53   | 164   | udp
3702 | 1     | udp

UDP Packets

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.

What To Do Now — Practical Defense Playbook

  • Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
  • EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
  • Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
  • Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
  • Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.
