Qilin Disguised as Decryptor Shows Enterprise Enumeration and Hardened Payload Behavior


Zero‑Dwell Threat Intelligence Report

A narrative, executive‑ready view into the malware’s behavior, exposure, and reliable defenses.
Generated: 2025-11-20 08:37:34 UTC

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File
gh95meye1.exe
Type
Win32 Executable MS Visual C++ (generic)
SHA‑1
a95123e4c13f6b369fd01c913d7fc0e9d1b6bfdf
MD5
6431c8512b3221ec180478cb260da419
First Seen
2025-11-14 19:52:04.174148
Last Analysis
2025-11-15 20:48:19.279898
Dwell Time
0 days, 7 hours, 33 minutes

Extended Dwell Time Impact

For 1+ days, this malware remained undetected — a brief but concerning window that permitted the adversary to establish an initial foothold, perform basic system enumeration, and potentially access immediate system resources.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case is significantly below that median, suggesting relatively quick detection.

Timeline

Time (UTC) Event Elapsed
2025-10-08 15:07:42 UTC First VirusTotal submission
2025-11-19 12:48:05 UTC Latest analysis snapshot 41 days, 21 hours, 40 minutes
2025-11-20 08:37:34 UTC Report generation time 42 days, 17 hours, 29 minutes

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 56. Missed: 17. Coverage: 76.7%.

Detected Vendors

  • Xcitium
  • +55 additional vendors (names not provided)

List includes Xcitium plus an additional 55 vendors per the provided summary.

Missed Vendors

  • Acronis
  • Alibaba
  • Antiy-AVL
  • Baidu
  • ClamAV
  • CMC
  • Gridinsoft
  • Jiangmin
  • SentinelOne
  • SUPERAntiSpyware
  • TACHYON
  • tehtris
  • Trapmine
  • VBA32
  • VirIT
  • Yandex
  • Zoner

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Intensive file system activity (49.99% of behavior) indicates data harvesting, file encryption, or dropper behavior. The threat is actively searching for and manipulating files across the system.

Behavior Categories (weighted)

Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.

Category Weight Percentage
File System 347688 49.99%
System 347661 49.99%
Device 66 0.01%
Misc 27 0.00%
Process 25 0.00%
Threading 22 0.00%
Registry 5 0.00%
Hooking 2 0.00%

MITRE ATT&CK Mapping

  • T1129 – link many functions at runtime
  • T1129 – parse PE header
  • T1059 – accept command line arguments
  • T1083 – check if file exists
  • T1497.001 – reference anti-VM strings
  • T1135 – enumerate network shares
  • T1027 – encode data using Base64
  • T1543.003 – stop service
  • T1489 – stop service
  • T1007 – query service status
  • T1222 – set file attributes
  • T1543.003 – modify service
  • T1569.002 – modify service
  • T1082 – enumerate disk volumes
  • T1033 – get session user name
  • T1087 – get session user name
  • T1083 – get common file path
  • T1027.005 – contain obfuscated stackstrings
  • T1007 – enumerate services
  • T1027 – encrypt data using RC4 PRGA
  • T1027 – encode data using XOR
  • T1057 – enumerate process modules
  • T1082 – query environment variable
  • T1027 – encrypt data using Salsa20 or ChaCha
  • T1082 – get disk information
  • T1082 – get system information on Windows
  • T1129 – link function at runtime on Windows
  • T1027 – encrypt data using AES via x86 extensions
  • T1027 – encrypt data using speck
  • T1036 – A file was accessed within the Public folder.
  • T1055 – Contains .tls (Thread Local Storage) section
  • T1548 – A file was accessed within the Public folder.
  • T1071 – Binary file triggered YARA rule
  • T1106 – Guard pages use detected – possible anti-debugging.
  • T1096 – NTFS File Attributes
  • T1497 – Queries disk information (often used to detect virtual machines)
  • T1562.001 – Creates guard pages, often used to prevent reverse engineering and debugging
  • T1518.001 – Queries disk information (often used to detect virtual machines)
  • T1082 – Queries disk information (often used to detect virtual machines)
  • T1082 – Queries the volume information (name, serial number etc) of a device
  • T1090 – Found Tor onion address

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Contacted Domains

Domain IP Country ASN/Org
www.aieov.com 13.248.169.48 United States Amazon Technologies Inc.

Observed IPs

IP Country ASN/Org
224.0.0.252
8.8.4.4 United States Google LLC
8.8.8.8 United States Google LLC

DNS Queries

Request Type
5isohu.com A
www.aieov.com A

Port Distribution

Port Count Protocols
137 1 udp
5355 4 udp
53 27 udp

UDP Packets


Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.

Persistence & Policy — Registry and Services

Registry and service telemetry points to policy awareness and environment reconnaissance rather than noisy persistence. Below is a compact view of the most relevant keys and handles.

Registry Opened

35

Registry Set

0

Services Started

0

Services Opened

0

Registry Opened (all 35)

Key
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\System\Setup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\LanmanWorkstation\Parameters\RpcCacheTimeout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\msasn1
HKEY_LOCAL_MACHINE\SYSTEM\Setup\PnpSetupInProgress
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Rpc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Segment Heap
HKEY_LOCAL_MACHINE\Software\Microsoft\Wow64\x86
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\OLE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\UILanguages\en-US
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows\Safer\CodeIdentifiers
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole\FeatureDevelopmentProperties
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\SdbUpdates
HKEY_LOCAL_MACHINE\OSDATA\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\SdbUpdates\ManifestedMergeStubSdbs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows\Display
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\machine
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\user
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\decryptor.exe
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\MUI\Settings
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\OLE\Tracing
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Disable8And16BitMitigation
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows NT\Rpc
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\RestartManager
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\msasn1
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\CustomLocale

What To Do Now — Practical Defense Playbook

  • Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
  • EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
  • Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
  • Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
  • Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.