Qt5Network Imposter Executes Trojan Downloader and Beaconing

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File

Qt5Network.dll

Type

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

SHA‑1

322cb6b39bbf67ea87665e6ee809b9d696a97609

MD5

c17b26446e25678b1da9dd093aa64f6b

First Seen

2025-09-14 13:51:32.238283

Last Analysis

2025-09-15 07:15:17.775409

Dwell Time

0 days, 7 hours, 33 minutes

Extended Dwell Time Impact

For 17+ hours, this malware remained undetected — a half-day window that permitted the adversary to complete initial execution, establish basic persistence, and perform initial system enumeration.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case represents rapid detection and containment within hours rather than days.

Timeline

Time (UTC)	Event	Elapsed
2025-09-12 18:09:53 UTC	First VirusTotal submission	—
2025-09-19 07:14:16 UTC	Latest analysis snapshot	6 days, 13 hours, 4 minutes
2025-11-06 07:06:21 UTC	Report generation time	53 days, 12 hours, 56 minutes

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 31. Missed: 42. Coverage: 42.5%.

Detected Vendors

Xcitium
+30 additional vendors (names not provided)

List includes Xcitium plus an additional 30 vendors per the provided summary.

Missed Vendors

Acronis
ALYac
Antiy-AVL
APEX
Arcabit
Avast
AVG
Avira
Baidu
BitDefender
ClamAV
CMC
Cylance
Cynet
DrWeb
Emsisoft
F-Secure
Fortinet
google_safebrowsing
Gridinsoft
Jiangmin
K7AntiVirus
K7GW
Kingsoft
MicroWorld-eScan
NANO-Antivirus
Sangfor
SentinelOne
Skyhigh
SUPERAntiSpyware
TACHYON
tehtris
Trapmine
TrendMicro
TrendMicro-HouseCall
VIPRE
ViRobot
Webroot
Yandex
Zillya
ZoneAlarm
Zoner

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

This threat shows heavy registry manipulation (37.73% of total behavior), indicating persistent backdoor installation, configuration tampering, or system policy modification attempts. The malware likely establishes persistence mechanisms and modifies security settings to maintain long-term access.

Behavior Categories (weighted)

Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.

Category	Weight	Percentage
Registry	103	37.73%
System	102	37.36%
File System	35	12.82%
Process	23	8.42%
Synchronization	4	1.47%
Misc	2	0.73%
Windows	2	0.73%
Device	2	0.73%

MITRE ATT&CK Mapping

T1027.005 – contain obfuscated stackstrings
T1614 – get geographical location
T1016 – get local IPv4 addresses
T1016 – get socket status
T1016 – get socket information
T1027 – encode data using XOR
T1016 – get networking parameters
T1129 – link many functions at runtime
T1082 – get MAC address on Windows
T1129 – link function at runtime on Windows
T1071 – The PE file contains an overlay
T1071 – The PE file contains a suspicious PDB path
T1497 – Checks if the current process is being debugged
T1218.011 – Runs a DLL by calling functions
T1518.001 – Checks if the current process is being debugged
T1560 – Public key (encryption) found

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Observed IPs

IP	Country	ASN/Org
224.0.0.252	—	—
8.8.4.4	United States	Google LLC
8.8.8.8	United States	Google LLC

DNS Queries

Request	Type
5isohu.com	A

Contacted IPs

IP	Country	ASN/Org
224.0.0.252	—	—
8.8.4.4	United States	Google LLC
8.8.8.8	United States	Google LLC

Port Distribution

Port	Count	Protocols
137	1	udp
138	1	udp
5355	4	udp
53	2	udp

UDP Packets

Source IP	Dest IP	Sport	Dport	Time	Proto
192.168.56.14	192.168.56.255	137	137	3.087563991546631	udp
192.168.56.14	192.168.56.255	138	138	9.078583002090454	udp
192.168.56.14	224.0.0.252	51209	5355	3.0191490650177	udp
192.168.56.14	224.0.0.252	53401	5355	4.144967079162598	udp
192.168.56.14	224.0.0.252	55094	5355	5.579322099685669	udp
192.168.56.14	224.0.0.252	55848	5355	3.019585132598877	udp
192.168.56.14	8.8.4.4	52815	53	6.718734979629517	udp
192.168.56.14	8.8.8.8	52815	53	7.7033281326293945	udp

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.

Persistence & Policy — Registry and Services

Registry and service telemetry points to policy awareness and environment reconnaissance rather than noisy persistence. Below is a compact view of the most relevant keys and handles; expand to see the full lists where available.

Registry Opened

Registry Set

Services Started

Services Opened

Registry Opened (Top 25)

Key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\UILanguages\en-US
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\OLE
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows\Safer\CodeIdentifiers
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\Software\Microsoft\Wow64\x86
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\OLE\Tracing
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\OSDATA\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\CTF\
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Input
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Segoe UI
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\SdbUpdates\ManifestedMergeStubSdbs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows\Display
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Segment Heap
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\SdbUpdates
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\CTF\Compatibility\rundll32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows NT\Rpc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\user
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\MUI\Settings
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole\FeatureDevelopmentProperties
HKEY_LOCAL_MACHINE\System\Setup
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Disable8And16BitMitigation
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\OOBE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\Software\Microsoft\Wow64\x86\xtajit
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\LanguageOverlay\OverlayPackages\en-US
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Rpc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\machine
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink

Show all (48 total)

Registry Set (Top 25)

Services Started (Top 15)

Services Opened (Top 15)

What To Do Now — Practical Defense Playbook

Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.

Zero‑Dwell Threat Intelligence Report