Trojan.Win64.CoinMiner Variant Built with Visual Studio 2019 LTCG/C++


Zero‑Dwell Threat Intelligence Report

A narrative, executive‑ready view into the malware’s behavior, exposure, and reliable defenses.
Generated: 2025-11-11 23:38:12 UTC

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File:           77j230en4.exe
Type:           PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
SHA-1:          de25e1d73c30379e35ba2aa52736c530cb0101f5
MD5:            ea618088c379aeb51413de7b1b18a700
First Seen:     2025-10-05 13:25:30.437146
Last Analysis:  2025-10-06 12:55:24.203082
Dwell Time:     0 days, 7 hours, 33 minutes

Extended Dwell Time Impact

For 23+ hours, this malware remained undetected — a half-day window that permitted the adversary to complete initial execution, establish basic persistence, and perform initial system enumeration.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case represents rapid detection and containment within hours rather than days.

Timeline

Time (UTC)               Event                        Elapsed
2025-09-21 16:05:28 UTC  First VirusTotal submission
2025-10-08 14:13:16 UTC  Latest analysis snapshot     16 days, 22 hours, 7 minutes
2025-11-11 23:38:12 UTC  Report generation time       44 days, 15 hours, 9 minutes

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 65. Missed: 8. Coverage: 89.0%.

Detected Vendors

  • Xcitium
  • +64 additional vendors (names not provided)

Missed Vendors

  • Baidu
  • CMC
  • google_safebrowsing
  • SUPERAntiSpyware
  • TACHYON
  • ViRobot
  • Yandex
  • Zoner

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Dominant system-level operations (67.18% of behavior) suggest this malware performs deep system reconnaissance, privilege escalation, or core OS manipulation. It’s actively probing system defenses and attempting to gain administrative control.

Behavior Categories (weighted)

Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.

Category         Weight  Percentage
System            18818      67.18%
File System        3709      13.24%
Registry           2851      10.18%
Process            1715       6.12%
Synchronization     259       0.92%
Hooking             253       0.90%
Network             144       0.51%
Crypto               95       0.34%
Misc                 87       0.31%
Device               29       0.10%
Threading            26       0.09%
Com                  22       0.08%
Services              2       0.01%
Windows               1       0.00%

MITRE ATT&CK Mapping

  • T1496 – reference cryptocurrency strings
  • T1027 – reference Base64 string
  • T1497.001 – reference anti-VM strings targeting VirtualBox
  • T1027 – encrypt data using AES via x86 extensions
  • T1497.001 – reference anti-VM strings targeting Qemu
  • T1027.002 – packed with UPX

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing. Note that the packet capture in this report records only UDP traffic: NetBIOS name service (port 137), LLMNR multicast (port 5355 to 224.0.0.252), and DNS lookups to 8.8.8.8 and 8.8.4.4 (port 53). No TLS or HTTP session appears in the captured data, so the TLS/HTTP characterization should be confirmed against a fuller capture before it is turned into detection logic.

Contacted Domains

Domain          IP              Country         ASN/Org
www.aieov.com   13.248.169.48   United States   Amazon Technologies Inc.

Observed IPs

IP              Country         ASN/Org
224.0.0.252     (link-local multicast address used by LLMNR; no country or ASN)
8.8.4.4         United States   Google LLC
8.8.8.8         United States   Google LLC
3.120.98.217    Germany         Amazon Technologies Inc.

DNS Queries

Request         Type
5isohu.com      A
www.aieov.com   A

Port Distribution

Port   Count   Protocol
137    1       udp
5355   4       udp
53     48      udp

UDP Packets

Source IP      Dest IP         Src port  Dst port  Time                 Proto
192.168.56.14  192.168.56.255  137       137       7.686327934265137    udp
192.168.56.14  224.0.0.252     51209     5355      7.618434906005859    udp
192.168.56.14  224.0.0.252     53401     5355      10.17241096496582    udp
192.168.56.14  224.0.0.252     55094     5355      10.68825888633728    udp
192.168.56.14  224.0.0.252     55848     5355      7.618669033050537    udp
192.168.56.14  8.8.4.4         49916     53        109.99880790710449   udp
192.168.56.14  8.8.4.4         50180     53        167.12338995933533   udp
192.168.56.14  8.8.4.4         50710     53        72.96692204475403    udp
192.168.56.14  8.8.4.4         50870     53        418.248486995697     udp
192.168.56.14  8.8.4.4         50914     53        329.23258090019226   udp
192.168.56.14  8.8.4.4         51262     53        403.88920497894287   udp
192.168.56.14  8.8.4.4         52815     53        13.264334917068481   udp
192.168.56.14  8.8.4.4         53449     53        457.32647609710693   udp
192.168.56.14  8.8.4.4         54579     53        58.21706199645996    udp
192.168.56.14  8.8.4.4         54683     53        267.35799503326416   udp
192.168.56.14  8.8.4.4         55827     53        351.5139191150665    udp
192.168.56.14  8.8.4.4         55914     53        143.45153999328613   udp
192.168.56.14  8.8.4.4         56399     53        245.1705620288849    udp
192.168.56.14  8.8.4.4         57742     53        471.702064037323     udp
192.168.56.14  8.8.4.4         59068     53        440.0767979621887    udp
192.168.56.14  8.8.4.4         60117     53        88.01404905319214    udp
192.168.56.14  8.8.4.4         60713     53        369.54557704925537   udp
192.168.56.14  8.8.4.4         62022     53        224.87359499931335   udp
192.168.56.14  8.8.4.4         62112     53        43.233306884765625   udp
192.168.56.14  8.8.4.4         62548     53        302.9047200679779    udp
192.168.56.14  8.8.4.4         62800     53        389.5298480987549    udp
192.168.56.14  8.8.4.4         63205     53        284.8115439414978    udp
192.168.56.14  8.8.4.4         64753     53        128.82681703567505   udp
192.168.56.14  8.8.4.4         65148     53        28.779510974884033   udp
192.168.56.14  8.8.8.8         49916     53        109.00939106941223   udp
192.168.56.14  8.8.8.8         50180     53        166.1347999572754    udp
192.168.56.14  8.8.8.8         50710     53        71.97311305999756    udp
192.168.56.14  8.8.8.8         50870     53        417.24911093711853   udp
192.168.56.14  8.8.8.8         50914     53        328.24230098724365   udp
192.168.56.14  8.8.8.8         51262     53        402.8969268798828    udp
192.168.56.14  8.8.8.8         52815     53        14.26406192779541    udp
192.168.56.14  8.8.8.8         53449     53        456.3379969596863    udp
192.168.56.14  8.8.8.8         54579     53        57.23144793510437    udp
192.168.56.14  8.8.8.8         54683     53        266.3618071079254    udp
192.168.56.14  8.8.8.8         55827     53        350.5152840614319    udp
192.168.56.14  8.8.8.8         55914     53        142.45192408561707   udp
192.168.56.14  8.8.8.8         56399     53        244.17673301696777   udp
192.168.56.14  8.8.8.8         57742     53        470.7055289745331    udp
192.168.56.14  8.8.8.8         59068     53        439.08382391929626   udp
192.168.56.14  8.8.8.8         60117     53        87.02630996704102    udp
192.168.56.14  8.8.8.8         60713     53        368.55089497566223   udp
192.168.56.14  8.8.8.8         62022     53        223.87913298606873   udp
192.168.56.14  8.8.8.8         62112     53        42.23477101325989    udp
192.168.56.14  8.8.8.8         62548     53        301.90575909614563   udp
192.168.56.14  8.8.8.8         62800     53        388.54029989242554   udp
192.168.56.14  8.8.8.8         63205     53        283.82241106033325   udp
192.168.56.14  8.8.8.8         64753     53        127.83551907539368   udp
192.168.56.14  8.8.8.8         65148     53        27.780388116836548   udp

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.

What To Do Now — Practical Defense Playbook

  • Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
  • EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
  • Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
  • Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
  • Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.
