Trojanized Qilin Loader With Packed Win32 Console Payload and Qilin-Class Ransom Traits

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File

r191ffa.exe

Type

Win64 Executable (generic)

SHA‑1

b14850a1d30ed06f475392ddce023986e5d964a5

MD5

170e211a2d101ebc98d6ada523793592

First Seen

2025-11-14 19:53:16.954313

Last Analysis

2025-11-15 20:48:20.164851

Dwell Time

0 days, 7 hours, 33 minutes

Extended Dwell Time Impact

For 1+ days, this malware remained undetected — a brief but concerning window that permitted the adversary to establish initial foothold, perform basic system enumeration, and potentially access immediate system resources.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case is significantly below that median, suggesting relatively quick detection.

Timeline

Time (UTC)	Event	Elapsed
2025-11-06 17:21:12 UTC	First VirusTotal submission	—
2025-11-19 12:49:27 UTC	Latest analysis snapshot	12 days, 19 hours, 28 minutes
2025-11-20 08:38:50 UTC	Report generation time	13 days, 15 hours, 17 minutes

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 71. Detected as malicious: 50. Missed: 21. Coverage: 70.4%.

Detected Vendors

Xcitium
+49 additional vendors (names not provided)

List includes Xcitium plus an additional 49 vendors per the provided summary.

Missed Vendors

Acronis
Antiy-AVL
Baidu
ClamAV
CMC
DrWeb
Fortinet
Gridinsoft
huorong
Jiangmin
NANO-Antivirus
SUPERAntiSpyware
TACHYON
tehtris
VirIT
ViRobot
Webroot
Yandex
Zillya
ZoneAlarm
Zoner

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Dominant system-level operations (92.58% of behavior) suggest this malware performs deep system reconnaissance, privilege escalation, or core OS manipulation. It’s actively probing system defenses and attempting to gain administrative control.

Behavior Categories (weighted)

Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.

Category	Weight	Percentage
System	424	92.58%
Process	19	4.15%
Device	6	1.31%
File System	4	0.87%
Hooking	2	0.44%
Registry	2	0.44%
Misc	1	0.22%

MITRE ATT&CK Mapping

T1083 – get file size
T1082 – query environment variable
T1129 – link function at runtime on Windows
T1027.005 – contain obfuscated stackstrings
T1083 – enumerate files on Windows
T1129 – parse PE header

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Contacted Domains

Domain	IP	Country	ASN/Org
www.msftncsi.com	23.200.3.33	United States	Akamai Technologies, Inc.

Observed IPs

IP	Country	ASN/Org
224.0.0.252	—	—
239.255.255.250	—	—
8.8.4.4	United States	Google LLC
8.8.8.8	United States	Google LLC

DNS Queries

Request	Type
www.msftncsi.com	A
5isohu.com	A

Contacted IPs

IP	Country	ASN/Org
224.0.0.252	—	—
239.255.255.250	—	—
8.8.4.4	United States	Google LLC
8.8.8.8	United States	Google LLC

Port Distribution

Port	Count	Protocols
137	1	udp
5355	5	udp
53	4	udp
3702	1	udp

UDP Packets

Source IP	Dest IP	Sport	Dport	Time	Proto
192.168.56.11	192.168.56.255	137	137	3.2579410076141357	udp
192.168.56.11	224.0.0.252	49563	5355	3.2084338665008545	udp
192.168.56.11	224.0.0.252	54650	5355	3.2092580795288086	udp
192.168.56.11	224.0.0.252	55601	5355	4.970875024795532	udp
192.168.56.11	224.0.0.252	60205	5355	3.258575916290283	udp
192.168.56.11	224.0.0.252	62798	5355	5.766730070114136	udp
192.168.56.11	239.255.255.250	62184	3702	3.224766969680786	udp
192.168.56.11	8.8.4.4	51690	53	7.803706884384155	udp
192.168.56.11	8.8.4.4	51899	53	5.842586040496826	udp
192.168.56.11	8.8.8.8	51690	53	8.803874969482422	udp
192.168.56.11	8.8.8.8	51899	53	6.834810018539429	udp

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.

Persistence & Policy — Registry and Services

Registry and service telemetry points to policy awareness and environment reconnaissance rather than noisy persistence. Below is a compact view of the most relevant keys and handles; expand to see the full lists where available.

Registry Opened

Registry Set

Services Started

Services Opened

Registry Opened (Top 25)

Key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Volatile-KeyRoam-EXCLUSIVE

Show all (1 total)

Registry Set (Top 25)

Services Started (Top 15)

Services Opened (Top 15)

What To Do Now — Practical Defense Playbook

Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.

Zero‑Dwell Threat Intelligence Report