General

  • Target

    78c31a1a4649c4fb7267fcadc7ab04612e2620f62a8c8b1b3064f9661d49ce96

  • Size

    2.5MB

  • Sample

    230211-bw6faaaa7z

  • MD5

    f3c821a1fbb4bcf479eeb1caac946127

  • SHA1

    e0f7d21c82a9b497df1cdab3313fb48b4f8d6cec

  • SHA256

    78c31a1a4649c4fb7267fcadc7ab04612e2620f62a8c8b1b3064f9661d49ce96

  • SHA512

    43f7fb7b8c81c968b789a6622ee1c7a84ee3425dca104be70408848464cdc329f5e94f5a3c4a7df21c59f168f50d656c8e0d59a95d62e84c5d7bb1d8a2c97b6a

  • SSDEEP

    24576:SE7fM8hdrNcPt9fSQyE32Ij6ztDUbuJ2SIB8fjPs+7px3st259FJb1neATEQyJGJ:SE3kPqQ7NgCSpNV18S/VeoEPQ6AJL

Malware Config

Extracted

Family

icarusstealer

Attributes
  • payload_url

    https://raw.githubusercontent.com/HiddenEyeZ/tg/main/rt.jpg

Targets

    • Detect PureCrypter injector

    • IcarusStealer

      Icarus is a modular stealer written in C#. It was first advertised in July 2022.

    • Modifies WinLogon for persistence

    • PureCrypter

      PureCrypter is a .NET malware loader first seen in early 2021.

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6