elysiumstealer

Sharing

Copy URL

Twitter E-mail

General

Target

Icarus.rar
Size

9.6MB
Sample

240228-e4q74sbb43
MD5

cf7c00d278e768d37e222b471afe6fa7
SHA1

7aa8db85b79ac4bbad2fed48280b5ee37a96bb57
SHA256

199265301b5d37b1fdf25ab4ffbd5be15ba3a305803d536885be0fbd6aca3c3e
SHA512

895cb139da711fb727d44ca168da8ae2f9357d277afed10f47cefe1b9d47225b84d6ea99fb476bb5e8e79d5acd142e27cbd1542a7c3f201122589904217d56d3
SSDEEP

196608:oPWeUedsYnK7Q7CE2Zi45lO4nftv0cuaPdvrqt8l1ra8WcnqhbWf1FD6xzPHUFT:redlK7emHtnuarlpnqhbWfD6F/U5

Score

10^/10

Malware Config

Extracted

Family

icarusstealer

Attributes

payload_url
https://blackhatsec.org/add.jpg

https://blackhatsec.org/remove.jpg

Targets

- Target
  
  Icarus/ICARUS.exe
- Size
  
  9.0MB
- MD5
  
  9cc1ab88f9d504b9b7ba86060536591f
- SHA1
  
  8ca6f1b2d9b495dbdee0d7439b1e8febbfd708a9
- SHA256
  
  5eec574e6fb9257cc3d7cceb3d1feae2b96355ccbd0c5b5357458a905e7aea75
- SHA512
  
  2a26448d267b4b5611658fee597076c899a5845d00581c27d7742b0a110d5bbdc2bfd4d62702cc1a1b12cbca631e8b5b34107320061282fc239e760a00525a89
- SSDEEP
  
  196608:yeUedsYnK7Q7CE2Zi45lO4nftv0cuaPdvrqt8l1ra8WcnqhbWf1FD6xz:gedlK7emHtnuarlpnqhbWfD6F
Score

10^/10

elysiumstealer icarusstealer persistence stealer
- ElysiumStealer
  ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
  stealer elysiumstealer
- ElysiumStealer Support DLL
- IcarusStealer
  Icarus is a modular stealer written in C# First adverts in July 2022.
  stealer icarusstealer
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  Icarus/IconExtractor.dll
- Size
  
  10KB
- MD5
  
  7bcf61e29e5cbcd1b81d9ab72cbfed93
- SHA1
  
  d082613177dd1711c18426d4f83921dd932bc7b1
- SHA256
  
  2c359ce857982f45b09af49dbccfb2ae302839acf1956e8325e7f854b339a8c9
- SHA512
  
  ce84af38dc63374d304d4e3b6c098892588df5ca5e921505c410b2a24ec0137dbc3120bc713cc0e4bf7836c57b7db224dd3264ea454cbfdb1ef78c9ffb19b6d9
- SSDEEP
  
  192:vyB0L3vIFktNlrgyLY5ZJeU5cs7hnvR952:vyeL3/gyLYPJR5RJG
Score

1^/10
behavioral3 behavioral4
- Target
  
  Icarus/PeNet.Asn1.dll
- Size
  
  25KB
- MD5
  
  87734056aba5bde565f0d8d6769db8e7
- SHA1
  
  19c09604526c5d8281363f2177b4d40d641e6335
- SHA256
  
  116fdc6d9bdfebed7ec330fb5690eba246131eb6bf05fd7d440bd47a2f7e840a
- SHA512
  
  830ed318f0cc9aa58b73887c5eada9749f93992c0574a51751d50e50a186c3a3a7af347dd61bb7f83026163696f03ab5346cdd6af9e4b76d9c3ae242efea2c4a
- SSDEEP
  
  768:Msb2f19J2EuAGGJ0GXJp8koIS4uvA6HrgLcWX/mPZM:MY29yAGGJ0GXJp8koIYvA6LgLRmPe
Score

1^/10
behavioral5 behavioral6
- Target
  
  Icarus/PeNet.dll
- Size
  
  149KB
- MD5
  
  9769536ffe8c9a321ba0a33d588f79be
- SHA1
  
  95012d6b431bbce58ca15a4d978cf2d3bc470045
- SHA256
  
  b1edded485addd233bd1d611768bec19590e7e18a111e2308e0c780143405b9d
- SHA512
  
  5fb7a57cc7b59a84cc33e4b2029903e4e78c779c48958c070602447b6eb6553f5f1e0ada4cf958df977df1309c4dc1f5a4baac5bcff79803a8de132a7248672a
- SSDEEP
  
  3072:1M9D2vLbACkvDxtrU23F9o4F444OZZcGyqujRwrHgO76zV+AcRWRs:1M9DYLcHU23FpyCgOcn
Score

1^/10
behavioral7 behavioral8
- Target
  
  Icarus/dnlib.dll
- Size
  
  1.1MB
- MD5
  
  508ccde8bc7003696f32af7054ca3d97
- SHA1
  
  1f6a0303c5ae5dc95853ec92fd8b979683c3f356
- SHA256
  
  4758c7c39522e17bf93b3993ada4a1f7dd42bb63331bac0dcd729885e1ba062a
- SHA512
  
  92a59a2e1f6bf0ce512d21cf4148fe027b3a98ed6da46925169a4d0d9835a7a4b1374ba0be84e576d9a8d4e45cb9c2336e1f5bd1ea53e39f0d8553db264e746d
- SSDEEP
  
  24576:WHjoaczZfdE55hHl0WQ/OO4yb99MANKtv7f2dcME:tm/BQWgww
Score

1^/10
behavioral10 behavioral9
- Target
  
  Icarus/newtonsoft.json.dll
- Size
  
  685KB
- MD5
  
  081d9558bbb7adce142da153b2d5577a
- SHA1
  
  7d0ad03fbda1c24f883116b940717e596073ae96
- SHA256
  
  b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3
- SHA512
  
  2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511
- SSDEEP
  
  12288:U9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3Q5:U8m657w6ZBLmkitKqBCjC0PDgM5A5
Score

1^/10
behavioral11 behavioral12

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

ElysiumStealer Support DLL

IcarusStealer

Modifies Installed Components in the registry

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12