icarusstealer | a01977e758a85dc01fb8ca7da9110adfe5bf9b9bec0af1db82741fe83d20408d | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

3

switched_1.exe

windows10-1703-x64

switched_1.exe

windows10-2004-x64

switched_1.exe

windows11-21h2-x64

Sharing

General

Target

switched_1.exe
Size

3.7MB
Sample

240308-b5tsvach4w
MD5

b9bbe31d276de5c3d05352d070ae4244
SHA1

5e1bb67b01c579b4e0ad5a7475ceb657201c27ec
SHA256

a01977e758a85dc01fb8ca7da9110adfe5bf9b9bec0af1db82741fe83d20408d
SHA512

0a3459690bfdf8d238cb6f27c650903659c12aa589bcba037a45c68287342f53ca5c1e1b307a0abd8d481f79e3df6bd994cce6a79258343627aa7b3209b0ed17
SSDEEP

49152:tYDJ4w53qs7fg442ZvkOlVdP8iFoh/dYINv7sq8:e4u3cV/gHP8X1hNv7

Score

10^/10

icarusstealer persistence stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

switched_1.exe

Resource

win10-20240221-en

icarusstealer persistence stealer

windows10-1703-x64

20 signatures

300 seconds

Behavioral task

behavioral2

Sample

switched_1.exe

Resource

win10v2004-20240226-en

icarusstealer persistence stealer

windows10-2004-x64

22 signatures

300 seconds

Behavioral task

behavioral3

Sample

switched_1.exe

Resource

win11-20240221-en

icarusstealer persistence stealer

windows11-21h2-x64

20 signatures

300 seconds

Malware Config

Extracted

Family

icarusstealer

Attributes

payload_url
https://blackhatsec.org/add.jpg

https://blackhatsec.org/remove.jpg

Targets

- Target
  
  switched_1.exe
- Size
  
  3.7MB
- MD5
  
  b9bbe31d276de5c3d05352d070ae4244
- SHA1
  
  5e1bb67b01c579b4e0ad5a7475ceb657201c27ec
- SHA256
  
  a01977e758a85dc01fb8ca7da9110adfe5bf9b9bec0af1db82741fe83d20408d
- SHA512
  
  0a3459690bfdf8d238cb6f27c650903659c12aa589bcba037a45c68287342f53ca5c1e1b307a0abd8d481f79e3df6bd994cce6a79258343627aa7b3209b0ed17
- SSDEEP
  
  49152:tYDJ4w53qs7fg442ZvkOlVdP8iFoh/dYINv7sq8:e4u3cV/gHP8X1hNv7
Score

10^/10

icarusstealer persistence stealer
- IcarusStealer
  Icarus is a modular stealer written in C# First adverts in July 2022.
  stealer icarusstealer
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

icarusstealerpersistencestealer

behavioral2

icarusstealerpersistencestealer

behavioral3

icarusstealerpersistencestealer

© 2018-2025

Terms | Privacy