General

  • Target

    testiescals.exe

  • Size

    3.9MB

  • Sample

    240309-d5m2eacc73

  • MD5

    9b85b99c34bdf0099216fefe404321be

  • SHA1

    77af318afcbec23723b850478fecf8abe278a39a

  • SHA256

    b35787b524c38dc8470f490e07785e3d79529f30ea703e3eb998b95b53747f0b

  • SHA512

    2d3b351cc96c3cbcff25d9683fa2fe1ad324d77d4ef7949362d5c04ab298f30b83ec1ffa03c5afb142bf419680f351fd881b90d0e00757be3ae5816bcae2d223

  • SSDEEP

    49152:g61aa2cRAHlIYiCZFj+F81TdLJDdZoD+VYvsFtvRxZsUBW9Hn14Y6Qhgj3sxxURq:aVcqCYZW81TjNHM9s7j3sxxBuuD

Malware Config

Extracted

Family

icarusstealer

Attributes

  • payload_url

    https://blackhatsec.org/add.jpg

    https://blackhatsec.org/remove.jpg

Targets

    • Target

      testiescals.exe

    • IcarusStealer

      Icarus is a modular stealer written in C#, first advertised in July 2022.

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofencing check.

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
