icarusstealer | ade93fc6c27fa1b57d864ebbcea4cec99bfb8556115496051bc8a10b0efde04d | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

3

svchost.exe

windows10-2004-x64

Sharing

General

Target

svchost.exe
Size

494KB
Sample

240309-swressbg6z
MD5

65c2533608f1aad7e7780b1b705f6717
SHA1

688bd80975cede811e57d3b1d197eae97ebc4bde
SHA256

ade93fc6c27fa1b57d864ebbcea4cec99bfb8556115496051bc8a10b0efde04d
SHA512

77c409d60f60eb55062175c16b955fe5b71e7eb4f438c781f60dc010f8b88cdd21d068c0295e937bd478ecc2c94179e30479565f6a87f092d16dadcbbdbc785b
SSDEEP

12288:ZoXzSuLut6N6LqQzJqkKAulc84bYBbuB1t4cWWzDKuVAccIpGNJ+QK:+uZ6N6LqQzJqkt

Score

10^/10

icarusstealer persistence stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

svchost.exe

Resource

win10v2004-20240226-en

icarusstealer persistence stealer

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

icarusstealer

Attributes

payload_url
https://blackhatsec.org/add.jpg

https://blackhatsec.org/remove.jpg

Targets

- Target
  
  svchost.exe
- Size
  
  494KB
- MD5
  
  65c2533608f1aad7e7780b1b705f6717
- SHA1
  
  688bd80975cede811e57d3b1d197eae97ebc4bde
- SHA256
  
  ade93fc6c27fa1b57d864ebbcea4cec99bfb8556115496051bc8a10b0efde04d
- SHA512
  
  77c409d60f60eb55062175c16b955fe5b71e7eb4f438c781f60dc010f8b88cdd21d068c0295e937bd478ecc2c94179e30479565f6a87f092d16dadcbbdbc785b
- SSDEEP
  
  12288:ZoXzSuLut6N6LqQzJqkKAulc84bYBbuB1t4cWWzDKuVAccIpGNJ+QK:+uZ6N6LqQzJqkt
Score

10^/10

icarusstealer persistence stealer
- IcarusStealer
  Icarus is a modular stealer written in C# First adverts in July 2022.
  stealer icarusstealer
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

icarusstealerpersistencestealer

© 2018-2025

Terms | Privacy