Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    svchost.exe

  • Size

    494KB

  • Sample

    240309-swressbg6z

  • MD5

    65c2533608f1aad7e7780b1b705f6717

  • SHA1

    688bd80975cede811e57d3b1d197eae97ebc4bde

  • SHA256

    ade93fc6c27fa1b57d864ebbcea4cec99bfb8556115496051bc8a10b0efde04d

  • SHA512

    77c409d60f60eb55062175c16b955fe5b71e7eb4f438c781f60dc010f8b88cdd21d068c0295e937bd478ecc2c94179e30479565f6a87f092d16dadcbbdbc785b

  • SSDEEP

    12288:ZoXzSuLut6N6LqQzJqkKAulc84bYBbuB1t4cWWzDKuVAccIpGNJ+QK:+uZ6N6LqQzJqkt

Malware Config

Extracted

Family

icarusstealer

Attributes
  • payload_url

    https://blackhatsec.org/add.jpg

    https://blackhatsec.org/remove.jpg

Targets

    • Target

      svchost.exe

    • Size

      494KB

    • MD5

      65c2533608f1aad7e7780b1b705f6717

    • SHA1

      688bd80975cede811e57d3b1d197eae97ebc4bde

    • SHA256

      ade93fc6c27fa1b57d864ebbcea4cec99bfb8556115496051bc8a10b0efde04d

    • SHA512

      77c409d60f60eb55062175c16b955fe5b71e7eb4f438c781f60dc010f8b88cdd21d068c0295e937bd478ecc2c94179e30479565f6a87f092d16dadcbbdbc785b

    • SSDEEP

      12288:ZoXzSuLut6N6LqQzJqkKAulc84bYBbuB1t4cWWzDKuVAccIpGNJ+QK:+uZ6N6LqQzJqkt

    • IcarusStealer

      Icarus is a modular stealer written in C#. It was first advertised in July 2022.

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

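The "Suspicious use of SetThreadContext" signature above only records that the API was called; on its own the call is also made by legitimate debuggers. What makes it worth flagging is the surrounding chain typical of process hollowing: a child started with CREATE_SUSPENDED, memory written into it, SetThreadContext on its primary thread, then ResumeThread. The following is an added example written for this report, not Triage's detection logic and not code recovered from the sample. It runs over a constructed, simplified API trace (one call per line; the field names and layout are assumptions, not a real sandbox schema) and reports only child processes that complete the whole chain, so a bare SetThreadContext on an un-suspended process is not flagged.

```python
"""Flag the process-hollowing call chain behind a SetThreadContext hit.

Added example, not Triage's own detector. Trace format is an assumption:
  <caller_pid> <api> key=value ...
"""
import re
from dataclasses import dataclass

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit for CreateProcess*

# Constructed sample trace (not from the sandbox report). The first process
# follows the hollowing chain; the second is a bare SetThreadContext on a
# normally started process and must not be flagged.
SAMPLE_TRACE = """\
1234 CreateProcessW image=C:\\Windows\\System32\\svchost.exe flags=0x4 pid=2000 tid=2001
1234 NtUnmapViewOfSection pid=2000
1234 VirtualAllocEx pid=2000 size=0x7b000 protect=0x40
1234 WriteProcessMemory pid=2000 size=0x7b000
1234 SetThreadContext tid=2001
1234 ResumeThread tid=2001
5555 CreateProcessW image=C:\\Windows\\System32\\notepad.exe flags=0x0 pid=6000 tid=6001
5555 SetThreadContext tid=6001
"""

LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<api>\w+)\s*(?P<kv>.*)$")


def parse_line(line):
    """Return (caller_pid, api, {key: value}) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kv = dict(p.split("=", 1) for p in m.group("kv").split() if "=" in p)
    return int(m.group("pid")), m.group("api"), kv


@dataclass
class Child:
    caller: int
    image: str
    tid: int
    suspended: bool
    wrote_memory: bool = False
    set_context: bool = False
    resumed: bool = False

    def hollowed(self):
        # All four stages must be present; any one alone is ambiguous.
        return self.suspended and self.wrote_memory and self.set_context and self.resumed


def find_hollowing(trace):
    """Return [(child_pid, image)] for children that complete the full chain."""
    children = {}  # target pid -> Child
    by_tid = {}    # target primary tid -> target pid
    for line in trace.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        caller, api, kv = parsed
        if api in ("CreateProcessW", "CreateProcessA"):
            pid, tid = int(kv["pid"]), int(kv["tid"])
            flags = int(kv.get("flags", "0"), 16)
            children[pid] = Child(caller, kv.get("image", "?"), tid,
                                  bool(flags & CREATE_SUSPENDED))
            by_tid[tid] = pid
        elif api == "WriteProcessMemory" and int(kv.get("pid", -1)) in children:
            children[int(kv["pid"])].wrote_memory = True
        elif api == "SetThreadContext" and int(kv.get("tid", -1)) in by_tid:
            children[by_tid[int(kv["tid"])]].set_context = True
        elif api == "ResumeThread" and int(kv.get("tid", -1)) in by_tid:
            children[by_tid[int(kv["tid"])]].resumed = True
    return [(pid, c.image) for pid, c in children.items() if c.hollowed()]


if __name__ == "__main__":
    for pid, image in find_hollowing(SAMPLE_TRACE):
        print(f"possible process hollowing: pid={pid} image={image}")
```

Requiring the whole chain is what keeps the false-positive rate down: a debugger or a sandbox's own instrumentation calls SetThreadContext without first creating a suspended child and writing a payload into it. In a real hunt the same logic would be keyed on the ETW or EDR event IDs for those calls rather than on a text trace.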
MITRE ATT&CK Enterprise v15

Tasks