icarusstealer | 1a18bb8dd805fba37b7afa53ece89b4ceab58f7c75b462d1de9c2ddcea056c67 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

3

savedblack.exe

windows10-1703-x64

savedblack.exe

windows10-2004-x64

savedblack.exe

windows11-21h2-x64

Sharing

General

Target

savedblack.exe
Size

494KB
Sample

240703-cygelsxbnp
MD5

2089eac1493e5034f266fb8a5a3a2d91
SHA1

35e5341c15062df6c7d4fcfad0ce7ff4cb606629
SHA256

1a18bb8dd805fba37b7afa53ece89b4ceab58f7c75b462d1de9c2ddcea056c67
SHA512

025d238696aabd645fb2ec6c7456ffc18dff7bb59893579ea445c8f10b0c67d56980ee8f0354d399ece2f94ae05b5c72ccbe77e5241fcd559eb1639e4d0cc09e
SSDEEP

12288:Oe+CrtuLut6N6LqQzJqkKAulc84bYBbuB1t4cWWzDKuVAccIpGNJ+Q1:j9Z6N6LqQzJqk2

Score

10^/10

icarusstealer execution persistence stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

savedblack.exe

Resource

win10-20240404-en

icarusstealer execution persistence stealer

windows10-1703-x64

22 signatures

150 seconds

Behavioral task

behavioral2

Sample

savedblack.exe

Resource

win10v2004-20240508-en

icarusstealer execution persistence stealer

windows10-2004-x64

21 signatures

150 seconds

Behavioral task

behavioral3

Sample

savedblack.exe

Resource

win11-20240508-en

icarusstealer execution persistence stealer

windows11-21h2-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

icarusstealer

Attributes

payload_url
https://blackhatsec.org/add.jpg

https://blackhatsec.org/remove.jpg

Targets

- Target
  
  savedblack.exe
- Size
  
  494KB
- MD5
  
  2089eac1493e5034f266fb8a5a3a2d91
- SHA1
  
  35e5341c15062df6c7d4fcfad0ce7ff4cb606629
- SHA256
  
  1a18bb8dd805fba37b7afa53ece89b4ceab58f7c75b462d1de9c2ddcea056c67
- SHA512
  
  025d238696aabd645fb2ec6c7456ffc18dff7bb59893579ea445c8f10b0c67d56980ee8f0354d399ece2f94ae05b5c72ccbe77e5241fcd559eb1639e4d0cc09e
- SSDEEP
  
  12288:Oe+CrtuLut6N6LqQzJqkKAulc84bYBbuB1t4cWWzDKuVAccIpGNJ+Q1:j9Z6N6LqQzJqk2
Score

10^/10

icarusstealer execution persistence stealer
- IcarusStealer
  Icarus is a modular stealer written in C# First adverts in July 2022.
  stealer icarusstealer
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Active Setup

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

icarusstealerexecutionpersistencestealer

behavioral2

icarusstealerexecutionpersistencestealer

behavioral3

icarusstealerexecutionpersistencestealer

© 2018-2025

Terms | Privacy