Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    savedblack.exe

  • Size

    494KB

  • Sample

    240703-cygelsxbnp

  • MD5

    2089eac1493e5034f266fb8a5a3a2d91

  • SHA1

    35e5341c15062df6c7d4fcfad0ce7ff4cb606629

  • SHA256

    1a18bb8dd805fba37b7afa53ece89b4ceab58f7c75b462d1de9c2ddcea056c67

  • SHA512

    025d238696aabd645fb2ec6c7456ffc18dff7bb59893579ea445c8f10b0c67d56980ee8f0354d399ece2f94ae05b5c72ccbe77e5241fcd559eb1639e4d0cc09e

  • SSDEEP

    12288:Oe+CrtuLut6N6LqQzJqkKAulc84bYBbuB1t4cWWzDKuVAccIpGNJ+Q1:j9Z6N6LqQzJqk2

Malware Config

Extracted

Family

icarusstealer

Attributes
  • payload_url

    https://blackhatsec.org/add.jpg

    https://blackhatsec.org/remove.jpg

Targets

    • Target

      savedblack.exe

    • Size

      494KB

    • MD5

      2089eac1493e5034f266fb8a5a3a2d91

    • SHA1

      35e5341c15062df6c7d4fcfad0ce7ff4cb606629

    • SHA256

      1a18bb8dd805fba37b7afa53ece89b4ceab58f7c75b462d1de9c2ddcea056c67

    • SHA512

      025d238696aabd645fb2ec6c7456ffc18dff7bb59893579ea445c8f10b0c67d56980ee8f0354d399ece2f94ae05b5c72ccbe77e5241fcd559eb1639e4d0cc09e

    • SSDEEP

      12288:Oe+CrtuLut6N6LqQzJqkKAulc84bYBbuB1t4cWWzDKuVAccIpGNJ+Q1:j9Z6N6LqQzJqk2

    • IcarusStealer

      Icarus is a modular stealer written in C# First adverts in July 2022.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks