icarusstealer | 65409873f2564f68f5f8cdc465f395de884ad276168881c03163dc409c7239b3 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

3

icarusokay.exe

windows10-2004-x64

Sharing

General

Target

icarusokay.exe
Size

494KB
Sample

240908-crpgmsyhql
MD5

a960b054b2d055d60ad7d93d2ede01f8
SHA1

f19fce2fc2e2e52db169e1ece0845ff162e844cd
SHA256

65409873f2564f68f5f8cdc465f395de884ad276168881c03163dc409c7239b3
SHA512

dabd847829c4bdc8639c6171c819e53e5dddc2d1903a322e803633ffc8e6c1eba7ed21f9490c07454fd8c240e0d075a313516835be119023ea9488b3b29fb914
SSDEEP

12288:KxMFSuLut6N6LqQzJqkKAulc84bYBbuB1t4cWWzDKuVAccIpGNJ+Q0:G9Z6N6LqQzJqkb

Score

10^/10

icarusstealer discovery evasion execution persistence stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

icarusokay.exe

Resource

win10v2004-20240802-en

icarusstealer discovery evasion execution persistence stealer trojan

windows10-2004-x64

29 signatures

600 seconds

Malware Config

Extracted

Family

icarusstealer

Attributes

payload_url
https://blackhatsec.org/add.jpg

https://blackhatsec.org/remove.jpg

Targets

- Target
  
  icarusokay.exe
- Size
  
  494KB
- MD5
  
  a960b054b2d055d60ad7d93d2ede01f8
- SHA1
  
  f19fce2fc2e2e52db169e1ece0845ff162e844cd
- SHA256
  
  65409873f2564f68f5f8cdc465f395de884ad276168881c03163dc409c7239b3
- SHA512
  
  dabd847829c4bdc8639c6171c819e53e5dddc2d1903a322e803633ffc8e6c1eba7ed21f9490c07454fd8c240e0d075a313516835be119023ea9488b3b29fb914
- SSDEEP
  
  12288:KxMFSuLut6N6LqQzJqkKAulc84bYBbuB1t4cWWzDKuVAccIpGNJ+Q0:G9Z6N6LqQzJqkb
Score

10^/10

icarusstealer discovery evasion execution persistence stealer trojan
- IcarusStealer
  Icarus is a modular stealer written in C# First adverts in July 2022.
  stealer icarusstealer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Executes dropped EXE
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Active Setup

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

icarusstealerdiscoveryevasionexecutionpersistencestealertrojan

© 2018-2025

Terms | Privacy