Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    icarusokay.exe

  • Size

    494KB

  • Sample

    240908-crpgmsyhql

  • MD5

    a960b054b2d055d60ad7d93d2ede01f8

  • SHA1

    f19fce2fc2e2e52db169e1ece0845ff162e844cd

  • SHA256

    65409873f2564f68f5f8cdc465f395de884ad276168881c03163dc409c7239b3

  • SHA512

    dabd847829c4bdc8639c6171c819e53e5dddc2d1903a322e803633ffc8e6c1eba7ed21f9490c07454fd8c240e0d075a313516835be119023ea9488b3b29fb914

  • SSDEEP

    12288:KxMFSuLut6N6LqQzJqkKAulc84bYBbuB1t4cWWzDKuVAccIpGNJ+Q0:G9Z6N6LqQzJqkb

Malware Config

Extracted

Family

icarusstealer

Attributes
  • payload_url

    https://blackhatsec.org/add.jpg

    https://blackhatsec.org/remove.jpg

Targets

    • Target

      icarusokay.exe

    • Size

      494KB

    • MD5

      a960b054b2d055d60ad7d93d2ede01f8

    • SHA1

      f19fce2fc2e2e52db169e1ece0845ff162e844cd

    • SHA256

      65409873f2564f68f5f8cdc465f395de884ad276168881c03163dc409c7239b3

    • SHA512

      dabd847829c4bdc8639c6171c819e53e5dddc2d1903a322e803633ffc8e6c1eba7ed21f9490c07454fd8c240e0d075a313516835be119023ea9488b3b29fb914

    • SSDEEP

      12288:KxMFSuLut6N6LqQzJqkKAulc84bYBbuB1t4cWWzDKuVAccIpGNJ+Q0:G9Z6N6LqQzJqkb

    • IcarusStealer

      Icarus is a modular stealer written in C# First adverts in July 2022.

    • Modifies Windows Defender Real-time Protection settings

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Executes dropped EXE

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks