MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f5f46421a484bc7823996d330658a7e86ecb594ff258a157051997917c907e0e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


IcarusStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f5f46421a484bc7823996d330658a7e86ecb594ff258a157051997917c907e0e
SHA3-384 hash: 6036a645bff9331720c77660f8d4090f5b7991460e311a050923baf35406bcf7915329ba64a4e35706a4205fea69659d
SHA1 hash: 4a7552714eecb7c8ec08020244591776ca47dc17
MD5 hash: 33cb07486f40380ae48501454de48afc
humanhash: nuts-william-violet-massachusetts
File name:33cb07486f40380ae48501454de48afc
Download: download sample
Signature IcarusStealer
Create hunting rule
File size:880'128 bytes
First seen:2023-01-24 06:14:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:P84x52iNV66BbP766BJ0xj3Vqh/M8+0ZGZoDlV0VS1BqTrDXNtyti5xK:P84x51nVdjVn0fEIZofNsi6K
Threatray 6'964 similar samples on MalwareBazaar
TLSH T1B615F1024A62CD15E3F9097DCAFD162897F58E9913F3E37A27D400E08E53BD7E01A666
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 exe IcarusStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
218
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
33cb07486f40380ae48501454de48afc
Verdict:
Malicious activity
Analysis date:
2023-01-24 06:17:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/482080bd-a289-4b8a-ae3d-345b8162f0d6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DLAgent10 Downloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/356227/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
clipbanker packed
Link:
https://www.filescan.io/uploads/63cf776696add6d1cf484c1b/reports/247ee7c1-11e5-4e69-88ec-a74b72e51e18/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Icarus Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/750faa25-baef-4ec6-868a-724899a382a6
Result
Threat name:
Icarus
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1157638
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Icarus stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 790375 Sample: 8NGlsgh2C8.exe Startdate: 24/01/2023 Architecture: WINDOWS Score: 100 91 Malicious sample detected (through community Yara rule) 2->91 93 Sigma detected: Scheduled temp file as task from temp location 2->93 95 Multi AV Scanner detection for submitted file 2->95 97 9 other signatures 2->97 9 8NGlsgh2C8.exe 7 2->9         started        13 aRksiFs.exe 5 2->13         started        15 explorer.exe 5 4 2->15         started        process3 file4 73 C:\Users\user\AppData\Roaming\aRksiFs.exe, PE32 9->73 dropped 75 C:\Users\user\...\aRksiFs.exe:Zone.Identifier, ASCII 9->75 dropped 77 C:\Users\user\AppData\Local\...\tmp6BF7.tmp, XML 9->77 dropped 79 C:\Users\user\AppData\...\8NGlsgh2C8.exe.log, ASCII 9->79 dropped 99 Uses schtasks.exe or at.exe to add and modify task schedules 9->99 101 Adds a directory exclusion to Windows Defender 9->101 17 RegSvcs.exe 2 9->17         started        20 powershell.exe 21 9->20         started        22 schtasks.exe 1 9->22         started        103 Multi AV Scanner detection for dropped file 13->103 105 Machine Learning detection for dropped file 13->105 24 RegSvcs.exe 13->24         started        26 schtasks.exe 13->26         started        signatures5 process6 signatures7 85 Writes to foreign memory regions 17->85 87 Allocates memory in foreign processes 17->87 89 Injects a PE file into a foreign processes 17->89 28 cvtres.exe 4 17->28         started        32 conhost.exe 17->32         started        34 explorer.exe 17->34         started        36 conhost.exe 20->36         started        38 conhost.exe 22->38         started        40 cvtres.exe 24->40         started        42 conhost.exe 24->42         started        46 2 other processes 24->46 44 conhost.exe 26->44         started        process8 dnsIp9 81 10.98.61.26, 5225 unknown unknown 28->81 107 Adds a directory exclusion to Windows Defender 28->107 48 cmd.exe 28->48         started        51 cmd.exe 28->51         started        53 cmd.exe 40->53         started        55 cmd.exe 40->55         started        signatures10 process11 signatures12 83 Adds a directory exclusion to Windows Defender 48->83 57 conhost.exe 48->57         started        59 powershell.exe 48->59         started        61 conhost.exe 51->61         started        63 powershell.exe 51->63         started        65 conhost.exe 53->65         started        67 powershell.exe 53->67         started        69 conhost.exe 55->69         started        71 powershell.exe 55->71         started        process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f5f46421a484bc7823996d330658a7e86ecb594ff258a157051997917c907e0e/
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6x2giineqs6hqi4znuzqmwfh5bxmwwkp6jmkcvyfdglzc7eqpyha._file
Verdict:
malicious
Similar samples:
490f282d4fd00248b4f2c3ee4b5586d7af9b8cef6702f035abfee65482289d99
IcarusStealer
5251517c9a5cc925e00988f3d9aa30706271cfd0bd6d33d3794e03a92b13b946
IcarusStealer
5f1d6d9c49024913322423dbd249144d93feab55663e1cc26fb0cdf9eb16c610
IcarusStealer
62826246ed171e21b93e198d3ed59a8087d8e03b039fc566b34f54a0502cae01
IcarusStealer
7001538a3316bf0f86e9730d0a38992357f4669d3a4a85e77f1ec42293499ff5
IcarusStealer
9114bf73c9c9b71333f6ec637982cb82d17d233b0126c47e4f6ea583a3d86a07
IcarusStealer
a0e2fc3dbb2e0862936be3007baa6dc35414282c518fda50e57f0d0f6f98c570
IcarusStealer
bfa71d8dce5ab5e1891ccf16cb8f4d909560f0da154e4900be6663a4313c3f07
IcarusStealer
de389cc5045366de69ef81862f6b5cf74b129af9681d064cd18522d30793f9a4
IcarusStealer
+ 6'954 additional samples on MalwareBazaar
Result
Malware family:
icarusstealer
Create hunting rule
Score:
  10/10
Tags:
family:icarusstealer persistence stealer
Link:
https://tria.ge/reports/230124-gzwm5sae6w/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Enumerates connected drives
Checks computer location settings
Modifies Installed Components in the registry
IcarusStealer
Unpacked files
SH256 hash:
3fa8c686a343d0b7b5d8d91dfee71ccea8082d9cbb5ec0a364b000e90fdd7582
MD5 hash:
67ca316c885eb2e43c2a5738ecda9b8e
SHA1 hash:
c696420f9627447333872eff8bd2b0d2f52d7d67
Link:
https://www.unpac.me/results/6b3aba3a-863a-4fad-8ce6-42f368176de0/
SH256 hash:
ff1b42ea7d56a37eae801adbddb7116f52a4664c0b41302736f522852edc2747
MD5 hash:
89ac57478044c57c7195943116a521e0
SHA1 hash:
1ff2bafeed795423e3538d810bda8e1e3fcdcfa5
Link:
https://www.unpac.me/results/6b3aba3a-863a-4fad-8ce6-42f368176de0/
SH256 hash:
20eda0a9b642a495ee216f13d2c37603ef860ff1aa1b8c89b2aa630a17574f71
MD5 hash:
d2dcd2d712c1f3c871e39fc27f889546
SHA1 hash:
167502f0388eb8c9525a048282600fa83d7254ad
Link:
https://www.unpac.me/results/6b3aba3a-863a-4fad-8ce6-42f368176de0/
SH256 hash:
f5f46421a484bc7823996d330658a7e86ecb594ff258a157051997917c907e0e
MD5 hash:
33cb07486f40380ae48501454de48afc
SHA1 hash:
4a7552714eecb7c8ec08020244591776ca47dc17
Link:
https://www.unpac.me/results/6b3aba3a-863a-4fad-8ce6-42f368176de0/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f5f46421a484/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f5f46421a484bc7823996d330658a7e86ecb594ff258a157051997917c907e0e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

IcarusStealer

Executable exe f5f46421a484bc7823996d330658a7e86ecb594ff258a157051997917c907e0e

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2516885/
Cape
Cape
https://www.capesandbox.com/analysis/356227/

Comments


Avatar
zbet commented on 2023-01-24 06:14:36 UTC

url : hxxp://104.223.76.152/125/vbc.exe