win.iconic_stealer

IconicStealer

Actor(s): Lazarus Group


Follow-up payload in the 3CX supply chain incident; according to Volexity it is an infostealer that collects information about the system and browser, using an embedded copy of the SQLite3 library.

References
2023-04-20 · Mandiant · ADRIAN SANCHEZ, DANIEL SCOTT, Dimiter Andonov, Fred Plan, Jake Nicastro, JEFF JOHNSON, Marius Fodoreanu, RENATO FONTANA
3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible
POOLRAT IconicStealer UNC4736
2023-04-20 · ESET Research · Marc-Etienne M. Léveillé, Peter Kálnai
Linux malware strengthens links between Lazarus and the 3CX supply-chain attack
BADCALL SimpleTea POOLRAT 3CX Backdoor BADCALL IconicStealer
2023-03-30 · Volexity · Ankur Saini, Callum Roxan, Charlie Gardner, Paul Rascagnères, Steven Adair, Thomas Lancaster
3CX Supply Chain Compromise Leads to ICONIC Incident
3CX Backdoor IconicStealer
2023-03-30 · Trend Micro · Trend Micro Research
Developing Story: Information on Attacks Involving 3CX Desktop App
3CX Backdoor IconicStealer
2023-03-30 · Symantec · Threat Hunter Team
3CX: Supply Chain Attack Affects Thousands of Users Worldwide
3CX Backdoor IconicStealer
Yara Rules
[TLP:WHITE] win_iconic_stealer_auto (20260504 | Detects win.iconic_stealer.)
rule win_iconic_stealer_auto {

    // Auto-generated code-sequence signature for IconicStealer (see the
    // DISCLAIMER below). Each $sequence_N is a short run of x86-64 instruction
    // bytes lifted from a disassembled sample. The "????" bytes follow
    // e8/e9 (call/jmp rel32) opcodes, so the relative displacement is
    // wildcarded and the sequence still matches when the code is linked or
    // loaded at a different address.
    //
    // NOTE(review): the disassembly column after "|" is annotation only. It
    // does not appear to line up with the opcode bytes on the left (e.g.
    // "eb19" is a short jmp, not "inc ecx"), so do not rely on it when
    // reviewing or tuning the rule - the hex bytes are what YARA matches.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.iconic_stealer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.iconic_stealer"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Ten 7-instruction byte sequences (n = 7). "score = 100" is the
        // generator's per-sequence ranking, not a YARA construct.
        $sequence_0 = { eb19 453b7e28 7ef3 45896e2c 448b6c2430 45897e28 eb04 }
            // n = 7, score = 100
            //   eb19                 | inc                 ecx
            //   453b7e28             | mov                 esi, 7
            //   7ef3                 | dec                 esp
            //   45896e2c             | mov                 edi, dword ptr [ebp - 0x20]
            //   448b6c2430           | mov                 esi, dword ptr [ebp - 0x28]
            //   45897e28             | inc                 esp
            //   eb04                 | mov                 esp, dword ptr [ebp - 0x2c]

        $sequence_1 = { e8???????? e9???????? 80be2c01000002 0f83b3000000 498b4c2460 bb0080ffff 4885c9 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   e9????????           |                     
            //   80be2c01000002       | dec                 eax
            //   0f83b3000000         | mov                 ecx, dword ptr [eax + 0x38]
            //   498b4c2460           | dec                 eax
            //   bb0080ffff           | cmp                 dword ptr [ebx + 0x60], ecx
            //   4885c9               | je                  0x1060

        $sequence_2 = { 4c8d7f10 488b5708 488bce e8???????? 418b07 c6043000 4885f6 }
            // n = 7, score = 100
            //   4c8d7f10             | mov                 edx, 0x93
            //   488b5708             | dec                 eax
            //   488bce               | mov                 ecx, ebx
            //   e8????????           |                     
            //   418b07               | inc                 ebp
            //   c6043000             | xor                 eax, eax
            //   4885f6               | jmp                 0x228

        $sequence_3 = { 8d506c 448d4001 e8???????? eb33 8d4101 ba03000000 41894500 }
            // n = 7, score = 100
            //   8d506c               | cmp                 al, 1
            //   448d4001             | dec                 ecx
            //   e8????????           |                     
            //   eb33                 | mov                 ecx, edi
            //   8d4101               | dec                 esp
            //   ba03000000           | cmovne              edx, edi
            //   41894500             | dec                 ecx

        $sequence_4 = { 458bc2 418bd3 488bcb e8???????? eb39 4183fa01 743b }
            // n = 7, score = 100
            //   458bc2               | mov                 ecx, esi
            //   418bd3               | jmp                 0x1899
            //   488bcb               | mov                 ecx, 0x38
            //   e8????????           |                     
            //   eb39                 | dec                 eax
            //   4183fa01             | test                eax, eax
            //   743b                 | dec                 ecx

        $sequence_5 = { 4c63c7 4c03c0 4c89ac2410010000 488b842498000000 4533ed 4883c0e0 4c89442458 }
            // n = 7, score = 100
            //   4c63c7               | mov                 dword ptr [esp + 0x40], ebp
            //   4c03c0               | dec                 eax
            //   4c89ac2410010000     | mov                 ecx, dword ptr [esp + 0x48]
            //   488b842498000000     | mov                 eax, dword ptr [ebx + 0x38]
            //   4533ed               | inc                 esp
            //   4883c0e0             | lea                 ebp, [eax + 1]
            //   4c89442458           | inc                 ecx

        $sequence_6 = { 8b4c2460 85c9 7412 0fb6461f 3c08 730a 898c86e0000000 }
            // n = 7, score = 100
            //   8b4c2460             | dec                 eax
            //   85c9                 | inc                 ebx
            //   7412                 | jmp                 0x1105
            //   0fb6461f             | test                edx, edx
            //   3c08                 | jne                 0x1433
            //   730a                 | xor                 esi, esi
            //   898c86e0000000       | sub                 edx, ecx

        $sequence_7 = { f30f7f45cf 4885ff 740c 488bd7 488d4db7 e8???????? 4488b32c010000 }
            // n = 7, score = 100
            //   f30f7f45cf           | or                  ebp, eax
            //   4885ff               | jmp                 0x1052
            //   740c                 | bts                 ebp, 7
            //   488bd7               | mov                 ecx, ebp
            //   488d4db7             | and                 ecx, 0x21
            //   e8????????           |                     
            //   4488b32c010000       | inc                 edx

        $sequence_8 = { e8???????? 488945b7 4c8be8 4885c0 0f8439030000 498b542430 4533c9 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   488945b7             | inc                 ecx
            //   4c8be8               | pop                 ebp
            //   4885c0               | inc                 ecx
            //   0f8439030000         | pop                 esp
            //   498b542430           | pop                 edi
            //   4533c9               | ret                 

        $sequence_9 = { f6406008 7504 c6452301 488bcd e8???????? 4c8b942488000000 488bd8 }
            // n = 7, score = 100
            //   f6406008             | movzx               edx, byte ptr [edx + ebp + 0x100930]
            //   7504                 | sub                 edx, ecx
            //   c6452301             | jne                 0x1b3a
            //   488bcd               | dec                 ecx
            //   e8????????           |                     
            //   4c8b942488000000     | inc                 eax
            //   488bd8               | jmp                 0x1b09

    condition:
        // Any 7 of the 10 sequences must be present; the filesize bound
        // (2401280 bytes, ~2.3 MiB) keeps the rule from being applied to
        // large files. NOTE(review): the filesize term may not behave the
        // same when scanning process memory rather than files - confirm for
        // your deployment.
        7 of them and filesize < 2401280
}
[TLP:WHITE] win_iconicstealer_w0    (20230331 | Detect the ICONICSTEALER malware family.)
rule win_iconicstealer_w0 {
    // Volexity string signature for the ICONICSTEALER payload delivered in the
    // 3CX supply-chain incident. Matches only when all three UTF-16LE strings
    // are present: the 3CX desktop config path and two SQL fragments that read
    // browsing history out of browser SQLite databases. memory_suitable = 1
    // indicates the author considers it usable on memory dumps as well.
    meta:
        author = "threatintel@volexity.com"
        date = "2023-03-30"
        description = "Detect the ICONICSTEALER malware family."
        hash1 = "8ab3a5eaaf8c296080fadf56b265194681d7da5da7c02562953a4cb60e147423"
        reference = "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/"
        memory_suitable = 1
        license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"

        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.iconic_stealer"
        malpedia_version = "20230331"
        malpedia_rule_date = "20230331"
        malpedia_hash = ""
        malpedia_license = ""
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Path fragment of the 3CX desktop application's config file.
        $config_path      = "\\3CXDesktopApp\\config.json" wide
        // SQL fragment selecting history rows from a Chromium-style "urls" table.
        $history_chromium = "url, title FROM urls" wide
        // SQL fragment selecting history rows from a Firefox-style "moz_places" table.
        $history_firefox  = "url, title FROM moz_places" wide

    condition:
        all of them
}