


IceXLoader is commercial malware used to download and deploy additional malware on infected machines. The latest version is written in Nim, a relatively new language that threat actors have adopted over the past two years, most notably for the NimzaLoader variant of BazarLoader used by the TrickBot group.

Version 1 (v1) was written in AutoIt.

References
2022-06-15Joie Salvio, Roy Tay
New IceXLoader 3.0 – Developers Warm Up to Nim
Yara Rules
[TLP:WHITE] win_icexloader_auto (20260504 | Detects win.icexloader.)
/*
 * Auto-generated YARA rule for the IceXLoader downloader (Malpedia family
 * win.icexloader). The strings below are 32-bit x86 instruction byte
 * sequences selected by YARA-Signator from the disassembly of memory dumps
 * and unpacked files (see DISCLAIMER), so the rule is expected to fire on
 * unpacked code / memory dumps rather than on a packed on-disk sample.
 */
rule win_icexloader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.icexloader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.icexloader"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* Each $sequence_N is a run of n consecutive instruction encodings; the
     * disassembly of each instruction is listed in the comments under the
     * string. "??" masks bytes that vary between builds: the rel32 targets
     * of call/jmp (e8 / e9 ...) and the disp32 of absolute data references
     * (c705 / c605 ...), consistent with the "callsandjumps;datarefs"
     * signator_config above. "score" is YARA-Signator's ranking value for
     * the sequence and is not evaluated by the YARA condition. */
    strings:
        $sequence_0 = { 5d c3 55 89e5 53 83ec74 e8???????? }
            // n = 7, score = 200
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   89e5                 | mov                 ebp, esp
            //   53                   | push                ebx
            //   83ec74               | sub                 esp, 0x74
            //   e8????????           |                     

        $sequence_1 = { 89d9 89d0 31db 31d2 01c8 8b4dd4 11da }
            // n = 7, score = 200
            //   89d9                 | mov                 ecx, ebx
            //   89d0                 | mov                 eax, edx
            //   31db                 | xor                 ebx, ebx
            //   31d2                 | xor                 edx, edx
            //   01c8                 | add                 eax, ecx
            //   8b4dd4               | mov                 ecx, dword ptr [ebp - 0x2c]
            //   11da                 | adc                 edx, ebx

        $sequence_2 = { 8b4508 83c014 8945f8 8b4508 8b4010 8945f4 8b450c }
            // n = 7, score = 200
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   83c014               | add                 eax, 0x14
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b4010               | mov                 eax, dword ptr [eax + 0x10]
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]

        $sequence_3 = { 5d e9???????? c705????????18000000 c705????????04000000 c605????????11 c705????????a0c54300 c705????????00000000 }
            // n = 7, score = 200
            //   5d                   | pop                 ebp
            //   e9????????           |                     
            //   c705????????18000000     |     
            //   c705????????04000000     |     
            //   c605????????11       |                     
            //   c705????????a0c54300     |     
            //   c705????????00000000     |     

        $sequence_4 = { 744b 8b5210 897d08 8d65f4 89f1 5b 5e }
            // n = 7, score = 200
            //   744b                 | je                  0x4d
            //   8b5210               | mov                 edx, dword ptr [edx + 0x10]
            //   897d08               | mov                 dword ptr [ebp + 8], edi
            //   8d65f4               | lea                 esp, [ebp - 0xc]
            //   89f1                 | mov                 ecx, esi
            //   5b                   | pop                 ebx
            //   5e                   | pop                 esi

        $sequence_5 = { 55 ba7c000000 89e5 56 53 83ec30 894de4 }
            // n = 7, score = 200
            //   55                   | push                ebp
            //   ba7c000000           | mov                 edx, 0x7c
            //   89e5                 | mov                 ebp, esp
            //   56                   | push                esi
            //   53                   | push                ebx
            //   83ec30               | sub                 esp, 0x30
            //   894de4               | mov                 dword ptr [ebp - 0x1c], ecx

        $sequence_6 = { 0f841a010000 8b85ecfeffff 8b95ecfeffff 8b5210 83ea01 83c204 }
            // n = 6, score = 200
            //   0f841a010000         | je                  0x120
            //   8b85ecfeffff         | mov                 eax, dword ptr [ebp - 0x114]
            //   8b95ecfeffff         | mov                 edx, dword ptr [ebp - 0x114]
            //   8b5210               | mov                 edx, dword ptr [edx + 0x10]
            //   83ea01               | sub                 edx, 1
            //   83c204               | add                 edx, 4

        $sequence_7 = { 0fb7444b08 8d7101 8d9000280000 6681faff07 7718 0fb7547308 8d7102 }
            // n = 7, score = 200
            //   0fb7444b08           | movzx               eax, word ptr [ebx + ecx*2 + 8]
            //   8d7101               | lea                 esi, [ecx + 1]
            //   8d9000280000         | lea                 edx, [eax + 0x2800]
            //   6681faff07           | cmp                 dx, 0x7ff
            //   7718                 | ja                  0x1a
            //   0fb7547308           | movzx               edx, word ptr [ebx + esi*2 + 8]
            //   8d7102               | lea                 esi, [ecx + 2]

        $sequence_8 = { 898554ffffff c78510ffffff00000000 c745a000000000 8b45a0 89459c 8b459c 894590 }
            // n = 7, score = 200
            //   898554ffffff         | mov                 dword ptr [ebp - 0xac], eax
            //   c78510ffffff00000000     | mov    dword ptr [ebp - 0xf0], 0
            //   c745a000000000       | mov                 dword ptr [ebp - 0x60], 0
            //   8b45a0               | mov                 eax, dword ptr [ebp - 0x60]
            //   89459c               | mov                 dword ptr [ebp - 0x64], eax
            //   8b459c               | mov                 eax, dword ptr [ebp - 0x64]
            //   894590               | mov                 dword ptr [ebp - 0x70], eax

        $sequence_9 = { f7d8 eb03 42 eb94 83c40c 5b 5e }
            // n = 7, score = 200
            //   f7d8                 | neg                 eax
            //   eb03                 | jmp                 5
            //   42                   | inc                 edx
            //   eb94                 | jmp                 0xffffff96
            //   83c40c               | add                 esp, 0xc
            //   5b                   | pop                 ebx
            //   5e                   | pop                 esi

    condition:
        // A hit requires at least 7 of the 10 $sequence_* strings and an
        // input smaller than 656384 bytes (641 KiB). Prologue/epilogue-style
        // sequences such as $sequence_0 and $sequence_5 (push ebp / mov ebp,
        // esp / sub esp, N) are ordinary compiler output and weak on their
        // own; the 7-of-10 threshold is what gives the rule its specificity.
        // NOTE(review): filesize is the size of the scanned object -- confirm
        // how your scanner populates it for process-memory scans before
        // relying on this bound there.
        7 of them and filesize < 656384
}