
win.icexloader


IceXLoader is a commercial malware used to download and deploy additional malware on infected machines. The latest version is written in Nim, a relatively new language that threat actors have used over the past two years, most notably in the NimzaLoader variant of BazarLoader used by the TrickBot group.

Version 1 was written in AutoIt.

References
2022-06-15 — Joie Salvio, Roy Tay
New IceXLoader 3.0 – Developers Warm Up to Nim
win.icexloader
Yara Rules
[TLP:WHITE] win_icexloader_auto (20230808 | Detects win.icexloader.)
rule win_icexloader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.icexloader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.icexloader"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reviewer notes (not part of the generated rule):
     * - Every string below is an x86 (32-bit) opcode byte sequence taken from
     *   the unpacked code. The "????????" wildcards replace 4-byte operands
     *   that vary between builds: rel32 call targets (e8), absolute data
     *   addresses (the c705/66c705/c605 stores in $sequence_4/$sequence_6)
     *   and immediates loaded into registers (b8/b9/ba in $sequence_9).
     * - Because the sequences were extracted from memory dumps and unpacked
     *   files (see DISCLAIMER), a packed on-disk sample is not expected to
     *   match; scan process memory or an unpacked image for best results.
     * - The per-string "score" comments are YARA-Signator ranking output,
     *   not YARA syntax; they do not affect matching.
     */

    strings:
        $sequence_0 = { 750c 83caff 85c9 7405 8b01 8d50ff 8b4508 }
            // n = 7, score = 200
            //   750c                 | jne                 0xe
            //   83caff               | or                  edx, 0xffffffff
            //   85c9                 | test                ecx, ecx
            //   7405                 | je                  7
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   8d50ff               | lea                 edx, [eax - 1]
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]

        $sequence_1 = { 8985acfeffff 8b85c4feffff 8b10 894c2408 8b8db4feffff 890424 894c2404 }
            // n = 7, score = 200
            //   8985acfeffff         | mov                 dword ptr [ebp - 0x154], eax
            //   8b85c4feffff         | mov                 eax, dword ptr [ebp - 0x13c]
            //   8b10                 | mov                 edx, dword ptr [eax]
            //   894c2408             | mov                 dword ptr [esp + 8], ecx
            //   8b8db4feffff         | mov                 ecx, dword ptr [ebp - 0x14c]
            //   890424               | mov                 dword ptr [esp], eax
            //   894c2404             | mov                 dword ptr [esp + 4], ecx

        $sequence_2 = { 8b4520 8910 c745e001000000 eb0a 90 eb07 90 }
            // n = 7, score = 200
            //   8b4520               | mov                 eax, dword ptr [ebp + 0x20]
            //   8910                 | mov                 dword ptr [eax], edx
            //   c745e001000000       | mov                 dword ptr [ebp - 0x20], 1
            //   eb0a                 | jmp                 0xc
            //   90                   | nop                 
            //   eb07                 | jmp                 9
            //   90                   | nop                 

        $sequence_3 = { e8???????? ba04000000 0fb7c0 40 8985d0e6ffff 8b85e4e6ffff e8???????? }
            // n = 7, score = 200
            //   e8????????           |                     
            //   ba04000000           | mov                 edx, 4
            //   0fb7c0               | movzx               eax, ax
            //   40                   | inc                 eax
            //   8985d0e6ffff         | mov                 dword ptr [ebp - 0x1930], eax
            //   8b85e4e6ffff         | mov                 eax, dword ptr [ebp - 0x191c]
            //   e8????????           |                     

        // $sequence_4 / $sequence_6: runs of stores to absolute addresses
        // (c705 = mov dword ptr [disp32], imm32; 66c705 = the 16-bit form;
        // c605 = mov byte ptr [disp32], imm8). The disp32 is wildcarded, so
        // only the stored immediates (e.g. 04000000, 1903, 01) are matched.
        $sequence_4 = { c705????????04000000 66c705????????1903 c605????????01 c705????????14000000 c705????????e0d74300 c705????????aa914200 }
            // n = 6, score = 200
            //   c705????????04000000     |     
            //   66c705????????1903     |     
            //   c605????????01       |                     
            //   c705????????14000000     |     
            //   c705????????e0d74300     |     
            //   c705????????aa914200     |     

        // $sequence_5 and $sequence_8 read like ordinary function prologues
        // (push/mov ebp,esp/sub esp) and can plausibly appear in unrelated
        // binaries; the "7 of them" threshold in the condition is what keeps
        // such individually weak strings from producing a hit on their own.
        $sequence_5 = { 55 ba7c000000 89e5 56 53 83ec30 894de4 }
            // n = 7, score = 200
            //   55                   | push                ebp
            //   ba7c000000           | mov                 edx, 0x7c
            //   89e5                 | mov                 ebp, esp
            //   56                   | push                esi
            //   53                   | push                ebx
            //   83ec30               | sub                 esp, 0x30
            //   894de4               | mov                 dword ptr [ebp - 0x1c], ecx

        $sequence_6 = { c705????????00d44300 c705????????95904200 c705????????18e44300 c605????????01 c705????????00000000 c705????????80d44300 c705????????9d904200 }
            // n = 7, score = 200
            //   c705????????00d44300     |     
            //   c705????????95904200     |     
            //   c705????????18e44300     |     
            //   c605????????01       |                     
            //   c705????????00000000     |     
            //   c705????????80d44300     |     
            //   c705????????9d904200     |     

        $sequence_7 = { 83bd14ffffff00 7405 e8???????? e8???????? 8b8d64feffff e8???????? e8???????? }
            // n = 7, score = 200
            //   83bd14ffffff00       | cmp                 dword ptr [ebp - 0xec], 0
            //   7405                 | je                  7
            //   e8????????           |                     
            //   e8????????           |                     
            //   8b8d64feffff         | mov                 ecx, dword ptr [ebp - 0x19c]
            //   e8????????           |                     
            //   e8????????           |                     

        $sequence_8 = { 57 56 89d6 ba01000000 53 89cb 83ec2c }
            // n = 7, score = 200
            //   57                   | push                edi
            //   56                   | push                esi
            //   89d6                 | mov                 esi, edx
            //   ba01000000           | mov                 edx, 1
            //   53                   | push                ebx
            //   89cb                 | mov                 ebx, ecx
            //   83ec2c               | sub                 esp, 0x2c

        $sequence_9 = { b8???????? e8???????? ba0c000000 8d45a4 e8???????? ba???????? b9???????? }
            // n = 7, score = 200
            //   b8????????           |                     
            //   e8????????           |                     
            //   ba0c000000           | mov                 edx, 0xc
            //   8d45a4               | lea                 eax, [ebp - 0x5c]
            //   e8????????           |                     
            //   ba????????           |                     
            //   b9????????           |                     

    // Match requires 7 of the 10 sequences above, so a single shared
    // compiler idiom is never sufficient. The filesize bound is in bytes
    // (656384 = 641 KiB) and applies to the scanned object; when scanning
    // process memory, YARA's filesize reflects the memory block rather than
    // the file on disk, and objects larger than the cap will not match even
    // if all sequences are present.
    condition:
        7 of them and filesize < 656384
}