win.photolite

PHOTOLITE


PHOTOLITE is the lite version of GZIPLOADER with limited capabilities; for example, it does not have any functionality to exfiltrate host information. This new variant was observed as a follow-on payload in a TA542 Emotet campaign in November 2022. It contains a static URL to download a "Bot Pack" file with a static name (botpack.dat), which results in the IcedID Lite DLL Loader and then delivers the Forked version of IcedID Bot, leaving out the webinjects and backconnect functionality that would typically be used for banking fraud.

References
2023-03-27 — Proofpoint — Joe Wise, Kelsey Merriman, Pim Trouerbach
Fork in the Ice: The New Era of IcedID
IcedID PHOTOFORK PHOTOLITE PhotoLoader
2023-01-09 — Intrinsec — CTI Intrinsec, Intrinsec
Emotet returns and deploys loaders
BumbleBee Emotet IcedID PHOTOLITE
2022-11-16 — Proofpoint — Axel F, Pim Trouerbach
A Comprehensive Look at Emotet Virus’ Fall 2022 Return
BumbleBee Emotet PHOTOLITE
Yara Rules
[TLP:WHITE] win_photolite_auto (20260504 | Detects win.photolite.)
rule win_photolite_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.photolite."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.photolite"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - Only the hex byte strings in each $sequence_N are matched by YARA; the
     *   "// hex | mnemonic" rows below them are comments and are ignored at
     *   scan time.
     * - Those mnemonic annotations do NOT line up with the bytes on the same
     *   row. Example: in $sequence_0 the bytes c785d80300009afbb270 are
     *   annotated "mov eax, dword ptr [ebp + 0xf0]", but that mnemonic is the
     *   decode of 8b85f0000000 (a row of $sequence_7, itself annotated
     *   "cmp ecx, edx"); c785d80300009afbb270 actually decodes to
     *   "mov dword ptr [ebp + 0x3d8], 0x70b2fb9a", the text shown under a row
     *   of $sequence_15. Treat the hex as authoritative and the mnemonic
     *   column as a shifted, unreliable listing when triaging hits.
     * - Many byte strings begin with 0x48/0x49/0x4c/0x4d/0x41, which look like
     *   x86-64 REX prefixes; the "dec eax"/"inc ecx" entries in the listing
     *   are consistent with a 32-bit decode of such bytes. NOTE(review): the
     *   rule presumably targets 64-bit code - confirm against the source
     *   sample before relying on the listing.
     * - "e8????????" and "488905????????" use YARA "??" wildcards so that
     *   relocation-dependent bytes (a call rel32 target and a displacement)
     *   do not have to match exactly.
     * - "n" equals the number of byte rows in the sequence. "score" appears
     *   to be a yara-signator weighting (400 vs 100 here); neither value is
     *   used by the condition, which counts every string equally.
     * - Per the disclaimer above, the sequences come from memory dumps and
     *   unpacked files, so matches are expected on unpacked or in-memory
     *   code rather than on packed samples at rest.
     */


    strings:
        $sequence_0 = { c785d80300009afbb270 c785dc030000d1f3ed2e 8995e0030000 8b85d4030000 }
            // n = 4, score = 400
            //   c785d80300009afbb270     | mov    eax, dword ptr [ebp + 0xf0]
            //   c785dc030000d1f3ed2e     | mov    al, byte ptr [ebp + 0xec]
            //   8995e0030000         | inc                 ecx
            //   8b85d4030000         | push                esi

        $sequence_1 = { 8b8554010000 8a8550010000 84c0 751e 488bcb 8b848d54010000 }
            // n = 6, score = 400
            //   8b8554010000         | mov                 dword ptr [ebp + 0x2e8], 0x7c463e81
            //   8a8550010000         | mov                 dword ptr [ebp + 0x2ec], 0x58573597
            //   84c0                 | mov                 dword ptr [ebp + 0x2f0], 0x3d252280
            //   751e                 | mov                 eax, dword ptr [ebp + 0x154]
            //   488bcb               | mov                 al, byte ptr [ebp + 0x150]
            //   8b848d54010000       | test                al, al

        $sequence_2 = { 889de0020000 c785e4020000b434516d c785e8020000813e467c c785ec02000097355758 c785f00200008022253d }
            // n = 5, score = 400
            //   889de0020000         | dec                 ecx
            //   c785e4020000b434516d     | mov    ecx, esp
            //   c785e8020000813e467c     | call    eax
            //   c785ec02000097355758     | mov    byte ptr [ebp + 0x2e0], bl
            //   c785f00200008022253d     | mov    dword ptr [ebp + 0x2e4], 0x6d5134b4

        $sequence_3 = { 4156 4157 4883ec20 448b7902 }
            // n = 4, score = 400
            //   4156                 | mov                 byte ptr [ebp + 0xec], bl
            //   4157                 | mov                 dword ptr [ebp + 0xf0], 0x542845b7
            //   4883ec20             | mov                 dword ptr [ebp + 0xf4], 0x412c52b9
            //   448b7902             | mov                 dword ptr [ebp + 0xf8], edx

        $sequence_4 = { 889d18020000 c7851c0200005488472c c785200200007a8e583b c785240200007c985d0c c7852802000025d93378 8b851c020000 8a8518020000 }
            // n = 7, score = 400
            //   889d18020000         | mov                 byte ptr [ebp + 0x218], bl
            //   c7851c0200005488472c     | mov    dword ptr [ebp + 0x21c], 0x2c478854
            //   c785200200007a8e583b     | mov    dword ptr [ebp + 0x220], 0x3b588e7a
            //   c785240200007c985d0c     | mov    dword ptr [ebp + 0x224], 0xc5d987c
            //   c7852802000025d93378     | mov    dword ptr [ebp + 0x228], 0x7833d925
            //   8b851c020000         | mov                 eax, dword ptr [ebp + 0x21c]
            //   8a8518020000         | mov                 al, byte ptr [ebp + 0x218]

        $sequence_5 = { c1c203 4c3bc3 72ee 443bca }
            // n = 4, score = 400
            //   c1c203               | jne                 0x22
            //   4c3bc3               | dec                 eax
            //   72ee                 | mov                 ecx, ebx
            //   443bca               | mov                 eax, dword ptr [ebp + ecx*4 + 0x154]

        $sequence_6 = { eb07 498d5602 4803d1 498bcc ffd0 }
            // n = 5, score = 400
            //   eb07                 | jmp                 9
            //   498d5602             | dec                 ecx
            //   4803d1               | lea                 edx, [esi + 2]
            //   498bcc               | dec                 eax
            //   ffd0                 | add                 edx, ecx

        $sequence_7 = { baff204924 889dec000000 c785f0000000b7452854 c785f4000000b9522c41 8995f8000000 8b85f0000000 8a85ec000000 }
            // n = 7, score = 400
            //   baff204924           | rol                 edx, 3
            //   889dec000000         | dec                 esp
            //   c785f0000000b7452854     | cmp    eax, ebx
            //   c785f4000000b9522c41     | jb    0xfffffff3
            //   8995f8000000         | inc                 esp
            //   8b85f0000000         | cmp                 ecx, edx
            //   8a85ec000000         | mov                 edx, 0x244920ff

        $sequence_8 = { 8d5101 41b82c819712 e8???????? 488bc8 eb2b 488b8928060000 4885c9 }
            // n = 7, score = 100
            //   8d5101               | mov                 ecx, esi
            //   41b82c819712         | mov                 byte ptr [esp + 0x30], bl
            //   e8????????           |                     
            //   488bc8               | mov                 dword ptr [esp + 0x34], 0x601d6b7d
            //   eb2b                 | dec                 eax
            //   488b8928060000       | mov                 dword ptr [ebp - 0x68], eax
            //   4885c9               | jmp                 0xa

        $sequence_9 = { 885c2420 c744242493f7332b c7442428d5b6783d c744242c8ae85659 }
            // n = 4, score = 100
            //   885c2420             | mov                 dword ptr [ebp + 0xf0], 0x542845b7
            //   c744242493f7332b     | mov                 dword ptr [ebp + 0xf4], 0x412c52b9
            //   c7442428d5b6783d     | mov                 dword ptr [ebp + 0xf8], edx
            //   c744242c8ae85659     | mov                 eax, dword ptr [ebp + 0xf0]

        $sequence_10 = { 4d8b06 488bd0 488bcd e8???????? }
            // n = 4, score = 100
            //   4d8b06               | cmp                 word ptr [esi], ax
            //   488bd0               | jne                 0x158
            //   488bcd               | dec                 ebp
            //   e8????????           |                     

        $sequence_11 = { 41ffd2 4889442428 488bd8 4885c0 0f8407010000 }
            // n = 5, score = 100
            //   41ffd2               | dec                 eax
            //   4889442428           | mov                 dword ptr [ebp - 0x68], edi
            //   488bd8               | dec                 eax
            //   4885c0               | lea                 eax, [ebp + 0xc0]
            //   0f8407010000         | inc                 ecx

        $sequence_12 = { 75ed 8bce e8???????? 488905???????? 885c2430 c74424347d6b1d60 }
            // n = 6, score = 100
            //   75ed                 | mov                 al, byte ptr [ebp + 0xec]
            //   8bce                 | inc                 ecx
            //   e8????????           |                     
            //   488905????????       |                     
            //   885c2430             | push                esi
            //   c74424347d6b1d60     | inc                 ecx

        $sequence_13 = { eb2e 4d8b8028010000 4d85c0 7522 418d5001 33c9 }
            // n = 6, score = 100
            //   eb2e                 | arpl                word ptr [edi + 0x302], dx
            //   4d8b8028010000       | mov                 byte ptr [esp + 0x20], bl
            //   4d85c0               | mov                 dword ptr [esp + 0x24], 0x2b33f793
            //   7522                 | mov                 dword ptr [esp + 0x28], 0x3d78b6d5
            //   418d5001             | mov                 dword ptr [esp + 0x2c], 0x5956e88a
            //   33c9                 | jne                 0xffffffef

        $sequence_14 = { 48894598 eb04 48897d98 488d85c0000000 }
            // n = 4, score = 100
            //   48894598             | push                edi
            //   eb04                 | dec                 eax
            //   48897d98             | sub                 esp, 0x20
            //   488d85c0000000       | inc                 esp

        $sequence_15 = { 41b800800000 ffd0 488d9500040000 4489bd00040000 488d0d86abffff e8???????? 4439bd00040000 }
            // n = 7, score = 100
            //   41b800800000         | mov                 edi, dword ptr [ecx + 2]
            //   ffd0                 | mov                 dword ptr [ebp + 0x3d8], 0x70b2fb9a
            //   488d9500040000       | mov                 dword ptr [ebp + 0x3dc], 0x2eedf3d1
            //   4489bd00040000       | mov                 dword ptr [ebp + 0x3e0], edx
            //   488d0d86abffff       | mov                 eax, dword ptr [ebp + 0x3d4]
            //   e8????????           |                     
            //   4439bd00040000       | mov                 eax, 0x5a4d

    condition:
        // Any 7 of the 16 $sequence_* strings must be present, and the scanned
        // object must be smaller than 99328 bytes (97 KiB). Every string counts
        // the same here; the "score" values in the comments above have no
        // effect on matching. Larger files (e.g. a dump of a whole process
        // region) will not match regardless of content because of the
        // filesize bound.
        7 of them and filesize < 99328
}