SYMBOLCOMMON_NAMEaka. SYNONYMS
win.photoloader (Back to overview)

PhotoLoader

A loader used to deliver IcedID, fetching a fake image from which payloads are extracted.

References
2022-10-07Team CymruS2 Research Team
@online{team:20221007:visualizza:0ed3fe8, author = {S2 Research Team}, title = {{A Visualizza into Recent IcedID Campaigns: Reconstructing Threat Actor Metrics with Pure Signal™ Recon}}, date = {2022-10-07}, organization = {Team Cymru}, url = {https://www.team-cymru.com/post/a-visualizza-into-recent-icedid-campaigns}, language = {English}, urldate = {2022-10-10} } A Visualizza into Recent IcedID Campaigns: Reconstructing Threat Actor Metrics with Pure Signal™ Recon
IcedID PhotoLoader
2022-09-27Palo Alto Networks Unit 42Mark Lim
@online{lim:20220927:more:5992cc3, author = {Mark Lim}, title = {{More Than Meets the Eye: Exposing a Polyglot File That Delivers IcedID}}, date = {2022-09-27}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/polyglot-file-icedid-payload/}, language = {English}, urldate = {2022-09-30} } More Than Meets the Eye: Exposing a Polyglot File That Delivers IcedID
PhotoLoader
2022-07-07FortinetErin Lin
@online{lin:20220707:notable:71d2df3, author = {Erin Lin}, title = {{Notable Droppers Emerge in Recent Threat Campaigns}}, date = {2022-07-07}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/notable-droppers-emerge-in-recent-threat-campaigns}, language = {English}, urldate = {2022-07-15} } Notable Droppers Emerge in Recent Threat Campaigns
BumbleBee Emotet PhotoLoader QakBot
2022-05-11InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20220511:ta578:0a0a686, author = {Brad Duncan}, title = {{TA578 using thread-hijacked emails to push ISO files for Bumblebee malware}}, date = {2022-05-11}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/28636}, language = {English}, urldate = {2022-05-11} } TA578 using thread-hijacked emails to push ISO files for Bumblebee malware
BumbleBee Cobalt Strike IcedID PhotoLoader
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20220509:ransomwareasaservice:13ec472, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-05-04Twitter (@felixw3000)Felix
@online{felix:20220504:twitter:0fb7e35, author = {Felix}, title = {{Twitter Thread with info on infection chain with IcedId, Cobalt Strike, and Hidden VNC.}}, date = {2022-05-04}, organization = {Twitter (@felixw3000)}, url = {https://twitter.com/felixw3000/status/1521816045769662468}, language = {English}, urldate = {2022-05-09} } Twitter Thread with info on infection chain with IcedId, Cobalt Strike, and Hidden VNC.
Cobalt Strike IcedID PhotoLoader
2022-04-28SymantecKarthikeyan C Kasiviswanathan, Vishal Kamble
@online{kasiviswanathan:20220428:ransomware:95feafb, author = {Karthikeyan C Kasiviswanathan and Vishal Kamble}, title = {{Ransomware: How Attackers are Breaching Corporate Networks}}, date = {2022-04-28}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker}, language = {English}, urldate = {2022-05-04} } Ransomware: How Attackers are Breaching Corporate Networks
AvosLocker Conti Emotet Hive IcedID PhotoLoader QakBot TrickBot
2022-03-31TrellixJohn Fokker, Jambul Tologonov
@online{fokker:20220331:conti:3bc2974, author = {John Fokker and Jambul Tologonov}, title = {{Conti Leaks: Examining the Panama Papers of Ransomware}}, date = {2022-03-31}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html}, language = {English}, urldate = {2022-04-07} } Conti Leaks: Examining the Panama Papers of Ransomware
LockBit Amadey Buer Conti IcedID LockBit Mailto Maze PhotoLoader Ryuk TrickBot
2022-03-28IntezerJoakim Kennedy, Ryan Robinson
@online{kennedy:20220328:new:cede4da, author = {Joakim Kennedy and Ryan Robinson}, title = {{New Conversation Hijacking Campaign Delivering IcedID}}, date = {2022-03-28}, organization = {Intezer}, url = {https://www.intezer.com/blog/research/conversation-hijacking-campaign-delivering-icedid/}, language = {English}, urldate = {2022-04-05} } New Conversation Hijacking Campaign Delivering IcedID
IcedID PhotoLoader
2022-02-22eSentireeSentire Threat Response Unit (TRU)
@online{tru:20220222:icedid:67f870d, author = {eSentire Threat Response Unit (TRU)}, title = {{IcedID to Cobalt Strike In Under 20 Minutes}}, date = {2022-02-22}, organization = {eSentire}, url = {https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes}, language = {English}, urldate = {2022-05-23} } IcedID to Cobalt Strike In Under 20 Minutes
Cobalt Strike IcedID PhotoLoader
2021-04-13Silent PushMartijn Grooten
@online{grooten:20210413:malicious:094869a, author = {Martijn Grooten}, title = {{Malicious infrastructure as a service}}, date = {2021-04-13}, organization = {Silent Push}, url = {https://www.silentpush.com/blog/malicious-infrastructure-as-a-service}, language = {English}, urldate = {2022-06-09} } Malicious infrastructure as a service
IcedID PhotoLoader QakBot
2021-03-31Silent PushMartijn Grooten
@online{grooten:20210331:icedid:42c6051, author = {Martijn Grooten}, title = {{IcedID Command and Control Infrastructure}}, date = {2021-03-31}, organization = {Silent Push}, url = {https://www.silentpush.com/blog/icedid-command-and-control-infrastructure}, language = {English}, urldate = {2022-06-09} } IcedID Command and Control Infrastructure
IcedID PhotoLoader
2021AWAKEAwake Security
@online{security:2021:breaking:3bdfe99, author = {Awake Security}, title = {{Breaking the Ice: Detecting IcedID and Cobalt Strike Beacon with Network Detection and Response (NDR)}}, date = {2021}, organization = {AWAKE}, url = {https://awakesecurity.com/blog/detecting-icedid-and-cobalt-strike-beacon-with-network-detection-and-response/}, language = {English}, urldate = {2022-06-09} } Breaking the Ice: Detecting IcedID and Cobalt Strike Beacon with Network Detection and Response (NDR)
Cobalt Strike IcedID PhotoLoader
2020-04-28Random REJason Reaves
@online{reaves:20200428:icedid:9b7de2f, author = {Jason Reaves}, title = {{IcedID PhotoLoader evolution}}, date = {2020-04-28}, organization = {Random RE}, url = {https://sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html}, language = {English}, urldate = {2022-03-23} } IcedID PhotoLoader evolution
PhotoLoader
Yara Rules
[TLP:WHITE] win_photoloader_auto (20230125 | Detects win.photoloader.)
rule win_photoloader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.photoloader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.photoloader"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c0c003 0fb6c8 8bc1 83e10f }
            // n = 4, score = 1100
            //   c0c003               | rol                 al, 3
            //   0fb6c8               | movzx               ecx, al
            //   8bc1                 | mov                 eax, ecx
            //   83e10f               | and                 ecx, 0xf

        $sequence_1 = { ff15???????? 85c0 744c 0fb64301 }
            // n = 4, score = 900
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   744c                 | je                  0x4e
            //   0fb64301             | movzx               eax, byte ptr [ebx + 1]

        $sequence_2 = { 0fa2 894704 33c9 b800000040 0fa2 895f0c e8???????? }
            // n = 7, score = 900
            //   0fa2                 | cpuid               
            //   894704               | mov                 dword ptr [edi + 4], eax
            //   33c9                 | xor                 ecx, ecx
            //   b800000040           | mov                 eax, 0x40000000
            //   0fa2                 | cpuid               
            //   895f0c               | mov                 dword ptr [edi + 0xc], ebx
            //   e8????????           |                     

        $sequence_3 = { 33c9 b801000000 0fa2 89442420 895c2424 894c2428 8954242c }
            // n = 7, score = 900
            //   33c9                 | xor                 ecx, ecx
            //   b801000000           | mov                 eax, 1
            //   0fa2                 | cpuid               
            //   89442420             | mov                 dword ptr [esp + 0x20], eax
            //   895c2424             | mov                 dword ptr [esp + 0x24], ebx
            //   894c2428             | mov                 dword ptr [esp + 0x28], ecx
            //   8954242c             | mov                 dword ptr [esp + 0x2c], edx

        $sequence_4 = { 33ff 8bf7 8d6f10 ff15???????? }
            // n = 4, score = 900
            //   33ff                 | xor                 edi, edi
            //   8bf7                 | mov                 esi, edi
            //   8d6f10               | lea                 ebp, [edi + 0x10]
            //   ff15????????         |                     

        $sequence_5 = { ff15???????? 85c0 0f85d2000000 ff15???????? 83f87a 0f85c3000000 8b457f }
            // n = 7, score = 900
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f85d2000000         | jne                 0xd8
            //   ff15????????         |                     
            //   83f87a               | cmp                 eax, 0x7a
            //   0f85c3000000         | jne                 0xc9
            //   8b457f               | mov                 eax, dword ptr [ebp + 0x7f]

        $sequence_6 = { f7411400000020 7407 8b41f8 3901 7714 }
            // n = 5, score = 900
            //   f7411400000020       | test                dword ptr [ecx + 0x14], 0x20000000
            //   7407                 | je                  9
            //   8b41f8               | mov                 eax, dword ptr [ecx - 8]
            //   3901                 | cmp                 dword ptr [ecx], eax
            //   7714                 | ja                  0x16

        $sequence_7 = { 0f85c3000000 8b457f 85c0 0f84b8000000 8bd8 ff15???????? }
            // n = 6, score = 900
            //   0f85c3000000         | jne                 0xc9
            //   8b457f               | mov                 eax, dword ptr [ebp + 0x7f]
            //   85c0                 | test                eax, eax
            //   0f84b8000000         | je                  0xbe
            //   8bd8                 | mov                 ebx, eax
            //   ff15????????         |                     

        $sequence_8 = { 50 55 8bda ff15???????? }
            // n = 4, score = 200
            //   50                   | pop                 ecx
            //   55                   | cmp                 word ptr [esp + 0x14], cx
            //   8bda                 | push                eax
            //   ff15????????         |                     

        $sequence_9 = { 51 ffd0 33c0 6a09 59 66394c2414 }
            // n = 6, score = 200
            //   51                   | mov                 eax, ecx
            //   ffd0                 | and                 ecx, 0xf
            //   33c0                 | push                ecx
            //   6a09                 | call                eax
            //   59                   | xor                 eax, eax
            //   66394c2414           | push                9

        $sequence_10 = { 8d7c2414 03f0 6a09 58 }
            // n = 4, score = 200
            //   8d7c2414             | test                bl, bl
            //   03f0                 | je                  0x21
            //   6a09                 | lea                 edi, [esp + 0x14]
            //   58                   | add                 esi, eax

        $sequence_11 = { 8bc3 8b7608 2bf7 fec3 0fb6db }
            // n = 5, score = 200
            //   8bc3                 | test                eax, eax
            //   8b7608               | je                  0xd0
            //   2bf7                 | mov                 eax, ebx
            //   fec3                 | mov                 esi, dword ptr [esi + 8]
            //   0fb6db               | sub                 esi, edi

        $sequence_12 = { ffd6 03f8 83c420 8d0c7b e8???????? 03f8 8d0c7b }
            // n = 7, score = 200
            //   ffd6                 | inc                 bl
            //   03f8                 | movzx               ebx, bl
            //   83c420               | call                esi
            //   8d0c7b               | add                 edi, eax
            //   e8????????           |                     
            //   03f8                 | add                 esp, 0x20
            //   8d0c7b               | lea                 ecx, [ebx + edi*2]

        $sequence_13 = { 68???????? ff15???????? 50 ff15???????? 8bf8 85ff 7445 }
            // n = 7, score = 200
            //   68????????           |                     
            //   ff15????????         |                     
            //   50                   | add                 edi, eax
            //   ff15????????         |                     
            //   8bf8                 | lea                 ecx, [ebx + edi*2]
            //   85ff                 | push                eax
            //   7445                 | mov                 edi, eax

        $sequence_14 = { 7423 8b55f4 85d2 741c 84db 741f }
            // n = 6, score = 200
            //   7423                 | test                edi, edi
            //   8b55f4               | je                  0x47
            //   85d2                 | je                  0x25
            //   741c                 | mov                 edx, dword ptr [ebp - 0xc]
            //   84db                 | test                edx, edx
            //   741f                 | je                  0x1e

    condition:
        7 of them and filesize < 98304
}
Download all Yara Rules