SYMBOLCOMMON_NAMEaka. SYNONYMS
win.photoloader (Back to overview)

PhotoLoader

A loader used to deliver IcedID, fetching a fake image from which payloads are extracted.

References
2022-05-11InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20220511:ta578:0a0a686, author = {Brad Duncan}, title = {{TA578 using thread-hijacked emails to push ISO files for Bumblebee malware}}, date = {2022-05-11}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/28636}, language = {English}, urldate = {2022-05-11} } TA578 using thread-hijacked emails to push ISO files for Bumblebee malware
BumbleBee Cobalt Strike IcedID PhotoLoader
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20220509:ransomwareasaservice:13ec472, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker
2022-05-04Twitter (@felixw3000)Felix
@online{felix:20220504:twitter:0fb7e35, author = {Felix}, title = {{Twitter Thread with info on infection chain with IcedId, Cobalt Strike, and Hidden VNC.}}, date = {2022-05-04}, organization = {Twitter (@felixw3000)}, url = {https://twitter.com/felixw3000/status/1521816045769662468}, language = {English}, urldate = {2022-05-09} } Twitter Thread with info on infection chain with IcedId, Cobalt Strike, and Hidden VNC.
Cobalt Strike IcedID PhotoLoader
2022-04-28SymantecKarthikeyan C Kasiviswanathan, Vishal Kamble
@online{kasiviswanathan:20220428:ransomware:95feafb, author = {Karthikeyan C Kasiviswanathan and Vishal Kamble}, title = {{Ransomware: How Attackers are Breaching Corporate Networks}}, date = {2022-04-28}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker}, language = {English}, urldate = {2022-05-04} } Ransomware: How Attackers are Breaching Corporate Networks
AvosLocker Conti Emotet Hive IcedID PhotoLoader QakBot TrickBot
2022-03-31TrellixJohn Fokker, Jambul Tologonov
@online{fokker:20220331:conti:3bc2974, author = {John Fokker and Jambul Tologonov}, title = {{Conti Leaks: Examining the Panama Papers of Ransomware}}, date = {2022-03-31}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html}, language = {English}, urldate = {2022-04-07} } Conti Leaks: Examining the Panama Papers of Ransomware
LockBit Amadey Buer Conti IcedID LockBit Mailto Maze PhotoLoader Ryuk TrickBot
2022-03-28IntezerJoakim Kennedy, Ryan Robinson
@online{kennedy:20220328:new:cede4da, author = {Joakim Kennedy and Ryan Robinson}, title = {{New Conversation Hijacking Campaign Delivering IcedID}}, date = {2022-03-28}, organization = {Intezer}, url = {https://www.intezer.com/blog/research/conversation-hijacking-campaign-delivering-icedid/}, language = {English}, urldate = {2022-04-05} } New Conversation Hijacking Campaign Delivering IcedID
IcedID PhotoLoader
2022-02-22eSentireeSentire Threat Response Unit (TRU)
@online{tru:20220222:icedid:67f870d, author = {eSentire Threat Response Unit (TRU)}, title = {{IcedID to Cobalt Strike In Under 20 Minutes}}, date = {2022-02-22}, organization = {eSentire}, url = {https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes}, language = {English}, urldate = {2022-05-23} } IcedID to Cobalt Strike In Under 20 Minutes
Cobalt Strike IcedID PhotoLoader
2020-04-28Random REJason Reaves
@online{reaves:20200428:icedid:9b7de2f, author = {Jason Reaves}, title = {{IcedID PhotoLoader evolution}}, date = {2020-04-28}, organization = {Random RE}, url = {https://sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html}, language = {English}, urldate = {2022-03-23} } IcedID PhotoLoader evolution
PhotoLoader
Yara Rules
[TLP:WHITE] win_photoloader_auto (20220411 | Detects win.photoloader.)
rule win_photoloader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.photoloader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.photoloader"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 4c8d9c2440010000 4898 498b7318 4803c3 }
            // n = 4, score = 300
            //   4c8d9c2440010000     | dec                 eax
            //   4898                 | lea                 edx, dword ptr [ebp + 0x60]
            //   498b7318             | inc                 esp
            //   4803c3               | mov                 dword ptr [ebp + 0x60], esi

        $sequence_1 = { e8???????? 488d5560 44897560 488d4c2440 488bd8 ff15???????? }
            // n = 6, score = 300
            //   e8????????           |                     
            //   488d5560             | dec                 eax
            //   44897560             | inc                 edx
            //   488d4c2440           | dec                 ecx
            //   488bd8               | sub                 eax, 1
            //   ff15????????         |                     

        $sequence_2 = { 488d542448 33c9 ffd5 83f86f }
            // n = 4, score = 300
            //   488d542448           | dec                 eax
            //   33c9                 | sub                 esi, edx
            //   ffd5                 | mov                 cl, byte ptr [edx]
            //   83f86f               | mov                 byte ptr [esi + edx], cl

        $sequence_3 = { 488bc8 ff15???????? 4885f6 0f8463ffffff }
            // n = 4, score = 300
            //   488bc8               | dec                 eax
            //   ff15????????         |                     
            //   4885f6               | lea                 ecx, dword ptr [esp + 0x40]
            //   0f8463ffffff         | dec                 eax

        $sequence_4 = { 488bc8 ff15???????? 488bf8 4885c0 0f84b8000000 448bcb }
            // n = 6, score = 300
            //   488bc8               | dec                 eax
            //   ff15????????         |                     
            //   488bf8               | lea                 edx, dword ptr [esp + 0x48]
            //   4885c0               | xor                 ecx, ecx
            //   0f84b8000000         | call                ebp
            //   448bcb               | cmp                 eax, 0x6f

        $sequence_5 = { 4d85c0 7411 482bf2 8a0a 880c16 48ffc2 4983e801 }
            // n = 7, score = 300
            //   4d85c0               | jne                 0xb
            //   7411                 | cmp                 byte ptr [ebx + 0x1c1], 0x2e
            //   482bf2               | je                  0x39
            //   8a0a                 | mov                 ecx, dword ptr [ebx + 0x194]
            //   880c16               | dec                 ebp
            //   48ffc2               | test                eax, eax
            //   4983e801             | je                  0x13

        $sequence_6 = { 03c6 894758 b801000000 488b5c2430 488b742438 4883c420 }
            // n = 6, score = 300
            //   03c6                 | add                 eax, esi
            //   894758               | mov                 dword ptr [edi + 0x58], eax
            //   b801000000           | mov                 eax, 1
            //   488b5c2430           | dec                 eax
            //   488b742438           | mov                 ebx, dword ptr [esp + 0x30]
            //   4883c420             | dec                 eax

        $sequence_7 = { 488bdf 80bbc001000030 7509 80bbc10100002e 742e 8b8b94010000 }
            // n = 6, score = 300
            //   488bdf               | mov                 esi, dword ptr [esp + 0x38]
            //   80bbc001000030       | dec                 eax
            //   7509                 | add                 esp, 0x20
            //   80bbc10100002e       | dec                 eax
            //   742e                 | mov                 ebx, edi
            //   8b8b94010000         | cmp                 byte ptr [ebx + 0x1c0], 0x30

        $sequence_8 = { 8a441c14 02c2 0fb6c0 8a440414 }
            // n = 4, score = 200
            //   8a441c14             | mov                 al, byte ptr [esp + ebx + 0x14]
            //   02c2                 | add                 al, dl
            //   0fb6c0               | movzx               eax, al
            //   8a440414             | mov                 al, byte ptr [esp + eax + 0x14]

        $sequence_9 = { 7466 03f7 803e2f 7506 807e012f 74e5 807e043a }
            // n = 7, score = 200
            //   7466                 | je                  0x68
            //   03f7                 | add                 esi, edi
            //   803e2f               | cmp                 byte ptr [esi], 0x2f
            //   7506                 | jne                 8
            //   807e012f             | cmp                 byte ptr [esi + 1], 0x2f
            //   74e5                 | je                  0xffffffe7
            //   807e043a             | cmp                 byte ptr [esi + 4], 0x3a

        $sequence_10 = { 0fb6d1 02c2 0fb6c0 89442410 }
            // n = 4, score = 200
            //   0fb6d1               | movzx               edx, cl
            //   02c2                 | add                 al, dl
            //   0fb6c0               | movzx               eax, al
            //   89442410             | mov                 dword ptr [esp + 0x10], eax

        $sequence_11 = { 8d5202 0fb702 8be8 6685c0 }
            // n = 4, score = 200
            //   8d5202               | lea                 edx, dword ptr [edx + 2]
            //   0fb702               | movzx               eax, word ptr [edx]
            //   8be8                 | mov                 ebp, eax
            //   6685c0               | test                ax, ax

        $sequence_12 = { 8b35???????? 6801200000 6a08 ff15???????? 50 ff15???????? }
            // n = 6, score = 200
            //   8b35????????         |                     
            //   6801200000           | push                0x2001
            //   6a08                 | push                8
            //   ff15????????         |                     
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_13 = { 81c420010000 c3 33c0 40 ebf0 }
            // n = 5, score = 200
            //   81c420010000         | add                 esp, 0x120
            //   c3                   | ret                 
            //   33c0                 | xor                 eax, eax
            //   40                   | inc                 eax
            //   ebf0                 | jmp                 0xfffffff2

        $sequence_14 = { b8bb010000 895de4 668945e8 83c40c 8b4508 c745ec01000000 }
            // n = 6, score = 200
            //   b8bb010000           | mov                 eax, 0x1bb
            //   895de4               | mov                 dword ptr [ebp - 0x1c], ebx
            //   668945e8             | mov                 word ptr [ebp - 0x18], ax
            //   83c40c               | add                 esp, 0xc
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   c745ec01000000       | mov                 dword ptr [ebp - 0x14], 1

        $sequence_15 = { 5d eb02 33c0 5e 5b 81c404010000 }
            // n = 6, score = 200
            //   5d                   | pop                 ebp
            //   eb02                 | jmp                 4
            //   33c0                 | xor                 eax, eax
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   81c404010000         | add                 esp, 0x104

    condition:
        7 of them and filesize < 81920
}
Download all Yara Rules