SYMBOLCOMMON_NAMEaka. SYNONYMS
win.photoloader (Back to overview)

PhotoLoader

A loader used to deliver IcedID, fetching a fake image from which payloads are extracted.

References
2022-09-27Palo Alto Networks Unit 42Mark Lim
@online{lim:20220927:more:5992cc3, author = {Mark Lim}, title = {{More Than Meets the Eye: Exposing a Polyglot File That Delivers IcedID}}, date = {2022-09-27}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/polyglot-file-icedid-payload/}, language = {English}, urldate = {2022-09-30} } More Than Meets the Eye: Exposing a Polyglot File That Delivers IcedID
PhotoLoader
2022-07-07FortinetErin Lin
@online{lin:20220707:notable:71d2df3, author = {Erin Lin}, title = {{Notable Droppers Emerge in Recent Threat Campaigns}}, date = {2022-07-07}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/notable-droppers-emerge-in-recent-threat-campaigns}, language = {English}, urldate = {2022-07-15} } Notable Droppers Emerge in Recent Threat Campaigns
BumbleBee Emotet PhotoLoader QakBot
2022-05-11InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20220511:ta578:0a0a686, author = {Brad Duncan}, title = {{TA578 using thread-hijacked emails to push ISO files for Bumblebee malware}}, date = {2022-05-11}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/28636}, language = {English}, urldate = {2022-05-11} } TA578 using thread-hijacked emails to push ISO files for Bumblebee malware
BumbleBee Cobalt Strike IcedID PhotoLoader
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20220509:ransomwareasaservice:13ec472, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-05-04Twitter (@felixw3000)Felix
@online{felix:20220504:twitter:0fb7e35, author = {Felix}, title = {{Twitter Thread with info on infection chain with IcedId, Cobalt Strike, and Hidden VNC.}}, date = {2022-05-04}, organization = {Twitter (@felixw3000)}, url = {https://twitter.com/felixw3000/status/1521816045769662468}, language = {English}, urldate = {2022-05-09} } Twitter Thread with info on infection chain with IcedId, Cobalt Strike, and Hidden VNC.
Cobalt Strike IcedID PhotoLoader
2022-04-28SymantecKarthikeyan C Kasiviswanathan, Vishal Kamble
@online{kasiviswanathan:20220428:ransomware:95feafb, author = {Karthikeyan C Kasiviswanathan and Vishal Kamble}, title = {{Ransomware: How Attackers are Breaching Corporate Networks}}, date = {2022-04-28}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker}, language = {English}, urldate = {2022-05-04} } Ransomware: How Attackers are Breaching Corporate Networks
AvosLocker Conti Emotet Hive IcedID PhotoLoader QakBot TrickBot
2022-03-31TrellixJohn Fokker, Jambul Tologonov
@online{fokker:20220331:conti:3bc2974, author = {John Fokker and Jambul Tologonov}, title = {{Conti Leaks: Examining the Panama Papers of Ransomware}}, date = {2022-03-31}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html}, language = {English}, urldate = {2022-04-07} } Conti Leaks: Examining the Panama Papers of Ransomware
LockBit Amadey Buer Conti IcedID LockBit Mailto Maze PhotoLoader Ryuk TrickBot
2022-03-28IntezerJoakim Kennedy, Ryan Robinson
@online{kennedy:20220328:new:cede4da, author = {Joakim Kennedy and Ryan Robinson}, title = {{New Conversation Hijacking Campaign Delivering IcedID}}, date = {2022-03-28}, organization = {Intezer}, url = {https://www.intezer.com/blog/research/conversation-hijacking-campaign-delivering-icedid/}, language = {English}, urldate = {2022-04-05} } New Conversation Hijacking Campaign Delivering IcedID
IcedID PhotoLoader
2022-02-22eSentireeSentire Threat Response Unit (TRU)
@online{tru:20220222:icedid:67f870d, author = {eSentire Threat Response Unit (TRU)}, title = {{IcedID to Cobalt Strike In Under 20 Minutes}}, date = {2022-02-22}, organization = {eSentire}, url = {https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes}, language = {English}, urldate = {2022-05-23} } IcedID to Cobalt Strike In Under 20 Minutes
Cobalt Strike IcedID PhotoLoader
2021-04-13Silent PushMartijn Grooten
@online{grooten:20210413:malicious:094869a, author = {Martijn Grooten}, title = {{Malicious infrastructure as a service}}, date = {2021-04-13}, organization = {Silent Push}, url = {https://www.silentpush.com/blog/malicious-infrastructure-as-a-service}, language = {English}, urldate = {2022-06-09} } Malicious infrastructure as a service
IcedID PhotoLoader QakBot
2021-03-31Silent PushMartijn Grooten
@online{grooten:20210331:icedid:42c6051, author = {Martijn Grooten}, title = {{IcedID Command and Control Infrastructure}}, date = {2021-03-31}, organization = {Silent Push}, url = {https://www.silentpush.com/blog/icedid-command-and-control-infrastructure}, language = {English}, urldate = {2022-06-09} } IcedID Command and Control Infrastructure
IcedID PhotoLoader
2021AWAKEAwake Security
@online{security:2021:breaking:3bdfe99, author = {Awake Security}, title = {{Breaking the Ice: Detecting IcedID and Cobalt Strike Beacon with Network Detection and Response (NDR)}}, date = {2021}, organization = {AWAKE}, url = {https://awakesecurity.com/blog/detecting-icedid-and-cobalt-strike-beacon-with-network-detection-and-response/}, language = {English}, urldate = {2022-06-09} } Breaking the Ice: Detecting IcedID and Cobalt Strike Beacon with Network Detection and Response (NDR)
Cobalt Strike IcedID PhotoLoader
2020-04-28Random REJason Reaves
@online{reaves:20200428:icedid:9b7de2f, author = {Jason Reaves}, title = {{IcedID PhotoLoader evolution}}, date = {2020-04-28}, organization = {Random RE}, url = {https://sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html}, language = {English}, urldate = {2022-03-23} } IcedID PhotoLoader evolution
PhotoLoader
Yara Rules
[TLP:WHITE] win_photoloader_auto (20220808 | Detects win.photoloader.)
rule win_photoloader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.photoloader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.photoloader"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c0c003 0fb6c8 8bc1 83e10f }
            // n = 4, score = 1000
            //   c0c003               | rol                 al, 3
            //   0fb6c8               | movzx               ecx, al
            //   8bc1                 | mov                 eax, ecx
            //   83e10f               | and                 ecx, 0xf

        $sequence_1 = { 895c2424 894c2428 8954242c 0f31 }
            // n = 4, score = 800
            //   895c2424             | mov                 dword ptr [esp + 0x24], ebx
            //   894c2428             | mov                 dword ptr [esp + 0x28], ecx
            //   8954242c             | mov                 dword ptr [esp + 0x2c], edx
            //   0f31                 | rdtsc               

        $sequence_2 = { 0fa2 894704 33c9 b800000040 0fa2 }
            // n = 5, score = 800
            //   0fa2                 | cpuid               
            //   894704               | mov                 dword ptr [edi + 4], eax
            //   33c9                 | xor                 ecx, ecx
            //   b800000040           | mov                 eax, 0x40000000
            //   0fa2                 | cpuid               

        $sequence_3 = { 0f85c3000000 8b457f 85c0 0f84b8000000 8bd8 }
            // n = 5, score = 800
            //   0f85c3000000         | jne                 0xc9
            //   8b457f               | mov                 eax, dword ptr [ebp + 0x7f]
            //   85c0                 | test                eax, eax
            //   0f84b8000000         | je                  0xbe
            //   8bd8                 | mov                 ebx, eax

        $sequence_4 = { 25ffffff00 0d00000005 e9???????? 8bd7 397b1c }
            // n = 5, score = 800
            //   25ffffff00           | and                 eax, 0xffffff
            //   0d00000005           | or                  eax, 0x5000000
            //   e9????????           |                     
            //   8bd7                 | mov                 edx, edi
            //   397b1c               | cmp                 dword ptr [ebx + 0x1c], edi

        $sequence_5 = { 33c9 b801000000 0fa2 89442420 895c2424 894c2428 }
            // n = 6, score = 800
            //   33c9                 | xor                 ecx, ecx
            //   b801000000           | mov                 eax, 1
            //   0fa2                 | cpuid               
            //   89442420             | mov                 dword ptr [esp + 0x20], eax
            //   895c2424             | mov                 dword ptr [esp + 0x24], ebx
            //   894c2428             | mov                 dword ptr [esp + 0x28], ecx

        $sequence_6 = { 0f85d2000000 ff15???????? 83f87a 0f85c3000000 8b457f }
            // n = 5, score = 800
            //   0f85d2000000         | jne                 0xd8
            //   ff15????????         |                     
            //   83f87a               | cmp                 eax, 0x7a
            //   0f85c3000000         | jne                 0xc9
            //   8b457f               | mov                 eax, dword ptr [ebp + 0x7f]

        $sequence_7 = { ffd0 ff15???????? 25ffffff00 0fbae81b }
            // n = 4, score = 800
            //   ffd0                 | call                eax
            //   ff15????????         |                     
            //   25ffffff00           | and                 eax, 0xffffff
            //   0fbae81b             | bts                 eax, 0x1b

        $sequence_8 = { 7709 5f 8bce 5e e9???????? }
            // n = 5, score = 200
            //   7709                 | ja                  0xb
            //   5f                   | pop                 edi
            //   8bce                 | mov                 ecx, esi
            //   5e                   | pop                 esi
            //   e9????????           |                     

        $sequence_9 = { 8bc6 5e 5b c3 0fb702 53 }
            // n = 6, score = 200
            //   8bc6                 | mov                 eax, esi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   0fb702               | movzx               eax, word ptr [edx]
            //   53                   | push                ebx

        $sequence_10 = { 33c9 0fa2 894500 33c0 895d04 40 894d08 }
            // n = 7, score = 200
            //   33c9                 | xor                 ecx, ecx
            //   0fa2                 | cpuid               
            //   894500               | mov                 dword ptr [ebp], eax
            //   33c0                 | xor                 eax, eax
            //   895d04               | mov                 dword ptr [ebp + 4], ebx
            //   40                   | inc                 eax
            //   894d08               | mov                 dword ptr [ebp + 8], ecx

        $sequence_11 = { 0f31 2bc6 1b542424 03e8 13da 895c2410 ff542420 }
            // n = 7, score = 200
            //   0f31                 | rdtsc               
            //   2bc6                 | sub                 eax, esi
            //   1b542424             | sbb                 edx, dword ptr [esp + 0x24]
            //   03e8                 | add                 ebp, eax
            //   13da                 | adc                 ebx, edx
            //   895c2410             | mov                 dword ptr [esp + 0x10], ebx
            //   ff542420             | call                dword ptr [esp + 0x20]

        $sequence_12 = { 56 57 8d442410 bf00010000 }
            // n = 4, score = 200
            //   56                   | push                esi
            //   57                   | push                edi
            //   8d442410             | lea                 eax, [esp + 0x10]
            //   bf00010000           | mov                 edi, 0x100

        $sequence_13 = { 55 68???????? 8d047b 50 ffd6 ff742448 03f8 }
            // n = 7, score = 200
            //   55                   | push                ebp
            //   68????????           |                     
            //   8d047b               | lea                 eax, [ebx + edi*2]
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   ff742448             | push                dword ptr [esp + 0x48]
            //   03f8                 | add                 edi, eax

        $sequence_14 = { 833b00 0f8580000000 8364242000 8d4c2410 }
            // n = 4, score = 200
            //   833b00               | cmp                 dword ptr [ebx], 0
            //   0f8580000000         | jne                 0x86
            //   8364242000           | and                 dword ptr [esp + 0x20], 0
            //   8d4c2410             | lea                 ecx, [esp + 0x10]

    condition:
        7 of them and filesize < 98304
}
Download all Yara Rules