win.photoloader

PhotoLoader

aka: GZIPLOADER

PhotoLoader (also tracked as GZIPLOADER) is the first-stage loader used to deliver IcedID. After contacting its download server it retrieves a file that masquerades as an image (a polyglot file, per several of the references below), carves the IcedID payload out of that fake image and hands execution to it.

References
2024-04-01 | The DFIR Report | The DFIR Report
  From OneNote to RansomNote: An Ice Cold Intrusion
  Tagged families: Cobalt Strike, IcedID, Nokoyawa Ransomware, PhotoLoader

2024-01-09 | 0x0d4y | 0x0d4y
  IcedID – Technical Malware Analysis [Second Stage]
  Tagged families: IcedID, PhotoLoader

2023-07-04 | Leandro Froes
  Reversing a recent IcedID Crypter
  Tagged families: PhotoLoader

2023-06-27 | SecurityIntelligence | Charlotte Hammond, Ole Villadsen
  The Trickbot/Conti Crypters: Where Are They Now?
  Tagged families: Black Basta, Conti, Mount Locker, PhotoLoader, Royal Ransom, SystemBC, TrickBot

2023-06-22 | DeepInstinct | Deep Instinct Threat Lab, Mark Vaitzman, Shaul Vilkomir-Preisman
  PindOS: New JavaScript Dropper Delivering Bumblebee and IcedID
  Tagged families: PindOS, BumbleBee, PhotoLoader

2023-05-30 | Palo Alto Networks Unit 42 | Brad Duncan
  Cold as Ice: Answers to Unit 42 Wireshark Quiz for IcedID
  Tagged families: IcedID, PhotoLoader

2023-05-22 | The DFIR Report | The DFIR Report
  IcedID Macro Ends in Nokoyawa Ransomware
  Tagged families: IcedID, Nokoyawa Ransomware, PhotoLoader

2023-05-04 | Elastic | Cyril François
  Unpacking ICEDID
  Tagged families: IcedID, PhotoLoader

2023-05-03 | Youtube (Guided Hacking) | Guided Hacking
  PolyGlot Malware Analysis - IcedID Stager
  Tagged families: PhotoLoader

2023-05-03 | unpac.me | Sean Wilson
  UnpacMe Weekly: New Version of IcedId Loader
  Tagged families: IcedID, PhotoLoader

2023-05-03 | Palo Alto Networks Unit 42 | Bob Jung, Daniel Raygoza, Mark Lim
  Teasing the Secrets From Threat Actors: Malware Configuration Parsing at Scale
  Tagged families: IcedID, PhotoLoader

2023-04-28 | DISCARDED Podcast | Joe Wise, Pim Trouerbach
  Beyond Banking: IcedID Gets Forked
  Tagged families: IcedID, PhotoLoader

2023-04-21 | Sophos | Colin Cowie, Paul Jaramillo
  IcedID: Defrosting a Recent Campaign Illustrating evolving tactics and shared infrastructure
  Tagged families: IcedID, PhotoLoader

2023-04-12 | InfoSec Handlers Diary Blog | Brad Duncan
  Recent IcedID (Bokbot) activity
  Tagged families: IcedID, PhotoLoader

2023-04-06 | OALabs | Sergei Frankoff
  PhotoLoader ICEDID
  Tagged families: PhotoLoader

2023-03-27 | Proofpoint | Joe Wise, Kelsey Merriman, Pim Trouerbach
  Fork in the Ice: The New Era of IcedID
  Tagged families: IcedID, PHOTOFORK, PHOTOLITE, PhotoLoader

2023-03-17 | Elastic | Cyril François, Daniel Stepanic
  Thawing the permafrost of ICEDID Summary
  Tagged families: IcedID, PhotoLoader

2023-02-24 | Team Cymru | Team Cymru
  Desde Chile con Malware (From Chile with Malware)
  Tagged families: IcedID, PhotoLoader

2023-01-19 | Cisco | Guilherme Venere
  Following the LNK metadata trail
  Tagged families: BumbleBee, PhotoLoader, QakBot

2022-10-27 | Microsoft | Microsoft Security Threat Intelligence
  Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity
  Tagged families: FAKEUPDATES, BumbleBee, Fauppod, PhotoLoader, Raspberry Robin, Roshtyak

2022-10-07 | Team Cymru | S2 Research Team
  A Visualizza into Recent IcedID Campaigns: Reconstructing Threat Actor Metrics with Pure Signal™ Recon
  Tagged families: IcedID, PhotoLoader

2022-09-27 | Palo Alto Networks Unit 42 | Mark Lim
  More Than Meets the Eye: Exposing a Polyglot File That Delivers IcedID
  Tagged families: PhotoLoader

2022-07-07 | Fortinet | Erin Lin
  Notable Droppers Emerge in Recent Threat Campaigns
  Tagged families: BumbleBee, Emotet, PhotoLoader, QakBot

2022-05-11 | InfoSec Handlers Diary Blog | Brad Duncan
  TA578 using thread-hijacked emails to push ISO files for Bumblebee malware
  Tagged families: BumbleBee, Cobalt Strike, IcedID, PhotoLoader

2022-05-09 | Microsoft | Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
  Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
  Tagged families: AnchorDNS, BlackCat, BlackMatter, Conti, DarkSide, HelloKitty, Hive, LockBit, REvil, FAKEUPDATES, Griffon, ATOMSILO, BazarBackdoor, BlackCat, BlackMatter, Blister, Cobalt Strike, Conti, DarkSide, Emotet, FiveHands, Gozi, HelloKitty, Hive, IcedID, ISFB, JSSLoader, LockBit, LockFile, Maze, NightSky, Pandora, Phobos, Phoenix Locker, PhotoLoader, QakBot, REvil, Rook, Ryuk, SystemBC, TrickBot, WastedLocker, BRONZE STARLIGHT

2022-05-04 | Twitter (@felixw3000) | Felix
  Twitter Thread with info on infection chain with IcedId, Cobalt Strike, and Hidden VNC.
  Tagged families: Cobalt Strike, IcedID, PhotoLoader

2022-04-28 | Symantec | Karthikeyan C Kasiviswanathan, Vishal Kamble
  Ransomware: How Attackers are Breaching Corporate Networks
  Tagged families: AvosLocker, Conti, Emotet, Hive, IcedID, PhotoLoader, QakBot, TrickBot

2022-03-31 | Trellix | Jambul Tologonov, John Fokker
  Conti Leaks: Examining the Panama Papers of Ransomware
  Tagged families: LockBit, Amadey, Buer, Conti, IcedID, LockBit, Mailto, Maze, PhotoLoader, Ryuk, TrickBot

2022-03-28 | Intezer | Joakim Kennedy, Ryan Robinson
  New Conversation Hijacking Campaign Delivering IcedID
  Tagged families: IcedID, PhotoLoader

2022-02-22 | eSentire | eSentire Threat Response Unit (TRU)
  IcedID to Cobalt Strike In Under 20 Minutes
  Tagged families: Cobalt Strike, IcedID, PhotoLoader

2021-04-13 | Silent Push | Martijn Grooten
  Malicious infrastructure as a service
  Tagged families: IcedID, PhotoLoader, QakBot

2021-03-31 | Silent Push | Martijn Grooten
  IcedID Command and Control Infrastructure
  Tagged families: IcedID, PhotoLoader

2021-01-01 | AWAKE | Awake Security
  Breaking the Ice: Detecting IcedID and Cobalt Strike Beacon with Network Detection and Response (NDR)
  Tagged families: Cobalt Strike, IcedID, PhotoLoader

2020-04-28 | Random RE | Jason Reaves
  IcedID PhotoLoader evolution
  Tagged families: PhotoLoader
Yara Rules
[TLP:WHITE] win_photoloader_auto (20241030 | Detects win.photoloader.)
rule win_photoloader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.photoloader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.photoloader"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0fa2 894704 33c9 b800000040 }
            // n = 4, score = 1600
            //   0fa2                 | cpuid               
            //   894704               | mov                 dword ptr [edi + 4], eax
            //   33c9                 | xor                 ecx, ecx
            //   b800000040           | mov                 eax, 0x40000000

        $sequence_1 = { b800000040 0fa2 895f0c e8???????? }
            // n = 4, score = 1600
            //   b800000040           | mov                 eax, 0x40000000
            //   0fa2                 | cpuid               
            //   895f0c               | mov                 dword ptr [edi + 0xc], ebx
            //   e8????????           |                     

        $sequence_2 = { f7411400000020 7407 8b41f8 3901 }
            // n = 4, score = 1600
            //   f7411400000020       | test                dword ptr [ecx + 0x14], 0x20000000
            //   7407                 | je                  9
            //   8b41f8               | mov                 eax, dword ptr [ecx - 8]
            //   3901                 | cmp                 dword ptr [ecx], eax

        $sequence_3 = { b801000000 0fa2 89442420 895c2424 894c2428 8954242c }
            // n = 6, score = 1600
            //   b801000000           | mov                 eax, 1
            //   0fa2                 | cpuid               
            //   89442420             | mov                 dword ptr [esp + 0x20], eax
            //   895c2424             | mov                 dword ptr [esp + 0x24], ebx
            //   894c2428             | mov                 dword ptr [esp + 0x28], ecx
            //   8954242c             | mov                 dword ptr [esp + 0x2c], edx

        $sequence_4 = { 25ffffff00 0d00000005 e9???????? 8bd7 397b1c 7640 8bc2 }
            // n = 7, score = 1600
            //   25ffffff00           | and                 eax, 0xffffff
            //   0d00000005           | or                  eax, 0x5000000
            //   e9????????           |                     
            //   8bd7                 | mov                 edx, edi
            //   397b1c               | cmp                 dword ptr [ebx + 0x1c], edi
            //   7640                 | jbe                 0x42
            //   8bc2                 | mov                 eax, edx

        $sequence_5 = { c0c003 0fb6c8 8bc1 83e10f }
            // n = 4, score = 1600
            //   c0c003               | rol                 al, 3
            //   0fb6c8               | movzx               ecx, al
            //   8bc1                 | mov                 eax, ecx
            //   83e10f               | and                 ecx, 0xf

        $sequence_6 = { 8bf7 8d6f10 ff15???????? 0f31 }
            // n = 4, score = 1600
            //   8bf7                 | mov                 esi, edi
            //   8d6f10               | lea                 ebp, [edi + 0x10]
            //   ff15????????         |                     
            //   0f31                 | rdtsc               

        $sequence_7 = { 488b5c2408 c3 0f31 4f8d1489 48c1e220 478b4cd308 480bc2 }
            // n = 7, score = 1500
            // (64-bit code; the comments below are the x86-64 disassembly)
            //   488b5c2408           | mov                 rbx, qword ptr [rsp + 8]
            //   c3                   | ret                 
            //   0f31                 | rdtsc               
            //   4f8d1489             | lea                 r10, [r9 + r9*4]
            //   48c1e220             | shl                 rdx, 0x20
            //   478b4cd308           | mov                 r9d, dword ptr [r11 + r10*8 + 8]
            //   480bc2               | or                  rax, rdx

        $sequence_8 = { ff15???????? 25ffffff00 0d00000007 eb4a }
            // n = 4, score = 1500
            //   ff15????????         |                     
            //   25ffffff00           | and                 eax, 0xffffff
            //   0d00000007           | or                  eax, 0x7000000
            //   eb4a                 | jmp                 0x4c

        $sequence_9 = { 7507 66c74424287800 8d442428 ba???????? }
            // n = 4, score = 200
            //   7507                 | jne                 9
            //   66c74424287800       | mov                 word ptr [esp + 0x28], 0x78
            //   8d442428             | lea                 eax, [esp + 0x28]
            //   ba????????           |                     

        $sequence_10 = { 85f6 7431 8b06 33ff 8bce 47 eb05 }
            // n = 7, score = 200
            //   85f6                 | test                esi, esi
            //   7431                 | je                  0x33
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   33ff                 | xor                 edi, edi
            //   8bce                 | mov                 ecx, esi
            //   47                   | inc                 edi
            //   eb05                 | jmp                 7

        $sequence_11 = { 8bf0 8d6c2410 33c9 b801000080 0fa2 894500 895d04 }
            // n = 7, score = 200
            //   8bf0                 | mov                 esi, eax
            //   8d6c2410             | lea                 ebp, [esp + 0x10]
            //   33c9                 | xor                 ecx, ecx
            //   b801000080           | mov                 eax, 0x80000001
            //   0fa2                 | cpuid               
            //   894500               | mov                 dword ptr [ebp], eax
            //   895d04               | mov                 dword ptr [ebp + 4], ebx

        $sequence_12 = { 741a 57 8bfb 8bc8 2bfa 66890c17 }
            // n = 6, score = 200
            //   741a                 | je                  0x1c
            //   57                   | push                edi
            //   8bfb                 | mov                 edi, ebx
            //   8bc8                 | mov                 ecx, eax
            //   2bfa                 | sub                 edi, edx
            //   66890c17             | mov                 word ptr [edi + edx], cx

        $sequence_13 = { ff15???????? 8bf0 85f6 746d 8d442418 50 8d442414 }
            // n = 7, score = 200
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   746d                 | je                  0x6f
            //   8d442418             | lea                 eax, [esp + 0x18]
            //   50                   | push                eax
            //   8d442414             | lea                 eax, [esp + 0x14]

        $sequence_14 = { ff542420 0f31 8bc8 8bf2 0f31 }
            // n = 5, score = 200
            //   ff542420             | call                dword ptr [esp + 0x20]
            //   0f31                 | rdtsc               
            //   8bc8                 | mov                 ecx, eax
            //   8bf2                 | mov                 esi, edx
            //   0f31                 | rdtsc               

        $sequence_15 = { e8???????? 03f8 8d0c7b e8???????? 8bc3 }
            // n = 5, score = 200
            //   e8????????           |                     
            //   03f8                 | add                 edi, eax
            //   8d0c7b               | lea                 ecx, [ebx + edi*2]
            //   e8????????           |                     
            //   8bc3                 | mov                 eax, ebx

    condition:
        7 of them and filesize < 107520
}
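The rule above is easier to tune when you can see which of its sixteen sequences a given file actually contains, since a "7 of them" condition hides that detail. The following Python script is an added example, not Malpedia's code and not part of yara-signator: it re-implements the small subset of YARA hex-string syntax this rule uses (fixed bytes plus `??` single-byte wildcards), evaluates the rule's condition by hand and reports which sequences hit and at what offsets, without needing yara-python. It runs against a constructed byte buffer assembled from the rule's own sequences; `build_sample` is a helper of this example and produces test data, not a real PhotoLoader sample.

```python
import re
from typing import Dict, List, Tuple

# Hex strings copied verbatim from the win_photoloader_auto rule above.
# "??" is YARA's single-byte wildcard; here it masks call/jmp displacements
# and absolute addresses that change from build to build.
SEQUENCES = {
    "sequence_0": "0fa2 894704 33c9 b800000040",
    "sequence_1": "b800000040 0fa2 895f0c e8????????",
    "sequence_2": "f7411400000020 7407 8b41f8 3901",
    "sequence_3": "b801000000 0fa2 89442420 895c2424 894c2428 8954242c",
    "sequence_4": "25ffffff00 0d00000005 e9???????? 8bd7 397b1c 7640 8bc2",
    "sequence_5": "c0c003 0fb6c8 8bc1 83e10f",
    "sequence_6": "8bf7 8d6f10 ff15???????? 0f31",
    "sequence_7": "488b5c2408 c3 0f31 4f8d1489 48c1e220 478b4cd308 480bc2",
    "sequence_8": "ff15???????? 25ffffff00 0d00000007 eb4a",
    "sequence_9": "7507 66c74424287800 8d442428 ba????????",
    "sequence_10": "85f6 7431 8b06 33ff 8bce 47 eb05",
    "sequence_11": "8bf0 8d6c2410 33c9 b801000080 0fa2 894500 895d04",
    "sequence_12": "741a 57 8bfb 8bc8 2bfa 66890c17",
    "sequence_13": "ff15???????? 8bf0 85f6 746d 8d442418 50 8d442414",
    "sequence_14": "ff542420 0f31 8bc8 8bf2 0f31",
    "sequence_15": "e8???????? 03f8 8d0c7b e8???????? 8bc3",
}

# The rule's condition: "7 of them and filesize < 107520".
MIN_SEQUENCES = 7
MAX_FILESIZE = 107520


def hex_pattern_to_regex(pattern: str) -> "re.Pattern[bytes]":
    """Compile a YARA hex string into a bytes regex.

    Only the subset this rule uses is handled: fixed bytes and the ??
    wildcard. Jumps ([n-m]) and nibble wildcards (?f) are not implemented.
    """
    tokens = pattern.replace(" ", "")
    if len(tokens) % 2:
        raise ValueError(f"odd-length hex pattern: {pattern!r}")
    parts = []
    for i in range(0, len(tokens), 2):
        tok = tokens[i:i + 2]
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    # DOTALL so a wildcard also matches 0x0a, which "." would otherwise skip.
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: hex_pattern_to_regex(p) for name, p in SEQUENCES.items()}


def scan(data: bytes) -> Tuple[bool, Dict[str, List[int]]]:
    """Evaluate the rule by hand. Returns (verdict, {sequence: [offsets]})."""
    hits: Dict[str, List[int]] = {}
    for name, regex in COMPILED.items():
        offsets = [m.start() for m in regex.finditer(data)]
        if offsets:
            hits[name] = offsets
    verdict = len(data) < MAX_FILESIZE and len(hits) >= MIN_SEQUENCES
    return verdict, hits


def build_sample(names, filler: bytes = b"\x90" * 7) -> bytes:
    """Constructed test buffer (not a real sample): the named sequences with
    every ?? wildcard filled by 0x00, separated by NOP padding."""
    blob = bytearray(b"MZ" + b"\x00" * 62)  # fake header, no real PE structure
    for name in names:
        blob += bytes.fromhex(SEQUENCES[name].replace(" ", "").replace("??", "00"))
        blob += filler
    return bytes(blob)


if __name__ == "__main__":
    sample = build_sample([f"sequence_{i}" for i in range(7)])
    verdict, hits = scan(sample)
    print("match" if verdict else "no match")
    for name, offsets in hits.items():
        print(f"  {name}: {[hex(o) for o in offsets]}")
```

With yara-python installed the same per-string detail is available from `rules.match(data=...)` and each match's `strings` attribute; doing it by hand mainly makes two things visible: the `??` bytes are exactly the positions that vary per build (relocated call targets and `mov edx, imm32` operands), so hand-written variants of these sequences should keep those wildcards, and the `filesize < 107520` clause, combined with the disclaimer that the sequences were taken from memory dumps and unpacked files, means the rule is meant for unpacked material rather than the packed dropper as delivered.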