SYMBOLCOMMON_NAMEaka. SYNONYMS
win.photoloader (Back to overview)

PhotoLoader

aka: GZIPLOADER
VTCollection    

A loader used to deliver IcedID, fetching a fake image from which payloads are extracted.

References
2024-01-090x0d4y0x0d4y
IcedID – Technical Malware Analysis [Second Stage]
IcedID PhotoLoader
2023-07-04Leandro Froes
Reversing a recent IcedID Crypter
PhotoLoader
2023-06-27SecurityIntelligenceCharlotte Hammond, Ole Villadsen
The Trickbot/Conti Crypters: Where Are They Now?
Black Basta Conti Mount Locker PhotoLoader Royal Ransom SystemBC TrickBot
2023-06-22DeepInstinctDeep Instinct Threat Lab, Mark Vaitzman, Shaul Vilkomir-Preisman
PindOS: New JavaScript Dropper Delivering Bumblebee and IcedID
PindOS BumbleBee PhotoLoader
2023-05-30Palo Alto Networks Unit 42Brad Duncan
Cold as Ice: Answers to Unit 42 Wireshark Quiz for IcedID
IcedID PhotoLoader
2023-05-22The DFIR ReportThe DFIR Report
IcedID Macro Ends in Nokoyawa Ransomware
IcedID Nokoyawa Ransomware PhotoLoader
2023-05-04ElasticCyril François
Unpacking ICEDID
IcedID PhotoLoader
2023-05-03Youtube (Guided Hacking)Guided Hacking
PolyGlot Malware Analysis​ - IcedID Stager
PhotoLoader
2023-05-03unpac.meSean Wilson
UnpacMe Weekly: New Version of IcedId Loader
IcedID PhotoLoader
2023-05-03Palo Alto Networks Unit 42Bob Jung, Daniel Raygoza, Mark Lim
Teasing the Secrets From Threat Actors: Malware Configuration Parsing at Scale
IcedID PhotoLoader
2023-04-28DISCARDED PodcastJoe Wise, Pim Trouerbach
Beyond Banking: IcedID Gets Forked
IcedID PhotoLoader
2023-04-21SophosColin Cowie, Paul Jaramillo
IcedID: Defrosting a Recent Campaign Illustrating evolving tactics and shared infrastructure
IcedID PhotoLoader
2023-04-12InfoSec Handlers Diary BlogBrad Duncan
Recent IcedID (Bokbot) activity
IcedID PhotoLoader
2023-04-06OALabsSergei Frankoff
PhotoLoader ICEDID
PhotoLoader
2023-03-27ProofpointJoe Wise, Kelsey Merriman, Pim Trouerbach
Fork in the Ice: The New Era of IcedID
IcedID PHOTOFORK PHOTOLITE PhotoLoader
2023-03-17ElasticCyril François, Daniel Stepanic
Thawing the permafrost of ICEDID Summary
IcedID PhotoLoader
2023-02-24Team CymruTeam Cymru
Desde Chile con Malware (From Chile with Malware)
IcedID PhotoLoader
2023-01-19CiscoGuilherme Venere
Following the LNK metadata trail
BumbleBee PhotoLoader QakBot
2022-10-27MicrosoftMicrosoft Security Threat Intelligence
Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity
FAKEUPDATES BumbleBee Fauppod PhotoLoader Raspberry Robin Roshtyak
2022-10-07Team CymruS2 Research Team
A Visualizza into Recent IcedID Campaigns: Reconstructing Threat Actor Metrics with Pure Signal™ Recon
IcedID PhotoLoader
2022-09-27Palo Alto Networks Unit 42Mark Lim
More Than Meets the Eye: Exposing a Polyglot File That Delivers IcedID
PhotoLoader
2022-07-07FortinetErin Lin
Notable Droppers Emerge in Recent Threat Campaigns
BumbleBee Emotet PhotoLoader QakBot
2022-05-11InfoSec Handlers Diary BlogBrad Duncan
TA578 using thread-hijacked emails to push ISO files for Bumblebee malware
BumbleBee Cobalt Strike IcedID PhotoLoader
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-05-04Twitter (@felixw3000)Felix
Twitter Thread with info on infection chain with IcedId, Cobalt Strike, and Hidden VNC.
Cobalt Strike IcedID PhotoLoader
2022-04-28SymantecKarthikeyan C Kasiviswanathan, Vishal Kamble
Ransomware: How Attackers are Breaching Corporate Networks
AvosLocker Conti Emotet Hive IcedID PhotoLoader QakBot TrickBot
2022-03-31TrellixJambul Tologonov, John Fokker
Conti Leaks: Examining the Panama Papers of Ransomware
LockBit Amadey Buer Conti IcedID LockBit Mailto Maze PhotoLoader Ryuk TrickBot
2022-03-28IntezerJoakim Kennedy, Ryan Robinson
New Conversation Hijacking Campaign Delivering IcedID
IcedID PhotoLoader
2022-02-22eSentireeSentire Threat Response Unit (TRU)
IcedID to Cobalt Strike In Under 20 Minutes
Cobalt Strike IcedID PhotoLoader
2021-04-13Silent PushMartijn Grooten
Malicious infrastructure as a service
IcedID PhotoLoader QakBot
2021-03-31Silent PushMartijn Grooten
IcedID Command and Control Infrastructure
IcedID PhotoLoader
2021-01-01AWAKEAwake Security
Breaking the Ice: Detecting IcedID and Cobalt Strike Beacon with Network Detection and Response (NDR)
Cobalt Strike IcedID PhotoLoader
2020-04-28Random REJason Reaves
IcedID PhotoLoader evolution
PhotoLoader
Yara Rules
[TLP:WHITE] win_photoloader_auto (20230808 | Detects win.photoloader.)
rule win_photoloader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.photoloader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.photoloader"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0d00000005 e9???????? 8bd7 397b1c 7640 }
            // n = 5, score = 1500
            //   0d00000005           | or                  eax, 0x5000000
            //   e9????????           |                     
            //   8bd7                 | mov                 edx, edi
            //   397b1c               | cmp                 dword ptr [ebx + 0x1c], edi
            //   7640                 | jbe                 0x42

        $sequence_1 = { 8bf7 8d6f10 ff15???????? 0f31 }
            // n = 4, score = 1500
            //   8bf7                 | mov                 esi, edi
            //   8d6f10               | lea                 ebp, [edi + 0x10]
            //   ff15????????         |                     
            //   0f31                 | rdtsc               

        $sequence_2 = { c0c003 0fb6c8 8bc1 83e10f }
            // n = 4, score = 1500
            //   c0c003               | rol                 al, 3
            //   0fb6c8               | movzx               ecx, al
            //   8bc1                 | mov                 eax, ecx
            //   83e10f               | and                 ecx, 0xf

        $sequence_3 = { 33c9 b801000000 0fa2 89442420 895c2424 }
            // n = 5, score = 1500
            //   33c9                 | xor                 ecx, ecx
            //   b801000000           | mov                 eax, 1
            //   0fa2                 | cpuid               
            //   89442420             | mov                 dword ptr [esp + 0x20], eax
            //   895c2424             | mov                 dword ptr [esp + 0x24], ebx

        $sequence_4 = { 33c9 b800000040 0fa2 895f0c }
            // n = 4, score = 1500
            //   33c9                 | xor                 ecx, ecx
            //   b800000040           | mov                 eax, 0x40000000
            //   0fa2                 | cpuid               
            //   895f0c               | mov                 dword ptr [edi + 0xc], ebx

        $sequence_5 = { 0fa2 894704 33c9 b800000040 }
            // n = 4, score = 1500
            //   0fa2                 | cpuid               
            //   894704               | mov                 dword ptr [edi + 4], eax
            //   33c9                 | xor                 ecx, ecx
            //   b800000040           | mov                 eax, 0x40000000

        $sequence_6 = { 895c2424 894c2428 8954242c 0f31 }
            // n = 4, score = 1500
            //   895c2424             | mov                 dword ptr [esp + 0x24], ebx
            //   894c2428             | mov                 dword ptr [esp + 0x28], ecx
            //   8954242c             | mov                 dword ptr [esp + 0x2c], edx
            //   0f31                 | rdtsc               

        $sequence_7 = { f7411400000020 7407 8b41f8 3901 7714 }
            // n = 5, score = 1500
            //   f7411400000020       | test                dword ptr [ecx + 0x14], 0x20000000
            //   7407                 | je                  9
            //   8b41f8               | mov                 eax, dword ptr [ecx - 8]
            //   3901                 | cmp                 dword ptr [ecx], eax
            //   7714                 | ja                  0x16

        $sequence_8 = { 85d2 7417 448bc2 0f31 48c1e220 480bc2 8801 }
            // n = 7, score = 1400
            //   85d2                 | xor                 ecx, ecx
            //   7417                 | mov                 eax, 1
            //   448bc2               | cpuid               
            //   0f31                 | mov                 dword ptr [esp + 0x20], eax
            //   48c1e220             | mov                 dword ptr [esp + 0x24], ebx
            //   480bc2               | mov                 dword ptr [esp + 0x28], ecx
            //   8801                 | and                 eax, 0xffffff

        $sequence_9 = { 1bc0 23442410 3b03 7418 }
            // n = 4, score = 200
            //   1bc0                 | ret                 
            //   23442410             | push                ebp
            //   3b03                 | mov                 ebp, esp
            //   7418                 | sub                 esp, 0x218

        $sequence_10 = { 8903 8d44242c 50 6804010000 ff15???????? ff35???????? 8d4c2430 }
            // n = 7, score = 200
            //   8903                 | pop                 ebp
            //   8d44242c             | ret                 
            //   50                   | mov                 ecx, dword ptr [ebp + 8]
            //   6804010000           | mov                 eax, dword ptr [ebp - 4]
            //   ff15????????         |                     
            //   ff35????????         |                     
            //   8d4c2430             | mov                 dword ptr [ecx], eax

        $sequence_11 = { 5d c3 8b4d08 8b45fc 8901 8b450c }
            // n = 6, score = 200
            //   5d                   | inc                 edi
            //   c3                   | mov                 ecx, dword ptr [ebx + edx*8 + 8]
            //   8b4d08               | rol                 al, 3
            //   8b45fc               | movzx               ecx, al
            //   8901                 | mov                 eax, ecx
            //   8b450c               | and                 ecx, 0xf

        $sequence_12 = { c3 55 8bec 81ec18020000 53 8ad9 }
            // n = 6, score = 200
            //   c3                   | push                eax
            //   55                   | push                0x104
            //   8bec                 | lea                 ecx, [esp + 0x30]
            //   81ec18020000         | push                ecx
            //   53                   | lea                 eax, [ebp - 0xa4]
            //   8ad9                 | mov                 esi, edx

        $sequence_13 = { 8b5604 8d44240c 8b0e 55 }
            // n = 4, score = 200
            //   8b5604               | push                ebx
            //   8d44240c             | mov                 bl, cl
            //   8b0e                 | sbb                 eax, eax
            //   55                   | and                 eax, dword ptr [esp + 0x10]

        $sequence_14 = { 51 8d855cffffff 8bf2 68???????? }
            // n = 4, score = 200
            //   51                   | mov                 eax, dword ptr [ebp + 0xc]
            //   8d855cffffff         | mov                 dword ptr [ebx], eax
            //   8bf2                 | lea                 eax, [esp + 0x2c]
            //   68????????           |                     

        $sequence_15 = { 56 33c0 8d6c240c 57 }
            // n = 4, score = 200
            //   56                   | cmp                 eax, dword ptr [ebx]
            //   33c0                 | je                  0x1a
            //   8d6c240c             | mov                 edx, dword ptr [esi + 4]
            //   57                   | lea                 eax, [esp + 0xc]

    condition:
        7 of them and filesize < 107520
}
Download all Yara Rules