SYMBOLCOMMON_NAMEaka. SYNONYMS
win.photoloader (Back to overview)

PhotoLoader

A loader used to deliver IcedID, fetching a fake image from which payloads are extracted.

References
2023-05-04ElasticCyril François
@online{franois:20230504:unpacking:7f892ff, author = {Cyril François}, title = {{Unpacking ICEDID}}, date = {2023-05-04}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/unpacking-icedid}, language = {English}, urldate = {2023-05-05} } Unpacking ICEDID
IcedID PhotoLoader
2023-05-03unpac.meSean Wilson
@online{wilson:20230503:unpacme:ed52c88, author = {Sean Wilson}, title = {{UnpacMe Weekly: New Version of IcedId Loader}}, date = {2023-05-03}, organization = {unpac.me}, url = {https://blog.unpac.me/2023/05/03/unpacme-weekly-new-version-of-icedid-loader}, language = {English}, urldate = {2023-05-04} } UnpacMe Weekly: New Version of IcedId Loader
IcedID PhotoLoader
2023-05-03Palo Alto Networks Unit 42Mark Lim, Daniel Raygoza, Bob Jung
@online{lim:20230503:teasing:eef7ae4, author = {Mark Lim and Daniel Raygoza and Bob Jung}, title = {{Teasing the Secrets From Threat Actors: Malware Configuration Parsing at Scale}}, date = {2023-05-03}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/teasing-secrets-malware-configuration-parsing}, language = {English}, urldate = {2023-05-04} } Teasing the Secrets From Threat Actors: Malware Configuration Parsing at Scale
IcedID PhotoLoader
2023-05-03Youtube (Guided Hacking)Guided Hacking
@online{hacking:20230503:polyglot:dade492, author = {Guided Hacking}, title = {{PolyGlot Malware Analysis​ - IcedID Stager}}, date = {2023-05-03}, organization = {Youtube (Guided Hacking)}, url = {https://www.youtube.com/watch?v=4j8t9kFLFIY}, language = {English}, urldate = {2023-05-05} } PolyGlot Malware Analysis​ - IcedID Stager
PhotoLoader
2023-04-28DISCARDED PodcastJoe Wise, Pim Trouerbach
@online{wise:20230428:beyond:b45d805, author = {Joe Wise and Pim Trouerbach}, title = {{Beyond Banking: IcedID Gets Forked}}, date = {2023-04-28}, organization = {DISCARDED Podcast}, url = {https://www.spreaker.com/user/16860719/proofpoint-e29-mix-v1}, language = {English}, urldate = {2023-05-04} } Beyond Banking: IcedID Gets Forked
IcedID PhotoLoader
2023-04-12InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20230412:recent:66863ee, author = {Brad Duncan}, title = {{Recent IcedID (Bokbot) activity}}, date = {2023-04-12}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/29740}, language = {English}, urldate = {2023-04-18} } Recent IcedID (Bokbot) activity
IcedID PhotoLoader
2023-04-06OALabsSergei Frankoff
@online{frankoff:20230406:photoloader:76a4798, author = {Sergei Frankoff}, title = {{PhotoLoader ICEDID}}, date = {2023-04-06}, organization = {OALabs}, url = {https://research.openanalysis.net/icedid/bokbot/photoloader/config/2023/04/06/photoloader.html}, language = {English}, urldate = {2023-05-02} } PhotoLoader ICEDID
PhotoLoader
2023-03-17ElasticCyril François, Daniel Stepanic
@online{franois:20230317:thawing:b8065d4, author = {Cyril François and Daniel Stepanic}, title = {{Thawing the permafrost of ICEDID Summary}}, date = {2023-03-17}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/thawing-the-permafrost-of-icedid-summary}, language = {English}, urldate = {2023-03-20} } Thawing the permafrost of ICEDID Summary
IcedID PhotoLoader
2023-02-24Team CymruTeam Cymru
@online{cymru:20230224:desde:d9ec280, author = {Team Cymru}, title = {{Desde Chile con Malware (From Chile with Malware)}}, date = {2023-02-24}, organization = {Team Cymru}, url = {https://www.team-cymru.com/post/from-chile-with-malware}, language = {English}, urldate = {2023-03-13} } Desde Chile con Malware (From Chile with Malware)
IcedID PhotoLoader
2023-01-19CiscoGuilherme Venere
@online{venere:20230119:following:c60f349, author = {Guilherme Venere}, title = {{Following the LNK metadata trail}}, date = {2023-01-19}, organization = {Cisco}, url = {https://blog.talosintelligence.com/following-the-lnk-metadata-trail}, language = {English}, urldate = {2023-04-06} } Following the LNK metadata trail
BumbleBee PhotoLoader QakBot
2022-10-27MicrosoftMicrosoft Security Threat Intelligence
@online{intelligence:20221027:raspberry:b6d1ce4, author = {Microsoft Security Threat Intelligence}, title = {{Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity}}, date = {2022-10-27}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/}, language = {English}, urldate = {2023-03-13} } Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity
FAKEUPDATES BumbleBee Fauppod PhotoLoader Raspberry Robin Roshtyak
2022-10-07Team CymruS2 Research Team
@online{team:20221007:visualizza:0ed3fe8, author = {S2 Research Team}, title = {{A Visualizza into Recent IcedID Campaigns: Reconstructing Threat Actor Metrics with Pure Signal™ Recon}}, date = {2022-10-07}, organization = {Team Cymru}, url = {https://www.team-cymru.com/post/a-visualizza-into-recent-icedid-campaigns}, language = {English}, urldate = {2022-10-10} } A Visualizza into Recent IcedID Campaigns: Reconstructing Threat Actor Metrics with Pure Signal™ Recon
IcedID PhotoLoader
2022-09-27Palo Alto Networks Unit 42Mark Lim
@online{lim:20220927:more:5992cc3, author = {Mark Lim}, title = {{More Than Meets the Eye: Exposing a Polyglot File That Delivers IcedID}}, date = {2022-09-27}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/polyglot-file-icedid-payload/}, language = {English}, urldate = {2022-09-30} } More Than Meets the Eye: Exposing a Polyglot File That Delivers IcedID
PhotoLoader
2022-07-07FortinetErin Lin
@online{lin:20220707:notable:71d2df3, author = {Erin Lin}, title = {{Notable Droppers Emerge in Recent Threat Campaigns}}, date = {2022-07-07}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/notable-droppers-emerge-in-recent-threat-campaigns}, language = {English}, urldate = {2022-07-15} } Notable Droppers Emerge in Recent Threat Campaigns
BumbleBee Emotet PhotoLoader QakBot
2022-05-11InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20220511:ta578:0a0a686, author = {Brad Duncan}, title = {{TA578 using thread-hijacked emails to push ISO files for Bumblebee malware}}, date = {2022-05-11}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/28636}, language = {English}, urldate = {2022-05-11} } TA578 using thread-hijacked emails to push ISO files for Bumblebee malware
BumbleBee Cobalt Strike IcedID PhotoLoader
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20220509:ransomwareasaservice:13ec472, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-05-04Twitter (@felixw3000)Felix
@online{felix:20220504:twitter:0fb7e35, author = {Felix}, title = {{Twitter Thread with info on infection chain with IcedId, Cobalt Strike, and Hidden VNC.}}, date = {2022-05-04}, organization = {Twitter (@felixw3000)}, url = {https://twitter.com/felixw3000/status/1521816045769662468}, language = {English}, urldate = {2022-05-09} } Twitter Thread with info on infection chain with IcedId, Cobalt Strike, and Hidden VNC.
Cobalt Strike IcedID PhotoLoader
2022-04-28SymantecKarthikeyan C Kasiviswanathan, Vishal Kamble
@online{kasiviswanathan:20220428:ransomware:95feafb, author = {Karthikeyan C Kasiviswanathan and Vishal Kamble}, title = {{Ransomware: How Attackers are Breaching Corporate Networks}}, date = {2022-04-28}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker}, language = {English}, urldate = {2022-05-04} } Ransomware: How Attackers are Breaching Corporate Networks
AvosLocker Conti Emotet Hive IcedID PhotoLoader QakBot TrickBot
2022-03-31TrellixJohn Fokker, Jambul Tologonov
@online{fokker:20220331:conti:3bc2974, author = {John Fokker and Jambul Tologonov}, title = {{Conti Leaks: Examining the Panama Papers of Ransomware}}, date = {2022-03-31}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html}, language = {English}, urldate = {2022-04-07} } Conti Leaks: Examining the Panama Papers of Ransomware
LockBit Amadey Buer Conti IcedID LockBit Mailto Maze PhotoLoader Ryuk TrickBot
2022-03-28IntezerJoakim Kennedy, Ryan Robinson
@online{kennedy:20220328:new:cede4da, author = {Joakim Kennedy and Ryan Robinson}, title = {{New Conversation Hijacking Campaign Delivering IcedID}}, date = {2022-03-28}, organization = {Intezer}, url = {https://www.intezer.com/blog/research/conversation-hijacking-campaign-delivering-icedid/}, language = {English}, urldate = {2022-04-05} } New Conversation Hijacking Campaign Delivering IcedID
IcedID PhotoLoader
2022-02-22eSentireeSentire Threat Response Unit (TRU)
@online{tru:20220222:icedid:67f870d, author = {eSentire Threat Response Unit (TRU)}, title = {{IcedID to Cobalt Strike In Under 20 Minutes}}, date = {2022-02-22}, organization = {eSentire}, url = {https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes}, language = {English}, urldate = {2022-05-23} } IcedID to Cobalt Strike In Under 20 Minutes
Cobalt Strike IcedID PhotoLoader
2021-04-13Silent PushMartijn Grooten
@online{grooten:20210413:malicious:094869a, author = {Martijn Grooten}, title = {{Malicious infrastructure as a service}}, date = {2021-04-13}, organization = {Silent Push}, url = {https://www.silentpush.com/blog/malicious-infrastructure-as-a-service}, language = {English}, urldate = {2022-06-09} } Malicious infrastructure as a service
IcedID PhotoLoader QakBot
2021-03-31Silent PushMartijn Grooten
@online{grooten:20210331:icedid:42c6051, author = {Martijn Grooten}, title = {{IcedID Command and Control Infrastructure}}, date = {2021-03-31}, organization = {Silent Push}, url = {https://www.silentpush.com/blog/icedid-command-and-control-infrastructure}, language = {English}, urldate = {2022-06-09} } IcedID Command and Control Infrastructure
IcedID PhotoLoader
2021AWAKEAwake Security
@online{security:2021:breaking:3bdfe99, author = {Awake Security}, title = {{Breaking the Ice: Detecting IcedID and Cobalt Strike Beacon with Network Detection and Response (NDR)}}, date = {2021}, organization = {AWAKE}, url = {https://awakesecurity.com/blog/detecting-icedid-and-cobalt-strike-beacon-with-network-detection-and-response/}, language = {English}, urldate = {2022-06-09} } Breaking the Ice: Detecting IcedID and Cobalt Strike Beacon with Network Detection and Response (NDR)
Cobalt Strike IcedID PhotoLoader
2020-04-28Random REJason Reaves
@online{reaves:20200428:icedid:9b7de2f, author = {Jason Reaves}, title = {{IcedID PhotoLoader evolution}}, date = {2020-04-28}, organization = {Random RE}, url = {https://sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html}, language = {English}, urldate = {2022-03-23} } IcedID PhotoLoader evolution
PhotoLoader
Yara Rules
[TLP:WHITE] win_photoloader_auto (20230407 | Detects win.photoloader.)
rule win_photoloader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.photoloader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.photoloader"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c0c003 0fb6c8 8bc1 83e10f }
            // n = 4, score = 1100
            //   c0c003               | rol                 al, 3
            //   0fb6c8               | movzx               ecx, al
            //   8bc1                 | mov                 eax, ecx
            //   83e10f               | and                 ecx, 0xf

        $sequence_1 = { 894704 33c9 b800000040 0fa2 }
            // n = 4, score = 900
            //   894704               | mov                 dword ptr [edi + 4], eax
            //   33c9                 | xor                 ecx, ecx
            //   b800000040           | mov                 eax, 0x40000000
            //   0fa2                 | cpuid               

        $sequence_2 = { f7411400000020 7407 8b41f8 3901 }
            // n = 4, score = 900
            //   f7411400000020       | test                dword ptr [ecx + 0x14], 0x20000000
            //   7407                 | je                  9
            //   8b41f8               | mov                 eax, dword ptr [ecx - 8]
            //   3901                 | cmp                 dword ptr [ecx], eax

        $sequence_3 = { 0fa2 89442420 895c2424 894c2428 8954242c 0f31 }
            // n = 6, score = 900
            //   0fa2                 | cpuid               
            //   89442420             | mov                 dword ptr [esp + 0x20], eax
            //   895c2424             | mov                 dword ptr [esp + 0x24], ebx
            //   894c2428             | mov                 dword ptr [esp + 0x28], ecx
            //   8954242c             | mov                 dword ptr [esp + 0x2c], edx
            //   0f31                 | rdtsc               

        $sequence_4 = { ff15???????? 25ffffff00 0d00000005 e9???????? 8bd7 }
            // n = 5, score = 900
            //   ff15????????         |                     
            //   25ffffff00           | and                 eax, 0xffffff
            //   0d00000005           | or                  eax, 0x5000000
            //   e9????????           |                     
            //   8bd7                 | mov                 edx, edi

        $sequence_5 = { 33ff 8bf7 8d6f10 ff15???????? 0f31 }
            // n = 5, score = 900
            //   33ff                 | xor                 edi, edi
            //   8bf7                 | mov                 esi, edi
            //   8d6f10               | lea                 ebp, [edi + 0x10]
            //   ff15????????         |                     
            //   0f31                 | rdtsc               

        $sequence_6 = { 33c9 b801000000 0fa2 89442420 }
            // n = 4, score = 900
            //   33c9                 | xor                 ecx, ecx
            //   b801000000           | mov                 eax, 1
            //   0fa2                 | cpuid               
            //   89442420             | mov                 dword ptr [esp + 0x20], eax

        $sequence_7 = { ffd0 ff15???????? 25ffffff00 0fbae81b }
            // n = 4, score = 900
            //   ffd0                 | call                eax
            //   ff15????????         |                     
            //   25ffffff00           | and                 eax, 0xffffff
            //   0fbae81b             | bts                 eax, 0x1b

        $sequence_8 = { 6685c0 741a 57 8bfb 8bc8 }
            // n = 5, score = 200
            //   6685c0               | test                ax, ax
            //   741a                 | je                  0x1c
            //   57                   | push                edi
            //   8bfb                 | mov                 edi, ebx
            //   8bc8                 | mov                 ecx, eax

        $sequence_9 = { ff742410 8b35???????? 68???????? 68???????? 53 ffd6 }
            // n = 6, score = 200
            //   ff742410             | push                dword ptr [esp + 0x10]
            //   8b35????????         |                     
            //   68????????           |                     
            //   68????????           |                     
            //   53                   | push                ebx
            //   ffd6                 | call                esi

        $sequence_10 = { 50 ff15???????? 8d442418 50 8d542418 8d4c2434 }
            // n = 6, score = 200
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8d442418             | lea                 eax, [esp + 0x18]
            //   50                   | push                eax
            //   8d542418             | lea                 edx, [esp + 0x18]
            //   8d4c2434             | lea                 ecx, [esp + 0x34]

        $sequence_11 = { e8???????? 50 55 8d047b 68???????? }
            // n = 5, score = 200
            //   e8????????           |                     
            //   50                   | push                eax
            //   55                   | push                ebp
            //   8d047b               | lea                 eax, [ebx + edi*2]
            //   68????????           |                     

        $sequence_12 = { 51 8d4dfc ba???????? 51 }
            // n = 4, score = 200
            //   51                   | push                ecx
            //   8d4dfc               | lea                 ecx, [ebp - 4]
            //   ba????????           |                     
            //   51                   | push                ecx

        $sequence_13 = { 81c444010000 c3 83ec10 53 55 }
            // n = 5, score = 200
            //   81c444010000         | add                 esp, 0x144
            //   c3                   | ret                 
            //   83ec10               | sub                 esp, 0x10
            //   53                   | push                ebx
            //   55                   | push                ebp

        $sequence_14 = { 8b8690010000 85c0 7426 83f808 7721 50 8d8694010000 }
            // n = 7, score = 200
            //   8b8690010000         | mov                 eax, dword ptr [esi + 0x190]
            //   85c0                 | test                eax, eax
            //   7426                 | je                  0x28
            //   83f808               | cmp                 eax, 8
            //   7721                 | ja                  0x23
            //   50                   | push                eax
            //   8d8694010000         | lea                 eax, [esi + 0x194]

    condition:
        7 of them and filesize < 98304
}
Download all Yara Rules