{ "id": "3240975f-1449-4d9a-b948-404215fff240", "created_at": "2026-04-06T00:19:15.700283Z", "updated_at": "2026-04-10T03:20:16.143342Z", "deleted_at": null, "sha1_hash": "07d399a4b45783c153fb73042b14b2670820c03d", "title": "IcedID PNG -\u003e PE parser and reconstructor for custom steganographic loader", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 37831, "plain_text": "IcedID PNG -\u003e PE parser and reconstructor for custom\r\nsteganographic loader\r\nBy 262588213843476\r\nArchived: 2026-04-05 22:37:58 UTC\r\n\"\"\" Py3 version of IcedID custom steganographic loader (PNG parser \u0026 PE reconstructor) Inspired by\r\nhttps://github.com/hasherezade/funky_malware_formats/tree/master/iced_id_parser Authored by @nazywam and\r\n@psrok1. pip3 install malduck lief \"\"\" import sys import malduck from lief import PE class\r\nIcedidSection(malduck.Structure): _pack_ = 1 _fields_ = [ (\"VirtualOffset\", malduck.DWORD), (\"VirtualSize\",\r\nmalduck.DWORD), (\"RawOffset\", malduck.DWORD), (\"RawSize\", malduck.DWORD), (\"Characteristics\",\r\nmalduck.BYTE) ] class IcedidHeader(malduck.Structure): _pack_ = 1 _fields_ = [ (\"ImageBase\",\r\nmalduck.QWORD), (\"ImageSize\", malduck.DWORD), (\"EntryPoint_va\", malduck.DWORD), (\"ImportDir_va\",\r\nmalduck.DWORD), (\"RelocDir_va\", malduck.DWORD), (\"RelocDir_size\", malduck.DWORD), (\"SectionCount\",\r\nmalduck.DWORD) ] def decrypt_image(path: str) -\u003e bytes: p = malduck.procmem.from_file(path) idat_off =\r\nnext(p.findp(b'IDAT')) idat_len = p.uint32p(idat_off - 4) data = p.readp(idat_off + 4, idat_len) decrypted =\r\nmalduck.rc4(data[:8], data[8:]) return decrypted def reconstruct(payload: bytes) -\u003e bytes: p =\r\nmalduck.procmem(payload) data_offset = offset = 0x1188 header_data = p.readp(offset, IcedidHeader.sizeof())\r\nheader = IcedidHeader.parse(header_data) offset += IcedidHeader.sizeof() sections_data = p.readp(offset,\r\nIcedidSection.sizeof() * header.SectionCount) sections = [IcedidSection.parse(data) for data in\r\nmalduck.chunks(sections_data, IcedidSection.sizeof())] pe = PE.Binary('icedid_binary', PE.PE_TYPE.PE32)\r\npe.optional_header.imagebase = header.ImageBase pe.optional_header.addressof_entrypoint =\r\nheader.EntryPoint_va sections = sorted(sections, key=lambda s: s.VirtualOffset) for idx, sec in\r\nenumerate(sections): section = PE.Section('') content = p.readp(data_offset + sec.RawOffset, sec.RawSize)\r\nsection.content = list(content) section.virtual_address = sec.VirtualOffset section.characteristics = 0xE0000000 if\r\nidx != len(sections) - 1: section.virtual_size = sections[idx + 1].VirtualOffset - sec.VirtualOffset\r\npe.add_section(section) pe.data_directory(PE.DATA_DIRECTORY.IMPORT_TABLE).rva =\r\nheader.ImportDir_va pe.data_directory(PE.DATA_DIRECTORY.BASE_RELOCATION_TABLE).rva =\r\nheader.RelocDir_va pe.data_directory(PE.DATA_DIRECTORY.BASE_RELOCATION_TABLE).size =\r\nheader.RelocDir_size builder = PE.Builder(pe) builder.build() return bytes(builder.get_build()) if __name__ ==\r\n'__main__': if len(sys.argv) \u003c 3: print(\"Usage: ./reconstruct.py [pngfile] [outfile]\") else: inpath = sys.argv[1]\r\npayload = decrypt_image(inpath) data = reconstruct(payload) with open(sys.argv[2], \"wb\") as f: f.write(data)\r\nprint(\"[*] Stored {} bytes in {}\".format(len(data), sys.argv[2]))\r\nSource: https://gist.github.com/psrok1/e6bf5851d674edda03a201e7f24a5e6b\r\nhttps://gist.github.com/psrok1/e6bf5851d674edda03a201e7f24a5e6b\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://gist.github.com/psrok1/e6bf5851d674edda03a201e7f24a5e6b" ], "report_names": [ "e6bf5851d674edda03a201e7f24a5e6b" ], "threat_actors": [], "ts_created_at": 1775434755, "ts_updated_at": 1775791216, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/07d399a4b45783c153fb73042b14b2670820c03d.pdf", "text": "https://archive.orkl.eu/07d399a4b45783c153fb73042b14b2670820c03d.txt", "img": "https://archive.orkl.eu/07d399a4b45783c153fb73042b14b2670820c03d.jpg" } }