{
	"id": "2ef4c223-d0be-42bd-99b6-2ab2f565ad04",
	"created_at": "2026-04-06T00:09:45.234895Z",
	"updated_at": "2026-04-10T03:20:58.404539Z",
	"deleted_at": null,
	"sha1_hash": "e7494c6a9fc8e2c317f38ecc98433f438caf4d23",
	"title": "Learning From ICEID loader - Including its Steganography Payload Parsing",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1694764,
	"plain_text": "Learning From ICEID loader - Including its Steganography Payload Parsing\r\nPublished: 2020-08-10 · Archived: 2026-04-05 12:41:55 UTC\r\nThis ICEID stager/loader shows some interesting ways of loading the ICEID downloader: it bypasses some API monitoring tools while unpacking its code and evades forensic tools in memory. I also learned how it parses the PNG header to decrypt its encrypted payload (steganography).\r\nSo let's start!\r\nLoading Runas.exe:\r\nOne interesting piece of code in this IceID stager/loader is that it loads \"runas.exe\" using LoadLibraryExA. Currently I don't know what other purpose this loading has, aside from evading or bypassing emulation tools or engines.\r\nfigure 1: LoadLibraryExA runas.exe\r\nDecrypting Shellcode Loader and the IceID Downloader:\r\nhttps://tccontre.blogspot.com/2020/08/learning-from-iceid-loader-including.html\r\nPage 1 of 11\r\nNext it decrypts the encrypted shellcode and the IceID downloader from its RSRC section. This is done by finding a specific resource name and locating its address and its resource entry size in the file, as shown in figure 2 below.\r\nfigure 2: Finding ResourceEntry\r\nAfter this it allocates virtual memory using an alternative to VirtualAlloc, VirtualAllocExNuma, which may evade unpacking tools that only hook the common virtual allocation APIs.\r\nfigure 3: Allocation of Memory\r\nThen it decrypts the encrypted rsrc data using the Microsoft CSP API, shown in the figure below, with the RC4 algorithm. Interestingly, the common way to decrypt an encrypted blob with the CSP API is \"CryptDecrypt\", but this malware uses \"CryptEncrypt\" instead to decrypt the blob. Because RC4 is a symmetric stream cipher, encryption and decryption are the same keystream XOR, so the choice makes no functional difference, but a tool that only hooks CryptDecrypt will miss it.\r\nfigure 4: the decryption function for the encrypted resource section\r\nfigure 5: decrypted shellcode and ICEID downloader\r\nProcessing PNG Payload - Steganography:\r\nThis part of the ICEID downloader is really interesting: I learned how it parses the PNG header to look for the IDAT chunk header and decrypt its contents. First, it checks whether the command line of the ICEID downloader process has an argument \"-id=\" containing an int value; that value is the name of the downloaded steganography PNG file, which should be placed in the %tmp% folder.\r\nfigure 6: checking the process command line and decryption function\r\nfigure 7: the parsing of PNG payload\r\nAfter finding the IDAT header position, it parses the RC4 key that follows it and the encrypted data, and decrypts the data with the RC4 algorithm.\r\nfigure 8: parsing png header payload\r\nANTI-Memory Forensic:\r\nI also noticed that, upon loading the ICEID downloader into memory to execute it, the loader removes the DOS header, a common anti-forensic technique.\r\nfigure 9: Anti Memory Forensic Technique\r\nIOC:\r\nLoader:\r\nhttps://app.any.run/tasks/b4beb108-60c8-4ae5-8f7b-4f21ffa5da7a/\r\nSHA1: 56be44a912e2677e98cbce0c42a8344a7de34ea1\r\nMD5: bd57f946b9294c90772e57e20247d1eb\r\nSHA256: 81801711abd4b24eb39be359ce18a54600f3a362c033a38c01881c941f8743b4\r\nICEID downloader:\r\nSHA1: e8a1f8e06b332cece343718d80ad942b1466c07b\r\nMD5: 5c2766313ce3ce8d3321c81f347d2813\r\nSHA256: 295dc254c4d168ab935e84b229746586ce69028f39f0612f6a900b7a01bae9e5\r\nStrings:\r\n8476:GetNativeSystemInfo\r\n8496:ZwQuerySystemInformation\r\n8524:NTDLL.DLL\r\n8544:0123456789ABCDEF\r\n8576:RtlGetVersion\r\n8688:GetAdaptersInfo\r\n8704:IPHLPAPI.DLL\r\n8776:url(\"\r\n8788:src=\"\r\n9146:LookupAccountNameW\r\n9168:GetUserNameA\r\n9182:ADVAPI32.dll\r\n9198:StrStrIA\r\n9210:StrToIntA\r\n9222:StrChrA\r\n9230:SHLWAPI.dll\r\n9244:GetModuleFileNameA\r\n9266:HeapFree\r\n9278:WaitForSingleObject\r\n9300:GetCommandLineA\r\n9318:Sleep\r\n9326:GetTempPathA\r\n9342:LoadLibraryA\r\n9358:GetProcAddress\r\n9376:ExitProcess\r\n9390:GetProcessHeap\r\n9408:GetTickCount\r\n9424:ReadFile\r\n9436:WriteFile\r\n9448:CreateFileA\r\n9462:CloseHandle\r\n9476:HeapAlloc\r\n9488:GetFileSize\r\n9502:lstrlenA\r\n9514:HeapReAlloc\r\n9528:GetComputerNameExW\r\n9550:GetTickCount64\r\n9568:GetLastError\r\n9584:SwitchToThread\r\n9602:GetComputerNameExA\r\n9622:KERNEL32.dll\r\n9638:wsprintfA\r\n9650:wsprintfW\r\n9660:USER32.dll\r\n9674:WinHttpQueryDataAvailable\r\n9702:WinHttpConnect\r\n9720:WinHttpSetStatusCallback\r\n9748:WinHttpSendRequest\r\n9770:WinHttpCloseHandle\r\n9792:WinHttpSetOption\r\n9812:WinHttpOpenRequest\r\n9834:WinHttpReadData\r\n9852:WinHttpQueryHeaders\r\n9874:WinHttpOpen\r\n9888:WinHttpReceiveResponse\r\n9914:WinHttpQueryOption\r\n9936:WinHttpAddRequestHeaders\r\n9962:WINHTTP.dll\r\n9976:memset\r\n9984:MSVCRT.dll\r\n10752:dave\r\nClosing:\r\nIn this blog post I learned a new way to allocate virtual memory, the use of LoadLibraryExA on an executable and, last, how the PNG header is parsed. I hope I shared something. :)\r\nSource: https://tccontre.blogspot.com/2020/08/learning-from-iceid-loader-including.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://tccontre.blogspot.com/2020/08/learning-from-iceid-loader-including.html"
	],
	"report_names": [
		"learning-from-iceid-loader-including.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434185,
	"ts_updated_at": 1775791258,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e7494c6a9fc8e2c317f38ecc98433f438caf4d23.pdf",
		"text": "https://archive.orkl.eu/e7494c6a9fc8e2c317f38ecc98433f438caf4d23.txt",
		"img": "https://archive.orkl.eu/e7494c6a9fc8e2c317f38ecc98433f438caf4d23.jpg"
	}
}