Learning From ICEID loader - Including its Steganography Payload Parsing

Published: 2020-08-10 · Archived: 2026-04-05 12:41:55 UTC

This ICEID stager/loader shows some interesting ways of loading the ICEID downloader: it bypasses some API monitoring tools while unpacking its code, and it evades forensic tools in memory. I also learned how it parses the PNG header to decrypt its encrypted payload (steganography). So let's start!

Loading Runas.exe:

One interesting piece of code in this IceID stager/loader is that it tries to load "runas.exe" using LoadLibraryExA. Currently I don't know of any other purpose for this load aside from evading or bypassing emulation tools or engines.

figure 1: loadlibraryExA runas.exe

Decrypting Shellcode Loader and the IceID Downloader:

https://tccontre.blogspot.com/2020/08/learning-from-iceid-loader-including.html Page 1 of 11

Next it decrypts the encrypted shellcode and IceID downloader from its RSRC section. This is done by finding a specific resource name, then locating its address and its resource entry size in the file, as shown in figure 2 below.

figure 2: Finding ResourceEntry

After this it allocates virtual memory using an alternative to VirtualAlloc, VirtualAllocExNuma, which may evade some unpacking tools that hook the common virtual allocation APIs.

figure 3: Allocation of Memory

Then it decrypts the encrypted RSRC data using the Microsoft CSP API, shown in the figure below, with the RC4 algorithm. Interestingly, the common way to decrypt an encrypted blob of data with the CSP API is CryptDecrypt, but this malware uses the CryptEncrypt API instead to decrypt the blob.
figure 4: the decryption function for encrypted resource section

figure 5: decrypted shellcode and ICEID downloader

Processing PNG Payload - Steganography:

This part of the ICEID downloader is really interesting: here I learned how it parses the PNG header to look for the IDAT chunk header and decrypt the data behind it. But first it checks whether the command line of the ICEID downloader process has an "-id=" argument containing an integer value; that value is the name of the downloaded steganography PNG file, which should be placed in the %tmp% folder.

figure 6: checking the process commandline and decryption function

figure 7: the parsing of PNG payload

Once it has the IDAT header position, it parses the RC4 key below it and then the encrypted data, and decrypts that data with the RC4 decryption algorithm.

figure 8: parsing png header payload

ANTI-Memory Forensic:

I also noticed that upon loading the ICEID downloader into memory to execute it, the loader removes the DOS header, a common anti-forensic technique.
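The two decryption steps above (the RC4-over-CSP resource decryption and the IDAT-based PNG payload) can be reproduced offline for analysis. The script below is an added example, not code from the post or from the malware: it walks the PNG chunk list to find the IDAT chunk, treats the bytes directly after the chunk header as the RC4 key and the rest as ciphertext, and also mirrors the "-id=" command-line check. The key length (8 bytes), the absence of a file extension on the %tmp% file, and the sample PNG are all assumptions or constructed data, since the post does not state them. The RC4 routine also makes the CryptEncrypt observation concrete: RC4 is a keystream XOR, so encrypting and decrypting are the same operation and either CSP call yields the plaintext.

```python
import os
import re
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
KEY_LEN = 8  # ASSUMPTION: the post does not state the RC4 key length


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR. Encryption and decryption are the same
    operation, which is why a CryptEncrypt call decrypts the blob exactly
    as CryptDecrypt would."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def stego_path_from_cmdline(cmdline: str, tmp_dir: str):
    """Mirror the '-id=<int>' check: the integer is the file name in %tmp%.
    Returns None when the argument is absent (nothing to decrypt then)."""
    match = re.search(r"-id=(\d+)", cmdline)
    if match is None:
        return None
    return os.path.join(tmp_dir, match.group(1))  # ASSUMPTION: no extension


def iter_png_chunks(png: bytes):
    """Walk the chunk list: each chunk is a 4-byte big-endian length,
    a 4-byte type, the data, and a 4-byte CRC. Yields (type, offset_of_type, data)."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data_start, data_end = pos + 8, pos + 8 + length
        if data_end + 4 > len(png):
            raise ValueError("truncated chunk %r" % ctype)
        yield ctype, pos + 4, png[data_start:data_end]
        pos = data_end + 4  # step over the CRC
        if ctype == b"IEND":
            break


def find_idat(png: bytes):
    """Return (offset of the 'IDAT' tag, chunk data) for the first IDAT chunk."""
    for ctype, type_offset, data in iter_png_chunks(png):
        if ctype == b"IDAT":
            return type_offset, data
    return None


def extract_payload(png: bytes, key_len: int = KEY_LEN) -> bytes:
    """Key bytes sit directly after the IDAT header, ciphertext after the key."""
    found = find_idat(png)
    if found is None:
        raise ValueError("no IDAT chunk in file")
    _, idat = found
    if len(idat) <= key_len:
        raise ValueError("IDAT chunk too small to hold key and payload")
    return rc4(idat[:key_len], idat[key_len:])


# --- constructed sample so the script runs offline -------------------------

def _chunk(ctype: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png(key: bytes, payload: bytes) -> bytes:
    """A structurally valid 1x1 PNG whose IDAT carries key || RC4(payload)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit RGB
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", key + rc4(key, payload))
            + _chunk(b"IEND", b""))


SAMPLE_KEY = b"k3yk3yk3"                 # constructed, 8 bytes
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 30    # constructed stand-in for a PE
SAMPLE_PNG = build_sample_png(SAMPLE_KEY, SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print(stego_path_from_cmdline("downloader.exe -id=4711", "C:/Temp"))
    offset, _ = find_idat(SAMPLE_PNG)
    print("IDAT tag at offset 0x%x" % offset)
    print(extract_payload(SAMPLE_PNG)[:2])
```

For a real sample, replace SAMPLE_PNG with the file read from the %tmp% path and adjust KEY_LEN to what the decryption routine in figure 8 actually reads; the chunk walker is the same for any PNG, so it also works on images where the stego IDAT is not the first chunk once you change find_idat to return all IDAT chunks.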
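From the defender's side, a wiped DOS header is itself a detectable artifact: the PE/COFF header that the loader still needs is left behind a short distance into the region, with no "MZ" in front of it. The following is an added example of that check, not code from the post or from any memory-forensics tool: it classifies the start of a captured memory region as an intact image, an image whose DOS header was erased, or not a PE at all, using a small sanity check on the COFF header to avoid false hits. The sample images and the erasure (zeroing the first 0x40 bytes) are constructed here; the scan limit of 0x400 bytes is an assumption that covers typical e_lfanew values.

```python
import struct

PE_MACHINES = {0x014C, 0x8664, 0x01C0, 0xAA64}  # i386, x64, ARM, ARM64
SCAN_LIMIT = 0x400  # ASSUMPTION: e_lfanew is typically small; widen for odd images


def _coff_looks_sane(region: bytes, off: int) -> bool:
    """Sanity-check the COFF header following a candidate 'PE\\0\\0' at off."""
    if off + 24 > len(region):
        return False
    machine, nsections = struct.unpack_from("<HH", region, off + 4)
    return machine in PE_MACHINES and 1 <= nsections <= 96


def classify_image(region: bytes) -> dict:
    """Classify the head of a mapped region.

    Returns {'status': 'pe_intact' | 'pe_dos_header_erased' | 'not_pe',
             'pe_offset': int or None}.
    'pe_dos_header_erased' means a plausible PE/COFF header sits within
    SCAN_LIMIT bytes but the 'MZ' stamp at offset 0 is gone: the state a
    loader leaves behind after wiping the DOS header."""
    if region[:2] == b"MZ":
        if len(region) < 0x40:
            return {"status": "not_pe", "pe_offset": None}
        e_lfanew = struct.unpack_from("<I", region, 0x3C)[0]
        if region[e_lfanew:e_lfanew + 4] == b"PE\0\0" and _coff_looks_sane(region, e_lfanew):
            return {"status": "pe_intact", "pe_offset": e_lfanew}
        return {"status": "not_pe", "pe_offset": None}  # MZ with a broken stub: out of scope
    # No MZ stub: look for an orphaned PE signature near the start of the region.
    for off in range(0, min(len(region), SCAN_LIMIT), 4):
        if region[off:off + 4] == b"PE\0\0" and _coff_looks_sane(region, off):
            return {"status": "pe_dos_header_erased", "pe_offset": off}
    return {"status": "not_pe", "pe_offset": None}


def find_erased_headers(regions):
    """regions: iterable of (base_address, bytes) as read from a process or
    dump. Returns (base, pe_offset) for every region whose DOS header is gone."""
    hits = []
    for base, data in regions:
        result = classify_image(data)
        if result["status"] == "pe_dos_header_erased":
            hits.append((base, result["pe_offset"]))
    return hits


# --- constructed samples so the script runs offline ------------------------

def build_sample_image() -> bytes:
    """Minimal constructed x64 image: DOS header, e_lfanew = 0x80, COFF header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, 0xF0, 0x22)
    return bytes(dos) + b"\0" * 0x40 + b"PE\0\0" + coff + b"\0" * 0x100


INTACT_IMAGE = build_sample_image()
# Simulate the anti-forensic step: the first 0x40 bytes (DOS header) zeroed.
ERASED_IMAGE = b"\0" * 0x40 + INTACT_IMAGE[0x40:]
RANDOM_REGION = bytes(range(256)) * 4  # constructed non-PE data

if __name__ == "__main__":
    for name, blob in (("intact", INTACT_IMAGE), ("erased", ERASED_IMAGE), ("random", RANDOM_REGION)):
        print(name, classify_image(blob))
    print(find_erased_headers([(0x400000, INTACT_IMAGE), (0x7FF0000, ERASED_IMAGE)]))
```

In practice the (base, bytes) pairs come from walking a process's committed private regions or the mapped regions of a memory dump; a hit on a private, executable region whose first page has no MZ but carries a PE signature is worth a closer look regardless of which loader produced it.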
figure 9: Anti Memory Forensic Technique

IOC:

Loader: https://app.any.run/tasks/b4beb108-60c8-4ae5-8f7b-4f21ffa5da7a/
SHA1: 56be44a912e2677e98cbce0c42a8344a7de34ea1
MD5: bd57f946b9294c90772e57e20247d1eb
SHA256: 81801711abd4b24eb39be359ce18a54600f3a362c033a38c01881c941f8743b4

ICEID downloader:
SHA1: e8a1f8e06b332cece343718d80ad942b1466c07b
MD5: 5c2766313ce3ce8d3321c81f347d2813
SHA256: 295dc254c4d168ab935e84b229746586ce69028f39f0612f6a900b7a01bae9e5

Strings:

8476:GetNativeSystemInfo
8496:ZwQuerySystemInformation
8524:NTDLL.DLL
8544:0123456789ABCDEF
8576:RtlGetVersion
8688:GetAdaptersInfo
8704:IPHLPAPI.DLL
8776:url("
8788:src="
9146:LookupAccountNameW
9168:GetUserNameA
9182:ADVAPI32.dll
9198:StrStrIA
9210:StrToIntA
9222:StrChrA
9230:SHLWAPI.dll
9244:GetModuleFileNameA
9266:HeapFree
9278:WaitForSingleObject
9300:GetCommandLineA
9318:Sleep
9326:GetTempPathA
9342:LoadLibraryA
9358:GetProcAddress
9376:ExitProcess
9390:GetProcessHeap
9408:GetTickCount
9424:ReadFile
9436:WriteFile
9448:CreateFileA
9462:CloseHandle
9476:HeapAlloc
9488:GetFileSize
9502:lstrlenA
9514:HeapReAlloc
9528:GetComputerNameExW
9550:GetTickCount64
9568:GetLastError
9584:SwitchToThread
9602:GetComputerNameExA
9622:KERNEL32.dll
9638:wsprintfA
9650:wsprintfW
9660:USER32.dll
9674:WinHttpQueryDataAvailable
9702:WinHttpConnect
9720:WinHttpSetStatusCallback
9748:WinHttpSendRequest
9770:WinHttpCloseHandle
9792:WinHttpSetOption
9812:WinHttpOpenRequest
9834:WinHttpReadData
9852:WinHttpQueryHeaders
9874:WinHttpOpen
9888:WinHttpReceiveResponse
9914:WinHttpQueryOption
9936:WinHttpAddRequestHeaders
9962:WINHTTP.dll
9976:memset
9984:MSVCRT.dll
10752:dave

Closing:

In this blog post I learned a new way to allocate virtual memory, LoadLibraryExA on an executable, and lastly parsing the PNG header. I hope I shared something. :)

Source: https://tccontre.blogspot.com/2020/08/learning-from-iceid-loader-including.html