Email Spam with Attachment Modiloader, (Sat, Jun 24th)


This week (2023-06-21) I found 2 emails in quarantine that had different text but the same attachment. The first one carried an Office 365 notice indicating the admin had set up a custom rule to block the message, that it could not be delivered to the recipients, and what to do to fix it.

This attachment is well detected by multiple AV vendors as a trojan downloader. I used AssemblyLine [1] to analyse this zip file [2] and recovered a long list of indicators from the analysis. Brad [3] published a similar diary about Modiloader last month.
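The observation above (two messages with different lure text but one identical attachment) is the kind of thing that is easy to miss when reviewing a quarantine by subject line. The script below is an added example, not code from the diary or from AssemblyLine: it parses raw .eml messages with Python's standard email library, hashes every attachment with SHA256, and groups the messages by attachment hash so that the same payload sent under different pretexts surfaces as one cluster. The three sample messages and the attachment bytes are constructed for the example; the hashes they produce are not indicators from the diary.

```python
import email
import hashlib
from collections import defaultdict
from email import policy
from email.message import EmailMessage

# Constructed stand-in for an attachment. This is not a real archive and not
# the sample from the diary; only its bytes matter for the grouping logic.
SAMPLE_ZIP = b"PK\x03\x04constructed-sample-not-a-real-archive"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_ZIP).hexdigest()
OTHER_ZIP = b"PK\x03\x04a-different-constructed-attachment"


def make_message(subject, body, attachment_name, attachment_bytes):
    """Build a multipart message with one attachment and return its raw bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(attachment_bytes, maintype="application",
                       subtype="zip", filename=attachment_name)
    return msg.as_bytes()


def build_sample_quarantine():
    """Constructed quarantine: two lures sharing one attachment, one unrelated message."""
    return {
        "rule-bounce": make_message(
            "Undeliverable: message blocked by custom rule",
            "Your message could not be delivered. See the attached report.",
            "Report.zip", SAMPLE_ZIP),
        "second-lure": make_message(
            "Invoice overdue",
            "Please review the attached invoice before end of day.",
            "Invoice.zip", SAMPLE_ZIP),
        "unrelated": make_message(
            "Meeting notes",
            "Notes from today's meeting are attached.",
            "Notes.zip", OTHER_ZIP),
    }


def extract_attachments(raw_bytes):
    """Return (filename, sha256) for every attachment part of a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)  # decodes base64/quoted-printable
        if payload is None:
            continue
        found.append((part.get_filename() or "unnamed", hashlib.sha256(payload).hexdigest()))
    return found


def group_by_attachment_hash(messages):
    """Map attachment sha256 -> list of (message label, filename) that carried it."""
    groups = defaultdict(list)
    for label, raw in messages.items():
        for name, digest in extract_attachments(raw):
            groups[digest].append((label, name))
    return dict(groups)


def find_shared_attachments(messages):
    """Keep only hashes seen in more than one message: same payload, different lure."""
    return {h: carriers for h, carriers in group_by_attachment_hash(messages).items()
            if len(carriers) > 1}


if __name__ == "__main__":
    for digest, carriers in find_shared_attachments(build_sample_quarantine()).items():
        print(digest)
        for label, name in carriers:
            print(f"  {label}: {name}")
```

Pointing the same functions at real .eml files from a quarantine folder is a matter of reading each file's bytes into the dictionary; the hash values it prints are what you would then compare against the vendor detections or submit to an analysis pipeline such as the one described above.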

AssemblyLine classifies the indicators as informative, suspicious or malicious during the analysis.

Emerging Threat Signature

ET MALWARE FormBook CnC Checkin (GET)

Indicators of Compromise – Malicious

Indicators of Compromise – Suspicious

SHA256 Hashes





Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
