Email Spam with Attachment Modiloader

Published: 2023-06-24
Last Updated: 2023-06-24 20:09:55 UTC
by Guy Bruneau (Version: 1)
0 comment(s)

This week (2023-06-21) I found 2 email attachments in quarantine that had different text with the same attachment. The first one had an Office 365 message indicating the admin had set up a custom rule to block the message, that it could not be delivered to the recipients, and what to do to fix it.

This attachment is well detected by multiple AV vendors as a trojan downloader. I used AssemblyLine [1] to analyse this zip file [2] and recovered a long list of indicators from the analysis. Brad [3] published a similar diary on Modiloader last month.

AssemblyLine classifies the indicators as informative, suspicious or malicious during the analysis.
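The first triage step in this diary, pulling the attachment out of each quarantined message, hashing it, and looking inside the ZIP, is easy to script before anything is handed to a sandbox such as AssemblyLine. The following is an added example for this page, not the author's code and not part of AssemblyLine: it parses .eml files with the Python standard library, hashes every attachment, lists ZIP members from memory without extracting them, and groups messages by attachment hash so that "different text, same attachment" stands out. The two sample messages, the embedded ZIP, the member name "invoice.exe" and the executable-extension list are constructed for the example and are not indicators from the diary.

```python
"""Triage quarantined e-mails: extract attachments, hash them, and peek
inside ZIP archives without writing anything to disk.

Added example for this diary, not the author's or AssemblyLine's code.
The sample messages and the embedded ZIP are constructed here so the
script runs offline; "invoice.exe" is illustrative, not a real indicator.
"""
import base64
import hashlib
import io
import zipfile
from email import policy
from email.parser import BytesParser

# Extensions that should not normally arrive inside a mail attachment
# (a heuristic chosen for this example, not an AssemblyLine rule).
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")


def build_sample_zip() -> bytes:
    """Construct a small ZIP with a fixed timestamp so its bytes, and thus
    its SHA256, are identical every run (constructed sample, not a real PE)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        info = zipfile.ZipInfo("invoice.exe", date_time=(2023, 6, 21, 0, 0, 0))
        zf.writestr(info, b"MZ" + b"\x00" * 62)  # placeholder bytes only
    return buf.getvalue()


def build_sample_eml(subject: str, body: str, attachment: bytes) -> bytes:
    """Construct a minimal multipart message carrying the ZIP as base64."""
    b64 = base64.b64encode(attachment).decode("ascii")
    return (
        "From: sender@example.invalid\r\n"
        "To: victim@example.invalid\r\n"
        f"Subject: {subject}\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n'
        "\r\n"
        "--b1\r\n"
        "Content-Type: text/plain; charset=utf-8\r\n"
        "\r\n"
        f"{body}\r\n"
        "--b1\r\n"
        'Content-Type: application/zip; name="Quarantined_Message.zip"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        'Content-Disposition: attachment; filename="Quarantined_Message.zip"\r\n'
        "\r\n"
        f"{b64}\r\n"
        "--b1--\r\n"
    ).encode("utf-8")


def inspect_zip(data: bytes) -> dict:
    """List ZIP members from memory (no extraction) and flag executables."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [info.filename for info in zf.infolist()]
    flagged = [m for m in members if m.lower().endswith(EXECUTABLE_EXTS)]
    return {"members": members, "flagged": flagged}


def triage_eml(raw: bytes) -> list[dict]:
    """Return one record per attachment: subject, filename, SHA256, ZIP view."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    records = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        rec = {
            "subject": str(msg["Subject"]),
            "filename": part.get_filename(),
            "sha256": hashlib.sha256(payload).hexdigest(),
            "zip": None,
        }
        if zipfile.is_zipfile(io.BytesIO(payload)):
            rec["zip"] = inspect_zip(payload)
        records.append(rec)
    return records


def group_by_hash(raws) -> dict[str, list[str]]:
    """Map each attachment SHA256 to the subjects that carried it; this is
    how 'different text, same attachment' shows up across a quarantine."""
    groups: dict[str, list[str]] = {}
    for raw in raws:
        for rec in triage_eml(raw):
            groups.setdefault(rec["sha256"], []).append(rec["subject"])
    return groups


SAMPLE_ZIP = build_sample_zip()
SAMPLES = [
    build_sample_eml("Undeliverable: message blocked by admin rule",
                     "Your message was blocked by a custom rule. See attached.",
                     SAMPLE_ZIP),
    build_sample_eml("Invoice attached",
                     "Please find the invoice attached.",
                     SAMPLE_ZIP),
]

if __name__ == "__main__":
    for sha, subjects in group_by_hash(SAMPLES).items():
        print(sha, len(subjects), subjects)
    for rec in triage_eml(SAMPLES[0]):
        print(rec["filename"], rec["zip"])
```

Run it against real .eml files by reading each one as bytes and passing the list to `group_by_hash`; the hashes it prints are what you submit to your sandbox or look up against AV and threat-intel sources. The ZIP is only listed, never extracted, so a nested executable is reported without ever touching the filesystem.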

Emerging Threats Signature

ET MALWARE FormBook CnC Checkin (GET)

Indicators of Compromise - Malicious

Indicators of Compromise - Suspicious

SHA256 Hashes





Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu
