Last Updated: 2023-06-24 20:09:55 UTC
by Guy Bruneau (Version: 1)
This week (2023-06-21) I found two email attachments in quarantine: the messages carried different text but the same attachment. The first message contained an Office 365 notice indicating that the admin had set up a custom rule to block the message, that it could not be delivered to the recipients, and what to do to fix it.
This attachment is well detected by multiple AV vendors as a trojan downloader. I used AssemblyLine to analyse the zip file (9658904352011.zip) and recovered a long list of indicators from the analysis. Brad published a similar diary on Modiloader last month.
AssemblyLine classifies the indicators it finds during analysis as informative, suspicious, or malicious.
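As an added example (my own illustration, not the diary's tooling and not AssemblyLine code), the following Python script performs a first-pass triage of a quarantined zip attachment entirely in memory, never writing members to disk, and assigns each member one of the same three tiers. The sample archive, its member names and contents are constructed for the demonstration; the real 9658904352011.zip is not reproduced.

```python
import hashlib
import io
import zipfile

# Constructed sample standing in for a quarantined attachment.
# Member names and contents are made up for this demonstration.
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("invoice.pdf.exe", b"MZ" + b"\x00" * 62 + b"PE\x00\x00")
    _zf.writestr("readme.txt", b"Please open the attached invoice.")
SAMPLE_ZIP_BYTES = _buf.getvalue()

EXEC_MAGIC = {b"MZ": "PE executable", b"\x7fELF": "ELF executable"}
RISKY_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".lnk"}
TIER_ORDER = {"informative": 0, "suspicious": 1, "malicious": 2}

def triage_zip(data: bytes, max_member_bytes: int = 50 * 1024 * 1024) -> list:
    """Inspect a zip in memory and return one record per member.
    Tiers are heuristic: executable magic bytes behind a deceptive or
    executable file name is rated malicious, either signal alone suspicious."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.file_size > max_member_bytes:  # decompression-bomb guard
                findings.append({"name": info.filename, "tier": "suspicious",
                                 "reason": f"declared size {info.file_size} exceeds cap"})
                continue
            blob = zf.read(info)
            name = info.filename.lower()
            ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
            double_ext = name.count(".") >= 2 and ext in RISKY_EXT
            magic = next((lbl for sig, lbl in EXEC_MAGIC.items() if blob.startswith(sig)), None)
            if magic and (double_ext or ext in RISKY_EXT):
                tier, reason = "malicious", f"{magic} with deceptive or executable name"
            elif magic or ext in RISKY_EXT:
                tier, reason = "suspicious", magic or f"executable extension {ext}"
            else:
                tier, reason = "informative", "no executable content detected"
            findings.append({"name": info.filename, "tier": tier, "reason": reason,
                             "sha256": hashlib.sha256(blob).hexdigest(), "size": len(blob)})
    return findings

def worst_tier(findings) -> str:
    """Overall verdict for the archive: the highest tier of any member."""
    return max((f["tier"] for f in findings), key=TIER_ORDER.__getitem__, default="informative")

if __name__ == "__main__":
    for record in triage_zip(SAMPLE_ZIP_BYTES):
        print(record)
    print("verdict:", worst_tier(triage_zip(SAMPLE_ZIP_BYTES)))
```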
Emerging Threat Signature
ET MALWARE FormBook CnC Checkin (GET)
Indicators of Compromise - Malicious
Indicators of Compromise - Suspicious