🚨 Suspicious IP #opendir:.209.126.87[.92:8888. 🌐 Domain:.premiere-coal-tonight-procedure.trycloudflare[.com . 🔗 File chain:.iz.exe - #modiloader #remcos.🔽.onedrive[.live.com/download?resid=F4D24344D7B13420%21110&authkey=!AL5-vxbOzO8Bd8E.🔽.255_Sraomttecbk. 📝 1/2

Dropping a #Yara rule for a new variant of #DBatLoader/#ModiLoader in the wild:. #100DaysOfYara

#DBatLoader #ModiLoader 🔥

taqareer[.]tech.#modiloader #Remcos

🔓#opendir 147.50.253[.30. 🔑Abotihy.exe - #PHEMEDRONE. 🔗C2:.💬/bot5358754228:AAE42HAGW1bzIPxU7iVRC_96iDuHcwSjjVo/sendMessage?chat_id=5556872222. 🖥️8888.exe - #MODILOADER -> 147.50.253[.30:8888 -> Process.exe. 🖥️Client.exe - #NJRAT -> 147.50.253[.30:6522 -> WindowsServices.exe

ISC Diary: @malware_traffic saw #GuLoader or #ModiLoader/#DBatLoader style traffic for #RemcosRAT

Recently, I have been investigating a malware loader which is ModiLoader. This loader is delivered through the Malspam services to lure end users to execute malicious code. #VinCSS #ModiLoader #MalwareAnalysis #Z2A

🔥#maldoc sample spread #ModiLoader(#DBatLoader) was submitted from VN. 🐛hash:797ad98c5e34adaf78da488638b1bfe724d2750844e2d67725b0e84a2aa14c06.☠️external link->#mal rtf->contain #sc->download #ModiLoader payload (1/2)

#formbook #guloader #modiloader #dbatloader #cloudeye

AhnLab's ASEC team identify and analyse cases of the ModiLoader (DBatLoader) malware being distributed via emails impersonating a Turkish bank and leading to SnakeKeylogger.

ISC Diary: @malware_traffic reviews #Formbook from possible #ModiLoader (#DBatLoader)

32ba1ee78874a80a23a0d09427d52af6.05ef4ca659965c1d3faa58077b0f9943.#FormBook #ModiLoader #DBatLoader

"Pre_Procurement Verification (Mog Energy)_Ref_TR0029388827772_10_27_2022". malspam mail -> sharepoint URL -> password protected 7z -> 3 #modiloader -> #AveMaria executables. C2: pentester0.accesscam[.org. Bazaar:. check comments for #modiloader opendir

Today's quick #malware analysis with #SecurityOnion:. FORMBOOK from possible MODILOADER pcap from 2023-06-16. Thanks to @malware_traffic for sharing this #pcap!. More screenshots:. #infosec.#infosecurity.#CyberSecurity.#ThreatHunting.#IncidentResponse

#Modiloader / #Dbatloader . The .z archive leads to exe, which uses lVali UserAgent to download encrypted file from Onedrive ( so MS doesn't take it down ). Post decryption its injected in legit MS process like sndvol to do the C2 comms on 42020 port.

ModiLoader/Netwire RAT with UAC bypass script. OneDrive host: tgkzva.db.files.1drv[.]com C2 hosts: 213.152.162[.]181 184.75.221[.]171 199.249.230[.]27 185.103.96[.]143 185.104.184[.]43 C2 Port: 5133 Sample:

ISC Diary: @malware_traffic reviews a malspam-based #ModiLoader infection for #RemcosRAT

lightstone[.]ae.#modiloader @userlolxxl @AbuseAE

Email Spam with Attachment Modiloader

DBatLoader (ModiLoader) Being Distributed to Turkish Users. May 16 2025.