Malware Analysis Report

2025-08-10 19:45

Sample ID 240131-lymq3ahff5
Target 841d1d706e5fda5a4c6c2f6c512c18c2
SHA256 dfcd8994628bee6d7f0aa4575047e01e3f8caf1a5cd126fe79f70fcf89e5a24b
Tags
modiloader trojan
score
10/10

Analysis Overview

score
10/10

SHA256

dfcd8994628bee6d7f0aa4575047e01e3f8caf1a5cd126fe79f70fcf89e5a24b

Threat Level: Known bad

The file 841d1d706e5fda5a4c6c2f6c512c18c2 was found to be: Known bad.

Malicious Activity Summary

modiloader trojan

ModiLoader, DBatLoader

ModiLoader Second Stage

Deletes itself

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-01-31 09:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-31 09:56

Reported

2024-01-31 09:59

Platform

win7-20231215-en

Max time kernel

141s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\841d1d706e5fda5a4c6c2f6c512c18c2.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice51.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\_rejoice51.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice51.exe N/A
File opened for modification C:\Windows\SysWOW64\_rejoice51.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice51.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice51.exe C:\Users\Admin\AppData\Local\Temp\841d1d706e5fda5a4c6c2f6c512c18c2.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice51.exe C:\Users\Admin\AppData\Local\Temp\841d1d706e5fda5a4c6c2f6c512c18c2.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat C:\Users\Admin\AppData\Local\Temp\841d1d706e5fda5a4c6c2f6c512c18c2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2868 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\841d1d706e5fda5a4c6c2f6c512c18c2.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice51.exe
PID 2868 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\841d1d706e5fda5a4c6c2f6c512c18c2.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice51.exe
PID 2868 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\841d1d706e5fda5a4c6c2f6c512c18c2.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice51.exe
PID 2868 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\841d1d706e5fda5a4c6c2f6c512c18c2.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice51.exe
PID 496 wrote to memory of 404 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice51.exe C:\Windows\SysWOW64\WerFault.exe
PID 496 wrote to memory of 404 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice51.exe C:\Windows\SysWOW64\WerFault.exe
PID 496 wrote to memory of 404 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice51.exe C:\Windows\SysWOW64\WerFault.exe
PID 496 wrote to memory of 404 N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice51.exe C:\Windows\SysWOW64\WerFault.exe
PID 2868 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\841d1d706e5fda5a4c6c2f6c512c18c2.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\841d1d706e5fda5a4c6c2f6c512c18c2.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\841d1d706e5fda5a4c6c2f6c512c18c2.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\841d1d706e5fda5a4c6c2f6c512c18c2.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\841d1d706e5fda5a4c6c2f6c512c18c2.exe

"C:\Users\Admin\AppData\Local\Temp\841d1d706e5fda5a4c6c2f6c512c18c2.exe"

C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice51.exe

"C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice51.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 496 -s 288

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat""

Network

N/A

Files

memory/2868-0-0x0000000000400000-0x00000000005D4000-memory.dmp

memory/2868-3-0x00000000002B0000-0x00000000002B1000-memory.dmp

\Program Files\Common Files\Microsoft Shared\MSInfo\rejoice51.exe

MD5 841d1d706e5fda5a4c6c2f6c512c18c2
SHA1 1b5c9251c9f5bf24e7a014e20b4e710f17e4a540
SHA256 dfcd8994628bee6d7f0aa4575047e01e3f8caf1a5cd126fe79f70fcf89e5a24b
SHA512 2ba25dba4f736c6f93d98eb12c99cbaaffb4c018f5fc6a8572e95eb95aa298964fd54b5d0a206d3894ebf054e37f67322f7d134ab3d7cc8ff2466664d1a9c1ee

C:\Program Files\Common Files\Microsoft Shared\MSInfo\rejoice51.exe

MD5 b13ecb3b61bb6f67032e2fc73b590fb9
SHA1 e43f0d99de0918509f3ca4d5a76b587132ce4f4b
SHA256 be3e1dd31c7e6d4d15cf54ffbff075dde201fd6ffcc66febeb231578c06978dd
SHA512 9c954d5d9083f4cfda876db28e5382397a479c675bbd9742ec562b54c25fc55e1fdca713633e70e9f4f7e9892c0e981eba69649c512f1ee02364ed36558b20f2

C:\Program Files\Common Files\Microsoft Shared\MSInfo\rejoice51.exe

MD5 ad371df1f3d46ad9b1aab8e03d3ec64a
SHA1 8e5bffa7287b21e2d030ecd19ca23a630335efe9
SHA256 f1dbef6d6bb557e16c74c66fa333c6506441819f14990286e65adb04ec812ae8
SHA512 ddd60412108803c358429ad3f5d213d4b4ece186b79f8485d770a7373bdb139ceccd14db80660b3b2c72a22502db0b5538d34ee6b75368ca30fca69a58359e6b

memory/496-12-0x0000000000400000-0x00000000005D4000-memory.dmp

memory/2868-10-0x0000000003050000-0x0000000003224000-memory.dmp

C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice51.exe

MD5 e755b4825a2b62a35cd43fd43c86d9da
SHA1 c830b672aac2b12cb97517bfd939fa5745711f01
SHA256 4794f0173154c712e0c3546523f1bb8f2c8718fe1a44606a8d0336122025ff1f
SHA512 60a82a21229b216b5b07017448a84b34215f9762ee39c2ca99eae1c3986a1cd325b8ba29ce8ae244dc1a936aaff8629034c612bfa745d30770f536103e3f9214

memory/2868-13-0x0000000003050000-0x0000000003224000-memory.dmp

memory/496-18-0x0000000000270000-0x0000000000271000-memory.dmp

\Program Files\Common Files\Microsoft Shared\MSInfo\rejoice51.exe

MD5 23f014ee5d6dd2064293093f0c47adc2
SHA1 0588e028ed9a495ec95b36fdb07bfc53c0983c63
SHA256 5ee5f62591ca30dd4bf594c4086daa8fbe9a96ab062ffab1883ef01f6dc605f3
SHA512 40f07b52b901bcbde9bd647683b9b466f7f6314c1491a14018c1af004b7eaf99e67acaed0efe24ab0f4db55da5962ca14e7223924c7bc67096ae4daee2d675c8

\Program Files\Common Files\Microsoft Shared\MSInfo\rejoice51.exe

MD5 d89cb9a7358663bca4d4463fa725f6d7
SHA1 a626d0c513c7be3c5a6800d6a662eb41cbb7b33e
SHA256 759c1218366e30b37451574781cfcced60fbb7eec9b4266b474c037ae8951d10
SHA512 2375a6a4f0cc8276960caf044c47b93de47a10391758ce8e67c1da23247dd56d35b63fba3f8fb1bc07113bdf672e2141b1937c0bb34ccc60414af79605017b73

\Program Files\Common Files\Microsoft Shared\MSInfo\rejoice51.exe

MD5 f0d678bc6582e5e78b6df6429036b2c7
SHA1 2ac3fac6227676f705d876e88a30a6cff07dd886
SHA256 43bb3847d25ff8175ca5a4e32386be6a5a5ff59a3aaebec71baa3e3f8766c56f
SHA512 101b7e778c44ca2ee056c29298613b52289354f77cace877c978ee11e0635285bd19d363270fde78dc70eae6ccb6412626ed7467f53c29ec5a9fcb245c9ba97b

memory/2868-22-0x0000000000400000-0x00000000005D4000-memory.dmp

memory/496-23-0x0000000000400000-0x00000000005D4000-memory.dmp

C:\Program Files\Common Files\Microsoft Shared\MSInfo\Delet.bat

MD5 06c202ea021eb56220e615e2b21bafc2
SHA1 93dbc14d2d9b79e7c244bd8072c4d7729cd0283f
SHA256 8489c4e58aa775d4c810a558a87280a2059ae749e0c3cf3d5df40b0ae637f3dd
SHA512 f572d7de7699ba199b6ab85fc2ae5839624c72694de54eae166745050fbe4d705a33273c6908db3175a8b40e0eec01026fa16a972e213d1fba9b25ddc11a3180

memory/2868-35-0x0000000000400000-0x00000000005D4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-31 09:56

Reported

2024-01-31 09:59

Platform

win10v2004-20231215-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\841d1d706e5fda5a4c6c2f6c512c18c2.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice51.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\_rejoice51.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice51.exe N/A
File created C:\Windows\SysWOW64\_rejoice51.exe C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice51.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice51.exe C:\Users\Admin\AppData\Local\Temp\841d1d706e5fda5a4c6c2f6c512c18c2.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat C:\Users\Admin\AppData\Local\Temp\841d1d706e5fda5a4c6c2f6c512c18c2.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice51.exe C:\Users\Admin\AppData\Local\Temp\841d1d706e5fda5a4c6c2f6c512c18c2.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\841d1d706e5fda5a4c6c2f6c512c18c2.exe

"C:\Users\Admin\AppData\Local\Temp\841d1d706e5fda5a4c6c2f6c512c18c2.exe"

C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice51.exe

"C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice51.exe"

C:\program files\internet explorer\IEXPLORE.EXE

"C:\program files\internet explorer\IEXPLORE.EXE"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat""

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 193.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 16.234.44.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp

Files

memory/2296-0-0x0000000000400000-0x00000000005D4000-memory.dmp

memory/2296-1-0x0000000002780000-0x0000000002781000-memory.dmp

C:\Program Files\Common Files\microsoft shared\MSInfo\rejoice51.exe

MD5 0addf595e63b56c35c3bfa41d94d1034
SHA1 1019eb49da5fe49e309ed933e0570afa7c4e72ac
SHA256 cf6b86b823397708d29c1400526cd4ce670e8fd4852aee1a8a97c4a836793174
SHA512 c343e7cea562ddfd80643518cee24254b3dd4d23e7a2838dc2b0fc6b1caaf155f2b9dd391e7d1266566b4d2f503178274f59b43fb75d256f50a47b4c0d5a915d

C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice51.exe

MD5 841d1d706e5fda5a4c6c2f6c512c18c2
SHA1 1b5c9251c9f5bf24e7a014e20b4e710f17e4a540
SHA256 dfcd8994628bee6d7f0aa4575047e01e3f8caf1a5cd126fe79f70fcf89e5a24b
SHA512 2ba25dba4f736c6f93d98eb12c99cbaaffb4c018f5fc6a8572e95eb95aa298964fd54b5d0a206d3894ebf054e37f67322f7d134ab3d7cc8ff2466664d1a9c1ee

memory/4812-7-0x0000000000400000-0x00000000005D4000-memory.dmp

memory/4812-11-0x00000000023B0000-0x00000000023B1000-memory.dmp

C:\Windows\SysWOW64\_rejoice51.exe

MD5 5c7c571e3f754da751e125b4d377ef31
SHA1 df1233b2cae04a9bb1c9ab82036382f31cf05637
SHA256 8f4b03e396e82bc2e7b1fa843ad9ed4209d10cd58953492e2b84433517cb9714
SHA512 050bc1951a9e720c9abf8ee452842bad63e39c4db4446451e7a6d2dbba9f0f9681d77e25633b108a8eea8f8dea9a359f7559860fdbf3a256f6bebda702188664

memory/4812-13-0x0000000000400000-0x00000000005D4000-memory.dmp

memory/2296-15-0x0000000000400000-0x00000000005D4000-memory.dmp

C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat

MD5 06c202ea021eb56220e615e2b21bafc2
SHA1 93dbc14d2d9b79e7c244bd8072c4d7729cd0283f
SHA256 8489c4e58aa775d4c810a558a87280a2059ae749e0c3cf3d5df40b0ae637f3dd
SHA512 f572d7de7699ba199b6ab85fc2ae5839624c72694de54eae166745050fbe4d705a33273c6908db3175a8b40e0eec01026fa16a972e213d1fba9b25ddc11a3180