{
	"id": "8f4b9251-6f32-449b-a1a2-951ad3146972",
	"created_at": "2026-04-06T00:07:18.810372Z",
	"updated_at": "2026-04-10T03:20:52.503808Z",
	"deleted_at": null,
	"sha1_hash": "3bf6ffbaf092e38381b533d79e252d8d1ef11ea6",
	"title": "DBatLoader | ThreatLabz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1569120,
	"plain_text": "DBatLoader | ThreatLabz\r\nBy Meghraj Nandanwar, Satyam Singh\r\nPublished: 2023-03-27 · Archived: 2026-04-05 22:43:02 UTC\r\nTechnical Analysis of DBatLoader/ModiLoader\r\nDBatLoader/ModiLoader/NatsoLoader is a Delphi-compiled binary that drops final payloads such as Formbook, Remcos RAT, Netwire RAT, and Warzone RAT. It uses multi-layer obfuscation and image steganography techniques to hide the initial stage from detection engines and downloads obfuscated later-stage payloads from public cloud services such as OneDrive and Google Drive. The loader does not use any anti-debug, anti-VM, or anti-sandbox techniques.\r\nStage 1:\r\nIn the first stage, four steps are followed: Extraction, Decoding, Allocation, and Execution.\r\nStep 1 - Extraction:\r\nIn this stage a form is created via 'TFormSplash_FormCreate', which contains a function named 'Oncreate()' that holds the actual loader code.\r\nFig.10 - Function Oncreate() contains the loader code\r\nDBatLoader's resource section contains a GIF image as the second-stage encrypted payload.\r\nhttps://www.zscaler.com/blogs/security-research/dbatloader-actively-distributing-malwares-targeting-european-businesses\r\nPage 1 of 5\r\nFig.11 - Encrypted GIF payload in resource section\r\nThe following function in DBatLoader is responsible for reading encoded data from the 'uski' resource name within the file and subsequently loading it into memory.\r\nStep 2 - Decoding:\r\nFig.13 - Decoding function\r\nThe following is an explanation of the function's logic:\r\nThe encrypted byte from the resource section is added to the number 79.\r\nIf the resulting value exceeds 255, an overflow occurs: the excess is discarded (the value wraps around) and the wrapped result is stored in a variable.\r\nOtherwise, the result is stored in the same variable.\r\nThe resulting value is then converted from hexadecimal to string, and individual bytes are retrieved to decode the second-stage DLL payload.\r\nExample Python script used to decode the payload:\r\nFig.14 - Python script to decode payload\r\nStep 3 - Allocation:\r\nOnce the payload has been decoded, the F_Execution_main function is responsible for allocating the decoded payload into memory.\r\nFig.15 - Function for memory allocation\r\nThe decrypted payload is allocated in the memory of DBatLoader's own process through the 'VirtualAlloc' API. This decrypted payload constitutes the second-stage DLL, which carries out the additional malicious activities of DBatLoader. It is worth noting that the second-stage payload can take the form of either a DLL or an executable (EXE) file.\r\nFig.16 - VirtualAlloc API used for memory allocation\r\nStep 4 - Execution:\r\nThe main function calls another function, passing the decoded second stage as an argument, in order to execute the final payload.\r\nFig.17 - Function for execution\r\nStage 2:\r\nOnce the first-stage DBatLoader loads the decoded second-stage payload into memory, the second-stage payload drops four files on the infected system's disk at the path 'C:\\Users\\Public\\Libraries'. The dropped files include two batch files named 'XdfiifagO.bat' and 'KDECO.bat', one DLL file named 'netutils.dll', and one executable file named 'easinvoker.exe'.\r\nFig.18 - Initial Bat script\r\nThe first batch file, 'XdfiifagO.bat', leverages a well-known technique for bypassing Windows User Account Control (UAC) called the 'Mock Trusted Directories Method' to escalate privileges without displaying a UAC prompt. This method involves creating a fake directory whose name matches a legitimate trusted location except for extra whitespace, such as \"C:\\Windows \\System32\", and copying the required files into it.\r\nSince the mock directory cannot be created through the Windows Explorer user interface, the attacker uses a script to create it. Once the directory is created, the batch file copies the legitimate 'easinvoker.exe' executable, the malicious 'netutils.dll', and the 'KDECO.bat' script into it. The script then executes 'easinvoker.exe' from the mock directory and adds a delay using the 'ping 127.0.0.1 -n 6 \u003e nul' command. Finally, the mock directory is deleted.\r\nThe auto-elevated 'easinvoker.exe' executable is vulnerable to the 'relative path DLL hijack' variant of DLL hijacking. Windows automatically elevates this process without displaying a UAC prompt if it is located in a trusted directory. Therefore, the attacker copies 'easinvoker.exe' to the mock directory and uses it to load the malicious 'netutils.dll', which in turn executes the 'KDECO.bat' script.\r\nFig.19 - Second Bat script\r\nThe script 'KDECO.bat' includes PowerShell commands that exclude the 'C:\\Users' directory from being scanned by Microsoft Defender.\r\nFig.20 - Function to create .url file\r\nDBatLoader achieves persistence by creating a copy of itself and a file called 'gafiifdX.url' in the 'C:\\Users\\Public\\Libraries' directory. The 'gafiifdX.url' file is an Internet shortcut that executes the dropped malicious payload on the system. Using this file, DBatLoader creates an autorun registry key under 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' to survive a reboot.\r\nHere is the content of the 'gafiifdX.url' file:\r\n[InternetShortcut]\r\nURL=file:\"C:\\\\Users\\\\Public\\\\Libraries\\\\Xdfiifag.exe\"\r\nIconIndex=13\r\nHotKey=49\r\nSource: https://www.zscaler.com/blogs/security-research/dbatloader-actively-distributing-malwares-targeting-european-businesses",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/dbatloader-actively-distributing-malwares-targeting-european-businesses"
	],
	"report_names": [
		"dbatloader-actively-distributing-malwares-targeting-european-businesses"
	],
	"threat_actors": [],
	"ts_created_at": 1775434038,
	"ts_updated_at": 1775791252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3bf6ffbaf092e38381b533d79e252d8d1ef11ea6.pdf",
		"text": "https://archive.orkl.eu/3bf6ffbaf092e38381b533d79e252d8d1ef11ea6.txt",
		"img": "https://archive.orkl.eu/3bf6ffbaf092e38381b533d79e252d8d1ef11ea6.jpg"
	}
}