DBatLoader | ThreatLabz
By Meghraj Nandanwar, Satyam Singh
Published: 2023-03-27 · Archived: 2026-04-05 22:43:02 UTC

Technical Analysis of DBatLoader/ModiLoader

DBatLoader (also tracked as ModiLoader and NatsoLoader) is a Delphi-compiled binary that drops final payloads such as Formbook, Remcos RAT, Netwire RAT, and Warzone RAT. It uses multi-layer obfuscation and image steganography to hide the initial stage from detection engines, and it downloads obfuscated later-stage payloads from public cloud services such as OneDrive and Google Drive. The loader does not use any anti-debug, anti-VM, or anti-sandbox techniques.

Stage 1:

The first stage consists of four steps: extraction, decoding, allocation, and execution.

Step 1 - Extraction:

A form is created via 'TFormSplash_FormCreate'; its 'OnCreate()' handler contains the actual loader code.

Fig.10 - Function OnCreate() contains the loader code

DBatLoader's resource section contains a GIF image that holds the encrypted second-stage payload.

Fig.11 - Encrypted GIF payload in the resource section

The following function in DBatLoader reads the encoded data from the resource named 'uski' within the file and loads it into memory.

Step 2 - Decoding:

Fig.13 - Decoding function

The function's logic works as follows. Each encrypted byte from the resource section is added to 79. If the sum exceeds 255, the addition wraps around (byte arithmetic modulo 256) and only the low byte is kept; otherwise the sum is stored as-is. The resulting values form a hexadecimal string, which is then converted back to raw bytes to recover the second-stage DLL payload.
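The decoding routine described above, written out as a runnable decoder. This is an added example and is not the loader's own code, nor the Zscaler script shown in Fig.14. It reads the description as a two-layer transform: each resource byte plus 79 modulo 256 yields one character of a hexadecimal string, and that string is unhexed into the stage-2 binary. The 'uski' resource bytes are not on the page, so the sample resource below is constructed with the inverse transform, and the decoder adds the two sanity checks a practitioner would want (hex-only output, even length, and an MZ header) before trusting a dump.

```python
"""Decoder for the DBatLoader stage-2 resource described in Step 2.

Added example (not the loader's code or the Fig.14 script). Assumption about
the routine: (b + 79) mod 256 per byte gives hex text, which is then unhexed.
The sample resource is constructed here so the script runs offline.
"""
import binascii
import string

KEY = 79  # additive constant from the decoding routine


def decode_payload(encoded: bytes) -> bytes:
    """Reverse the two-layer encoding: (b + 79) mod 256, then unhex."""
    # Byte-wise addition; '& 0xFF' is the wrap-around the write-up calls an overflow.
    hex_text = bytes((b + KEY) & 0xFF for b in encoded)
    # If either check fails the key or resource offset is wrong; fail loudly
    # rather than hand an analyst a garbage blob.
    if len(hex_text) % 2:
        raise ValueError("decoded hex string has odd length; wrong key or offset?")
    if any(chr(c) not in string.hexdigits for c in hex_text):
        raise ValueError("decoded text is not hexadecimal; wrong key or offset?")
    return binascii.unhexlify(hex_text)


def encode_payload(raw: bytes) -> bytes:
    """Inverse transform, used only to build a constructed test resource."""
    hex_text = raw.hex().upper().encode("ascii")
    return bytes((c - KEY) & 0xFF for c in hex_text)


def looks_like_pe(blob: bytes) -> bool:
    """Stage 2 is a DLL or EXE, so a correct decode should start with 'MZ'."""
    return blob[:2] == b"MZ"


# Constructed stand-in for the 'uski' resource: a fake PE header, not the real payload.
SAMPLE_STAGE2 = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
SAMPLE_RESOURCE = encode_payload(SAMPLE_STAGE2)

if __name__ == "__main__":
    decoded = decode_payload(SAMPLE_RESOURCE)
    print("PE header recovered:", looks_like_pe(decoded))
    print(decoded.hex())
```

To use it on a real sample, dump the raw bytes of the 'uski' resource with any PE resource tool and pass them to decode_payload(); a ValueError means the key or the slice of the resource is wrong, and a result that does not begin with MZ should be treated the same way.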
Example Python script used to decode the payload:

Fig.14 - Python script to decode payload

Step 3 - Allocation:

Once the payload has been decoded, the F_Execution_main function allocates memory for it.

Fig.15 - Function for memory allocation

The decrypted payload is allocated in the memory of DBatLoader's own process using the 'VirtualAlloc' API. This decrypted payload is the second-stage DLL, which carries out the remaining malicious activity of DBatLoader. Note that the second-stage payload can be either a DLL or an executable (EXE).

Fig.16 - VirtualAlloc API used for memory allocation

Step 4 - Execution:

The main function calls another function, passing the decoded second stage as an argument, in order to execute it.

Fig.17 - Function for execution

Stage 2:

Once the first-stage DBatLoader has loaded the decoded second-stage payload into memory, the second stage drops four files to 'C:\Users\Public\Libraries' on the infected system: two batch files named 'XdfiifagO.bat' and 'KDECO.bat', one DLL named 'netutils.dll', and one executable named 'easinvoker.exe'.

Fig.18 - Initial Bat script

The first batch file, 'XdfiifagO.bat', then uses a well-known Windows User Account Control (UAC) bypass known as the 'Mock Trusted Directories' method to obtain elevated privileges without displaying a UAC prompt. The method creates a fake directory whose name matches a legitimate trusted location except for an extra trailing space, such as "C:\Windows \System32", and copies the required files into it.
Because Windows Explorer does not allow a directory name with a trailing space to be created through the user interface, the attacker creates it with a script. Once the directory exists, the batch file copies the legitimate 'easinvoker.exe' executable, the malicious 'netutils.dll', and the 'KDECO.bat' script into it. The script then executes 'easinvoker.exe' from the mock directory, waits using the 'ping 127.0.0.1 -n 6 > nul' command, and finally deletes the mock directory.

The auto-elevating 'easinvoker.exe' executable is vulnerable to the 'relative path DLL hijack' variant of DLL hijacking. Windows elevates this process automatically, without a UAC prompt, when it is located in a trusted directory. The attacker therefore copies 'easinvoker.exe' into the mock directory so that it loads the malicious 'netutils.dll' placed alongside it, which in turn executes the 'KDECO.bat' script.

Fig.19 - Second Bat script

The 'KDECO.bat' script contains PowerShell commands that exclude the 'C:\Users' directory from Microsoft Defender scanning.

Fig.20 - Function to create .url file

DBatLoader achieves persistence by writing a copy of itself and a file named 'gafiifdX.url' to the 'C:\Users\Public\Libraries' directory. The 'gafiifdX.url' file is an Internet shortcut that launches the dropped malicious payload. Using this file, DBatLoader creates an autorun registry key under 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' to survive a reboot. Here is the content of the 'gafiifdX.url' file:

[InternetShortcut]
URL=file:"C:\\Users\\Public\\Libraries\\Xdfiifag.exe"
IconIndex=13
HotKey=49

Source: https://www.zscaler.com/blogs/security-research/dbatloader-actively-distributing-malwares-targeting-european-businesses