{
	"id": "62fcb0e5-ffba-41c0-b5b3-f4b7188cbf7c",
	"created_at": "2026-04-06T00:18:35.197038Z",
	"updated_at": "2026-04-10T03:20:37.236853Z",
	"deleted_at": null,
	"sha1_hash": "3cee8aace3ab8e4e22820788de4da00d208e5923",
	"title": "Malware Analysis: ModiLoader - VinCSS Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 176368,
	"plain_text": "Malware Analysis: ModiLoader - VinCSS Blog\r\nBy Yến Hứa\r\nPublished: 2020-09-11 · Archived: 2026-04-05 20:39:40 UTC\r\nTable of Contents\r\n1. Introduction\r\n2. About the sample\r\n3. Technical analysis\r\n3.1. First stage analysis\r\n3.2. Second stage analysis\r\n3.3. Third stage analysis\r\n4. References\r\n1. Introduction\r\nRecently, I have been investigating a malware loader known as ModiLoader. This loader is delivered through malspam campaigns that lure end users into executing the malicious code. Like other loaders, ModiLoader works in multiple stages to download a final payload that is responsible for stealing the victim's information. After digging into some samples, I realized that this loader is quite simple and does not apply anti-analysis techniques such as the anti-debug and anti-VM checks that we have seen in GuLoader/CloudEyE samples (1;2). Instead, to evade antivirus detection, the loader carries a digital signature, decrypts its payloads, the URL and the code-injection function only at runtime, and executes the payload directly from memory.\r\nCurrently, according to my observation, there are not many public analyses of this loader, either worldwide or in Vietnam. So, in this post, I will cover the techniques used by this loader and apply capa, the newly released tool from FireEye, which helps to quickly locate the loader's main code. During the analysis, I also reproduce the malicious code as Python scripts for automatically extracting and decoding the payload and the URL.\r\n2. About the sample\r\nSHA256: 9d71c01a2e63e041ca58886eba792d3fc0c0064198d225f2f0e2e70c6222365c\r\nResults from PE scanner tools show that this loader is written in Delphi and carries a digital signature to bypass the AV programs running on the client:\r\nhttps://blog.vincss.net/re016-malware-analysis-modiloader/\r\nPage 1 of 11\n\n3. Technical analysis\r\n3.1. 
First stage analysis\r\nAt the first stage, the loader (considered the first payload) extracts data, decodes the second payload (which can be a DLL or an EXE), and executes that payload from memory.\r\nUsing IDA, at the end of the automated analysis IDA identified up to 5,385 functions:\r\nCode block at the start() function of the loader:\r\nAlthough many functions were identified as shown above, most of them are Windows APIs and Delphi library functions, so finding the main code related to decoding the second payload would take a long time. With the help of capa, I quickly found the code related to executing the second payload and then traced back to the code responsible for decoding this payload.\r\nThe entire code of the sub_498CDC() function is responsible for parsing the payload, mapping it into memory and executing it. Code in this function before and after applying the relevant struct:\r\nTracing back leads to sub_4994EC(), which performs the following tasks:\r\nReads all data from the resource named “T__7412N15D” into memory.\r\nFinds the “OPPO” string in the resource data to locate the encrypted payload.\r\nDecodes that data to get the second payload. The key used in the decoding process is a numeric value.\r\nSearches for a placeholder string in the second payload and replaces it with the encoded URL string.\r\nIn the picture above, the decryption key is an integer converted from a string. 
In this sample, the key value is 0x30.\r\nThe code responsible for decoding the payload is shown below:\r\nAn implementation of this decoding operation can be written in Python as in the image below:\r\nOnce the payload has been decoded, the loader searches for the placeholder in the decoded payload and replaces the 168 “z” characters with the encoded URL string. Finally, once the payload is ready for execution, it calls sub_498CDC() to execute the payload.\r\nEverything in the technical analysis up to this point can be automated with a Python script to obtain the second payload.\r\n3.2. Second stage analysis\r\nChecking the payload retrieved in the step above shows that it is also written in Delphi:\r\nUsing the same method, I found sub_45BE08(), which is responsible for allocating a region of memory, mapping the decoded final payload into this region, and then executing it.\r\nBy tracing back, I found the code that starts at TForm1_Timer1Timer (recognized by IDA through its signature) at address 0x45CC10. Before calling f_main_loader() at address 0x45C26C, the code from here is responsible for decoding a URL and checking the Internet connection by trying to connect to the decoded URL, which is https://www.microsoft.com.\r\nThe decoding algorithm in the f_decode_char_and_concat_str() function is as simple as: dec_char = (enc_char \u003e\u003e 4) | (0x10 * enc_char); since the result is truncated to a byte, this swaps the two nibbles of each character.\r\nAt f_main_loader(), the same function is used again to decode the string “Yes”. This string is later used as the XOR key for decoding the URL from which the last payload is downloaded (the encrypted URL is the string inserted in the replacement step described above) as well as for decoding the downloaded payload.\r\n
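An added Python re-implementation of the two second-stage decoders just described: the nibble swap in f_decode_char_and_concat_str() and the hex-and-XOR routine that uses the “Yes” key for both the URL and the downloaded payload (its parameters are detailed next). This is example code written for this page, not the script from the original post. The real encoded URL and payload are only shown as images in the post, so the inputs below are constructed; cycling the key over the output position and reversing the downloaded text character by character are assumptions about details the post does not spell out.

```python
# Added example (not code from the VinCSS post): re-implementation of the two
# string decoders described for ModiLoader's second stage. Sample inputs are
# constructed here, since the post only shows the real ones as screenshots.


def nibble_swap_decode(enc: bytes) -> str:
    # f_decode_char_and_concat_str(): dec_char = (enc_char >> 4) | (0x10 * enc_char).
    # Delphi performs the multiplication on a byte, so the high nibble of enc_char
    # is truncated; masking with 0xFF reproduces that. The net effect is a nibble
    # swap, which is its own inverse.
    return ''.join(chr(((c >> 4) | (c << 4)) & 0xFF) for c in enc)


def xor_hex_decode(enc_hex: str, key: str) -> bytes:
    # f_decode_url_and_payload(): consume two hex characters per iteration,
    # convert them to an integer, XOR with a key character and append the
    # result to the output buffer. Assumption: the key ('Yes' in the sample)
    # is cycled over the output position; the post does not state this.
    out = bytearray()
    for i in range(0, len(enc_hex) - 1, 2):
        value = int(enc_hex[i:i + 2], 16)
        out.append(value ^ ord(key[(i // 2) % len(key)]))
    return bytes(out)


def xor_hex_encode(data: bytes, key: str) -> str:
    # Inverse of xor_hex_decode; used only to build constructed test data.
    return ''.join('%02x' % (b ^ ord(key[i % len(key)])) for i, b in enumerate(data))


def decode_downloaded_payload(downloaded: str, key: str) -> bytes:
    # The post states the downloaded hex text is reversed before being passed
    # to the same decoder. Assumption: a plain character-wise reversal.
    return xor_hex_decode(downloaded[::-1], key)


# Constructed inputs.
# The XOR key is itself stored nibble-swapped: 0x95 0x56 0x37 decodes to 'Yes'.
KEY = nibble_swap_decode(bytes([0x95, 0x56, 0x37]))
# Constructed stand-in for the encoded payload URL (not the real URL from the post).
SAMPLE_URL = 'https://example.invalid/payload.bin'
ENC_URL = xor_hex_encode(SAMPLE_URL.encode(), KEY)
# Constructed stand-in for the downloaded payload: MZ header plus filler,
# hex-encoded with the key and then reversed, as the loader expects.
SAMPLE_PAYLOAD = bytes([0x4D, 0x5A, 0x90, 0x00]) + b'constructed payload body'
DOWNLOADED = xor_hex_encode(SAMPLE_PAYLOAD, KEY)[::-1]


def decode_sample() -> tuple:
    # Walk the constructed sample through the same steps as f_main_loader().
    url = xor_hex_decode(ENC_URL, KEY).decode()
    payload = decode_downloaded_payload(DOWNLOADED, KEY)
    return KEY, url, payload


if __name__ == '__main__':
    key, url, payload = decode_sample()
    print(key, url, payload[:4])
```

Against a real sample, ENC_URL is the hex string that replaced the placeholder in the second payload and DOWNLOADED is the response body fetched from that URL; both go through the same two functions, the only difference being the reversal of the downloaded text.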
f_decode_url_and_payload(void *enc_buf, LPSTR szKey, void *dec_buf) takes three parameters:\r\nThe first parameter is enc_buf, which holds the encoded data.\r\nThe second parameter is szKey. It is the “Yes” string used to decode the data.\r\nThe third parameter is dec_buf, which receives the decoded data.\r\nDiving into this decoding function, you will realize that it loops through all the data, each iteration taking 2 bytes of the hex string, converting them to an integer, then XORing the result with the character extracted from the decryption key. Once decrypted, the byte is appended to the third argument, the output buffer.\r\nThis entire decoding function is rewritten in Python as follows:\r\nBack in f_main_loader(), the loader first decodes the URL for retrieving the last payload:\r\nPerforming the decoding with the Python code above, I obtain the URL shown in the image below:\r\nNext, it uses the WinHTTP WinHttpRequest COM object to download the encrypted payload from the URL above. Instead of using the Internet API functions from the WinINet library as in some other samples, the switch to a COM object might be aimed at avoiding detection by AV programs.\r\nHere, I use wget to download the payload. The payload's content is stored as hex strings, similar to the encoded URL above.\r\nThe payload data is reversed and then decoded by the same f_decode_url_and_payload function with the same decoding key, “Yes”. Once decrypted, the sample allocates a region of memory, maps the payload into that region, and then executes it.\r\nWith the Python code above, I can decode the downloaded payload and obtain the final payload. This payload is a DLL file, also written in Delphi:\r\n3.3. 
Third stage analysis\r\nThe above payload is quite complicated; it performs the following tasks:\r\nReads data from a resource named “DVCLAL” into memory.\r\nDecrypts this resource, then, based on the “*()%@5YT!@#G__T@#$%^\u0026*()__#@$#57$#!@” pattern, reads the decrypted data into the corresponding variables.\r\nRetrieves the user's directory through the %USERPROFILE% environment variable and builds the path to the %USERPROFILE%\\AppData\\Local folder.\r\nCreates the Vwnt.url and Vwntnet.exe (a copy of the loader) files in the %USERPROFILE%\\AppData\\Local folder if they do not exist, then sets a value named “Vwnt” pointing to the %USERPROFILE%\\AppData\\Local\\Vwnt.url file under the “HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run” key. Then it writes data to Vwnt.url with content that points to the Vwntnet.exe file:\r\nCombines the decrypted data from the above resource to decrypt the new payload.\r\nDecrypts the function responsible for injecting code. Checks whether “C:\\Program Files (x86)\\internet explorer\\ieinstal.exe” exists; if it does, it injects the payload into ieinstal.exe.\r\nBased on the strings dumped from the decrypted payload, I can confirm that it belongs to Warzone RAT, a well-known RAT that is offered online and promoted on various hacking forums.\r\n4. References\r\nMalwareBazaar Database (ModiLoader)\r\nDBatLoader/ModiLoader Analysis – First Stage\r\ncapa: Automatically Identify Malware Capabilities\r\nWarzone: Behind the enemy lines\r\nSee the Vietnamese version of this post\r\nTran Trung Kien (aka m4n0w4r)\r\nMalware Analysis Expert\r\nR\u0026D Center – VinCSS (a member of Vingroup)\r\nSource: https://blog.vincss.net/re016-malware-analysis-modiloader/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.vincss.net/re016-malware-analysis-modiloader/"
	],
	"report_names": [
		"re016-malware-analysis-modiloader"
	],
	"threat_actors": [],
	"ts_created_at": 1775434715,
	"ts_updated_at": 1775791237,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3cee8aace3ab8e4e22820788de4da00d208e5923.pdf",
		"text": "https://archive.orkl.eu/3cee8aace3ab8e4e22820788de4da00d208e5923.txt",
		"img": "https://archive.orkl.eu/3cee8aace3ab8e4e22820788de4da00d208e5923.jpg"
	}
}