{
	"id": "ba5dd70f-263a-4071-8431-0af4b5ce577d",
	"created_at": "2026-04-06T00:19:13.564698Z",
	"updated_at": "2026-04-10T03:20:35.778843Z",
	"deleted_at": null,
	"sha1_hash": "6e79983ac94ad5e15236d3692a4f7143e01b7c61",
	"title": "DBatLoader (ModiLoader) Being Distributed to Turkish Users - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1283025,
	"plain_text": "DBatLoader (ModiLoader) Being Distributed to Turkish Users -\r\nASEC\r\nBy ATCP\r\nPublished: 2025-05-15 · Archived: 2026-04-05 20:03:23 UTC\r\nRecently, AhnLab SEcurity intelligence Center (ASEC) has identified cases of the ModiLoader (DBatLoader)\r\nmalware being distributed via email. ModiLoader ultimately executes SnakeKeylogger. SnakeKeylogger is an\r\nInfostealer-type malware developed in .NET. It is known for exfiltrating data via email, FTP,\r\nSMTP, or Telegram. Figure 1 shows the email being distributed. The email is written in Turkish and is\r\ndistributed by impersonating a Turkish bank. Users are prompted to open the malicious attachment to check their\r\ntransaction history. The compressed file contains the BAT malware shown in Figure 2.\r\nhttps://asec.ahnlab.com/en/88025/\r\nPage 1 of 11\n\nFigure 1. Email body\r\nFigure 2. Inside the rar compressed file (bat file)\r\nFigure 3 shows the BAT code that creates the Base64-encoded DBatLoader malware (x.exe) in the\r\n%temp% directory and executes it. Figure 4 shows the created DBatLoader malware (x.exe).\r\nFigure 3. Main part of the bat script (creating and executing x.exe)\r\nFigure 4. x.exe (DBatLoader) created in the Temp directory\r\nFigures 5 and 6 show the obfuscated and decrypted forms of three bat scripts (5696.cmd, 8641.cmd, neo.cmd)\r\nexecuted by DBatLoader (x.exe). DBatLoader uses these bat scripts and files such as svchost.pif, netutils.dll, and\r\nwxiygomE.pif to evade detection and execute the keylogger.\r\nFigure 5. DBatLoader executing the obfuscated bat script\r\nFigure 6. DBatLoader decrypting the bat script\r\nAttack Process\r\n1. Evasion of Detection\r\nFigure 7 shows the 8641.cmd bat script. 
The esentutl command is used to copy cmd.exe as alpha.pif. The\r\nmkdir command is then used to create a folder (Windows \\SysWow64) with a space in its name to disguise it\r\nas a legitimate path.\r\nFigure 7. Functions of 8641.cmd\r\nDBatLoader (x.exe) creates a program with the disguised name svchost.pif in the Windows \\SysWow64 directory.\r\nAs shown in Figure 8, this program is the legitimate easinvoker.exe under a different name, and a malicious\r\nnetutils.dll is created in the same directory to perform DLL side-loading. As a result, the legitimate easinvoker.exe\r\nprocess exhibits malicious behavior. Figure 9 shows the decrypted 5696.cmd script. The script executes\r\nsvchost.pif to load the malicious netutils.dll as a side-loaded DLL. It then uses the ping command to introduce a\r\n10-second delay before deleting the malicious netutils.dll file. Figure 10 shows the functions of the malicious\r\nnetutils.dll, which decodes an encoded command and executes it to run the neo.cmd file.\r\nFigure 8. Legitimate program (easinvoker.exe) with the file name disguised as svchost.pif\r\nFigure 9. Functions of 5696.cmd\r\nFigure 10. Functions of manipulated netutils.dll (executing neo.cmd)\r\nFigure 11 shows the contents of the neo.cmd script, which uses the extrac32 command to copy powershell.exe\r\nunder the name xkn.pif. A command run through xkn.pif (powershell.exe) then adds subdirectories under “C:” to\r\nWindows Defender’s exclusion paths, bypassing detection.\r\nFigure 11. Functions of neo.cmd\r\n2. Information Theft (SnakeKeylogger)\r\nFigure 12 shows the process tree of behaviors executed from DBatLoader (x.exe). After achieving detection\r\nevasion, a file named wxiygomE.pif is created. The program is a module (loader.exe) of the legitimate\r\nmercurymail program, shown in Figure 13. 
Afterward, the legitimate process with a disguised name\r\n(wxiygomE.pif) is executed, and SnakeKeylogger is injected into it.\r\nFigure 12. Process tree of DBatLoader (x.exe)\r\nFigure 13. Normal program with a disguised file name (loader.exe)\r\nFigure 14 lists the functions of SnakeKeylogger injected into the legitimate\r\nprocess (wxiygomE.pif). These include malicious functions such as exfiltrating collected data, including system\r\ninformation, keyboard inputs, and clipboard contents.\r\nFigure 14. Function list of SnakeKeylogger\r\nFigure 15 shows the threat actor’s configuration values in SnakeKeylogger. The configured Telegram bot\r\ntoken is used to transmit the exfiltrated information to the Telegram C2.\r\nFigure 15. Threat actor’s configuration for SnakeKeylogger\r\nConclusion\r\nThe DBatLoader malware distributed through phishing emails abuses legitimate\r\nprocesses (easinvoker.exe, loader.exe) through techniques such as DLL side-loading and injection for most of its\r\nbehaviors, and it also uses legitimate system binaries (cmd.exe, powershell.exe, esentutl.exe, extrac32.exe) for\r\nactions such as file copying and changing policies. 
Because such infections are difficult to detect when they target\r\nindividuals, individual users need to remain cautious and maintain a strong sense of security: be careful about\r\ninitial access techniques such as executing script attachments from phishing emails, and keep security\r\nproducts up to date to prevent such attacks.\r\nMD5\r\n7fa27c24b89cdfb47350ecfd70e30e93\r\na0a35155c0daf2199215666b00b9609c\r\nURL\r\nhttps[:]//api[.]telegram[.]org/bot8135369946[:]AAEGf2H0ErFZIOLbSXn5AVeBr_xgB-x1Qmk/sendDocument?\r\nchat_id=7009913093\r\nAdditional IOCs are available on AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/88025/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://asec.ahnlab.com/en/88025/"
	],
	"report_names": [
		"88025"
	],
	"threat_actors": [],
	"ts_created_at": 1775434753,
	"ts_updated_at": 1775791235,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6e79983ac94ad5e15236d3692a4f7143e01b7c61.pdf",
		"text": "https://archive.orkl.eu/6e79983ac94ad5e15236d3692a4f7143e01b7c61.txt",
		"img": "https://archive.orkl.eu/6e79983ac94ad5e15236d3692a4f7143e01b7c61.jpg"
	}
}