win.danabot

DanaBot

Actor(s): SCULLY SPIDER


Proofpoint describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on “quality over quantity” in email-based threats. DanaBot’s modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker.

References

2023-12-14 | Mandiant | Adrian McCabe, Geoff Ackerman, Rufus Brown, Ryan Tomcik
Opening a Can of Whoop Ads: Detecting and Disrupting a Malvertising Campaign Distributing Backdoors
Tagged: DanaBot, DarkGate

2023-12-12 | Youtube (OALabs) | Sergei Frankoff
Tips For Analyzing Delphi Binaries in IDA (Danabot)
Tagged: DanaBot

2023-12-07 | eSentire | eSentire
DanaBot's Latest Move: Deploying Latrodectus
Tagged: DanaBot, HijackLoader, Unidentified 111 (Latrodectus)

2023-12-01 | Twitter (@MsftSecIntel) | Microsoft Threat Intelligence
Tweet on Danabot leading to Cactus ransomware
Tagged: Cactus, DanaBot, Storm-1044

2023-11-02 | eSentire | eSentire Threat Response Unit (TRU)
From DarkGate to DanaBot
Tagged: DanaBot, DarkGate

2023-07-17 | Flashpoint | Flashpoint
The New Release of Danabot Version 3: What You Need to Know
Tagged: DanaBot

2022-12-06 | Zscaler | Dennis Schwarz
Technical Analysis of DanaBot Obfuscation Techniques
Tagged: DanaBot

2022-09-26 | Kaspersky | Artem Ushkov, Haim Zigel, Oleg Kupreev
NullMixer: oodles of Trojans in a single dropper
Tagged: ColdStealer, DanaBot, GCleaner, Nullmixer, PrivateLoader, PseudoManuscrypt, RedLine Stealer, SmokeLoader, Vidar

2022-09-15 | Sekoia | Threat & Detection Research Team
PrivateLoader: the loader of the prevalent ruzki PPI service
Tagged: Agent Tesla, Coinminer, DanaBot, DCRat, Eternity Stealer, Glupteba, Mars Stealer, NetSupportManager RAT, Nymaim, Nymaim2, Phoenix Keylogger, PrivateLoader, Raccoon, RedLine Stealer, SmokeLoader, Socelars, STOP, Vidar, YTStealer

2022-08-07 | Malverse | greenplan
Config Extractor per DanaBot (PARTE 1) [Config Extractor for DanaBot (Part 1)]
Tagged: DanaBot

2022-04-20 | CISA | CISA
Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
Tagged: VPNFilter, BlackEnergy, DanaBot, DoppelDridex, Emotet, EternalPetya, GoldMax, Industroyer, Sality, SmokeLoader, TrickBot, Triton, Zloader, Killnet

2022-04-20 | CISA | Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), CISA, FBI, Government Communications Security Bureau, National Crime Agency (NCA), NCSC UK, NSA
AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
Tagged: VPNFilter, BlackEnergy, DanaBot, DoppelDridex, Emotet, EternalPetya, GoldMax, Industroyer, Sality, SmokeLoader, TrickBot, Triton, Zloader

2022-03-15 | Security Soup Blog | Ryan Campbell
Decoding a DanaBot Downloader
Tagged: DanaBot

2022-03-02 | Zscaler | Brett Stone-Gross, Dennis Schwarz
DanaBot Launches DDoS Attack Against the Ukrainian Ministry of Defense
Tagged: DanaBot

2022-03-01 | VirusTotal | VirusTotal
VirusTotal's 2021 Malware Trends Report
Tagged: Anubis, AsyncRAT, BlackMatter, Cobalt Strike, DanaBot, Dridex, Khonsari, MimiKatz, Mirai, Nanocore RAT, Orcus RAT

2022-01-03 | AhnLab | ASEC Analysis Team
Distribution of Redline Stealer Disguised as Software Crack
Tagged: DanaBot, RedLine Stealer, Vidar

2021-12-15 | Mandiant | Alessandro Parilli, James Maclachlan
No Unaccompanied Miners: Supply Chain Compromises Through Node.js Packages (UNC3379)
Tagged: DanaBot

2021-11-18 | Blackberry | The BlackBerry Research & Intelligence Team
Threat Thursday: DanaBot’s Evolution from Bank Fraud to DDoS Attacks
Tagged: DanaBot

2021-11-14 | Twitter (@f0wlsec) | Marius Genheimer
A static config extractor for the main component of DanaBot
Tagged: DanaBot

2021-11-08 | Bitdefender | Silviu Stahie
Popular NPM Repositories Compromised in Man-in-the-Middle Attack
Tagged: DanaBot

2021-11-05 | Zscaler | Dennis Schwarz
Spike in DanaBot Malware Activity
Tagged: DanaBot

2021-10-24 | Sophos | Sean Gallagher
Node poisoning: hijacked package delivers coin miner and credential-stealing backdoor
Tagged: DanaBot, Monero Miner

2021-09-20 | Lexfo | Lexfo
DanaBot Communications Update
Tagged: DanaBot

2021-03-31 | Kaspersky | Kaspersky
Financial Cyberthreats in 2020
Tagged: BetaBot, DanaBot, Emotet, Gozi, Ramnit, RTM, SpyEye, TrickBot, Zeus

2021-02-23 | CrowdStrike | CrowdStrike
2021 Global Threat Report
Tagged: RansomEXX, Amadey, Anchor, Avaddon, BazarBackdoor, Clop, Cobalt Strike, Conti, Cutwail, DanaBot, DarkSide, DoppelPaymer, Dridex, Egregor, Emotet, Hakbit, IcedID, JSOutProx, KerrDown, LockBit, Mailto, Maze, MedusaLocker, Mespinoza, Mount Locker, NedDnLoader, Nemty, Pay2Key, PlugX, Pushdo, PwndLocker, PyXie, QakBot, Quasar RAT, RagnarLocker, Ragnarok, RansomEXX, REvil, Ryuk, Sekhmet, ShadowPad, SmokeLoader, Snake, SUNBURST, SunCrypt, TEARDROP, TrickBot, WastedLocker, Winnti, Zloader, Evilnum, OUTLAW SPIDER, RIDDLE SPIDER, SOLAR SPIDER, VIKING SPIDER

2021-02-02 | CRONUP | Germán Fernández
De ataque con Malware a incidente de Ransomware [From malware attack to ransomware incident]
Tagged: Avaddon, BazarBackdoor, Buer, Clop, Cobalt Strike, Conti, DanaBot, Dharma, Dridex, Egregor, Emotet, Empire Downloader, FriedEx, GootKit, IcedID, MegaCortex, Nemty, Phorpiex, PwndLocker, PyXie, QakBot, RansomEXX, REvil, Ryuk, SDBbot, SmokeLoader, TrickBot, Zloader

2021-01-26 | Proofpoint | Axel F., Brandon Murphy, Dennis Schwarz
New Year, New Version of DanaBot
Tagged: DanaBot

2021-01-09 | Marco Ramilli's Blog | Marco Ramilli
Command and Control Traffic Patterns
Tagged: ostap, LaZagne, Agent Tesla, Azorult, Buer, Cobalt Strike, DanaBot, DarkComet, Dridex, Emotet, Formbook, IcedID, ISFB, NetWire RC, PlugX, Quasar RAT, SmokeLoader, TrickBot

2020-08-09 | F5 Labs | Debbie Walkowski, Remi Cohen
Banking Trojans: A Reference Guide to the Malware Family Tree
Tagged: BackSwap, Carberp, Citadel, DanaBot, Dridex, Dyre, Emotet, Gozi, Kronos, PandaBanker, Ramnit, Shylock, SpyEye, Tinba, TrickBot, Vawtrak, Zeus

2020-07-30 | Spamhaus | Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q2 2020
Tagged: AdWind, Agent Tesla, Arkei Stealer, AsyncRAT, Ave Maria, Azorult, DanaBot, Emotet, IcedID, ISFB, KPOT Stealer, Loki Password Stealer (PWS), Nanocore RAT, NetWire RC, NjRAT, Pony, Raccoon, RedLine Stealer, Remcos, Zloader

2020-07-29 | ESET Research | welivesecurity
THREAT REPORT Q2 2020
Tagged: DEFENSOR ID, HiddenAd, Bundlore, Pirrit, Agent.BTZ, Cerber, ClipBanker, CROSSWALK, Cryptowall, CTB Locker, DanaBot, Dharma, Formbook, Gandcrab, Grandoreiro, Houdini, ISFB, LockBit, Locky, Mailto, Maze, Microcin, Nemty, NjRAT, Phobos, PlugX, Pony, REvil, Socelars, STOP, Tinba, TrickBot, WannaCryptor

2020-07-12 | Malware and Stuff | Andreas Klopsch
Deobfuscating DanaBot’s API Hashing
Tagged: DanaBot

2020-06-02 | Lastline Labs | James Haughom, Stefano Ortolani
Evolution of Excel 4.0 Macro Weaponization
Tagged: Agent Tesla, DanaBot, ISFB, TrickBot, Zloader

2020-05-21 | Malwarebytes | Malwarebytes Labs
Cybercrime tactics and techniques
Tagged: Ave Maria, Azorult, DanaBot, Loki Password Stealer (PWS), NetWire RC

2020-03-04 | CrowdStrike | CrowdStrike
2020 CrowdStrike Global Threat Report
Tagged: MESSAGETAP, More_eggs, 8.t Dropper, Anchor, BabyShark, BadNews, Clop, Cobalt Strike, CobInt, Cobra Carbon System, Cutwail, DanaBot, Dharma, DoppelDridex, DoppelPaymer, Dridex, Emotet, FlawedAmmyy, FriedEx, Gandcrab, Get2, IcedID, ISFB, KerrDown, LightNeuron, LockerGoga, Maze, MECHANICAL, Necurs, Nokki, Outlook Backdoor, Phobos, Predator The Thief, QakBot, REvil, RobinHood, Ryuk, SDBbot, Skipper, SmokeLoader, TerraRecon, TerraStealer, TerraTV, TinyLoader, TrickBot, Vidar, Winnti, ANTHROPOID SPIDER, APT23, APT31, APT39, APT40, BlackTech, BuhTrap, Charming Kitten, CLOCKWORK SPIDER, DOPPEL SPIDER, FIN7, Gamaredon Group, GOBLIN PANDA, MONTY SPIDER, MUSTANG PANDA, NARWHAL SPIDER, NOCTURNAL SPIDER, PINCHY SPIDER, SALTY SPIDER, SCULLY SPIDER, SMOKY SPIDER, Thrip, VENOM SPIDER, VICEROY TIGER

2019-06-20 | Check Point | Aliaksandr Chailytko, Yaroslav Harakhavik
DanaBot Demands a Ransom Payment
Tagged: DanaBot

2019-05-09 | G Data | G-Data
Strange Bits: HTML Smuggling and GitHub Hosted Malware
Tagged: DanaBot

2019-05-08 | Verizon Communications Inc. | Verizon Communications Inc.
2019 Data Breach Investigations Report
Tagged: BlackEnergy, Cobalt Strike, DanaBot, Gandcrab, GreyEnergy, Mirai, Olympic Destroyer, SamSam

2019-03-13 | Proofpoint | Dennis Schwarz, Proofpoint Threat Insight Team
DanaBot control panel revealed
Tagged: DanaBot

2019-03-01 | Fortinet | FortiGuard SE Team
Breakdown of a Targeted DanaBot Attack
Tagged: DanaBot

2019-02-07 | ESET Research | ESET Research
DanaBot updated with new C&C communication
Tagged: DanaBot

2018-12-20 | Yoroi | Antonio Pirozzi, Davide Testa, Luca Mella, Luigi Martire
Dissecting the Danabot Payload Targeting Italy
Tagged: DanaBot

2018-12-06 | ESET Research | ESET Research
DanaBot evolves beyond banking Trojan with new spam-sending capability
Tagged: DanaBot

2018-10-02 | Proofpoint | Proofpoint Staff
DanaBot Gains Popularity and Targets US Organizations in Large Campaigns
Tagged: DanaBot

2018-09-21 | ESET Research | ESET Research
DanaBot shifts its targeting to Europe, adds new features
Tagged: DanaBot

2018-07-16 | SpiderLabs Blog | Fahim Abbasi
DanaBot Riding Fake MYOB Invoice Emails
Tagged: DanaBot

2018-05-31 | Proofpoint | Proofpoint Staff
DanaBot - A new banking Trojan surfaces Down Under
Tagged: DanaBot
Yara Rules
[TLP:WHITE] win_danabot_auto (20230808 | Detects win.danabot.)
rule win_danabot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.danabot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 7405 83e804 8b00 83f814 7e18 8b45fc 50 }
            // n = 7, score = 400
            //   7405                 | je                  7
            //   83e804               | sub                 eax, 4
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   83f814               | cmp                 eax, 0x14
            //   7e18                 | jle                 0x1a
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   50                   | push                eax

        $sequence_1 = { c1e803 83e03f 83f838 730b ba38000000 }
            // n = 5, score = 400
            //   c1e803               | shr                 eax, 3
            //   83e03f               | and                 eax, 0x3f
            //   83f838               | cmp                 eax, 0x38
            //   730b                 | jae                 0xd
            //   ba38000000           | mov                 edx, 0x38

        $sequence_2 = { 8b03 50 8b44242c 50 6a14 }
            // n = 5, score = 400
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   50                   | push                eax
            //   8b44242c             | mov                 eax, dword ptr [esp + 0x2c]
            //   50                   | push                eax
            //   6a14                 | push                0x14

        $sequence_3 = { 8b45f8 85c0 7407 83e804 }
            // n = 4, score = 400
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   85c0                 | test                eax, eax
            //   7407                 | je                  9
            //   83e804               | sub                 eax, 4

        $sequence_4 = { 8b16 e8???????? 8b07 50 8b442428 50 6a0a }
            // n = 7, score = 400
            //   8b16                 | mov                 edx, dword ptr [esi]
            //   e8????????           |                     
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   50                   | push                eax
            //   8b442428             | mov                 eax, dword ptr [esp + 0x28]
            //   50                   | push                eax
            //   6a0a                 | push                0xa

        $sequence_5 = { 50 6a14 688a4c2a8d 8bc6 8b4d00 8b17 }
            // n = 6, score = 400
            //   50                   | push                eax
            //   6a14                 | push                0x14
            //   688a4c2a8d           | push                0x8d2a4c8a
            //   8bc6                 | mov                 eax, esi
            //   8b4d00               | mov                 ecx, dword ptr [ebp]
            //   8b17                 | mov                 edx, dword ptr [edi]

        $sequence_6 = { 3b85d0feffff 7452 8b85d0feffff 50 6a00 }
            // n = 5, score = 400
            //   3b85d0feffff         | cmp                 eax, dword ptr [ebp - 0x130]
            //   7452                 | je                  0x54
            //   8b85d0feffff         | mov                 eax, dword ptr [ebp - 0x130]
            //   50                   | push                eax
            //   6a00                 | push                0

        $sequence_7 = { 6a00 49 75f9 51 53 56 bb???????? }
            // n = 7, score = 400
            //   6a00                 | push                0
            //   49                   | dec                 ecx
            //   75f9                 | jne                 0xfffffffb
            //   51                   | push                ecx
            //   53                   | push                ebx
            //   56                   | push                esi
            //   bb????????           |                     

        $sequence_8 = { 8b0f 8b16 e8???????? 8b07 50 8b442454 50 }
            // n = 7, score = 400
            //   8b0f                 | mov                 ecx, dword ptr [edi]
            //   8b16                 | mov                 edx, dword ptr [esi]
            //   e8????????           |                     
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   50                   | push                eax
            //   8b442454             | mov                 eax, dword ptr [esp + 0x54]
            //   50                   | push                eax

        $sequence_9 = { 56 57 8bf1 8955f8 8945fc 8d45fc }
            // n = 6, score = 400
            //   56                   | push                esi
            //   57                   | push                edi
            //   8bf1                 | mov                 esi, ecx
            //   8955f8               | mov                 dword ptr [ebp - 8], edx
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8d45fc               | lea                 eax, [ebp - 4]

    condition:
        7 of them and filesize < 237568
}