win.danabot

DanaBot

Actor(s): SCULLY SPIDER


Proofpoint describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on “quality over quantity” in email-based threats. DanaBot’s modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker.

References
2020-07-30 | Spamhaus | Spamhaus Malware Labs
@techreport{labs:20200730:spamhaus:038546d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q2 2020}}, date = {2020-07-30}, institution = {Spamhaus}, url = {https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf}, language = {English}, urldate = {2020-07-30} } Spamhaus Botnet Threat Update Q2 2020
AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader
2020-07-29 | ESET Research | welivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos Ransomware PlugX Pony REvil Socelars STOP Ransomware Tinba TrickBot WannaCryptor
2020-07-12 | Malware and Stuff | Andreas Klopsch
@online{klopsch:20200712:deobfuscating:a374688, author = {Andreas Klopsch}, title = {{Deobfuscating DanaBot’s API Hashing}}, date = {2020-07-12}, organization = {Malware and Stuff}, url = {https://malwareandstuff.com/deobfuscating-danabots-api-hashing/}, language = {English}, urldate = {2020-07-15} } Deobfuscating DanaBot’s API Hashing
DanaBot
2020-06-02 | Lastline Labs | James Haughom, Stefano Ortolani
@online{haughom:20200602:evolution:3286d87, author = {James Haughom and Stefano Ortolani}, title = {{Evolution of Excel 4.0 Macro Weaponization}}, date = {2020-06-02}, organization = {Lastline Labs}, url = {https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/}, language = {English}, urldate = {2020-06-03} } Evolution of Excel 4.0 Macro Weaponization
Agent Tesla DanaBot ISFB TrickBot Zloader
2020-05-21 | Malwarebytes | Malwarebytes Labs
@techreport{labs:20200521:cybercrime:d38d2da, author = {Malwarebytes Labs}, title = {{Cybercrime tactics and techniques}}, date = {2020-05-21}, institution = {Malwarebytes}, url = {https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf}, language = {English}, urldate = {2020-06-03} } Cybercrime tactics and techniques
Ave Maria Azorult DanaBot Loki Password Stealer (PWS) NetWire RC
2020-03-04 | CrowdStrike | CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2019-06-20 | Check Point | Yaroslav Harakhavik, Aliaksandr Chailytko
@online{harakhavik:20190620:danabot:238fce9, author = {Yaroslav Harakhavik and Aliaksandr Chailytko}, title = {{DanaBot Demands a Ransom Payment}}, date = {2019-06-20}, organization = {Check Point}, url = {https://research.checkpoint.com/danabot-demands-a-ransom-payment/}, language = {English}, urldate = {2020-01-07} } DanaBot Demands a Ransom Payment
DanaBot
2019-05-09 | G Data | G-Data
@online{gdata:20190509:strange:2e58aae, author = {G-Data}, title = {{Strange Bits: HTML Smuggling and GitHub Hosted Malware}}, date = {2019-05-09}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2019/05/31695-strange-bits-smuggling-malware-github}, language = {English}, urldate = {2019-12-10} } Strange Bits: HTML Smuggling and GitHub Hosted Malware
DanaBot
2019-05-08 | Verizon Communications Inc. | Verizon Communications Inc.
@techreport{inc:20190508:2019:3c20a3b, author = {Verizon Communications Inc.}, title = {{2019 Data Breach Investigations Report}}, date = {2019-05-08}, institution = {Verizon Communications Inc.}, url = {https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf}, language = {English}, urldate = {2020-05-10} } 2019 Data Breach Investigations Report
BlackEnergy Cobalt Strike DanaBot Gandcrab GreyEnergy Mirai Olympic Destroyer SamSam
2019-03-13 | Proofpoint | Dennis Schwarz, Proofpoint Threat Insight Team
@online{schwarz:20190313:danabot:a6b3c02, author = {Dennis Schwarz and Proofpoint Threat Insight Team}, title = {{DanaBot control panel revealed}}, date = {2019-03-13}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/danabot-control-panel-revealed}, language = {English}, urldate = {2019-12-20} } DanaBot control panel revealed
DanaBot
2019-03-01 | Fortinet | FortiGuard SE Team
@online{team:20190301:breakdown:fbb8608, author = {FortiGuard SE Team}, title = {{Breakdown of a Targeted DanaBot Attack}}, date = {2019-03-01}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/breakdown-of-a-targeted-danabot-attack.html}, language = {English}, urldate = {2019-11-26} } Breakdown of a Targeted DanaBot Attack
DanaBot
2019-02-07 | ESET Research | ESET Research
@online{research:20190207:danabot:6346e2b, author = {ESET Research}, title = {{DanaBot updated with new C&C communication}}, date = {2019-02-07}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/02/07/danabot-updated-new-cc-communication/}, language = {English}, urldate = {2019-11-14} } DanaBot updated with new C&C communication
DanaBot
2018-12-20 | Yoroi | ZLAB-Yoroi
@online{zlabyoroi:20181220:dissecting:e9c16fb, author = {ZLAB-Yoroi}, title = {{Dissecting the Danabot Payload Targeting Italy}}, date = {2018-12-20}, organization = {Yoroi}, url = {https://blog.yoroi.company/research/dissecting-the-danabot-paylaod-targeting-italy/}, language = {English}, urldate = {2020-01-10} } Dissecting the Danabot Payload Targeting Italy
DanaBot
2018-12-06 | ESET Research | ESET Research
@online{research:20181206:danabot:dd22bc3, author = {ESET Research}, title = {{DanaBot evolves beyond banking Trojan with new spam‑sending capability}}, date = {2018-12-06}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/12/06/danabot-evolves-beyond-banking-trojan-new-spam/}, language = {English}, urldate = {2019-11-14} } DanaBot evolves beyond banking Trojan with new spam‑sending capability
DanaBot
2018-10-02 | Proofpoint | Proofpoint Staff
@online{staff:20181002:danabot:b7282b9, author = {Proofpoint Staff}, title = {{DanaBot Gains Popularity and Targets US Organizations in Large Campaigns}}, date = {2018-10-02}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/danabot-gains-popularity-and-targets-us-organizations-large-campaigns}, language = {English}, urldate = {2019-12-20} } DanaBot Gains Popularity and Targets US Organizations in Large Campaigns
DanaBot
2018-09-21 | ESET Research | ESET Research
@online{research:20180921:danabot:a939e5f, author = {ESET Research}, title = {{DanaBot shifts its targeting to Europe, adds new features}}, date = {2018-09-21}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/09/21/danabot-targeting-europe-adds-new-features/}, language = {English}, urldate = {2019-11-14} } DanaBot shifts its targeting to Europe, adds new features
DanaBot
2018-07-16 | SpiderLabs Blog | Fahim Abbasi
@online{abbasi:20180716:danabot:08d5942, author = {Fahim Abbasi}, title = {{DanaBot Riding Fake MYOB Invoice Emails}}, date = {2018-07-16}, organization = {SpiderLabs Blog}, url = {https://www.trustwave.com/Resources/SpiderLabs-Blog/DanaBot-Riding-Fake-MYOB-Invoice-Emails/}, language = {English}, urldate = {2020-01-10} } DanaBot Riding Fake MYOB Invoice Emails
DanaBot
2018-05-31 | Proofpoint | Proofpoint Staff
@online{staff:20180531:danabot:b1b2487, author = {Proofpoint Staff}, title = {{DanaBot - A new banking Trojan surfaces Down Under}}, date = {2018-05-31}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0}, language = {English}, urldate = {2019-12-20} } DanaBot - A new banking Trojan surfaces Down Under
DanaBot
Yara Rules
[TLP:WHITE] win_danabot_auto (20200817 | autogenerated rule brought to you by yara-signator)
rule win_danabot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-08-17"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot"
        malpedia_rule_date = "20200817"
        malpedia_hash = "8c895fd01eccb47a6225bcb1a3ba53cbb98644c5"
        malpedia_version = "20200817"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 6a00 6803800000 8b45f4 50 }
            // n = 4, score = 1700
            //   6a00                 | push                0
            //   6803800000           | push                0x8003
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   50                   | push                eax

        $sequence_1 = { 8d45f0 50 6a00 6a00 6803800000 }
            // n = 5, score = 1400
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   50                   | push                eax
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6803800000           | push                0x8003

        $sequence_2 = { 6a00 8d45ec 50 6a00 6a02 8b45f0 50 }
            // n = 7, score = 1400
            //   6a00                 | push                0
            //   8d45ec               | lea                 eax, [ebp - 0x14]
            //   50                   | push                eax
            //   6a00                 | push                0
            //   6a02                 | push                2
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   50                   | push                eax

        $sequence_3 = { e8???????? 8b45e0 8b55e4 52 }
            // n = 4, score = 1200
            //   e8????????           |                     
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]
            //   8b55e4               | mov                 edx, dword ptr [ebp - 0x1c]
            //   52                   | push                edx

        $sequence_4 = { b814000000 85c0 7419 e8???????? 833d????????ff }
            // n = 5, score = 1200
            //   b814000000           | mov                 eax, 0x14
            //   85c0                 | test                eax, eax
            //   7419                 | je                  0x1b
            //   e8????????           |                     
            //   833d????????ff       |                     

        $sequence_5 = { 648920 68000000f0 6a01 6a00 6a00 }
            // n = 5, score = 1200
            //   648920               | mov                 dword ptr fs:[eax], esp
            //   68000000f0           | push                0xf0000000
            //   6a01                 | push                1
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_6 = { 8b45d4 e8???????? 50 ff15???????? }
            // n = 4, score = 1200
            //   8b45d4               | mov                 eax, dword ptr [ebp - 0x2c]
            //   e8????????           |                     
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_7 = { 5b c3 b814000000 85c0 741f }
            // n = 5, score = 1200
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   b814000000           | mov                 eax, 0x14
            //   85c0                 | test                eax, eax
            //   741f                 | je                  0x21

        $sequence_8 = { b814000000 85c0 742b 833d????????ff }
            // n = 4, score = 1200
            //   b814000000           | mov                 eax, 0x14
            //   85c0                 | test                eax, eax
            //   742b                 | je                  0x2d
            //   833d????????ff       |                     

        $sequence_9 = { 8b45ec 8b4018 48 85c0 }
            // n = 4, score = 1000
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   8b4018               | mov                 eax, dword ptr [eax + 0x18]
            //   48                   | dec                 eax
            //   85c0                 | test                eax, eax

        $sequence_10 = { 8b45a4 8d4da8 33d2 e8???????? }
            // n = 4, score = 900
            //   8b45a4               | mov                 eax, dword ptr [ebp - 0x5c]
            //   8d4da8               | lea                 ecx, [ebp - 0x58]
            //   33d2                 | xor                 edx, edx
            //   e8????????           |                     

        $sequence_11 = { a3???????? a1???????? a3???????? 33c0 5a 59 59 }
            // n = 7, score = 900
            //   a3????????           |                     
            //   a1????????           |                     
            //   a3????????           |                     
            //   33c0                 | xor                 eax, eax
            //   5a                   | pop                 edx
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx

        $sequence_12 = { 50 6a00 6aff 6a00 8b45ec 50 ff15???????? }
            // n = 7, score = 900
            //   50                   | push                eax
            //   6a00                 | push                0
            //   6aff                 | push                -1
            //   6a00                 | push                0
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_13 = { 6810660000 8b45f0 50 ff15???????? 85c0 }
            // n = 5, score = 900
            //   6810660000           | push                0x6610
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_14 = { 7e0a a1???????? a3???????? a1???????? 3b05???????? 740a a1???????? }
            // n = 7, score = 800
            //   7e0a                 | jle                 0xc
            //   a1????????           |                     
            //   a3????????           |                     
            //   a1????????           |                     
            //   3b05????????         |                     
            //   740a                 | je                  0xc
            //   a1????????           |                     

        $sequence_15 = { a1???????? a3???????? 8d45e4 50 }
            // n = 4, score = 800
            //   a1????????           |                     
            //   a3????????           |                     
            //   8d45e4               | lea                 eax, [ebp - 0x1c]
            //   50                   | push                eax

        $sequence_16 = { 68???????? 64ff30 648920 a1???????? a3???????? a1???????? 0305???????? }
            // n = 7, score = 800
            //   68????????           |                     
            //   64ff30               | push                dword ptr fs:[eax]
            //   648920               | mov                 dword ptr fs:[eax], esp
            //   a1????????           |                     
            //   a3????????           |                     
            //   a1????????           |                     
            //   0305????????         |                     

        $sequence_17 = { e8???????? a1???????? 0305???????? 8b15???????? 0315???????? }
            // n = 5, score = 800
            //   e8????????           |                     
            //   a1????????           |                     
            //   0305????????         |                     
            //   8b15????????         |                     
            //   0315????????         |                     

        $sequence_18 = { e8???????? 2bd8 81fbf41f0000 7e09 }
            // n = 4, score = 500
            //   e8????????           |                     
            //   2bd8                 | sub                 ebx, eax
            //   81fbf41f0000         | cmp                 ebx, 0x1ff4
            //   7e09                 | jle                 0xb

        $sequence_19 = { 83bdb400000001 0f8d8d000000 8385b400000001 8b8580000000 81e8a7020000 898588000000 }
            // n = 6, score = 100
            //   83bdb400000001       | cmp                 dword ptr [ebp + 0xb4], 1
            //   0f8d8d000000         | jge                 0x93
            //   8385b400000001       | add                 dword ptr [ebp + 0xb4], 1
            //   8b8580000000         | mov                 eax, dword ptr [ebp + 0x80]
            //   81e8a7020000         | sub                 eax, 0x2a7
            //   898588000000         | mov                 dword ptr [ebp + 0x88], eax

        $sequence_20 = { 894524 8b4520 81e886020000 894524 }
            // n = 4, score = 100
            //   894524               | mov                 dword ptr [ebp + 0x24], eax
            //   8b4520               | mov                 eax, dword ptr [ebp + 0x20]
            //   81e886020000         | sub                 eax, 0x286
            //   894524               | mov                 dword ptr [ebp + 0x24], eax

        $sequence_21 = { 83c004 f20f2ac0 e8???????? 894550 8b4544 81e854020000 894548 }
            // n = 7, score = 100
            //   83c004               | add                 eax, 4
            //   f20f2ac0             | cvtsi2sd            xmm0, eax
            //   e8????????           |                     
            //   894550               | mov                 dword ptr [ebp + 0x50], eax
            //   8b4544               | mov                 eax, dword ptr [ebp + 0x44]
            //   81e854020000         | sub                 eax, 0x254
            //   894548               | mov                 dword ptr [ebp + 0x48], eax

        $sequence_22 = { eb68 4885d2 7505 8b40fc eb5e }
            // n = 5, score = 100
            // note: this and the next two sequences carry REX prefixes (48/41/44)
            // and are x64 code; they are decoded here in 64-bit mode
            //   eb68                 | jmp                 0x6a
            //   4885d2               | test                rdx, rdx
            //   7505                 | jne                 0x7
            //   8b40fc               | mov                 eax, dword ptr [rax - 4]
            //   eb5e                 | jmp                 0x60

        $sequence_23 = { 488d8d90000000 c7c202000000 e8???????? 488b4530 488da5a8000000 }
            // n = 5, score = 100
            //   488d8d90000000       | lea                 rcx, [rbp + 0x90]
            //   c7c202000000         | mov                 edx, 2
            //   e8????????           |                     
            //   488b4530             | mov                 rax, qword ptr [rbp + 0x30]
            //   488da5a8000000       | lea                 rsp, [rbp + 0xa8]

        $sequence_24 = { 488d8da0010000 488b15???????? 41c7c001000000 488b85d0010000 448b4818 }
            // n = 5, score = 100
            //   488d8da0010000       | lea                 rcx, [rbp + 0x1a0]
            //   488b15????????       |                     
            //   41c7c001000000       | mov                 r8d, 1
            //   488b85d0010000       | mov                 rax, qword ptr [rbp + 0x1d0]
            //   448b4818             | mov                 r9d, dword ptr [rax + 0x18]

        $sequence_25 = { 894548 8b4550 03454c 8b4d48 }
            // n = 4, score = 100
            //   894548               | mov                 dword ptr [ebp + 0x48], eax
            //   8b4550               | mov                 eax, dword ptr [ebp + 0x50]
            //   03454c               | add                 eax, dword ptr [ebp + 0x4c]
            //   8b4d48               | mov                 ecx, dword ptr [ebp + 0x48]

    condition:
        7 of them and filesize < 3342336
}