win.danabot

DanaBot

Actor(s): SCULLY SPIDER


Proofpoint describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on “quality over quantity” in email-based threats. DanaBot’s modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker.

References
2020-06-02 | Lastline Labs | James Haughom, Stefano Ortolani
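@online{haughom:20200602:evolution:3286d87,
  author       = {Haughom, James and Ortolani, Stefano},
  title        = {Evolution of {Excel} 4.0 Macro Weaponization},
  date         = {2020-06-02},
  organization = {Lastline Labs},
  url          = {https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/},
  urldate      = {2020-06-03},
  language     = {English},
}
Evolution of Excel 4.0 Macro Weaponization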
Agent Tesla DanaBot ISFB TrickBot Zloader
2020-05-21 | Malwarebytes | Malwarebytes Labs
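@techreport{labs:20200521:cybercrime:d38d2da,
  author      = {{Malwarebytes Labs}},
  title       = {Cybercrime tactics and techniques},
  date        = {2020-05-21},
  institution = {Malwarebytes},
  url         = {https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf},
  urldate     = {2020-06-03},
  language    = {English},
}
Cybercrime tactics and techniques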
Ave Maria Azorult DanaBot Loki Password Stealer (PWS) NetWire RC
2020-03-04 | CrowdStrike | CrowdStrike
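@techreport{crowdstrike:20200304:2020:818c85f,
  author      = {{CrowdStrike}},
  title       = {2020 {CrowdStrike} Global Threat Report},
  date        = {2020-03-04},
  institution = {CrowdStrike},
  url         = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf},
  urldate     = {2020-03-04},
  language    = {English},
}
2020 CrowdStrike Global Threat Report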
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Judgment Panda Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2019-06-20 | Check Point | Yaroslav Harakhavik, Aliaksandr Chailytko
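@online{harakhavik:20190620:danabot:238fce9,
  author       = {Harakhavik, Yaroslav and Chailytko, Aliaksandr},
  title        = {{DanaBot} Demands a Ransom Payment},
  date         = {2019-06-20},
  organization = {Check Point},
  url          = {https://research.checkpoint.com/danabot-demands-a-ransom-payment/},
  urldate      = {2020-01-07},
  language     = {English},
}
DanaBot Demands a Ransom Payment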
DanaBot
2019-05-09 | G Data | G-Data
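@online{gdata:20190509:strange:2e58aae,
  author       = {{G-Data}},
  title        = {Strange Bits: {HTML} Smuggling and {GitHub} Hosted Malware},
  date         = {2019-05-09},
  organization = {G Data},
  url          = {https://www.gdatasoftware.com/blog/2019/05/31695-strange-bits-smuggling-malware-github},
  urldate      = {2019-12-10},
  language     = {English},
}
Strange Bits: HTML Smuggling and GitHub Hosted Malware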
DanaBot
2019-05-08 | Verizon Communications Inc. | Verizon Communications Inc.
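@techreport{inc:20190508:2019:3c20a3b,
  author      = {{Verizon Communications Inc.}},
  title       = {2019 Data Breach Investigations Report},
  date        = {2019-05-08},
  institution = {Verizon Communications Inc.},
  url         = {https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf},
  urldate     = {2020-05-10},
  language    = {English},
}
2019 Data Breach Investigations Report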
BlackEnergy Cobalt Strike DanaBot Gandcrab GreyEnergy Mirai Olympic Destroyer SamSam Unidentified 062 (Lazarus/RAT)
2019-03-13 | Proofpoint | Dennis Schwarz, Proofpoint Threat Insight Team
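@online{schwarz:20190313:danabot:a6b3c02,
  author       = {Schwarz, Dennis and {Proofpoint Threat Insight Team}},
  title        = {{DanaBot} control panel revealed},
  date         = {2019-03-13},
  organization = {Proofpoint},
  url          = {https://www.proofpoint.com/us/threat-insight/post/danabot-control-panel-revealed},
  urldate      = {2019-12-20},
  language     = {English},
}
DanaBot control panel revealed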
DanaBot
2019-03-01 | Fortinet | FortiGuard SE Team
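@online{team:20190301:breakdown:fbb8608,
  author       = {{FortiGuard SE Team}},
  title        = {Breakdown of a Targeted {DanaBot} Attack},
  date         = {2019-03-01},
  organization = {Fortinet},
  url          = {https://www.fortinet.com/blog/threat-research/breakdown-of-a-targeted-danabot-attack.html},
  urldate      = {2019-11-26},
  language     = {English},
}
Breakdown of a Targeted DanaBot Attack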
DanaBot
2019-02-07 | ESET Research | ESET Research
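@online{research:20190207:danabot:6346e2b,
  author       = {{ESET Research}},
  title        = {{DanaBot} updated with new {C\&C} communication},
  date         = {2019-02-07},
  organization = {ESET Research},
  url          = {https://www.welivesecurity.com/2019/02/07/danabot-updated-new-cc-communication/},
  urldate      = {2019-11-14},
  language     = {English},
}
DanaBot updated with new C&C communication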
DanaBot
2018-12-20 | Yoroi | ZLAB-Yoroi
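@online{zlabyoroi:20181220:dissecting:e9c16fb,
  author       = {{ZLAB-Yoroi}},
  title        = {Dissecting the {Danabot} Payload Targeting {Italy}},
  date         = {2018-12-20},
  organization = {Yoroi},
  url          = {https://blog.yoroi.company/research/dissecting-the-danabot-paylaod-targeting-italy/},
  urldate      = {2020-01-10},
  language     = {English},
}
Dissecting the Danabot Payload Targeting Italy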
DanaBot
2018-12-06 | ESET Research | ESET Research
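@online{research:20181206:danabot:dd22bc3,
  author       = {{ESET Research}},
  title        = {{DanaBot} evolves beyond banking {Trojan} with new spam-sending capability},
  date         = {2018-12-06},
  organization = {ESET Research},
  url          = {https://www.welivesecurity.com/2018/12/06/danabot-evolves-beyond-banking-trojan-new-spam/},
  urldate      = {2019-11-14},
  language     = {English},
}
DanaBot evolves beyond banking Trojan with new spam-sending capability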
DanaBot
2018-10-02 | Proofpoint | Proofpoint Staff
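@online{staff:20181002:danabot:b7282b9,
  author       = {{Proofpoint Staff}},
  title        = {{DanaBot} Gains Popularity and Targets {US} Organizations in Large Campaigns},
  date         = {2018-10-02},
  organization = {Proofpoint},
  url          = {https://www.proofpoint.com/us/threat-insight/post/danabot-gains-popularity-and-targets-us-organizations-large-campaigns},
  urldate      = {2019-12-20},
  language     = {English},
}
DanaBot Gains Popularity and Targets US Organizations in Large Campaigns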
DanaBot
2018-09-21 | ESET Research | ESET Research
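@online{research:20180921:danabot:a939e5f,
  author       = {{ESET Research}},
  title        = {{DanaBot} shifts its targeting to {Europe}, adds new features},
  date         = {2018-09-21},
  organization = {ESET Research},
  url          = {https://www.welivesecurity.com/2018/09/21/danabot-targeting-europe-adds-new-features/},
  urldate      = {2019-11-14},
  language     = {English},
}
DanaBot shifts its targeting to Europe, adds new features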
DanaBot
2018-07-16 | SpiderLabs Blog | Fahim Abbasi
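@online{abbasi:20180716:danabot:08d5942,
  author       = {Abbasi, Fahim},
  title        = {{DanaBot} Riding Fake {MYOB} Invoice Emails},
  date         = {2018-07-16},
  organization = {SpiderLabs Blog},
  url          = {https://www.trustwave.com/Resources/SpiderLabs-Blog/DanaBot-Riding-Fake-MYOB-Invoice-Emails/},
  urldate      = {2020-01-10},
  language     = {English},
}
DanaBot Riding Fake MYOB Invoice Emails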
DanaBot
2018-05-31 | Proofpoint | Proofpoint Staff
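@online{staff:20180531:danabot:b1b2487,
  author       = {{Proofpoint Staff}},
  title        = {{DanaBot} - A new banking {Trojan} surfaces {Down Under}},
  date         = {2018-05-31},
  organization = {Proofpoint},
  url          = {https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0},
  urldate      = {2019-12-20},
  language     = {English},
}
DanaBot - A new banking Trojan surfaces Down Under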
DanaBot
Yara Rules
[TLP:WHITE] win_danabot_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_danabot_auto {
    // Code-sequence signature for DanaBot (Malpedia family win.danabot),
    // autogenerated by yara-signator from opcode byte sequences. Each
    // $sequence_N holds one run of instruction encodings; "??" marks
    // wildcarded bytes (addresses/displacements that vary between samples).
    // The "n" annotation is the number of instruction encodings in the
    // sequence; "score" is the generator's ranking value as emitted (its
    // exact meaning is defined by yara-signator, not by this rule).
    // NOTE(review): the disassembly annotations below were re-checked
    // against the byte patterns. $sequence_19 .. $sequence_25 carry REX
    // prefixes (0x44/0x48) and are therefore annotated as 64-bit code;
    // all other sequences are 32-bit.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 6a00 6803800000 8b45f4 50 }
            // n = 4, score = 1900
            //   6a00                 | push                0
            //   6803800000           | push                0x8003
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   50                   | push                eax

        $sequence_1 = { 68000000f0 6a01 6a00 6a00 8d45e8 50 }
            // n = 6, score = 1800
            //   68000000f0           | push                0xf0000000
            //   6a01                 | push                1
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   8d45e8               | lea                 eax, [ebp - 0x18]
            //   50                   | push                eax

        $sequence_2 = { 8d45ec 50 6a00 6a02 8b45f0 50 }
            // n = 6, score = 1600
            //   8d45ec               | lea                 eax, [ebp - 0x14]
            //   50                   | push                eax
            //   6a00                 | push                0
            //   6a02                 | push                2
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   50                   | push                eax

        $sequence_3 = { 8d45f0 50 6a00 6a00 6803800000 }
            // n = 5, score = 1600
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   50                   | push                eax
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6803800000           | push                0x8003

        $sequence_4 = { b814000000 85c0 7419 e8???????? }
            // n = 4, score = 1300
            //   b814000000           | mov                 eax, 0x14
            //   85c0                 | test                eax, eax
            //   7419                 | je                  0x1b
            //   e8????????           |                     

        $sequence_5 = { 6a00 6a00 6aff 6a00 8b45ec }
            // n = 5, score = 1300
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6aff                 | push                -1
            //   6a00                 | push                0
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]

        $sequence_6 = { 50 a1???????? 50 e8???????? 5b c3 b814000000 }
            // n = 7, score = 1300
            //   50                   | push                eax
            //   a1????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   b814000000           | mov                 eax, 0x14

        $sequence_7 = { c3 b814000000 85c0 741f e8???????? a3???????? }
            // n = 6, score = 1300
            //   c3                   | ret                 
            //   b814000000           | mov                 eax, 0x14
            //   85c0                 | test                eax, eax
            //   741f                 | je                  0x21
            //   e8????????           |                     
            //   a3????????           |                     

        $sequence_8 = { b814000000 85c0 742b 833d????????ff 7422 a1???????? 50 }
            // n = 7, score = 1300
            //   b814000000           | mov                 eax, 0x14
            //   85c0                 | test                eax, eax
            //   742b                 | je                  0x2d
            //   833d????????ff       |                     
            //   7422                 | je                  0x24
            //   a1????????           |                     
            //   50                   | push                eax

        $sequence_9 = { 837dec00 750a 837de800 7504 }
            // n = 4, score = 1300
            //   837dec00             | cmp                 dword ptr [ebp - 0x14], 0
            //   750a                 | jne                 0xc
            //   837de800             | cmp                 dword ptr [ebp - 0x18], 0
            //   7504                 | jne                 6

        $sequence_10 = { e8???????? 8b45a4 8d4da8 33d2 e8???????? }
            // n = 5, score = 1100
            //   e8????????           |                     
            //   8b45a4               | mov                 eax, dword ptr [ebp - 0x5c]
            //   8d4da8               | lea                 ecx, [ebp - 0x58]
            //   33d2                 | xor                 edx, edx
            //   e8????????           |                     

        $sequence_11 = { a3???????? a1???????? a3???????? 33c0 5a }
            // n = 5, score = 1100
            //   a3????????           |                     
            //   a1????????           |                     
            //   a3????????           |                     
            //   33c0                 | xor                 eax, eax
            //   5a                   | pop                 edx

        $sequence_12 = { 8b45d4 e8???????? 50 ff15???????? }
            // n = 4, score = 1100
            //   8b45d4               | mov                 eax, dword ptr [ebp - 0x2c]
            //   e8????????           |                     
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_13 = { 740a a1???????? a3???????? e8???????? }
            // n = 4, score = 1000
            //   740a                 | je                  0xc
            //   a1????????           |                     
            //   a3????????           |                     
            //   e8????????           |                     

        $sequence_14 = { a3???????? a1???????? 3b05???????? 740a a1???????? }
            // n = 5, score = 1000
            //   a3????????           |                     
            //   a1????????           |                     
            //   3b05????????         |                     
            //   740a                 | je                  0xc
            //   a1????????           |                     

        $sequence_15 = { 0305???????? 8b15???????? 0315???????? 3bc2 7e0a a1???????? }
            // n = 6, score = 1000
            //   0305????????         |                     
            //   8b15????????         |                     
            //   0315????????         |                     
            //   3bc2                 | cmp                 eax, edx
            //   7e0a                 | jle                 0xc
            //   a1????????           |                     

        $sequence_16 = { 3bc2 7d0a a1???????? a3???????? }
            // n = 4, score = 1000
            //   3bc2                 | cmp                 eax, edx
            //   7d0a                 | jge                 0xc
            //   a1????????           |                     
            //   a3????????           |                     

        $sequence_17 = { 68???????? 64ff30 648920 a1???????? a3???????? a1???????? 0305???????? }
            // n = 7, score = 1000
            //   68????????           |                     
            //   64ff30               | push                dword ptr fs:[eax]
            //   648920               | mov                 dword ptr fs:[eax], esp
            //   a1????????           |                     
            //   a3????????           |                     
            //   a1????????           |                     
            //   0305????????         |                     

        $sequence_18 = { e8???????? 2bd8 81fbf41f0000 7e09 }
            // n = 4, score = 500
            //   e8????????           |                     
            //   2bd8                 | sub                 ebx, eax
            //   81fbf41f0000         | cmp                 ebx, 0x1ff4
            //   7e09                 | jle                 0xb

        // 64-bit sequences (REX prefixes 0x44 / 0x48 present); annotations decoded in 64-bit mode.
        $sequence_19 = { 81c077020000 89858c000000 8b8584000000 81e87b020000 89858c000000 488b0d???????? c7c22bc07b00 }
            // n = 7, score = 100
            //   81c077020000         | add                 eax, 0x277
            //   89858c000000         | mov                 dword ptr [rbp + 0x8c], eax
            //   8b8584000000         | mov                 eax, dword ptr [rbp + 0x84]
            //   81e87b020000         | sub                 eax, 0x27b
            //   89858c000000         | mov                 dword ptr [rbp + 0x8c], eax
            //   488b0d????????       |                     
            //   c7c22bc07b00         | mov                 edx, 0x7bc02b

        $sequence_20 = { 480fb74550 6683e801 6683f8ff 7410 6685c0 7413 }
            // n = 6, score = 100
            //   480fb74550           | movzx               rax, word ptr [rbp + 0x50]
            //   6683e801             | sub                 ax, 1
            //   6683f8ff             | cmp                 ax, 0xffff
            //   7410                 | je                  0x12
            //   6685c0               | test                ax, ax
            //   7413                 | je                  0x15

        $sequence_21 = { 7f21 488b0d616cffff b201 488d05b8710300 4863db }
            // n = 5, score = 100
            //   7f21                 | jg                  0x23
            //   488b0d616cffff       | mov                 rcx, qword ptr [rip - 0x939f]
            //   b201                 | mov                 dl, 1
            //   488d05b8710300       | lea                 rax, [rip + 0x371b8]
            //   4863db               | movsxd              rbx, ebx

        $sequence_22 = { 448b85a4030000 448b8da4030000 e8???????? 8b85a4030000 }
            // n = 4, score = 100
            //   448b85a4030000       | mov                 r8d, dword ptr [rbp + 0x3a4]
            //   448b8da4030000       | mov                 r9d, dword ptr [rbp + 0x3a4]
            //   e8????????           |                     
            //   8b85a4030000         | mov                 eax, dword ptr [rbp + 0x3a4]

        $sequence_23 = { 3bc1 7d07 488b4550 83002c }
            // n = 4, score = 100
            //   3bc1                 | cmp                 eax, ecx
            //   7d07                 | jge                 9
            //   488b4550             | mov                 rax, qword ptr [rbp + 0x50]
            //   83002c               | add                 dword ptr [rax], 0x2c

        $sequence_24 = { 488b4d48 e8???????? 4889c1 ff15???????? 488905???????? }
            // n = 5, score = 100
            //   488b4d48             | mov                 rcx, qword ptr [rbp + 0x48]
            //   e8????????           |                     
            //   4889c1               | mov                 rcx, rax
            //   ff15????????         |                     
            //   488905????????       |                     

        $sequence_25 = { c7c23994e900 e8???????? 488905???????? c785ac00000000000000 8b8580000000 }
            // n = 5, score = 100
            //   c7c23994e900         | mov                 edx, 0xe99439
            //   e8????????           |                     
            //   488905????????       |                     
            //   c785ac00000000000000 | mov                 dword ptr [rbp + 0xac], 0
            //   8b8580000000         | mov                 eax, dword ptr [rbp + 0x80]

    condition:
        // At least 7 of the 26 sequences must match so that a single
        // coincidental hit does not fire the rule; the size cap (~3.2 MB)
        // is the generator's bound, presumably derived from the reference
        // samples — confirm before loosening it.
        7 of them and filesize < 3342336
}