win.danabot

DanaBot

Actor(s): SCULLY SPIDER


Proofpoint describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on “quality over quantity” in email-based threats. DanaBot’s modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker.

References

2020-07-30 | Spamhaus | Spamhaus Malware Labs
@techreport{labs:20200730:spamhaus:038546d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q2 2020}}, date = {2020-07-30}, institution = {Spamhaus}, url = {https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf}, language = {English}, urldate = {2020-07-30} }
Tags: AdWind, Agent Tesla, Arkei Stealer, AsyncRAT, Ave Maria, Azorult, DanaBot, Emotet, IcedID, ISFB, KPOT Stealer, Loki Password Stealer (PWS), Nanocore RAT, NetWire RC, NjRAT, Pony, Raccoon, RedLine Stealer, Remcos, Zloader

2020-07-29 | ESET Research | welivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} }
Tags: DEFENSOR ID, HiddenAd, Bundlore, Pirrit, Agent.BTZ, Cerber, ClipBanker, CROSSWALK, Cryptowall, CTB Locker, DanaBot, Dharma, Formbook, Gandcrab, Grandoreiro, Houdini, ISFB, LockBit, Locky, Mailto, Maze, Microcin, Nemty, NjRAT, Phobos Ransomware, PlugX, Pony, REvil, Socelars, STOP Ransomware, Tinba, TrickBot, WannaCryptor

2020-07-12 | Malware and Stuff | Andreas Klopsch
@online{klopsch:20200712:deobfuscating:a374688, author = {Andreas Klopsch}, title = {{Deobfuscating DanaBot’s API Hashing}}, date = {2020-07-12}, organization = {Malware and Stuff}, url = {https://malwareandstuff.com/deobfuscating-danabots-api-hashing/}, language = {English}, urldate = {2020-07-15} }
Tags: DanaBot

2020-06-02 | Lastline Labs | James Haughom, Stefano Ortolani
@online{haughom:20200602:evolution:3286d87, author = {James Haughom and Stefano Ortolani}, title = {{Evolution of Excel 4.0 Macro Weaponization}}, date = {2020-06-02}, organization = {Lastline Labs}, url = {https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/}, language = {English}, urldate = {2020-06-03} }
Tags: Agent Tesla, DanaBot, ISFB, TrickBot, Zloader

2020-05-21 | Malwarebytes | Malwarebytes Labs
@techreport{labs:20200521:cybercrime:d38d2da, author = {Malwarebytes Labs}, title = {{Cybercrime tactics and techniques}}, date = {2020-05-21}, institution = {Malwarebytes}, url = {https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf}, language = {English}, urldate = {2020-06-03} }
Tags: Ave Maria, Azorult, DanaBot, Loki Password Stealer (PWS), NetWire RC

2020-03-04 | CrowdStrike | CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} }
Tags: MESSAGETAP, More_eggs, 8.t Dropper, Anchor, BabyShark, BadNews, Clop, Cobalt Strike, CobInt, Cobra Carbon System, Cutwail, DanaBot, Dharma, DoppelPaymer, Dridex, Emotet, FlawedAmmyy, FriedEx, Gandcrab, Get2, IcedID, ISFB, KerrDown, LightNeuron, LockerGoga, Maze, MECHANICAL, Necurs, Nokki, Outlook Backdoor, Phobos Ransomware, Predator The Thief, QakBot, REvil, RobinHood, Ryuk, SDBbot, Skipper, SmokeLoader, TerraRecon, TerraStealer, TerraTV, TinyLoader, TrickBot, vidar, Winnti, ANTHROPOID SPIDER, Anunak, APT31, APT39, BlackTech, BuhTrap, Charming Kitten, CLOCKWORD SPIDER, DOPPEL SPIDER, Gamaredon Group, Leviathan, MONTY SPIDER, Mustang Panda, NARWHAL SPIDER, NOCTURNAL SPIDER, Pinchy Spider, Pirate Panda, Salty Spider, SCULLY SPIDER, SMOKY SPIDER, Thrip, VENOM SPIDER

2019-06-20 | Check Point | Yaroslav Harakhavik, Aliaksandr Chailytko
@online{harakhavik:20190620:danabot:238fce9, author = {Yaroslav Harakhavik and Aliaksandr Chailytko}, title = {{DanaBot Demands a Ransom Payment}}, date = {2019-06-20}, organization = {Check Point}, url = {https://research.checkpoint.com/danabot-demands-a-ransom-payment/}, language = {English}, urldate = {2020-01-07} }
Tags: DanaBot

2019-05-09 | G Data | G-Data
@online{gdata:20190509:strange:2e58aae, author = {G-Data}, title = {{Strange Bits: HTML Smuggling and GitHub Hosted Malware}}, date = {2019-05-09}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2019/05/31695-strange-bits-smuggling-malware-github}, language = {English}, urldate = {2019-12-10} }
Tags: DanaBot

2019-05-08 | Verizon Communications Inc. | Verizon Communications Inc.
@techreport{inc:20190508:2019:3c20a3b, author = {Verizon Communications Inc.}, title = {{2019 Data Breach Investigations Report}}, date = {2019-05-08}, institution = {Verizon Communications Inc.}, url = {https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf}, language = {English}, urldate = {2020-05-10} }
Tags: BlackEnergy, Cobalt Strike, DanaBot, Gandcrab, GreyEnergy, Mirai, Olympic Destroyer, SamSam

2019-03-13 | Proofpoint | Dennis Schwarz, Proofpoint Threat Insight Team
@online{schwarz:20190313:danabot:a6b3c02, author = {Dennis Schwarz and Proofpoint Threat Insight Team}, title = {{DanaBot control panel revealed}}, date = {2019-03-13}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/danabot-control-panel-revealed}, language = {English}, urldate = {2019-12-20} }
Tags: DanaBot

2019-03-01 | Fortinet | FortiGuard SE Team
@online{team:20190301:breakdown:fbb8608, author = {FortiGuard SE Team}, title = {{Breakdown of a Targeted DanaBot Attack}}, date = {2019-03-01}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/breakdown-of-a-targeted-danabot-attack.html}, language = {English}, urldate = {2019-11-26} }
Tags: DanaBot

2019-02-07 | ESET Research | ESET Research
@online{research:20190207:danabot:6346e2b, author = {ESET Research}, title = {{DanaBot updated with new C&C communication}}, date = {2019-02-07}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/02/07/danabot-updated-new-cc-communication/}, language = {English}, urldate = {2019-11-14} }
Tags: DanaBot

2018-12-20 | Yoroi | ZLAB-Yoroi
@online{zlabyoroi:20181220:dissecting:e9c16fb, author = {ZLAB-Yoroi}, title = {{Dissecting the Danabot Payload Targeting Italy}}, date = {2018-12-20}, organization = {Yoroi}, url = {https://blog.yoroi.company/research/dissecting-the-danabot-paylaod-targeting-italy/}, language = {English}, urldate = {2020-01-10} }
Tags: DanaBot

2018-12-06 | ESET Research | ESET Research
@online{research:20181206:danabot:dd22bc3, author = {ESET Research}, title = {{DanaBot evolves beyond banking Trojan with new spam‑sending capability}}, date = {2018-12-06}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/12/06/danabot-evolves-beyond-banking-trojan-new-spam/}, language = {English}, urldate = {2019-11-14} }
Tags: DanaBot

2018-10-02 | Proofpoint | Proofpoint Staff
@online{staff:20181002:danabot:b7282b9, author = {Proofpoint Staff}, title = {{DanaBot Gains Popularity and Targets US Organizations in Large Campaigns}}, date = {2018-10-02}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/danabot-gains-popularity-and-targets-us-organizations-large-campaigns}, language = {English}, urldate = {2019-12-20} }
Tags: DanaBot

2018-09-21 | ESET Research | ESET Research
@online{research:20180921:danabot:a939e5f, author = {ESET Research}, title = {{DanaBot shifts its targeting to Europe, adds new features}}, date = {2018-09-21}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/09/21/danabot-targeting-europe-adds-new-features/}, language = {English}, urldate = {2019-11-14} }
Tags: DanaBot

2018-07-16 | SpiderLabs Blog | Fahim Abbasi
@online{abbasi:20180716:danabot:08d5942, author = {Fahim Abbasi}, title = {{DanaBot Riding Fake MYOB Invoice Emails}}, date = {2018-07-16}, organization = {SpiderLabs Blog}, url = {https://www.trustwave.com/Resources/SpiderLabs-Blog/DanaBot-Riding-Fake-MYOB-Invoice-Emails/}, language = {English}, urldate = {2020-01-10} }
Tags: DanaBot

2018-05-31 | Proofpoint | Proofpoint Staff
@online{staff:20180531:danabot:b1b2487, author = {Proofpoint Staff}, title = {{DanaBot - A new banking Trojan surfaces Down Under}}, date = {2018-05-31}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0}, language = {English}, urldate = {2019-12-20} }
Tags: DanaBot
Yara Rules
[TLP:WHITE] win_danabot_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_danabot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 50 6a00 6a00 6803800000 8b45f4 }
            // n = 5, score = 1700
            //   50                   | push                eax
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6803800000           | push                0x8003
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]

        $sequence_1 = { 6a00 8d45ec 50 6a00 6a02 8b45f0 }
            // n = 6, score = 1400
            //   6a00                 | push                0
            //   8d45ec               | lea                 eax, [ebp - 0x14]
            //   50                   | push                eax
            //   6a00                 | push                0
            //   6a02                 | push                2
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]

        $sequence_2 = { 6803800000 8b45f4 50 ff15???????? }
            // n = 4, score = 1300
            //   6803800000           | push                0x8003
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_3 = { 8b45d4 e8???????? 50 ff15???????? }
            // n = 4, score = 1200
            //   8b45d4               | mov                 eax, dword ptr [ebp - 0x2c]
            //   e8????????           |                     
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_4 = { b814000000 85c0 741f e8???????? a3???????? e8???????? }
            // n = 6, score = 1200
            //   b814000000           | mov                 eax, 0x14
            //   85c0                 | test                eax, eax
            //   741f                 | je                  0x21
            //   e8????????           |                     
            //   a3????????           |                     
            //   e8????????           |                     

        $sequence_5 = { e8???????? 8b45e0 8b55e4 52 50 }
            // n = 5, score = 1200
            //   e8????????           |                     
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]
            //   8b55e4               | mov                 edx, dword ptr [ebp - 0x1c]
            //   52                   | push                edx
            //   50                   | push                eax

        $sequence_6 = { b814000000 85c0 742b 833d????????ff 7422 a1???????? 50 }
            // n = 7, score = 1200
            //   b814000000           | mov                 eax, 0x14
            //   85c0                 | test                eax, eax
            //   742b                 | je                  0x2d
            //   833d????????ff       |                     
            //   7422                 | je                  0x24
            //   a1????????           |                     
            //   50                   | push                eax

        $sequence_7 = { 64ff30 648920 68000000f0 6a18 6a00 }
            // n = 5, score = 1200
            //   64ff30               | push                dword ptr fs:[eax]
            //   648920               | mov                 dword ptr fs:[eax], esp
            //   68000000f0           | push                0xf0000000
            //   6a18                 | push                0x18
            //   6a00                 | push                0

        $sequence_8 = { b814000000 85c0 7419 e8???????? }
            // n = 4, score = 1200
            //   b814000000           | mov                 eax, 0x14
            //   85c0                 | test                eax, eax
            //   7419                 | je                  0x1b
            //   e8????????           |                     

        $sequence_9 = { 50 e8???????? 5b c3 b814000000 85c0 741f }
            // n = 7, score = 1200
            //   50                   | push                eax
            //   e8????????           |                     
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   b814000000           | mov                 eax, 0x14
            //   85c0                 | test                eax, eax
            //   741f                 | je                  0x21

        $sequence_10 = { 8b45ec 8b4018 48 85c0 }
            // n = 4, score = 1000
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   8b4018               | mov                 eax, dword ptr [eax + 0x18]
            //   48                   | dec                 eax
            //   85c0                 | test                eax, eax

        $sequence_11 = { 6aff 6a00 8b45ec 50 ff15???????? 85c0 }
            // n = 6, score = 900
            //   6aff                 | push                -1
            //   6a00                 | push                0
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_12 = { 6810660000 8b45f0 50 ff15???????? }
            // n = 4, score = 900
            //   6810660000           | push                0x6610
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_13 = { a1???????? a3???????? a1???????? a3???????? 33c0 5a 59 }
            // n = 7, score = 900
            //   a1????????           |                     
            //   a3????????           |                     
            //   a1????????           |                     
            //   a3????????           |                     
            //   33c0                 | xor                 eax, eax
            //   5a                   | pop                 edx
            //   59                   | pop                 ecx

        $sequence_14 = { e8???????? 8b45a4 8d4da8 33d2 e8???????? }
            // n = 5, score = 900
            //   e8????????           |                     
            //   8b45a4               | mov                 eax, dword ptr [ebp - 0x5c]
            //   8d4da8               | lea                 ecx, [ebp - 0x58]
            //   33d2                 | xor                 edx, edx
            //   e8????????           |                     

        $sequence_15 = { 55 68???????? 64ff30 648920 a1???????? a3???????? }
            // n = 6, score = 800
            //   55                   | push                ebp
            //   68????????           |                     
            //   64ff30               | push                dword ptr fs:[eax]
            //   648920               | mov                 dword ptr fs:[eax], esp
            //   a1????????           |                     
            //   a3????????           |                     

        $sequence_16 = { 0305???????? 8b15???????? 0315???????? 3bc2 7e0a a1???????? a3???????? }
            // n = 7, score = 800
            //   0305????????         |                     
            //   8b15????????         |                     
            //   0315????????         |                     
            //   3bc2                 | cmp                 eax, edx
            //   7e0a                 | jle                 0xc
            //   a1????????           |                     
            //   a3????????           |                     

        $sequence_17 = { a3???????? a1???????? 3b05???????? 740a a1???????? a3???????? a1???????? }
            // n = 7, score = 800
            //   a3????????           |                     
            //   a1????????           |                     
            //   3b05????????         |                     
            //   740a                 | je                  0xc
            //   a1????????           |                     
            //   a3????????           |                     
            //   a1????????           |                     

        $sequence_18 = { e8???????? 2bd8 81fbf41f0000 7e09 }
            // n = 4, score = 500
            //   e8????????           |                     
            //   2bd8                 | sub                 ebx, eax
            //   81fbf41f0000         | cmp                 ebx, 0x1ff4
            //   7e09                 | jle                 0xb

        $sequence_19 = { 894558 8b4560 034558 3b859c000000 7e0c 8b455c }
            // n = 6, score = 100
            //   894558               | mov                 dword ptr [rbp + 0x58], eax
            //   8b4560               | mov                 eax, dword ptr [rbp + 0x60]
            //   034558               | add                 eax, dword ptr [rbp + 0x58]
            //   3b859c000000         | cmp                 eax, dword ptr [rbp + 0x9c]
            //   7e0c                 | jle                 0xe
            //   8b455c               | mov                 eax, dword ptr [rbp + 0x5c]

        $sequence_20 = { 83e21f 4863d2 f20f5e04d0 c1e905 }
            // n = 4, score = 100
            //   83e21f               | and                 edx, 0x1f
            //   4863d2               | movsxd              rdx, edx
            //   f20f5e04d0           | divsd               xmm0, qword ptr [rax + rdx*8]
            //   c1e905               | shr                 ecx, 5

        $sequence_21 = { 85c0 7423 4d8b6d88 4d85ed 7406 4d8b6d00 }
            // n = 6, score = 100
            //   85c0                 | test                eax, eax
            //   7423                 | je                  0x25
            //   4d8b6d88             | mov                 r13, qword ptr [r13 - 0x78]
            //   4d85ed               | test                r13, r13
            //   7406                 | je                  0x8
            //   4d8b6d00             | mov                 r13, qword ptr [r13]

        $sequence_22 = { 488b40f8 4d33c0 4c8d48ff 4489c0 413bc1 7f30 }
            // n = 6, score = 100
            //   488b40f8             | mov                 rax, qword ptr [rax - 8]
            //   4d33c0               | xor                 r8, r8
            //   4c8d48ff             | lea                 r9, [rax - 1]
            //   4489c0               | mov                 eax, r8d
            //   413bc1               | cmp                 eax, r9d
            //   7f30                 | jg                  0x32

        $sequence_23 = { 448b4d3c e8???????? c7c053000000 2b453c 81f8ec000000 }
            // n = 5, score = 100
            //   448b4d3c             | mov                 r9d, dword ptr [rbp + 0x3c]
            //   e8????????           |                     
            //   c7c053000000         | mov                 eax, 0x53
            //   2b453c               | sub                 eax, dword ptr [rbp + 0x3c]
            //   81f8ec000000         | cmp                 eax, 0xec

        $sequence_24 = { 488b9510010000 e8???????? 488d4d40 488b5538 e8???????? }
            // n = 5, score = 100
            //   488b9510010000       | mov                 rdx, qword ptr [rbp + 0x110]
            //   e8????????           |                     
            //   488d4d40             | lea                 rcx, [rbp + 0x40]
            //   488b5538             | mov                 rdx, qword ptr [rbp + 0x38]
            //   e8????????           |                     

        $sequence_25 = { 4883bd7802000000 7514 33c9 488d5546 41c7c005010000 e8???????? eb1e }
            // n = 7, score = 100
            //   4883bd7802000000     | cmp                 qword ptr [rbp + 0x278], 0
            //   7514                 | jne                 0x16
            //   33c9                 | xor                 ecx, ecx
            //   488d5546             | lea                 rdx, [rbp + 0x46]
            //   41c7c005010000       | mov                 r8d, 0x105
            //   e8????????           |                     
            //   eb1e                 | jmp                 0x20

    condition:
        7 of them and filesize < 3342336
}