SYMBOLCOMMON_NAMEaka. SYNONYMS
win.danabot (Back to overview)

DanaBot

Actor(s): SCULLY SPIDER

URLhaus    

Proofpoints describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on “quality over quantity” in email-based threats. DanaBot’s modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker.

References
2022-09-26KasperskyHaim Zigel, Oleg Kupreev, Artem Ushkov
@online{zigel:20220926:nullmixer:c623b01, author = {Haim Zigel and Oleg Kupreev and Artem Ushkov}, title = {{NullMixer: oodles of Trojans in a single dropper}}, date = {2022-09-26}, organization = {Kaspersky}, url = {https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/}, language = {English}, urldate = {2022-10-05} } NullMixer: oodles of Trojans in a single dropper
ColdStealer DanaBot GCleaner PrivateLoader PseudoManuscrypt RedLine Stealer SmokeLoader Vidar
2022-09-15SekoiaThreat & Detection Research Team
@online{team:20220915:privateloader:d88c7b2, author = {Threat & Detection Research Team}, title = {{PrivateLoader: the loader of the prevalent ruzki PPI service}}, date = {2022-09-15}, organization = {Sekoia}, url = {https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/}, language = {English}, urldate = {2022-09-19} } PrivateLoader: the loader of the prevalent ruzki PPI service
Agent Tesla Coinminer DanaBot DCRat Eternity Stealer Glupteba Mars Stealer NetSupportManager RAT Nymaim Nymaim2 Phoenix Keylogger PrivateLoader Raccoon RedLine Stealer SmokeLoader Socelars STOP Vidar YTStealer
2022-08-07Malversegreenplan
@online{greenplan:20220807:config:db5873e, author = {greenplan}, title = {{Config Extractor per DanaBot (PARTE 1)}}, date = {2022-08-07}, organization = {Malverse}, url = {https://malverse.it/costruiamo-un-config-extractor-per-danabot-parte-1}, language = {English}, urldate = {2022-08-31} } Config Extractor per DanaBot (PARTE 1)
DanaBot
2022-04-20CISACISA, NSA, FBI, Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), Government Communications Security Bureau, NCSC UK, National Crime Agency (NCA)
@techreport{cisa:20220420:aa22110a:4fde5d6, author = {CISA and NSA and FBI and Australian Cyber Security Centre (ACSC) and Canadian Centre for Cyber Security (CCCS) and Government Communications Security Bureau and NCSC UK and National Crime Agency (NCA)}, title = {{AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure}}, date = {2022-04-20}, institution = {CISA}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf}, language = {English}, urldate = {2022-04-25} } AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader
2022-04-20CISACISA
@online{cisa:20220420:alert:529e28c, author = {CISA}, title = {{Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure}}, date = {2022-04-20}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-110a}, language = {English}, urldate = {2022-04-25} } Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader Killnet
2022-03-15Security Soup BlogRyan Campbell
@online{campbell:20220315:decoding:507512a, author = {Ryan Campbell}, title = {{Decoding a DanaBot Downloader}}, date = {2022-03-15}, organization = {Security Soup Blog}, url = {https://security-soup.net/decoding-a-danabot-downloader/}, language = {English}, urldate = {2022-03-28} } Decoding a DanaBot Downloader
DanaBot
2022-03-02ZscalerDennis Schwarz, Brett Stone-Gross
@online{schwarz:20220302:danabot:b734fd3, author = {Dennis Schwarz and Brett Stone-Gross}, title = {{DanaBot Launches DDoS Attack Against the Ukrainian Ministry of Defense}}, date = {2022-03-02}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/danabot-launches-ddos-attack-against-ukrainian-ministry-defense}, language = {English}, urldate = {2022-03-04} } DanaBot Launches DDoS Attack Against the Ukrainian Ministry of Defense
DanaBot
2022-03VirusTotalVirusTotal
@techreport{virustotal:202203:virustotals:c6af9c1, author = {VirusTotal}, title = {{VirusTotal's 2021 Malware Trends Report}}, date = {2022-03}, institution = {VirusTotal}, url = {https://assets.virustotal.com/reports/2021trends.pdf}, language = {English}, urldate = {2022-04-13} } VirusTotal's 2021 Malware Trends Report
Anubis AsyncRAT BlackMatter Cobalt Strike DanaBot Dridex Khonsari MimiKatz Mirai Nanocore RAT Orcus RAT
2022-01-03AhnLabASEC Analysis Team
@online{team:20220103:distribution:6b19c5a, author = {ASEC Analysis Team}, title = {{Distribution of Redline Stealer Disguised as Software Crack}}, date = {2022-01-03}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/30445/}, language = {English}, urldate = {2022-01-25} } Distribution of Redline Stealer Disguised as Software Crack
DanaBot RedLine Stealer Vidar
2021-12-15MandiantAlessandro Parilli, James Maclachlan
@online{parilli:20211215:no:b7a3405, author = {Alessandro Parilli and James Maclachlan}, title = {{No Unaccompanied Miners: Supply Chain Compromises Through Node.js Packages (UNC3379)}}, date = {2021-12-15}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/supply-chain-node-js}, language = {English}, urldate = {2021-12-31} } No Unaccompanied Miners: Supply Chain Compromises Through Node.js Packages (UNC3379)
DanaBot
2021-11-18BlackberryThe BlackBerry Research & Intelligence Team
@online{team:20211118:threat:7fd07f8, author = {The BlackBerry Research & Intelligence Team}, title = {{Threat Thursday: DanaBot’s Evolution from Bank Fraud to DDos Attacks}}, date = {2021-11-18}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2021/11/threat-thursday-danabot-malware-as-a-service}, language = {English}, urldate = {2021-11-25} } Threat Thursday: DanaBot’s Evolution from Bank Fraud to DDos Attacks
DanaBot
2021-11-14Twitter (@f0wlsec)Marius Genheimer
@online{genheimer:20211114:static:944e6c7, author = {Marius Genheimer}, title = {{A static config extractor for the main component of DanaBot}}, date = {2021-11-14}, organization = {Twitter (@f0wlsec)}, url = {https://twitter.com/f0wlsec/status/1459892481760411649}, language = {English}, urldate = {2021-11-19} } A static config extractor for the main component of DanaBot
DanaBot
2021-11-08BitdefenderSilviu Stahie
@online{stahie:20211108:popular:8222961, author = {Silviu Stahie}, title = {{Popular NPM Repositories Compromised in Man-in-the-Middle Attack}}, date = {2021-11-08}, organization = {Bitdefender}, url = {https://www.bitdefender.com/blog/hotforsecurity/popular-npm-repositories-compromised-in-man-in-the-middle-attack/}, language = {English}, urldate = {2021-11-09} } Popular NPM Repositories Compromised in Man-in-the-Middle Attack
DanaBot
2021-11-05ZscalerDennis Schwarz
@online{schwarz:20211105:spike:f47ffcd, author = {Dennis Schwarz}, title = {{Spike in DanaBot Malware Activity}}, date = {2021-11-05}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/spike-danabot-malware-activity}, language = {English}, urldate = {2021-11-08} } Spike in DanaBot Malware Activity
DanaBot
2021-10-24SophosSean Gallagher
@online{gallagher:20211024:node:3619389, author = {Sean Gallagher}, title = {{Node poisoning: hijacked package delivers coin miner and credential-stealing backdoor}}, date = {2021-10-24}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/10/24/node-poisoning-hijacked-package-delivers-coin-miner-and-credential-stealing-backdoor}, language = {English}, urldate = {2021-11-02} } Node poisoning: hijacked package delivers coin miner and credential-stealing backdoor
DanaBot Monero Miner
2021-09-20LexfoLexfo
@online{lexfo:20210920:danabot:1f9e842, author = {Lexfo}, title = {{DanaBot Communications Update}}, date = {2021-09-20}, organization = {Lexfo}, url = {https://blog.lexfo.fr/danabot-malware.html}, language = {English}, urldate = {2021-09-28} } DanaBot Communications Update
DanaBot
2021-03-31KasperskyKaspersky
@online{kaspersky:20210331:financial:3371aa0, author = {Kaspersky}, title = {{Financial Cyberthreats in 2020}}, date = {2021-03-31}, organization = {Kaspersky}, url = {https://securelist.com/financial-cyberthreats-in-2020/101638/}, language = {English}, urldate = {2021-04-06} } Financial Cyberthreats in 2020
BetaBot DanaBot Emotet Gozi Ramnit RTM SpyEye TrickBot Zeus
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-02CRONUPGermán Fernández
@online{fernndez:20210202:de:6ff4f3a, author = {Germán Fernández}, title = {{De ataque con Malware a incidente de Ransomware}}, date = {2021-02-02}, organization = {CRONUP}, url = {https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware}, language = {Spanish}, urldate = {2021-03-02} } De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2021-01-26ProofpointDennis Schwarz, Axel F., Brandon Murphy
@online{schwarz:20210126:new:2eefe69, author = {Dennis Schwarz and Axel F. and Brandon Murphy}, title = {{New Year, New Version of DanaBot}}, date = {2021-01-26}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/new-year-new-version-danabot}, language = {English}, urldate = {2021-01-27} } New Year, New Version of DanaBot
DanaBot
2021-01-09Marco Ramilli's BlogMarco Ramilli
@online{ramilli:20210109:command:d720b27, author = {Marco Ramilli}, title = {{Command and Control Traffic Patterns}}, date = {2021-01-09}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/}, language = {English}, urldate = {2021-05-17} } Command and Control Traffic Patterns
ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot
2020-08-09F5 LabsRemi Cohen, Debbie Walkowski
@online{cohen:20200809:banking:8718999, author = {Remi Cohen and Debbie Walkowski}, title = {{Banking Trojans: A Reference Guide to the Malware Family Tree}}, date = {2020-08-09}, organization = {F5 Labs}, url = {https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree}, language = {English}, urldate = {2021-06-29} } Banking Trojans: A Reference Guide to the Malware Family Tree
BackSwap Carberp Citadel DanaBot Dridex Dyre Emotet Gozi Kronos PandaBanker Ramnit Shylock SpyEye Tinba TrickBot Vawtrak Zeus
2020-07-30SpamhausSpamhaus Malware Labs
@techreport{labs:20200730:spamhaus:038546d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q2 2020}}, date = {2020-07-30}, institution = {Spamhaus}, url = {https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf}, language = {English}, urldate = {2020-07-30} } Spamhaus Botnet Threat Update Q2 2020
AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2020-07-12Malware and StuffAndreas Klopsch
@online{klopsch:20200712:deobfuscating:a374688, author = {Andreas Klopsch}, title = {{Deobfuscating DanaBot’s API Hashing}}, date = {2020-07-12}, organization = {Malware and Stuff}, url = {https://malwareandstuff.com/deobfuscating-danabots-api-hashing/}, language = {English}, urldate = {2020-07-15} } Deobfuscating DanaBot’s API Hashing
DanaBot
2020-06-02Lastline LabsJames Haughom, Stefano Ortolani
@online{haughom:20200602:evolution:3286d87, author = {James Haughom and Stefano Ortolani}, title = {{Evolution of Excel 4.0 Macro Weaponization}}, date = {2020-06-02}, organization = {Lastline Labs}, url = {https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/}, language = {English}, urldate = {2020-06-03} } Evolution of Excel 4.0 Macro Weaponization
Agent Tesla DanaBot ISFB TrickBot Zloader
2020-05-21MalwarebytesMalwarebytes Labs
@techreport{labs:20200521:cybercrime:d38d2da, author = {Malwarebytes Labs}, title = {{Cybercrime tactics and techniques}}, date = {2020-05-21}, institution = {Malwarebytes}, url = {https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf}, language = {English}, urldate = {2020-06-03} } Cybercrime tactics and techniques
Ave Maria Azorult DanaBot Loki Password Stealer (PWS) NetWire RC
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2019-06-20Check PointYaroslav Harakhavik, Aliaksandr Chailytko
@online{harakhavik:20190620:danabot:238fce9, author = {Yaroslav Harakhavik and Aliaksandr Chailytko}, title = {{DanaBot Demands a Ransom Payment}}, date = {2019-06-20}, organization = {Check Point}, url = {https://research.checkpoint.com/danabot-demands-a-ransom-payment/}, language = {English}, urldate = {2020-01-07} } DanaBot Demands a Ransom Payment
DanaBot
2019-05-09G DataG-Data
@online{gdata:20190509:strange:2e58aae, author = {G-Data}, title = {{Strange Bits: HTML Smuggling and GitHub Hosted Malware}}, date = {2019-05-09}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2019/05/31695-strange-bits-smuggling-malware-github}, language = {English}, urldate = {2019-12-10} } Strange Bits: HTML Smuggling and GitHub Hosted Malware
DanaBot
2019-05-08Verizon Communications Inc.Verizon Communications Inc.
@techreport{inc:20190508:2019:3c20a3b, author = {Verizon Communications Inc.}, title = {{2019 Data Breach Investigations Report}}, date = {2019-05-08}, institution = {Verizon Communications Inc.}, url = {https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf}, language = {English}, urldate = {2020-05-10} } 2019 Data Breach Investigations Report
BlackEnergy Cobalt Strike DanaBot Gandcrab GreyEnergy Mirai Olympic Destroyer SamSam
2019-03-13ProofpointDennis Schwarz, Proofpoint Threat Insight Team
@online{schwarz:20190313:danabot:a6b3c02, author = {Dennis Schwarz and Proofpoint Threat Insight Team}, title = {{DanaBot control panel revealed}}, date = {2019-03-13}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/danabot-control-panel-revealed}, language = {English}, urldate = {2019-12-20} } DanaBot control panel revealed
DanaBot
2019-03-01FortinetFortiGuard SE Team
@online{team:20190301:breakdown:fbb8608, author = {FortiGuard SE Team}, title = {{Breakdown of a Targeted DanaBot Attack}}, date = {2019-03-01}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/breakdown-of-a-targeted-danabot-attack.html}, language = {English}, urldate = {2019-11-26} } Breakdown of a Targeted DanaBot Attack
DanaBot
2019-02-07ESET ResearchESET Research
@online{research:20190207:danabot:6346e2b, author = {ESET Research}, title = {{DanaBot updated with new C&C communication}}, date = {2019-02-07}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/02/07/danabot-updated-new-cc-communication/}, language = {English}, urldate = {2019-11-14} } DanaBot updated with new C&C communication
DanaBot
2018-12-20YoroiDavide Testa, Luigi Martire, Antonio Pirozzi, Luca Mella
@online{testa:20181220:dissecting:e9c16fb, author = {Davide Testa and Luigi Martire and Antonio Pirozzi and Luca Mella}, title = {{Dissecting the Danabot Payload Targeting Italy}}, date = {2018-12-20}, organization = {Yoroi}, url = {https://blog.yoroi.company/research/dissecting-the-danabot-paylaod-targeting-italy/}, language = {English}, urldate = {2022-02-02} } Dissecting the Danabot Payload Targeting Italy
DanaBot
2018-12-06ESET ResearchESET Research
@online{research:20181206:danabot:dd22bc3, author = {ESET Research}, title = {{DanaBot evolves beyond banking Trojan with new spam‑sending capability}}, date = {2018-12-06}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/12/06/danabot-evolves-beyond-banking-trojan-new-spam/}, language = {English}, urldate = {2019-11-14} } DanaBot evolves beyond banking Trojan with new spam‑sending capability
DanaBot
2018-10-02ProofpointProofpoint Staff
@online{staff:20181002:danabot:b7282b9, author = {Proofpoint Staff}, title = {{DanaBot Gains Popularity and Targets US Organizations in Large Campaigns}}, date = {2018-10-02}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/danabot-gains-popularity-and-targets-us-organizations-large-campaigns}, language = {English}, urldate = {2019-12-20} } DanaBot Gains Popularity and Targets US Organizations in Large Campaigns
DanaBot
2018-09-21ESET ResearchESET Research
@online{research:20180921:danabot:a939e5f, author = {ESET Research}, title = {{DanaBot shifts its targeting to Europe, adds new features}}, date = {2018-09-21}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/09/21/danabot-targeting-europe-adds-new-features/}, language = {English}, urldate = {2019-11-14} } DanaBot shifts its targeting to Europe, adds new features
DanaBot
2018-07-16SpiderLabs BlogFahim Abbasi
@online{abbasi:20180716:danabot:08d5942, author = {Fahim Abbasi}, title = {{DanaBot Riding Fake MYOB Invoice Emails}}, date = {2018-07-16}, organization = {SpiderLabs Blog}, url = {https://www.trustwave.com/Resources/SpiderLabs-Blog/DanaBot-Riding-Fake-MYOB-Invoice-Emails/}, language = {English}, urldate = {2020-01-10} } DanaBot Riding Fake MYOB Invoice Emails
DanaBot
2018-05-31ProofpointProofpoint Staff
@online{staff:20180531:danabot:b1b2487, author = {Proofpoint Staff}, title = {{DanaBot - A new banking Trojan surfaces Down Under}}, date = {2018-05-31}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0}, language = {English}, urldate = {2019-12-20} } DanaBot - A new banking Trojan surfaces Down Under
DanaBot
Yara Rules
[TLP:WHITE] win_danabot_auto (20221125 | Detects win.danabot.)
rule win_danabot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.danabot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b00 8bd0 4a 8bc6 33c9 e8???????? 33c0 }
            // n = 7, score = 400
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   8bd0                 | mov                 edx, eax
            //   4a                   | dec                 edx
            //   8bc6                 | mov                 eax, esi
            //   33c9                 | xor                 ecx, ecx
            //   e8????????           |                     
            //   33c0                 | xor                 eax, eax

        $sequence_1 = { e8???????? 8b0424 8b13 0110 }
            // n = 4, score = 400
            //   e8????????           |                     
            //   8b0424               | mov                 eax, dword ptr [esp]
            //   8b13                 | mov                 edx, dword ptr [ebx]
            //   0110                 | add                 dword ptr [eax], edx

        $sequence_2 = { 8b44241c 50 6a0b 68fa27a1ea }
            // n = 4, score = 400
            //   8b44241c             | mov                 eax, dword ptr [esp + 0x1c]
            //   50                   | push                eax
            //   6a0b                 | push                0xb
            //   68fa27a1ea           | push                0xeaa127fa

        $sequence_3 = { 6a15 68a111084e 8bc6 8b4d00 8b17 e8???????? 8b4500 }
            // n = 7, score = 400
            //   6a15                 | push                0x15
            //   68a111084e           | push                0x4e0811a1
            //   8bc6                 | mov                 eax, esi
            //   8b4d00               | mov                 ecx, dword ptr [ebp]
            //   8b17                 | mov                 edx, dword ptr [edi]
            //   e8????????           |                     
            //   8b4500               | mov                 eax, dword ptr [ebp]

        $sequence_4 = { 8b16 e8???????? 8b07 50 8b442428 50 6a0a }
            // n = 7, score = 400
            //   8b16                 | mov                 edx, dword ptr [esi]
            //   e8????????           |                     
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   50                   | push                eax
            //   8b442428             | mov                 eax, dword ptr [esp + 0x28]
            //   50                   | push                eax
            //   6a0a                 | push                0xa

        $sequence_5 = { 7e18 8b45fc 50 8b45fc 8b00 b913000000 ba01000000 }
            // n = 7, score = 400
            //   7e18                 | jle                 0x1a
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   50                   | push                eax
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   b913000000           | mov                 ecx, 0x13
            //   ba01000000           | mov                 edx, 1

        $sequence_6 = { 8b03 50 8b442438 50 6a16 68019546fd 8bc6 }
            // n = 7, score = 400
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   50                   | push                eax
            //   8b442438             | mov                 eax, dword ptr [esp + 0x38]
            //   50                   | push                eax
            //   6a16                 | push                0x16
            //   68019546fd           | push                0xfd469501
            //   8bc6                 | mov                 eax, esi

        $sequence_7 = { ff75f0 68???????? 68???????? 8d45d8 50 }
            // n = 5, score = 400
            //   ff75f0               | push                dword ptr [ebp - 0x10]
            //   68????????           |                     
            //   68????????           |                     
            //   8d45d8               | lea                 eax, [ebp - 0x28]
            //   50                   | push                eax

        $sequence_8 = { 8b0f 8b16 e8???????? 8b07 50 8b442454 50 }
            // n = 7, score = 400
            //   8b0f                 | mov                 ecx, dword ptr [edi]
            //   8b16                 | mov                 edx, dword ptr [esi]
            //   e8????????           |                     
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   50                   | push                eax
            //   8b442454             | mov                 eax, dword ptr [esp + 0x54]
            //   50                   | push                eax

        $sequence_9 = { 56 57 8bf1 8955f8 8945fc 8d45fc }
            // n = 6, score = 400
            //   56                   | push                esi
            //   57                   | push                edi
            //   8bf1                 | mov                 esi, ecx
            //   8955f8               | mov                 dword ptr [ebp - 8], edx
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8d45fc               | lea                 eax, [ebp - 4]

    condition:
        7 of them and filesize < 237568
}
Download all Yara Rules