win.danabot

DanaBot


Proofpoint describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on “quality over quantity” in email-based threats. DanaBot’s modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker.

References
https://0ffset.wordpress.com/2018/06/05/post-0x08-analyzing-danabot-downloader/
https://www.proofpoint.com/us/threat-insight/post/danabot-gains-popularity-and-targets-us-organizations-large-campaigns
https://asert.arbornetworks.com/danabots-travels-a-global-perspective/
https://www.welivesecurity.com/2018/09/21/danabot-targeting-europe-adds-new-features/
https://www.fortinet.com/blog/threat-research/breakdown-of-a-targeted-danabot-attack.html
https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0
https://www.proofpoint.com/us/threat-insight/post/danabot-control-panel-revealed
https://www.trustwave.com/Resources/SpiderLabs-Blog/DanaBot-Riding-Fake-MYOB-Invoice-Emails/
https://www.welivesecurity.com/2018/12/06/danabot-evolves-beyond-banking-trojan-new-spam/
https://www.welivesecurity.com/2019/02/07/danabot-updated-new-cc-communication/
https://blog.yoroi.company/research/dissecting-the-danabot-paylaod-targeting-italy/
https://www.gdatasoftware.com/blog/2019/05/31695-strange-bits-smuggling-malware-github
Yara Rules
[TLP:WHITE] win_danabot_auto (20180607 | autogenerated rule brought to you by yara-signator)
rule win_danabot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2018-11-23"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot"
        malpedia_version = "20180607"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { cd03 0f1f00 bb40000000 2bda }
            // n = 4, score = 2000
            //   cd03                 | int                 3
            //   0f1f00               | nop                 dword ptr [eax]
            //   bb40000000           | mov                 ebx, 0x40
            //   2bda                 | sub                 ebx, edx

        $sequence_1 = { 40 42 3d94000000 75f4 }
            // n = 4, score = 2000
            //   40                   | inc                 eax
            //   42                   | inc                 edx
            //   3d94000000           | cmp                 eax, 0x94
            //   75f4                 | jne                 0x719fdd

        $sequence_2 = { 64ff30 648920 bb00040000 c745f864000000 }
            // n = 4, score = 2000
            //   64ff30               | push                dword ptr fs:[eax]
            //   648920               | mov                 dword ptr fs:[eax], esp
            //   bb00040000           | mov                 ebx, 0x400
            //   c745f864000000       | mov                 dword ptr [ebp - 8], 0x64

        $sequence_3 = { 50 e809faffff 817c241400000100 7570 }
            // n = 4, score = 2000
            //   50                   | push                eax
            //   e809faffff           | call                0x7110c0
            //   817c241400000100     | cmp                 dword ptr [esp + 0x14], 0x10000
            //   7570                 | jne                 0x711731

        $sequence_4 = { 24ff 88041f 8b44b500 c1e808 }
            // n = 4, score = 2000
            //   24ff                 | and                 al, 0xff
            //   88041f               | mov                 byte ptr [edi + ebx], al
            //   8b44b500             | mov                 eax, dword ptr [ebp + esi*4]
            //   c1e808               | shr                 eax, 8

        $sequence_5 = { 8b55f8 8902 6a00 8d45f4 }
            // n = 4, score = 2000
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   8902                 | mov                 dword ptr [edx], eax
            //   6a00                 | push                0
            //   8d45f4               | lea                 eax, dword ptr [ebp - 0xc]

        $sequence_6 = { 8b44b500 c1e810 24ff 88441f02 }
            // n = 4, score = 2000
            //   8b44b500             | mov                 eax, dword ptr [ebp + esi*4]
            //   c1e810               | shr                 eax, 0x10
            //   24ff                 | and                 al, 0xff
            //   88441f02             | mov                 byte ptr [edi + ebx + 2], al

        $sequence_7 = { c1e208 0bc2 0fb6541e02 c1e210 }
            // n = 4, score = 2000
            //   c1e208               | shl                 edx, 8
            //   0bc2                 | or                  eax, edx
            //   0fb6541e02           | movzx               edx, byte ptr [esi + ebx + 2]
            //   c1e210               | shl                 edx, 0x10

        $sequence_8 = { 8b42fc e87cfbffff 89c2 58 }
            // n = 4, score = 2000
            //   8b42fc               | mov                 eax, dword ptr [edx - 4]
            //   e87cfbffff           | call                0x713990
            //   89c2                 | mov                 edx, eax
            //   58                   | pop                 eax

        $sequence_9 = { 8bf0 85f6 750c 8bc7 }
            // n = 4, score = 2000
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   750c                 | jne                 0x718482
            //   8bc7                 | mov                 eax, edi

    condition:
        7 of them
}
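The rule above is a set of plain hex byte sequences tied together by a "7 of them" threshold. The following is an added example (not from Malpedia or yara-signator) that parses exactly those strings and that condition out of a trimmed copy of the rule and evaluates them against a buffer with plain substring search, which is how YARA treats wildcard-free hex strings; build_sample constructs test buffers from the rule's own sequences and is not derived from any real DanaBot sample.

```python
import re

# Trimmed copy of the win_danabot_auto rule from the page (strings and condition only);
# the per-byte disassembly comments are omitted because the matcher does not need them.
RULE_TEXT = """
rule win_danabot_auto {
    strings:
        $sequence_0 = { cd03 0f1f00 bb40000000 2bda }
        $sequence_1 = { 40 42 3d94000000 75f4 }
        $sequence_2 = { 64ff30 648920 bb00040000 c745f864000000 }
        $sequence_3 = { 50 e809faffff 817c241400000100 7570 }
        $sequence_4 = { 24ff 88041f 8b44b500 c1e808 }
        $sequence_5 = { 8b55f8 8902 6a00 8d45f4 }
        $sequence_6 = { 8b44b500 c1e810 24ff 88441f02 }
        $sequence_7 = { c1e208 0bc2 0fb6541e02 c1e210 }
        $sequence_8 = { 8b42fc e87cfbffff 89c2 58 }
        $sequence_9 = { 8bf0 85f6 750c 8bc7 }
    condition:
        7 of them
}
"""

STRING_RE = re.compile(r"\$(\w+)\s*=\s*\{([0-9a-fA-F\s]+)\}")
CONDITION_RE = re.compile(r"condition:\s*(\d+)\s+of\s+them")

def parse_rule(text):
    """Extract name -> bytes for each plain hex string, plus the 'N of them' threshold."""
    patterns = {name: bytes.fromhex(hexs) for name, hexs in STRING_RE.findall(text)}
    threshold = int(CONDITION_RE.search(text).group(1))
    return patterns, threshold

def evaluate_rule(data, text=RULE_TEXT):
    """Return (matched, hit_names); substring search mirrors YARA for wildcard-free hex strings."""
    patterns, threshold = parse_rule(text)
    hits = sorted(name for name, pat in patterns.items() if pat in data)
    return len(hits) >= threshold, hits

def build_sample(names, text=RULE_TEXT):
    """Constructed test buffer: the chosen sequences separated by 0xCC padding (no real sample)."""
    patterns, _ = parse_rule(text)
    pad = b"\xcc" * 8
    return pad + pad.join(patterns[n] for n in names) + pad

if __name__ == "__main__":
    eight = build_sample([f"sequence_{i}" for i in range(8)])
    six = build_sample([f"sequence_{i}" for i in range(6)])
    print(evaluate_rule(eight))  # (True, ['sequence_0', ..., 'sequence_7'])
    print(evaluate_rule(six))    # (False, ['sequence_0', ..., 'sequence_5'])
```

Because the threshold is seven of ten, a sample that has been recompiled or patched so that four of these short code n-grams change will no longer match, which is the generalization caveat the rule's own disclaimer points at.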