win.danbot

danbot


Danbot is a backdoor that was originally written in C#; recent versions are written in C++. It gives a remote attacker remote-access capabilities such as running a cmd command, uploading and downloading files, and moving and copying files. Backdoor commands are transmitted over either the HTTP or the DNS protocol. The commands are encapsulated in an XML file that is stored on disk; Danbot's backdoor component picks up this XML file and decodes and decrypts the commands from it.

References
2021-10-07KasperskyAseel Kayal, Mark Lechtik, Paul Rascagnères
@techreport{kayal:20211007:lyceum:395a41f, author = {Aseel Kayal and Mark Lechtik and Paul Rascagnères}, title = {{LYCEUM Reborn: Counterintelligence in the Middle East}}, date = {2021-10-07}, institution = {Kaspersky}, url = {https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf}, language = {English}, urldate = {2021-10-25} } LYCEUM Reborn: Counterintelligence in the Middle East
danbot LYCEUM
2021-08-17ClearSkyClearSky
@techreport{clearsky:20210817:new:573e4e4, author = {ClearSky}, title = {{New Iranian Espionage Campaign By “Siamesekitten” - Lyceum}}, date = {2021-08-17}, institution = {ClearSky}, url = {https://www.clearskysec.com/wp-content/uploads/2021/08/Siamesekitten.pdf}, language = {English}, urldate = {2021-08-25} } New Iranian Espionage Campaign By “Siamesekitten” - Lyceum
danbot Milan Shark
2020-07-21YouTube ( OPCDE with Matt Suiche)Mohamad Mokbel
@online{mokbel:20200721:vopcde:26d48d0, author = {Mohamad Mokbel}, title = {{vOPCDE #9 - A Journey into Malware HTTP Communication Channels Spectacles (Mohamad Mokbel)}}, date = {2020-07-21}, organization = {YouTube ( OPCDE with Matt Suiche)}, url = {https://www.youtube.com/watch?v=FttiysUZmDw}, language = {English}, urldate = {2021-10-24} } vOPCDE #9 - A Journey into Malware HTTP Communication Channels Spectacles (Mohamad Mokbel)
Alureon Aytoke Cobra Carbon System CROSSWALK danbot ProtonBot Silence
2020-01-15CyberXOri Perez
@online{perez:20200115:deep:7a467be, author = {Ori Perez}, title = {{Deep Dive into the Lyceum Danbot Malware}}, date = {2020-01-15}, organization = {CyberX}, url = {https://cyberx-labs.com/blog/deep-dive-into-the-lyceum-danbot-malware/}, language = {English}, urldate = {2020-02-02} } Deep Dive into the Lyceum Danbot Malware
danbot
2020SecureworksSecureWorks
@online{secureworks:2020:cobalt:1a61198, author = {SecureWorks}, title = {{COBALT LYCEUM}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/cobalt-lyceum}, language = {English}, urldate = {2020-05-23} } COBALT LYCEUM
danbot RGDoor LYCEUM
2019-08-01AlienVault OTXAlienVault
@online{alienvault:20190801:hexane:3d63fd0, author = {AlienVault}, title = {{Hexane Targeting Oil and Gas}}, date = {2019-08-01}, organization = {AlienVault OTX}, url = {https://otx.alienvault.com/pulse/5d4301edb3f3406ac01acc0f}, language = {English}, urldate = {2019-11-28} } Hexane Targeting Oil and Gas
danbot
Yara Rules
[TLP:WHITE] win_danbot_auto (20230407 | Detects win.danbot.)
rule win_danbot_auto {
    // Auto-generated code-sequence signature for the win.danbot backdoor (see
    // the DISCLAIMER below for how the byte sequences were selected). Each
    // `$sequence_N` string is a run of opcode bytes; the `??` wildcards mask
    // bytes that vary between builds — per `signator_config` these appear to
    // be the displacement/immediate bytes of calls, jumps and data references
    // (confirm against the yara-signator documentation).

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.danbot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.danbot"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // NOTE(review): the mnemonic column in the comments below does not line
        // up with the hex bytes on the same line (e.g. `7507` is a short `jne`,
        // not `nop`, and the many `dec eax` entries look like 0x48 REX prefixes
        // decoded in 32-bit mode). Treat the hex sequences as authoritative and
        // the mnemonics as informational only. `n` is the number of
        // instructions in the sequence; `score` is the generator's ranking.
        $sequence_0 = { e8???????? 48891d???????? 48893d???????? 881d???????? 410f1007 0f1105???????? 410f104f10 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   48891d????????       |                     
            //   48893d????????       |                     
            //   881d????????         |                     
            //   410f1007             | mov                 ecx, dword ptr [edi]
            //   0f1105????????       |                     
            //   410f104f10           | jmp                 0x17d

        $sequence_1 = { 7507 4d3916 742f eb05 4d3916 7528 44385708 }
            // n = 7, score = 200
            //   7507                 | nop                 
            //   4d3916               | dec                 eax
            //   742f                 | lea                 eax, [esp + 0x1b0]
            //   eb05                 | dec                 eax
            //   4d3916               | mov                 dword ptr [esp + 0x48], eax
            //   7528                 | dec                 eax
            //   44385708             | lea                 eax, [esp + 0x1d0]

        $sequence_2 = { 498bd7 488bcf e8???????? 84c0 75ca 4c8b6c2448 488b4c2428 }
            // n = 7, score = 200
            //   498bd7               | movups              xmmword ptr [esp + 0xb8], xmm1
            //   488bcf               | dec                 ecx
            //   e8????????           |                     
            //   84c0                 | mov                 dword ptr [esp + 0x10], ebx
            //   75ca                 | mov                 byte ptr [esp + 0xa8], bl
            //   4c8b6c2448           | inc                 esp
            //   488b4c2428           | lea                 eax, [ebx + 3]

        $sequence_3 = { ba01000000 488d4df0 e8???????? 0f1000 f3410f7f06 488b742468 8ac3 }
            // n = 7, score = 200
            //   ba01000000           | mov                 eax, edx
            //   488d4df0             | dec                 eax
            //   e8????????           |                     
            //   0f1000               | lea                 ecx, [0x51a4d]
            //   f3410f7f06           | dec                 eax
            //   488b742468           | mov                 dword ptr [ebx], ecx
            //   8ac3                 | dec                 eax

        $sequence_4 = { e8???????? ba01000000 488bce ffd3 90 488365cf00 48c745d70f000000 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   ba01000000           | mov                 eax, dword ptr [ebx + 0x9c]
            //   488bce               | cmp                 eax, 0x106
            //   ffd3                 | jae                 0x13a3
            //   90                   | inc                 esp
            //   488365cf00           | mov                 esi, edx
            //   48c745d70f000000     | dec                 eax

        $sequence_5 = { 48ffc2 4d8bc6 488b4de0 e8???????? 4885db 0f8446fbffff 488d55e0 }
            // n = 7, score = 200
            //   48ffc2               | jne                 0xae1
            //   4d8bc6               | dec                 eax
            //   488b4de0             | add                 eax, 2
            //   e8????????           |                     
            //   4885db               | dec                 ecx
            //   0f8446fbffff         | mov                 dword ptr [esi], eax
            //   488d55e0             | or                  eax, 4

        $sequence_6 = { 747d 48837b1808 7205 488b03 eb03 488bc3 488b4b10 }
            // n = 7, score = 200
            //   747d                 | nop                 
            //   48837b1808           | dec                 eax
            //   7205                 | mov                 edx, dword ptr [esp + 0x198]
            //   488b03               | dec                 eax
            //   eb03                 | cmp                 edx, 0x10
            //   488bc3               | jb                  0x1bd
            //   488b4b10             | dec                 eax

        $sequence_7 = { eb09 8b4748 498bd3 482bd1 8bc8 413bc9 410f47c9 }
            // n = 7, score = 200
            //   eb09                 | arpl                word ptr [eax + 4], cx
            //   8b4748               | jne                 0x12dc
            //   498bd3               | dec                 esp
            //   482bd1               | lea                 ecx, [esp + 0x60]
            //   8bc8                 | dec                 ecx
            //   413bc9               | add                 ecx, ecx
            //   410f47c9             | inc                 ebp

        $sequence_8 = { 8d43d5 a8fd 750f 488b07 8a18 48ffc0 }
            // n = 6, score = 200
            //   8d43d5               | dec                 eax
            //   a8fd                 | or                  eax, 0xffffffff
            //   750f                 | dec                 eax
            //   488b07               | cmp                 dword ptr [esp + 0x28], 3
            //   8a18                 | jne                 0x8df
            //   48ffc0               | dec                 esp

        $sequence_9 = { e9???????? 8b4b48 c1e10c 81e900780000 44398bb0000000 7d22 8b93ac000000 }
            // n = 7, score = 200
            //   e9????????           |                     
            //   8b4b48               | mov                 edx, esp
            //   c1e10c               | dec                 eax
            //   81e900780000         | mov                 ecx, esi
            //   44398bb0000000       | nop                 
            //   7d22                 | dec                 eax
            //   8b93ac000000         | lea                 eax, [0x423a7]

    condition:
        // A hit needs 7 of the 10 opcode sequences above AND a file smaller than
        // 1492992 bytes. The size cap is a scan-cost bound, so files at or above
        // that size are never matched regardless of how many sequences they
        // contain; raise it if you scan memory dumps or larger containers.
        7 of them and filesize < 1492992
}