win.danbot (Back to overview)

danbot


Danbot is a backdoor that was originally written in C#; recent versions are written in C++. It gives a remote attacker remote-access capabilities such as running a cmd command, uploading and downloading files, and moving and copying files. Backdoor commands are transmitted over either the HTTP or the DNS protocol. The commands are encapsulated in an XML file that is stored on disk; Danbot's backdoor component picks up the XML file and decodes and decrypts the commands.

References
2021-10-07 · Kaspersky · Aseel Kayal, Mark Lechtik, Paul Rascagnères
@techreport{kayal:20211007:lyceum:395a41f, author = {Aseel Kayal and Mark Lechtik and Paul Rascagnères}, title = {{LYCEUM Reborn: Counterintelligence in the Middle East}}, date = {2021-10-07}, institution = {Kaspersky}, url = {https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf}, language = {English}, urldate = {2021-10-25} } LYCEUM Reborn: Counterintelligence in the Middle East
danbot LYCEUM
2021-08-17 · ClearSky · ClearSky
@techreport{clearsky:20210817:new:573e4e4, author = {ClearSky}, title = {{New Iranian Espionage Campaign By “Siamesekitten” - Lyceum}}, date = {2021-08-17}, institution = {ClearSky}, url = {https://www.clearskysec.com/wp-content/uploads/2021/08/Siamesekitten.pdf}, language = {English}, urldate = {2021-08-25} } New Iranian Espionage Campaign By “Siamesekitten” - Lyceum
danbot Milan Shark
2020-07-21 · YouTube (OPCDE with Matt Suiche) · Mohamad Mokbel
@online{mokbel:20200721:vopcde:26d48d0, author = {Mohamad Mokbel}, title = {{vOPCDE #9 - A Journey into Malware HTTP Communication Channels Spectacles (Mohamad Mokbel)}}, date = {2020-07-21}, organization = {YouTube ( OPCDE with Matt Suiche)}, url = {https://www.youtube.com/watch?v=FttiysUZmDw}, language = {English}, urldate = {2021-10-24} } vOPCDE #9 - A Journey into Malware HTTP Communication Channels Spectacles (Mohamad Mokbel)
Alureon Aytoke Cobra Carbon System CROSSWALK danbot ProtonBot Silence
2020-01-15 · CyberX · Ori Perez
@online{perez:20200115:deep:7a467be, author = {Ori Perez}, title = {{Deep Dive into the Lyceum Danbot Malware}}, date = {2020-01-15}, organization = {CyberX}, url = {https://cyberx-labs.com/blog/deep-dive-into-the-lyceum-danbot-malware/}, language = {English}, urldate = {2020-02-02} } Deep Dive into the Lyceum Danbot Malware
danbot
2020 · Secureworks · SecureWorks
@online{secureworks:2020:cobalt:1a61198, author = {SecureWorks}, title = {{COBALT LYCEUM}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/cobalt-lyceum}, language = {English}, urldate = {2020-05-23} } COBALT LYCEUM
danbot RGDoor LYCEUM
2019-08-01 · AlienVault OTX · AlienVault
@online{alienvault:20190801:hexane:3d63fd0, author = {AlienVault}, title = {{Hexane Targeting Oil and Gas}}, date = {2019-08-01}, organization = {AlienVault OTX}, url = {https://otx.alienvault.com/pulse/5d4301edb3f3406ac01acc0f}, language = {English}, urldate = {2019-11-28} } Hexane Targeting Oil and Gas
danbot
Yara Rules
[TLP:WHITE] win_danbot_auto (20230125 | Detects win.danbot.)
rule win_danbot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.danbot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.danbot"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): the per-instruction mnemonics below were re-derived from
     * the hex patterns, decoded as x86-64 (the patterns carry REX prefixes such
     * as 48/4c/41/49). The mnemonics shipped with the autogenerated rule did
     * not correspond to the bytes next to them (e.g. 85c0 encodes
     * `test eax, eax`, not `dec ecx`). Only the hex patterns are matching
     * logic; the comments are documentation. `????` bytes are wildcards that
     * mask relocated call targets and RIP-relative displacements.
     * Several sequences look like compiler boilerplate (stack-cookie prologue,
     * std::string small-buffer checks) and are weak evidence on their own; the
     * specificity comes from the condition requiring 7 of the 10 sequences.
     */


    strings:
        $sequence_0 = { 85c0 7920 e8???????? 8b08 e8???????? 83cbff 4c8bc0 }
            // n = 7, score = 200
            //   85c0                 | test                eax, eax
            //   7920                 | jns                 +0x20
            //   e8????????           | call                <masked rel32>
            //   8b08                 | mov                 ecx, dword ptr [rax]
            //   e8????????           | call                <masked rel32>
            //   83cbff               | or                  ebx, 0xffffffff
            //   4c8bc0               | mov                 r8, rax

        $sequence_1 = { 0f104810 0f118c24a8000000 48895810 4c897018 8818 488b9424f0000000 4883fa10 }
            // n = 7, score = 200
            //   0f104810             | movups              xmm1, xmmword ptr [rax + 0x10]
            //   0f118c24a8000000     | movups              xmmword ptr [rsp + 0xa8], xmm1
            //   48895810             | mov                 qword ptr [rax + 0x10], rbx
            //   4c897018             | mov                 qword ptr [rax + 0x18], r14
            //   8818                 | mov                 byte ptr [rax], bl
            //   488b9424f0000000     | mov                 rdx, qword ptr [rsp + 0xf0]
            //   4883fa10             | cmp                 rdx, 0x10

        // Load of a RIP-relative global, xor with rsp, spill to [rbp-8]: this is
        // consistent with an MSVC /GS stack-cookie prologue (compiler boilerplate,
        // so a weak discriminator by itself) — inferred, confirm against a sample.
        $sequence_2 = { 48895818 488b05???????? 4833c4 488945f8 418bd8 488bf9 488d4dd8 }
            // n = 7, score = 200
            //   48895818             | mov                 qword ptr [rax + 0x18], rbx
            //   488b05????????       | mov                 rax, qword ptr [rip + <masked disp32>]
            //   4833c4               | xor                 rax, rsp
            //   488945f8             | mov                 qword ptr [rbp - 8], rax
            //   418bd8               | mov                 ebx, r8d
            //   488bf9               | mov                 rdi, rcx
            //   488d4dd8             | lea                 rcx, [rbp - 0x28]

        // Capacity field at +0x18 compared against 0x10, then either the heap
        // pointer or the inline buffer is selected: consistent with MSVC
        // std::string small-string handling — inferred. Same shape in $sequence_4
        // and $sequence_8.
        $sequence_3 = { cc 48837b1810 7205 4c8b0b eb03 }
            // n = 5, score = 200
            //   cc                   | int3
            //   48837b1810           | cmp                 qword ptr [rbx + 0x18], 0x10
            //   7205                 | jb                  +5
            //   4c8b0b               | mov                 r9, qword ptr [rbx]
            //   eb03                 | jmp                 +3

        $sequence_4 = { e8???????? eb17 4d895510 49837d1810 7206 498b4500 eb03 }
            // n = 7, score = 200
            //   e8????????           | call                <masked rel32>
            //   eb17                 | jmp                 +0x17
            //   4d895510             | mov                 qword ptr [r13 + 0x10], r10
            //   49837d1810           | cmp                 qword ptr [r13 + 0x18], 0x10
            //   7206                 | jb                  +6
            //   498b4500             | mov                 rax, qword ptr [r13]
            //   eb03                 | jmp                 +3

        $sequence_5 = { 488d5008 4c8975c7 be07000000 488975cf 66448975b7 4983c9ff 4533c0 }
            // n = 7, score = 200
            //   488d5008             | lea                 rdx, [rax + 8]
            //   4c8975c7             | mov                 qword ptr [rbp - 0x39], r14
            //   be07000000           | mov                 esi, 7
            //   488975cf             | mov                 qword ptr [rbp - 0x31], rsi
            //   66448975b7           | mov                 word ptr [rbp - 0x49], r14w
            //   4983c9ff             | or                  r9, 0xffffffffffffffff
            //   4533c0               | xor                 r8d, r8d

        $sequence_6 = { 41b801000000 488b8c2438010000 e8???????? 48899c2448010000 4c89a42450010000 889c2438010000 488b5718 }
            // n = 7, score = 200
            //   41b801000000         | mov                 r8d, 1
            //   488b8c2438010000     | mov                 rcx, qword ptr [rsp + 0x138]
            //   e8????????           | call                <masked rel32>
            //   48899c2448010000     | mov                 qword ptr [rsp + 0x148], rbx
            //   4c89a42450010000     | mov                 qword ptr [rsp + 0x150], r12
            //   889c2438010000       | mov                 byte ptr [rsp + 0x138], bl
            //   488b5718             | mov                 rdx, qword ptr [rdi + 0x18]

        $sequence_7 = { 83f8ff 7504 41887d00 410f104500 }
            // n = 4, score = 200
            //   83f8ff               | cmp                 eax, 0xffffffff
            //   7504                 | jne                 +4
            //   41887d00             | mov                 byte ptr [r13], dil
            //   410f104500           | movups              xmm0, xmmword ptr [r13]

        $sequence_8 = { 7205 488b03 eb03 488bc3 66448938 eb6b 48397318 }
            // n = 7, score = 200
            //   7205                 | jb                  +5
            //   488b03               | mov                 rax, qword ptr [rbx]
            //   eb03                 | jmp                 +3
            //   488bc3               | mov                 rax, rbx
            //   66448938             | mov                 word ptr [rax], r15w
            //   eb6b                 | jmp                 +0x6b
            //   48397318             | cmp                 qword ptr [rbx + 0x18], rsi

        // Byte-copy loop body: load from [rdi+0x48], store to [r11], advance the
        // destination pointer, count down r9d.
        $sequence_9 = { 4585c9 0f84d0000000 8a4748 418803 49ffc3 41ffc9 4c895de8 }
            // n = 7, score = 200
            //   4585c9               | test                r9d, r9d
            //   0f84d0000000         | je                  +0xd0
            //   8a4748               | mov                 al, byte ptr [rdi + 0x48]
            //   418803               | mov                 byte ptr [r11], al
            //   49ffc3               | inc                 r11
            //   41ffc9               | dec                 r9d
            //   4c895de8             | mov                 qword ptr [rbp - 0x18], r11

    condition:
        // 7 of the 10 sequences must match; the size cap keeps the rule from
        // being evaluated against large files that the sampled binaries never reach.
        7 of them and filesize < 1492992
}