win.danbot

danbot


Danbot is a backdoor that was originally written in C#; recent versions are written in C++. It gives a remote attacker remote-access capabilities such as running a cmd command, uploading and downloading files, and moving and copying files. Backdoor commands are transmitted over either HTTP or DNS. The commands are encapsulated in an XML file that is stored on disk; Danbot's backdoor component picks up the XML file, then decodes and decrypts the commands.

References
2021-10-07 | Kaspersky | Aseel Kayal, Mark Lechtik, Paul Rascagnères
@techreport{kayal:20211007:lyceum:395a41f, author = {Aseel Kayal and Mark Lechtik and Paul Rascagnères}, title = {{LYCEUM Reborn: Counterintelligence in the Middle East}}, date = {2021-10-07}, institution = {Kaspersky}, url = {https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf}, language = {English}, urldate = {2021-10-25} } LYCEUM Reborn: Counterintelligence in the Middle East
danbot LYCEUM
2021-08-17 | ClearSky | ClearSky
@techreport{clearsky:20210817:new:573e4e4, author = {ClearSky}, title = {{New Iranian Espionage Campaign By “Siamesekitten” - Lyceum}}, date = {2021-08-17}, institution = {ClearSky}, url = {https://www.clearskysec.com/wp-content/uploads/2021/08/Siamesekitten.pdf}, language = {English}, urldate = {2021-08-25} } New Iranian Espionage Campaign By “Siamesekitten” - Lyceum
danbot Milan Shark
2020-07-21 | YouTube (OPCDE with Matt Suiche) | Mohamad Mokbel
@online{mokbel:20200721:vopcde:26d48d0, author = {Mohamad Mokbel}, title = {{vOPCDE #9 - A Journey into Malware HTTP Communication Channels Spectacles (Mohamad Mokbel)}}, date = {2020-07-21}, organization = {YouTube ( OPCDE with Matt Suiche)}, url = {https://www.youtube.com/watch?v=FttiysUZmDw}, language = {English}, urldate = {2021-10-24} } vOPCDE #9 - A Journey into Malware HTTP Communication Channels Spectacles (Mohamad Mokbel)
Alureon Aytoke Cobra Carbon System CROSSWALK danbot ProtonBot Silence
2020-01-15 | CyberX | Ori Perez
@online{perez:20200115:deep:7a467be, author = {Ori Perez}, title = {{Deep Dive into the Lyceum Danbot Malware}}, date = {2020-01-15}, organization = {CyberX}, url = {https://cyberx-labs.com/blog/deep-dive-into-the-lyceum-danbot-malware/}, language = {English}, urldate = {2020-02-02} } Deep Dive into the Lyceum Danbot Malware
danbot
2020 | Secureworks | SecureWorks
@online{secureworks:2020:cobalt:1a61198, author = {SecureWorks}, title = {{COBALT LYCEUM}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/cobalt-lyceum}, language = {English}, urldate = {2020-05-23} } COBALT LYCEUM
danbot RGDoor LYCEUM
2019-08-01 | AlienVault OTX | AlienVault
@online{alienvault:20190801:hexane:3d63fd0, author = {AlienVault}, title = {{Hexane Targeting Oil and Gas}}, date = {2019-08-01}, organization = {AlienVault OTX}, url = {https://otx.alienvault.com/pulse/5d4301edb3f3406ac01acc0f}, language = {English}, urldate = {2019-11-28} } Hexane Targeting Oil and Gas
danbot
Yara Rules
[TLP:WHITE] win_danbot_auto (20220411 | Detects win.danbot.)
rule win_danbot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.danbot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.danbot"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): the per-byte annotations next to each sequence do not
     * appear to correspond to the opcode bytes they sit beside (for example,
     * 48 83 c7 02 decodes as `add rdi, 2` under a REX.W prefix, not an lea
     * into ecx). Only the hex sequences are matched by YARA; treat the
     * annotations as informational and verify against a disassembler before
     * relying on them. The `??` bytes after e8/e9 mask the rel32 displacement
     * of call/jmp instructions so the sequences tolerate differing targets.
     * The 0x48/0x49/0x4c/0x4d prefixes indicate these are x86-64 code
     * sequences, so the rule is aimed at 64-bit builds of the family.
     */

    strings:
        $sequence_0 = { 4883c702 4983ed01 75d6 0f28442430 f3410f7f0424 0f29442430 4885db }
            // n = 7, score = 200
            //   4883c702             | lea                 ecx, dword ptr [esp + 0x150]
            //   4983ed01             | nop                 
            //   75d6                 | dec                 eax
            //   0f28442430           | lea                 ecx, dword ptr [esp + 0x350]
            //   f3410f7f0424         | dec                 eax
            //   0f29442430           | mov                 edx, eax
            //   4885db               | dec                 eax

        $sequence_1 = { e8???????? 4c8bc0 418bd7 e9???????? 33c0 837b1800 740e }
            // n = 7, score = 200
            //   e8????????           |                     
            //   4c8bc0               | mov                 dword ptr [esp + 0x80], eax
            //   418bd7               | mov                 ecx, 0xea60
            //   e9????????           |                     
            //   33c0                 | jmp                 0x1370
            //   837b1800             | dec                 ebp
            //   740e                 | test                esp, esp

        $sequence_2 = { 4885db 0f84c6090000 83fa05 0f87bd090000 48397910 0f84a8090000 }
            // n = 6, score = 200
            //   4885db               | and                 eax, 0xfffffffb
            //   0f84c6090000         | add                 eax, 7
            //   83fa05               | dec                 esp
            //   0f87bd090000         | mov                 dword ptr [edi], esi
            //   48397910             | inc                 ecx
            //   0f84a8090000         | mov                 cl, byte ptr [esi]

        $sequence_3 = { 720f 48ffc2 4d8bc6 488b4de0 e8???????? 4488742424 e9???????? }
            // n = 7, score = 200
            //   720f                 | lea                 ecx, dword ptr [esp + 0x108]
            //   48ffc2               | nop                 
            //   4d8bc6               | mov                 byte ptr [esp + 0x108], bl
            //   488b4de0             | inc                 esp
            //   e8????????           |                     
            //   4488742424           | lea                 eax, dword ptr [ebx + 3]
            //   e9????????           |                     

        $sequence_4 = { 4883601800 410f1006 0f1100 410f104e10 0f114810 4983661000 49c746180f000000 }
            // n = 7, score = 200
            //   4883601800           | mov                 ecx, ebx
            //   410f1006             | dec                 esp
            //   0f1100               | lea                 ecx, dword ptr [ebp - 9]
            //   410f104e10           | dec                 esp
            //   0f114810             | lea                 eax, dword ptr [0x50637]
            //   4983661000           | dec                 eax
            //   49c746180f000000     | lea                 edx, dword ptr [0x50621]

        $sequence_5 = { 7213 48ffc2 4d8bc6 488b8c2488020000 e8???????? 48899c2498020000 4889b424a0020000 }
            // n = 7, score = 200
            //   7213                 | lea                 ecx, dword ptr [esp + 0xd8]
            //   48ffc2               | nop                 
            //   4d8bc6               | mov                 byte ptr [esp + 0xd8], bl
            //   488b8c2488020000     | inc                 ebp
            //   e8????????           |                     
            //   48899c2498020000     | xor                 eax, eax
            //   4889b424a0020000     | dec                 eax

        $sequence_6 = { eb03 488bc3 420fb63420 8bce e8???????? 85c0 }
            // n = 6, score = 200
            //   eb03                 | dec                 eax
            //   488bc3               | mov                 ebp, edx
            //   420fb63420           | mov                 eax, dword ptr [ebp + 0x40]
            //   8bce                 | and                 eax, 0x80
            //   e8????????           |                     
            //   85c0                 | test                eax, eax

        $sequence_7 = { 48896f08 488b6c2448 48897710 488b742450 4883c420 415f 415e }
            // n = 7, score = 200
            //   48896f08             | lea                 ecx, dword ptr [esp + 0x30]
            //   488b6c2448           | int3                
            //   48897710             | dec                 esp
            //   488b742450           | mov                 eax, eax
            //   4883c420             | dec                 eax
            //   415f                 | lea                 edx, dword ptr [0x9756c]
            //   415e                 | dec                 eax

        $sequence_8 = { 66443bf8 7504 408875a0 4883c302 482bfe 75da e9???????? }
            // n = 7, score = 200
            //   66443bf8             | cmp                 eax, esp
            //   7504                 | je                  0x1ad9
            //   408875a0             | lea                 edi, dword ptr [ebx + 1]
            //   4883c302             | inc                 esp
            //   482bfe               | mov                 dh, bh
            //   75da                 | test                cl, cl
            //   e9????????           |                     

        $sequence_9 = { 4d8bc6 488b4dbf e8???????? 33d2 488d4d9f e8???????? 488d55bf }
            // n = 7, score = 200
            //   4d8bc6               | mov                 ecx, esp
            //   488b4dbf             | cmp                 dword ptr [edi], 0x1d
            //   e8????????           |                     
            //   33d2                 | mov                 edx, 0
            //   488d4d9f             | inc                 esp
            //   e8????????           |                     
            //   488d55bf             | mov                 eax, dword ptr [ebp + 0x58]

    condition:
        // Fires when at least 7 of the 10 code sequences above are present and
        // the scanned object is below the size cap. Per the disclaimer, the
        // sequences were taken from memory dumps and unpacked files, so a
        // packed on-disk sample may not trigger; pair with memory/unpacked
        // scanning for coverage. The filesize bound also means a larger
        // process dump or an object above 1492992 bytes is excluded even if
        // all sequences are present -- relax it if that is not intended.
        7 of them and filesize < 1492992
}