win.danbot (Back to overview)

danbot


Danbot is a backdoor that was originally written in C#; recent versions are written in C++. It gives a remote attacker remote-access capabilities such as running a cmd command, uploading and downloading files, and moving and copying files. The backdoor commands are transmitted over either HTTP or DNS. The commands are encapsulated in an XML file that is stored on disk; Danbot's backdoor component picks up this XML file, then decodes and decrypts the commands it contains.

References
2021-10-07KasperskyAseel Kayal, Mark Lechtik, Paul Rascagnères
LYCEUM Reborn: Counterintelligence in the Middle East
danbot LYCEUM
2021-08-17ClearSkyClearSky
New Iranian Espionage Campaign By “Siamesekitten” - Lyceum
danbot Milan Shark
2020-07-21YouTube ( OPCDE with Matt Suiche)Mohamad Mokbel
vOPCDE #9 - A Journey into Malware HTTP Communication Channels Spectacles (Mohamad Mokbel)
Alureon Aytoke Cobra Carbon System CROSSWALK danbot ProtonBot Silence
2020-01-15CyberXOri Perez
Deep Dive into the Lyceum Danbot Malware
danbot
2020-01-01SecureworksSecureWorks
COBALT LYCEUM
danbot RGDoor LYCEUM
2019-08-01AlienVault OTXAlienVault
Hexane Targeting Oil and Gas
danbot
Yara Rules
[TLP:WHITE] win_danbot_auto (20230808 | Detects win.danbot.)
rule win_danbot_auto {

    // Reviewer notes (added): the $sequence_N hex patterns below are the
    // matching content of this rule. The per-byte disassembly column in the
    // comments beneath each pattern is yara-signator output and appears to be
    // misaligned with the bytes it annotates (many 0x48/0x4c/0x4d-prefixed
    // sequences are shown with 32-bit "dec eax"/"dec esp" decodings); treat it
    // as informational only and do not rely on it for triage.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // NOTE(review): date and malpedia_rule_date (2023-12-06 / 20231130)
        // postdate malpedia_version (20230808), which is the version the page
        // header lists this rule under.
        date = "2023-12-06"
        version = "1"
        description = "Detects win.danbot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.danbot"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // The ???????? wildcards mask the rel32 displacement of e8 (call) and
        // e9 (jmp) instructions, which vary between builds and load layouts.
        $sequence_0 = { 66893c48 448b4374 488b4b68 41ffc8 4d03c0 e8???????? 48638bac000000 }
            // n = 7, score = 200
            //   66893c48             | cmp                 edx, 0x10
            //   448b4374             | jb                  0x1c3c
            //   488b4b68             | dec                 eax
            //   41ffc8               | inc                 edx
            //   4d03c0               | dec                 esp
            //   e8????????           |                     
            //   48638bac000000       | mov                 eax, edi

        $sequence_1 = { 8a4004 88040a 44016b28 8b5328 488b4330 488b4b10 8a4005 }
            // n = 7, score = 200
            //   8a4004               | dec                 eax
            //   88040a               | test                esi, esi
            //   44016b28             | je                  0xdc5
            //   8b5328               | dec                 esp
            //   488b4330             | mov                 esi, dword ptr [ebp - 0x48]
            //   488b4b10             | dec                 ebp
            //   8a4005               | test                esi, esi

        $sequence_2 = { 483bd7 7213 48ffc2 4c8bc3 488b8c2480030000 e8???????? 4c89b42490030000 }
            // n = 7, score = 200
            //   483bd7               | dec                 eax
            //   7213                 | lea                 edx, [0x5d7fa]
            //   48ffc2               | jmp                 0x553
            //   4c8bc3               | dec                 eax
            //   488b8c2480030000     | mov                 edx, dword ptr [eax + 0x28]
            //   e8????????           |                     
            //   4c89b42490030000     | dec                 eax

        $sequence_3 = { e9???????? 488b8a80000000 e9???????? 488b8a78000000 e9???????? 488b8a28000000 e9???????? }
            // n = 7, score = 200
            //   e9????????           |                     
            //   488b8a80000000       | inc                 ebp
            //   e9????????           |                     
            //   488b8a78000000       | xor                 eax, eax
            //   e9????????           |                     
            //   488b8a28000000       | dec                 eax
            //   e9????????           |                     

        $sequence_4 = { 4154 4155 4157 4881ec10060000 48c780a8fafffffeffffff 48895808 48897010 }
            // n = 7, score = 200
            //   4154                 | lea                 eax, [0x4802a]
            //   4155                 | dec                 eax
            //   4157                 | lea                 edx, [0x48006]
            //   4881ec10060000       | dec                 ecx
            //   48c780a8fafffffeffffff     | mov    ecx, edi
            //   48895808             | dec                 eax
            //   48897010             | mov                 ecx, ebx

        $sequence_5 = { 488b9424f0000000 4883fa10 7214 48ffc2 4d8bc4 488b8c24d8000000 e8???????? }
            // n = 7, score = 200
            //   488b9424f0000000     | dec                 eax
            //   4883fa10             | mov                 ecx, edi
            //   7214                 | dec                 esp
            //   48ffc2               | mov                 ebp, dword ptr [esp + 0x68]
            //   4d8bc4               | dec                 eax
            //   488b8c24d8000000     | lea                 esi, [0x4496c]
            //   e8????????           |                     

        $sequence_6 = { 48ffc2 4d8bc6 488b8c2428010000 e8???????? 48899c2438010000 4889bc2440010000 889c2428010000 }
            // n = 7, score = 200
            //   48ffc2               | je                  0xa74
            //   4d8bc6               | dec                 eax
            //   488b8c2428010000     | lea                 ecx, [esp + 0x30]
            //   e8????????           |                     
            //   48899c2438010000     | movsd               xmm0, qword ptr [eax]
            //   4889bc2440010000     | movsd               qword ptr [esp + 0x20], xmm0
            //   889c2428010000       | and                 ecx, 3

        $sequence_7 = { 488b55df 4883fa08 7212 48ffc2 41b802000000 488b4dc7 e8???????? }
            // n = 7, score = 200
            //   488b55df             | movups              xmm1, xmmword ptr [esi + 0x10]
            //   4883fa08             | dec                 esp
            //   7212                 | mov                 dword ptr [edi], edi
            //   48ffc2               | dec                 eax
            //   41b802000000         | dec                 dword ptr [edi]
            //   488b4dc7             | dec                 eax
            //   e8????????           |                     

        $sequence_8 = { 0fb6442420 84db 410f44c4 8ad8 895c2420 eb25 4c8b742460 }
            // n = 7, score = 200
            //   0fb6442420           | dec                 eax
            //   84db                 | lea                 edx, [esp + 0xa8]
            //   410f44c4             | dec                 eax
            //   8ad8                 | cmp                 dword ptr [esp + 0xc0], esi
            //   895c2420             | dec                 eax
            //   eb25                 | cmovae              edx, dword ptr [esp + 0xa8]
            //   4c8b742460           | mov                 ecx, 4

        $sequence_9 = { ffd3 99 33c2 2bc2 89442430 448be0 4c89642450 }
            // n = 7, score = 200
            //   ffd3                 | dec                 eax
            //   99                   | mov                 ebx, ecx
            //   33c2                 | dec                 eax
            //   2bc2                 | mov                 dword ptr [esp + 0x38], ecx
            //   89442430             | xor                 esi, esi
            //   448be0               | mov                 dword ptr [esp + 0x20], esi
            //   4c89642450           | dec                 eax

    condition:
        // Requires 7 of the 10 sequences above to match, on files smaller than
        // 1492992 bytes (~1.42 MiB). Per the disclaimer, the sequences were taken
        // from unpacked files and memory dumps, so the rule is best applied to
        // unpacked code or memory; a packed on-disk sample may not match.
        7 of them and filesize < 1492992
}