win.danbot

danbot


Danbot is a backdoor malware that was originally written in C#. Recent versions of Danbot are written in C++. Danbot gives a remote attacker remote-access features such as running cmd commands, uploading and downloading files, and moving and copying files. The backdoor commands are transmitted over either the HTTP or the DNS protocol. The commands are encapsulated in an XML file that is stored on disk; Danbot's backdoor component picks up that XML file and decodes and decrypts the commands it contains.

References
2021-10-07 | Kaspersky | Aseel Kayal, Mark Lechtik, Paul Rascagnères
@techreport{kayal:20211007:lyceum:395a41f, author = {Aseel Kayal and Mark Lechtik and Paul Rascagnères}, title = {{LYCEUM Reborn: Counterintelligence in the Middle East}}, date = {2021-10-07}, institution = {Kaspersky}, url = {https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf}, language = {English}, urldate = {2021-10-25} } LYCEUM Reborn: Counterintelligence in the Middle East
danbot LYCEUM
2021-08-17 | ClearSky | ClearSky
@techreport{clearsky:20210817:new:573e4e4, author = {ClearSky}, title = {{New Iranian Espionage Campaign By “Siamesekitten” - Lyceum}}, date = {2021-08-17}, institution = {ClearSky}, url = {https://www.clearskysec.com/wp-content/uploads/2021/08/Siamesekitten.pdf}, language = {English}, urldate = {2021-08-25} } New Iranian Espionage Campaign By “Siamesekitten” - Lyceum
danbot Milan Shark
2020-07-21 | YouTube ( OPCDE with Matt Suiche) | Mohamad Mokbel
@online{mokbel:20200721:vopcde:26d48d0, author = {Mohamad Mokbel}, title = {{vOPCDE #9 - A Journey into Malware HTTP Communication Channels Spectacles (Mohamad Mokbel)}}, date = {2020-07-21}, organization = {YouTube ( OPCDE with Matt Suiche)}, url = {https://www.youtube.com/watch?v=FttiysUZmDw}, language = {English}, urldate = {2021-10-24} } vOPCDE #9 - A Journey into Malware HTTP Communication Channels Spectacles (Mohamad Mokbel)
Alureon Aytoke Cobra Carbon System CROSSWALK danbot ProtonBot Silence
2020-01-15 | CyberX | Ori Perez
@online{perez:20200115:deep:7a467be, author = {Ori Perez}, title = {{Deep Dive into the Lyceum Danbot Malware}}, date = {2020-01-15}, organization = {CyberX}, url = {https://cyberx-labs.com/blog/deep-dive-into-the-lyceum-danbot-malware/}, language = {English}, urldate = {2020-02-02} } Deep Dive into the Lyceum Danbot Malware
danbot
2020 | Secureworks | SecureWorks
@online{secureworks:2020:cobalt:1a61198, author = {SecureWorks}, title = {{COBALT LYCEUM}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/cobalt-lyceum}, language = {English}, urldate = {2020-05-23} } COBALT LYCEUM
danbot RGDoor LYCEUM
2019-08-01 | AlienVault OTX | AlienVault
@online{alienvault:20190801:hexane:3d63fd0, author = {AlienVault}, title = {{Hexane Targeting Oil and Gas}}, date = {2019-08-01}, organization = {AlienVault OTX}, url = {https://otx.alienvault.com/pulse/5d4301edb3f3406ac01acc0f}, language = {English}, urldate = {2019-11-28} } Hexane Targeting Oil and Gas
danbot
Yara Rules
[TLP:WHITE] win_danbot_auto (20220808 | Detects win.danbot.)
// Auto-generated code-sequence rule for win.danbot (yara-signator); provenance,
// generation date and licence are recorded in the meta section below.
rule win_danbot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.danbot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.danbot"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): the "| <mnemonic>" annotations beside each hex sequence are
     * informational only - YARA matches the hex bytes, not the annotation text.
     * Several annotations do not correspond to the bytes on the same line
     * (e.g. 8bc8 is "mov ecx, eax" and 33c0 is "xor eax, eax"), and bytes in
     * the 0x41-0x4f range shown as dec/inc look like 32-bit decodings of
     * x86-64 REX prefixes, so treat the annotations as approximate when
     * reviewing a pattern. "e8????????" is a call whose 4-byte relative
     * target is wildcarded, which keeps the sequence position-independent.
     */

    strings:
        $sequence_0 = { 018fdc1b0000 4c8b55e0 8bc8 448b4558 448b4d48 4c8b5de8 c1e908 }
            // n = 7, score = 200
            //   018fdc1b0000         | dec                 ecx
            //   4c8b55e0             | mov                 dword ptr [ebx - 0x80], ebx
            //   8bc8                 | dec                 eax
            //   448b4558             | mov                 eax, dword ptr [esp + 0x230]
            //   448b4d48             | dec                 eax
            //   4c8b5de8             | mov                 dword ptr [esp + 0x58], eax
            //   c1e908               | dec                 eax

        $sequence_1 = { e8???????? 48837c244808 488d4c2430 895c2428 4c8d442450 480f434c2430 4533c9 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   48837c244808         | jne                 0xfe1
            //   488d4c2430           | dec                 eax
            //   895c2428             | lea                 eax, [esp + 0x50]
            //   4c8d442450           | dec                 eax
            //   480f434c2430         | mov                 dword ptr [esp + 0x38], eax
            //   4533c9               | dec                 eax

        $sequence_2 = { eb09 4d3916 0f85d7050000 488d55c0 488b742438 488bce e8???????? }
            // n = 7, score = 200
            //   eb09                 | mov                 eax, 3
            //   4d3916               | mov                 edx, 0x20
            //   0f85d7050000         | dec                 eax
            //   488d55c0             | lea                 ecx, [ebp + 0x140]
            //   488b742438           | dec                 eax
            //   488bce               | add                 esp, 0x20
            //   e8????????           |                     

        $sequence_3 = { 7418 0fb702 0fb74c45ef 664589144f 0fb702 6644016445ef 33c0 }
            // n = 7, score = 200
            //   7418                 | mov                 byte ptr [ebp + 0xb8], 0
            //   0fb702               | dec                 eax
            //   0fb74c45ef           | mov                 edx, dword ptr [ebp + 0xf0]
            //   664589144f           | dec                 eax
            //   0fb702               | cmp                 edx, 0x10
            //   6644016445ef         | dec                 eax
            //   33c0                 | and                 dword ptr [ebp + 0x1c8], 0

        $sequence_4 = { 8bd1 3bc8 0f47d0 eb06 418d4805 8bd1 }
            // n = 6, score = 200
            //   8bd1                 | dec                 ecx
            //   3bc8                 | mov                 dword ptr [esp + 0x20], eax
            //   0f47d0               | mov                 dword ptr [edi], 0x1d
            //   eb06                 | dec                 eax
            //   418d4805             | lea                 eax, [0x6d09d]
            //   8bd1                 | dec                 ecx

        $sequence_5 = { eb07 8bc8 e8???????? 4885db 7402 893b 488bce }
            // n = 7, score = 200
            //   eb07                 | dec                 eax
            //   8bc8                 | add                 ebx, 0x20
            //   e8????????           |                     
            //   4885db               | dec                 ecx
            //   7402                 | cmp                 ebx, edi
            //   893b                 | inc                 ecx
            //   488bce               | mov                 eax, 2

        $sequence_6 = { 4889542430 4c89742428 488d4597 4889442420 4c8bce 488d5760 41ff5238 }
            // n = 7, score = 200
            //   4889542430           | dec                 eax
            //   4c89742428           | mov                 edi, dword ptr [esp + 0x70]
            //   488d4597             | dec                 eax
            //   4889442420           | lea                 edx, [0x6728e]
            //   4c8bce               | jmp                 0x1fd9
            //   488d5760             | dec                 eax
            //   41ff5238             | mov                 edx, dword ptr [eax + 0x28]

        $sequence_7 = { e8???????? 48899c2490010000 4889b42498010000 889c2480010000 488d4c2430 e8???????? }
            // n = 6, score = 200
            //   e8????????           |                     
            //   48899c2490010000     | xor                 eax, eax
            //   4889b42498010000     | dec                 ebp
            //   889c2480010000       | test                eax, eax
            //   488d4c2430           | je                  0x61b
            //   e8????????           |                     

        $sequence_8 = { 488d8424a0010000 4c89b424b0010000 4889b424b8010000 4488b424a0010000 4983c9ff 4533c0 }
            // n = 6, score = 200
            //   488d8424a0010000     | mov                 eax, ebx
            //   4c89b424b0010000     | dec                 eax
            //   4889b424b8010000     | mov                 ebx, dword ptr [esp + 0x40]
            //   4488b424a0010000     | mov                 eax, 0xffff
            //   4983c9ff             | dec                 eax
            //   4533c0               | mov                 dword ptr [edi + 0x54], eax

        $sequence_9 = { e8???????? 488d4301 443820 480f4ec3 488bd8 80387f 75cb }
            // n = 7, score = 200
            //   e8????????           |                     
            //   488d4301             | je                  0x3eb
            //   443820               | dec                 eax
            //   480f4ec3             | mov                 edx, dword ptr [edi]
            //   488bd8               | dec                 eax
            //   80387f               | mov                 ebx, dword ptr [edx + 0x10]
            //   75cb                 | dec                 eax

    // A hit requires at least 7 of the 10 $sequence_* patterns above and a
    // scanned object smaller than 1492992 bytes. The size cap means large
    // containers or full memory dumps will not match even when the code
    // sequences are present; scan the unpacked/dumped module instead.
    condition:
        7 of them and filesize < 1492992
}