win.danbot

danbot


Danbot is a backdoor malware originally written in C#. Recent versions of Danbot are written in C++. Danbot gives a remote attacker remote-access capabilities such as running a cmd command, uploading and downloading files, and moving and copying files. The backdoor commands are transmitted over either HTTP or DNS. The commands are encapsulated in an XML file that is stored on disk. Danbot's backdoor component picks up the XML file, where it decodes and decrypts the commands.

References
2021-10-07 — Kaspersky — Aseel Kayal, Mark Lechtik, Paul Rascagnères
LYCEUM Reborn: Counterintelligence in the Middle East
danbot LYCEUM
2021-08-17 — ClearSky — ClearSky
New Iranian Espionage Campaign By “Siamesekitten” - Lyceum
danbot Milan Shark
2020-07-21 — YouTube (OPCDE with Matt Suiche) — Mohamad Mokbel
vOPCDE #9 - A Journey into Malware HTTP Communication Channels Spectacles (Mohamad Mokbel)
Alureon Aytoke Cobra Carbon System CROSSWALK danbot ProtonBot Silence
2020-01-15 — CyberX — Ori Perez
Deep Dive into the Lyceum Danbot Malware
danbot
2020-01-01 — Secureworks — SecureWorks
COBALT LYCEUM
danbot RGDoor LYCEUM
2019-08-01 — AlienVault OTX — AlienVault
Hexane Targeting Oil and Gas
danbot
Yara Rules
[TLP:WHITE] win_danbot_auto (20260504 | Detects win.danbot.)
rule win_danbot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.danbot."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.danbot"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* READING THE STRINGS BELOW
     * - Each $sequence_N is a run of raw instruction bytes. The hex bytes are the
     *   only thing YARA matches on; the "n = ..., score = ..." line records the
     *   number of instructions in the sequence and the generator's score for it.
     * - The mnemonic annotations beside the bytes do not appear to line up with
     *   the 64-bit opcodes they sit next to (e.g. "48ffc2" is annotated "dec eax",
     *   which is the 32-bit reading of the 0x48 REX prefix; in 64-bit code
     *   48 ff c2 decodes as "inc rdx"). Treat the annotations as informational
     *   only and do not tune or triage the rule from them.
     * - "??" bytes are wildcards. Here they mask the 4-byte operands of the ff15
     *   (indirect call) and e8 (relative call) instructions, so the sequence still
     *   matches when those addresses differ between builds or after relocation.
     */

    strings:
        $sequence_0 = { 4c8965d8 66448975c0 488b5518 4883fa10 720f 48ffc2 4c8bc6 }
            // n = 7, score = 200
            //   4c8965d8             | je                  0x2ef7
            //   66448975c0           | dec                 esp
            //   488b5518             | lea                 eax, [esp + 0xb8]
            //   4883fa10             | dec                 eax
            //   720f                 | lea                 edx, [esp + 0x158]
            //   48ffc2               | dec                 eax
            //   4c8bc6               | lea                 ecx, [esp + 0xf8]

        $sequence_1 = { 488b457f 48894587 4883ceff 488bcb f7431800400000 0f8435010000 488d542440 }
            // n = 7, score = 200
            //   488b457f             | dec                 eax
            //   48894587             | inc                 edx
            //   4883ceff             | dec                 ebp
            //   488bcb               | mov                 eax, esp
            //   f7431800400000       | dec                 eax
            //   0f8435010000         | mov                 ecx, dword ptr [esp + 0xe0]
            //   488d542440           | test                bl, bl

        $sequence_2 = { 48895818 48896820 4c8bf2 488bf1 4533ff 4c8939 4c897908 }
            // n = 7, score = 200
            //   48895818             | lea                 ecx, [esp + 0x1f0]
            //   48896820             | dec                 eax
            //   4c8bf2               | mov                 dword ptr [esp + 0x20], ecx
            //   488bf1               | dec                 ebp
            //   4533ff               | mov                 ecx, esi
            //   4c8939               | dec                 esp
            //   4c897908             | mov                 eax, edi

        // Two masked indirect calls (ff15 ????????): the displacement bytes are wildcarded.
        $sequence_3 = { 488bc8 ff15???????? 33c9 85c0 7508 ff15???????? 8bc8 }
            // n = 7, score = 200
            //   488bc8               | mov                 byte ptr [eax + edi + 0x3c], cl
            //   ff15????????         |                     
            //   33c9                 | jmp                 0x3c7
            //   85c0                 | inc                 sp
            //   7508                 | cmp                 dword ptr [esp + 0x80], ecx
            //   ff15????????         |                     
            //   8bc8                 | jne                 0x42e

        $sequence_4 = { 0f94c0 84c0 0f8503040000 83ff03 0f94c0 84c0 0f84b6000000 }
            // n = 7, score = 200
            //   0f94c0               | arpl                word ptr [eax + 4], cx
            //   84c0                 | dec                 eax
            //   0f8503040000         | lea                 eax, [0x72a0a]
            //   83ff03               | dec                 eax
            //   0f94c0               | mov                 dword ptr [ecx + ebx - 0xa8], eax
            //   84c0                 | dec                 eax
            //   0f84b6000000         | mov                 eax, dword ptr [ebx - 0xa8]

        $sequence_5 = { 413bc1 7d03 418bd2 8b4b28 488b4310 881401 }
            // n = 6, score = 200
            //   413bc1               | mov                 dword ptr [esp + 0x128], ebx
            //   7d03                 | dec                 eax
            //   418bd2               | inc                 edx
            //   8b4b28               | dec                 ecx
            //   488b4310             | cmp                 edx, edx
            //   881401               | jb                  0x57f

        $sequence_6 = { 48897b58 66897b48 488b5340 4883fa08 7210 488b4b28 448d4702 }
            // n = 7, score = 200
            //   48897b58             | mov                 dword ptr [esp + 0x78], eax
            //   66897b48             | dec                 eax
            //   488b5340             | lea                 ecx, [esp + 0x150]
            //   4883fa08             | dec                 eax
            //   7210                 | cmp                 ecx, eax
            //   488b4b28             | je                  0x29d
            //   448d4702             | dec                 eax

        // One masked relative call (e8 ????????): the rel32 target is wildcarded.
        $sequence_7 = { 7214 48ffc2 4d8bc4 488b8c2498000000 e8???????? 90 }
            // n = 6, score = 200
            //   7214                 | add                 ecx, ecx
            //   48ffc2               | dec                 eax
            //   4d8bc4               | lea                 ecx, [0x1e9b1]
            //   488b8c2498000000     | inc                 ecx
            //   e8????????           |                     
            //   90                   | imul                ecx

        $sequence_8 = { 66448933 488b5507 4883fa08 7225 48ffc2 4d8bc4 488b4def }
            // n = 7, score = 200
            //   66448933             | lea                 eax, [0x6cdfe]
            //   488b5507             | dec                 esp
            //   4883fa08             | mov                 edx, dword ptr [ebp - 0x20]
            //   7225                 | movzx               ecx, al
            //   48ffc2               | test                al, 0xf0
            //   4d8bc4               | jne                 0x1bf
            //   488b4def             | inc                 esp

        $sequence_9 = { 442bdd 49ffc1 49ffc0 418a01 418800 83c1ff 75ef }
            // n = 7, score = 200
            //   442bdd               | dec                 ebp
            //   49ffc1               | mov                 edi, esi
            //   49ffc0               | dec                 esp
            //   418a01               | lea                 eax, [0x30489]
            //   418800               | dec                 eax
            //   83c1ff               | mov                 ebx, eax
            //   75ef                 | dec                 eax

    condition:
        // A hit needs at least 7 of the 10 byte sequences above ("them" covers all
        // $sequence_* strings); the filesize cap bounds what this rule is applied to.
        // The sequences came from memory dumps and unpacked files (see DISCLAIMER),
        // so a packed on-disk sample will likely not reach the 7-sequence threshold;
        // scan unpacked samples or process memory for best coverage.
        7 of them and filesize < 1492992
}