DanaBot Banking Trojan

First observed in May 2018, DanaBot is a Delphi-based modular banking trojan. It was initially seen targeting Australian organisations but has since begun appearing across Western Europe.

DanaBot includes a significant amount of junk code including extra instructions, conditional statements, and loops. When combined with the use of Delphi, these features dramatically impair reverse engineering. In addition, DanaBot uses Windows API function hashing and encrypted strings to prevent analysts and automated tools from easily determining the code’s purpose.

DanaBot is distributed using malicious RAR and ZIP files delivered via spam campaigns. The files contain a combination of VBS and PowerShell scripts, collectively referred to as Brushaloader, that act as a dropper for the final payload.

Once installed on an affected device, DanaBot will install four modules:

  • VNC – used to allow the attacker to connect to and control the device.
  • Sniffer – performs script injection on banking sites visited by the user.
  • Stealer – collects user credentials from browsers, chat and email clients, FTP and VPN applications and online poker applications.
  • TOR – installs a Tor proxy for communication with a command and control server.

Newer versions will also include an RDP module to provide a second means of control if the VNC module is unable to connect.

DanaBot follows in a long line of malware from one particular group. This family began with ransomware, to which stealer functionality was added in Reveton. The evolution continued with CryptXXX ransomware and now continues with DanaBot, a banking trojan to which stealer and remote-access functionality have been added.

Further technical details can be found here.

Indicators of Compromise (URLs and IPs)

45[.]77[.]51[.]69
45[.]77[.]54[.]180
45[.]77[.]231[.]138
45[.]77[.]96[.]198
178[.]209[.]51[.]227
37[.]235[.]53[.]232
149[.]154[.]157[.]220
95[.]179[.]151[.]252
95[.]216[.]148[.]25
95[.]216[.]171[.]131
159[.]69[.]113[.]47
159[.]69[.]83[.]214
159[.]69[.]115[.]225
176[.]119[.]1[.]102
176[.]119[.]1[.]103
176[.]119[.]1[.]104
176[.]119[.]1[.]109
176[.]119[.]1[.]110
176[.]119[.]1[.]111
176[.]119[.]1[.]112
176[.]119[.]1[.]114
176[.]119[.]1[.]116
176[.]119[.]1[.]117
104[.]238[.]174[.]105
144[.]202[.]61[.]204
149[.]154[.]152[.]64
158[.]255[.]215[.]31

genesislouisville[.]com
genesisofdallas[.]com
genesisoflouisville[.]com
genesisofportland[.]com
kccmanufacturing[.]com
louisvillegenesis[.]com
louisvilleride[.]com
motionscent[.]com
oxmoorautomall[.]com
ridesharelouisville[.]com
tontheckcatan[.]ru/4/forum[.]php
onthethatsed[.]ru/4/forum[.]php
kitezona[.]ru/wp-content/plugins/redirection/modules/1
xn--hllo-bpa[.]com/guestlist/1
music-open[.]com/1
allnicolerichie[.]com/wp-content/plugins/ubh/1
mpressmedia[.]net/wp-content/plugins/ubh/1
bwc[.]ianbell[.]com/wp-content/plugins/ubh/1
kitezona[.]ru/wp-content/plugins/redirection/modules/2
xn--hllo-bpa[.]com/guestlist/2
music-open[.]com/2
allnicolerichie[.]com/wp-content/plugins/ubh/2
mpressmedia[.]net/wp-content/plugins/ubh/2
bwc[.]ianbell[.]com/wp-content/plugins/ubh/2
kitezona[.]ru/wp-content/plugins/redirection/modules/4
xn--hllo-bpa[.]com/guestlist/4
music-open[.]com/4
allnicolerichie[.]com/wp-content/plugins/ubh/4
mpressmedia[.]net/wp-content/plugins/ubh/4
bwc[.]ianbell[.]com/wp-content/plugins/ubh/4
tontheckcatan[.]ru/mlu/forum[.]php
onthethatsed[.]ru/mlu/forum[.]php
tontheckcatan[.]ru/d2/about[.]php
onthethatsed[.]ru/d2/about[.]php

SHA1

782ADCF9EF6E479DEB31FCBD37918C5F74CE3CAE
79F1408BC9F1F2AB43FA633C9EA8EA00BA8D15E8
70F9F030BA20E219CF0C92CAEC9CB56596F21D50
AB0182423DB78212194EE773D812A5F8523D9FFD
EA3651668F5D14A2F5CECC0071CEB85AD775872C
47DC9803B9F6D58CF06BDB49139C7CEE037655FE
C31B02882F5B8A9526496B06B66A5789EBD476BE
3F893854EC2907AA45A48FEDD32EE92671C80E8D
B93455B1D7A8C57F68A83F893A4B12796B1E636C
DBFD8553C66275694FC4B32F9DF16ADEA74145E6
EBB1507138E28A451945CEE1D18AEDF96B5E1BB2
73A5B0BEE8C9FB4703A206608ED277A06AA1E384

SHA256

6dcf41dd62e909876e9ef10bd376ea3a6765c2ecb281844fc4bebd70bfebeb27
c82081823ba468ad2d10c4beca700a7bf0ba82b371bc57286cc721e271019080
7cac2bdc44415c6737149bda8fc4e53adfab7d35cac3de94ced9d6675f1c5db
1184c7936c82f1718f9e547be4a8eeaa1c16c2f16790e2b5ae66a870a17b7454
288615e28672e1326231186230f2bc74ea84191745cc40369d49bf385bf9669b
9a816d9626f870617400df384d653b02a15ad940701b4fb2296e1abe04d3777f
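As an added example (not code from the original post), the indicators above can be turned into a simple matcher for a defender's logs. The script refangs a subset of the listed IPs, domains, URLs and hashes, discards any hash that is not 40 or 64 hex characters (the third SHA256 in the list above prints with only 63, so it would never match anything), and scans a few constructed proxy, DNS and endpoint log lines for exact-IP, domain-or-subdomain, URL-prefix and file-hash matches. The log lines, hostnames such as www.example.com and the 203.0.113.x and 10.0.0.x addresses are constructed for the example and do not come from any real incident.

```python
import re
from typing import Iterable

# Indicators copied from the lists above, still defanged as published (a subset, for brevity).
DEFANGED_IPS = ["45[.]77[.]51[.]69", "178[.]209[.]51[.]227", "176[.]119[.]1[.]102"]
DEFANGED_DOMAINS = ["genesislouisville[.]com", "oxmoorautomall[.]com", "kitezona[.]ru"]
DEFANGED_URLS = [
    "tontheckcatan[.]ru/4/forum[.]php",
    "kitezona[.]ru/wp-content/plugins/redirection/modules/1",
]
PUBLISHED_HASHES = [
    "782ADCF9EF6E479DEB31FCBD37918C5F74CE3CAE",                          # SHA-1 from the post
    "6dcf41dd62e909876e9ef10bd376ea3a6765c2ecb281844fc4bebd70bfebeb27",  # SHA-256 from the post
    "7cac2bdc44415c6737149bda8fc4e53adfab7d35cac3de94ced9d6675f1c5db",   # printed with 63 hex chars
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its live, lower-cased form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def validate_hashes(hashes: Iterable[str]):
    """Keep only well-formed SHA-1 (40 hex) / SHA-256 (64 hex) values; report the rest."""
    good, malformed = set(), []
    for h in hashes:
        h = h.strip().lower()
        if re.fullmatch(r"[0-9a-f]{40}|[0-9a-f]{64}", h):
            good.add(h)
        else:
            malformed.append(h)
    return good, malformed


HASHES, MALFORMED = validate_hashes(PUBLISHED_HASHES)
IPS = {refang(i) for i in DEFANGED_IPS}
DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
URLS = {refang(u) for u in DEFANGED_URLS}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HEX_HASH = re.compile(r"\b[0-9a-f]{40}\b|\b[0-9a-f]{64}\b", re.I)
# A hostname with a letters-only TLD (so IPv4 literals are left to IPV4) plus an optional path.
HOST_PATH = re.compile(r"""(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(/[^\s"']*)?""", re.I)


def domain_hit(host: str):
    """Match a listed domain itself or any subdomain of it, never a mere suffix of a longer name."""
    host = host.lower().rstrip(".")
    for d in DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_line(line: str):
    """Return the sorted, de-duplicated (kind, indicator) pairs found in one log line."""
    hits = set()
    for ip in IPV4.findall(line):
        if ip in IPS:
            hits.add(("ip", ip))
    for host, path in HOST_PATH.findall(line):
        d = domain_hit(host)
        if d:
            hits.add(("domain", d))
        if path:  # URL indicators match on host + path prefix, e.g. the /4/forum.php callbacks
            host_path = (host + path).lower()
            for u in URLS:
                if host_path.startswith(u):
                    hits.add(("url", u))
    for token in HEX_HASH.findall(line):
        if token.lower() in HASHES:
            hits.add(("hash", token.lower()))
    return sorted(hits)


def scan_logs(lines):
    """Map 1-based line numbers to hits for every line that touches a listed indicator."""
    results = {}
    for n, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            results[n] = hits
    return results


# Constructed sample log lines (proxy, DNS and endpoint records); not from any real environment.
SAMPLE_LOGS = [
    "2019-03-04T10:12:33Z proxy src=10.0.0.5 dst=45.77.51.69 host=genesislouisville.com url=http://genesislouisville.com/index.html",
    "2019-03-04T10:13:01Z proxy src=10.0.0.7 dst=203.0.113.9 host=www.example.com url=http://www.example.com/",
    "2019-03-04T10:14:22Z dns src=10.0.0.9 query=cdn.kitezona.ru",
    "2019-03-04T10:15:00Z proxy src=10.0.0.5 dst=203.0.113.44 url=http://tontheckcatan.ru/4/forum.php",
    "2019-03-04T10:16:10Z edr host=WS-17 sha256=6dcf41dd62e909876e9ef10bd376ea3a6765c2ecb281844fc4bebd70bfebeb27 path=C:\\Users\\a\\Downloads\\invoice.exe",
]

if __name__ == "__main__":
    for bad in MALFORMED:
        print(f"skipping malformed hash ({len(bad)} hex chars): {bad}")
    for n, hits in scan_logs(SAMPLE_LOGS).items():
        print(f"line {n}: {hits}")
```

Domain matching is deliberately suffix-safe: cdn.kitezona.ru is a hit because it is a subdomain, while notkitezona.ru and kitezona.ru.example.net are not. Hash matching is exact and case-insensitive, and the malformed 63-character value is reported rather than silently carried in the match set.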

Duncan is a technology professional with over 20 years experience of working in various IT roles. He also has a wide range of other skills in radio, electronics and telecommunications.

Duncan Newell
