Deobfuscating DanaBot’s API Hashing

Sha256 at bottom of article
#danabot #malware #deobfuscation #obfuscation #apihashing #malware analysis #reverseengineering #windows #trojan #pefile #peformat #bankingtrojan #reversing #cybersecurity #itsec #blogging

malwareandstuff.com/deobfuscating-…

Come work with us @Proofpoint. We're looking for an eCrime expert who ❤️'s  #Zloader , #Qbot , #Dridex , #Trick , #Danabot , #BazaLoader , #Ursnif and much more. #Hiring #InfoSec #FullRemote proofpoint.wd5.myworkdayjobs.com/ProofpointCare…

#RigEK -> #danabot (DLL version)
app.any.run/tasks/5757bc84…

#RigEK -> #SmokeLoader -> #danabot + #SystemBC + #KPOT + #Predator + #Quasar RAT + #HVNC + #SmokeLoader + Unknown malwares...
app.any.run/tasks/03749e15…

The case of #DarkGate dropping #DanaBot 🤖

esentire.com/blog/from-dark…

eSentire Threat Intel

Great work by CrowdStrike, mapping the cybercrime eco-system. All high-end affiliate groups connected in one way or another. Trickbot, Emotet, QakBot, BokBot (IcedID), DanaBot, Ryuk, GandCrab, REvil, DoppelPaymer, Dridex, BitPaymer, and more:

Breakdown of a Targeted #DanaBot Attack
fortinet.com/blog/threat-re… #Banking #Trojan #Malware

#RigEK -> #SmokeLoader -> #Danabot + #SystemBC + #Vidar (v13.1) + #Quasar RAT + #CrySis Ransomware + #Predator + #SmokeLoader
app.any.run/tasks/086e4aa9…

Over the last day, I've noticed DanaBot dropping a malicious DLL file into the following directory during two separate incidents Huntress:

C:\Users\<>\AppData\Roaming\Umbrella Roaming Client

#danabot C&Cs:

182.228.147.14
13.235.40.27
65.85.130.111
128.56.19.172
209.250.243.55
63.132.164.195
246.229.180.16
207.148.83.108
52.88.31.117
27.232.139.21

Sample: tria.ge/reports/191122…

For more IOCS: tria.ge/reports/public

Hatching

Potential #DanaBot Loader - De-Obfuscation using CyberChef and Python.

Sample: bazaar.abuse.ch/sample/80aad66…

C2: 0/90 VT
Script: 5/59 VT

[1/5] 👇

#Regex #python #cyberchef #malware

#Danabot source url still active
urlhaus.abuse.ch/url/363052/
Xls and Dll samples
app.any.run/tasks/73149b24…
MalwareHunterTeam Vitali Kremez James JayTHL Arkbird

DanaBot banking trojan hits Germany again, with new targets
h3collective.io/review-of-a-da…
#Danabot #Banking #Trojan #Malware

2021 yılının en popüler 10 Finansal kötü amaçlı yazılım listesi şöyle oldu:
* Zbot,
* CliptoShuffler,
* SpyEye,
* Trickster,
* RTM,
* Nimnul,
* Danabot,
* Cridet,
* Nymaim ve
* Neurevt

#siberguvenlik #cybersecurity #finance #finans

#danabot 🇵🇱
Att: dokumentacja_69789.html with base64
download dokumentacja_69789.zip with vbe file
Communication: /zaratoons.info :443 ip:212.73.150.207
Creation Date: 2019-04-22
and another: /piosnoksld.info - the same date
app.any.run/tasks/a86516d1…

JAMESWT James

Ice Ice Baby 🧊 #DanaBot dropping IcedID?
Check out my writeup on the recent #IcedID sample we saw at eSentire Threat Intel

esentire.com/blog/danabots-…

🤖Check out Zscaler ThreatLabz technical analysis of #DanaBot 's code obfuscation techniques: zscaler.com/blogs/security…

🛠️IDA scripts to assist with DanaBot code deobfuscation are available in our GitHub repository: github.com/threatlabz/too…

Example before & after screenshots:

#DanaBot #Malware from #malspam targeting #Poland
h/t abuse.ch

hxxps://post-990094.at/3/prc.dll

c2:
23.82.]140.201
45.147.]228.92
192.99.]219.207
192.236.]179.73
172.81.]129.196
51.255.]134.130
54.38.]22.65

JAMESWT James Vitali Kremez MalwareHunterTeam

#infosec

#danabot dealers switched again to #brushaloader with a new trick to hide the dropurl (see image)

#brushaloader c2: https://traderserviceinfo[.]info

Certego Anna Miaśkiewicz Kafeine Andrea De Pasquale JAMESWT

The malicious #DLL seems to be #DanaBot

virustotal.com/gui/file/26451…

Communicate with 185[.]117[.]90[.]36

virustotal.com/gui/ip-address…