DanaBot Infrastructure
A high-level overview of domains & IPs.
I was perusing malware samples on a lazy Tuesday afternoon, when I stumbled upon DanaBot. Since most of the samples were a couple of days old I figured I could have a look and try to identify current infrastructure.
DanaBot is a Delphi based banking Trojan and backdoor that has been actively involved in various campaigns. First reports of the malware date back to May 2018. The malware primarily targets financial institutions and has been linked to multiple threat actors, it's being distributed through phishing techniques, particularly via malicious advertisements and social engineering tactics like the ClickFix method (tricks users into downloading malware under the guise of fixing issues with document display)
Capabilities
Credential theft
Lateral movement using RDP
Network traffic manipulation targeting financial data
Analysis
I reviewed many samples but for brevity I will only share a few hashes, you can use the link to search for every submitted sample.
https://bazaar.abuse.ch/browse.php?search=tag%3Adanabot
Samples by submission date
19/11/2024
e45cea2b718902c03ce22deb7c483cdd250ea73adec3ca4191434fa147086777
8004d45da037b7cf301d00832b731acc7e7290a70aa858f81eade63166323519
7c74da5310051d5e8998b9ae20148c0c1cdf4b397aa652d9dc20030b4c5a5567
6a09ee5350e638bf610c55fa482291da4f40e1ffb4d2b4ff09308ffc2ab64586
a75f0ee7a2d908811e20d66b2bb8f7849676901e6448ad4f12b2a7b299fd006f
03/11/2024
bff61b3d082561847f3503d4a5e35f9fbffedf58a8e697708fba34fe1348b942
f4be28ff3ca6e36a4b6844cde7898e15bd66e9014b50933947e94e132f737d1c
Infrastructure
Went through most of the sandbox executions and it seems that the prevalent C2 infrastructure are the IPs found below.
All of the above samples point to the same C2 servers. Specifically, to the 185.117.90.36 IP.
Looking at the certs. There is an existing SSL certificate for the IP, issued for srv51934[.]yourbestnetwork.net
Reviewing additional samples from 01/10/2024 pointed to another IP, 23.95.182.47
Another sample with completely separate infrastructure, points to the domain found below, which in turn (currently) redirects to an error page.
15/11/2024
4ad1cc11410e486d132dce9716eebe6a2db0af0fcbf53ee87bc9c0af6a5aa1d4
https://altraonline[.]com/SKOblik.exe
Since the samples are pretty recent, it seems like the operation is active, I created a couple of alerting rules so I will keep an eye on the activity and update the post if anything new comes up.
If you have any good sources or writeups please send them my way. Thanks!
IOC
Hashes
e45cea2b718902c03ce22deb7c483cdd250ea73adec3ca4191434fa1470867778004d45da037b7cf301d00832b731acc7e7290a70aa858f81eade631663235197c74da5310051d5e8998b9ae20148c0c1cdf4b397aa652d9dc20030b4c5a55676a09ee5350e638bf610c55fa482291da4f40e1ffb4d2b4ff09308ffc2ab64586bff61b3d082561847f3503d4a5e35f9fbffedf58a8e697708fba34fe1348b942f4be28ff3ca6e36a4b6844cde7898e15bd66e9014b50933947e94e132f737d1cIPs
185.117.90.36
193.42.36.59
193.56.146.53
185.106.123.228
23.95.182.47Domains
https://altraonline[.]com/SKOblik.exe