2025-05-22 • ESET Research • Tomáš Procházka • win.danabot (Malpedia)
Analysis Summary
# Tool/Technique: Danabot
## Overview
Danabot is a modular banking trojan that has evolved over time, capable of stealing credentials, deploying ransomware, and performing other malicious activities. It is characterized by its modularity and wide range of banking fraud capabilities.
## Technical Details
- Type: Malware family (Banking Trojan)
- Platform: Windows
- Capabilities: Credential theft (banking focus), keylogging, form grabbing, deploying secondary payloads (e.g., ransomware), network traffic interception.
- First Seen: Not stated in the source; the article describes Danabot as a mature malware operation that has since fallen.
## MITRE ATT&CK Mapping
- *Note: The source gives no specific technique IDs, so this mapping reflects the general capabilities of banking trojans such as Danabot.*
- TA0001 Initial Access
- TA0003 Persistence
- TA0005 Defense Evasion
- TA0008 Lateral Movement
- TA0010 Exfiltration
## Functionality
### Core Capabilities
- Stealing credentials from various applications, particularly banking targets.
- Keylogging activity.
- Form grabbing capabilities targeting sensitive web inputs.
### Advanced Features
- Modularity allowing for the download and execution of secondary payloads, including ransomware.
- Potential network interception for traffic analysis or modification, as is common for banking malware.
## Indicators of Compromise
- File Hashes: not provided in the source.
- File Names: not provided in the source.
- Registry Keys: not provided in the source.
- Network Indicators: not provided in the source.
- Behavioral Indicators: injection into other processes, hooking of browser processes, and establishment of communication channels for exfiltration.
## Associated Threat Actors
- No threat actor is named in the source; ESET Research is the organization that analyzed the malware, not an associated actor.
## Detection Methods
- Signature-based detection (file hashes, specific strings/APIs).
- Behavioral detection (monitoring for hooking, credential scraping attempts, or communication with known C2 infrastructure).
- YARA rules targeting unique code sections or structures of Danabot executables.
## Mitigation Strategies
- Employing rigorous email filtering and user training to prevent initial delivery (often via phishing).
- Running endpoint detection and response (EDR) solutions capable of detecting process injection and credential theft attempts.
- Keeping operating systems and applications patched to prevent exploitation used for initial execution.
## Related Tools/Techniques
- Other banking trojans with modular capabilities (e.g., Dridex, TrickBot).