{
	"id": "4b9b7e9c-6c0a-46f9-836a-f1e0f33ae318",
	"created_at": "2026-04-06T00:10:26.30369Z",
	"updated_at": "2026-04-10T03:20:31.421544Z",
	"deleted_at": null,
	"sha1_hash": "08feb630f4816ccbc5cdca8d38762fd1f805d62b",
	"title": "DanaBot Gains Popularity and Targets US Organizations in Large Campaigns | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1825301,
	"plain_text": "DanaBot Gains Popularity and Targets US Organizations in Large\r\nCampaigns | Proofpoint US\r\nBy Proofpoint Staff, October 02, 2018\r\nPublished: 2018-10-02 · Archived: 2026-04-05 19:53:18 UTC\r\nOverview\r\nProofpoint researchers first discovered DanaBot in May of 2018 [1], describing its use by a single actor targeting\r\nAustralian organizations. As we predicted at the time, other threat actors targeting Europe and North America have\r\nsince adopted the banking Trojan, increasing its footprint and taking advantage of its extensive anti-analysis\r\nfeatures. In this blog we describe a campaign affecting organizations in the United States and present new reverse\r\nengineering analysis of DanaBot.\r\nRecent DanaBot Campaigns\r\nOur colleagues at ESET recently blogged about DanaBot campaigns and described the latest expansion of targeted\r\ncountries to include Poland, Italy, Germany, and Austria [2]. We have also observed several campaigns since May\r\ntargeting Australia. Finally, at the end of September, an actor that typically targets the United States with daily\r\ncampaigns distributing the Panda banking Trojan switched to delivering DanaBot for a day.\r\nHancitor Campaign\r\nOn September 26, Proofpoint researchers observed a campaign with hundreds of thousands of email messages\r\ntargeting US recipients. The emails used an eFax lure (Figure 1) and contained a URL linking to the download of\r\na document containing malicious macros (Figure 2). The macros, if enabled by the user, executed the embedded\r\nHancitor malware [3], which, in turn, received tasks to download two versions of Pony stealer and the DanaBot\r\nbanking malware. 
You can find a more in-depth analysis of the recent macros used by this actor in a post written\r\nby 0verfl0w [4].\r\nhttps://www.proofpoint.com/us/threat-insight/post/danabot-gains-popularity-and-targets-us-organizations-large-campaigns\r\nPage 1 of 20\n\nFigure 1: Message example with URLs linking to the download of a document containing macros that download\r\nthe Hancitor payload\r\nFigure 2: Macro document that contains the Hancitor payload\r\nMalware Analysis (v2.003)\r\nAs previously described, DanaBot is a banking malware written in the Delphi programming language. This\r\nsection continues our analysis of DanaBot by examining details of version 2.003. This is the latest version that we\r\nhave seen in the wild, first appearing in early September. The version number is based on a version string (Figure\r\n3) that is sometimes transmitted when the malware sends data to the command and control (C\u0026C) server.\r\nFigure 3: DanaBot’s version string being sent to the C\u0026C server along with system information\r\nDanaBot is composed of three components:\r\n1. Loader: downloads and loads main component\r\n2. Main component: downloads, configures, and loads modules\r\n3. Modules: various malware functionality\r\nAnti-analysis\r\nDanaBot includes a significant amount of junk code including extra instructions, conditional statements, and\r\nloops. When combined with the use of Delphi, these features dramatically impair reverse engineering. 
In addition,\r\nDanaBot uses Windows API function hashing and encrypted strings to prevent analysts and automated tools from\r\neasily determining the code’s purpose.\r\nA Python implementation of the API hashing algorithm [7], together with lists of the resolved Windows API functions used in\r\nthe loader [8] and the main component [9], is available on Github.\r\nThe characters of the encrypted strings are stored as an array of DWORDs and are decrypted using a key and a\r\nbasic substitution cipher. An IDA Pro Python script [10] and lists of the decrypted strings used in the loader [11] and\r\nthe main component [12] are available on Github.\r\nCommand \u0026 Control IPs\r\nIn both the loader and main components there is a list of 10 C\u0026C IP addresses stored as DWORDs. Figure 4\r\nshows an example from a memory dump of a loader component:\r\nFigure 4: Example of C\u0026C IP addresses in a memory dump of DanaBot’s loader component\r\nNote: Please see the “C\u0026C Infrastructure” section for a potential caveat about these hard-coded IP addresses.\r\nC\u0026C Communications\r\nIn the previous versions we analyzed, DanaBot’s loader component used HTTP for communications and its main\r\ncomponent used a binary protocol. In version 2.003, both components use a binary protocol over TCP port 443.\r\nDespite the port number, it does not use TLS.\r\nThe protocol has some quirks, but in general consists of a 183-byte header followed by optional payload data.\r\nMost of the header values in a request are echoed back in the response header. 
If there is payload data, the format\r\ndepends on the particular command.\r\nBinary Protocol Header\r\nAn example of the header is shown in Figure 5.\r\nFigure 5: Example 183-byte header used in DanaBot’s binary protocol\r\nIt can be broken down into the following fields:\r\nOffset 0: random values (stack junk) (DWORD)\r\nOffset 4: hardcoded -1 (DWORD)\r\nOffset 8: command (DWORD)\r\nOffset 0xc: affiliate ID (DWORD)\r\nOffset 0x10: hardcoded 1 (DWORD)\r\nOffset 0x14: random value based on a linear congruential generator (DWORD)\r\nOffset 0x18: unknown counter variable (DWORD)\r\nOffset 0x1c: system architecture (DWORD)\r\nOffset 0x20: Windows version information (DWORD)\r\nOffset 0x24: command argument (DWORD)\r\nOffset 0x28: admin status (DWORD)\r\nOffset 0x2c: process integrity level (DWORD)\r\nOffset 0x30: payload length (QWORD); depending on the command, this can contain random values (stack junk) instead\r\nOffset 0x38: length of next field (BYTE)\r\nOffset 0x39: bot ID (32 bytes); MD5 hex digest of various system information\r\nOffset 0x59: length of next field (BYTE)\r\nOffset 0x5a: command-dependent (32 bytes); can be used as part of an encryption key, in which case it is the MD5 hex digest of the bot ID\r\n(offset 0x39), or as a module identifier when requesting a module\r\nOffset 0x7a: length of next field (BYTE)\r\nOffset 0x7b: a nonce (32 bytes)\r\nOffset 0x9b to end of header: random values (stack junk)\r\nCommands\r\nWe have identified and analyzed the following commands. The first command is performed by the loader, while\r\nthe rest are performed by the main component.\r\nCommand 0x454 (1108): “Request main component”\r\nThis command is used by the loader to request the main component from the C\u0026C server. 
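The header layout above, serialised and parsed in Python as an added example (this code is not from the Proofpoint post or from the DanaBot authors): it builds the loader's command 0x454 request, fills the stack-junk regions randomly, and reads every field back by offset. Little-endian field order, the system-information string behind the bot ID, uppercase hex for the MD5 digests and the nonce format are assumptions, not details the post gives.

```python
import hashlib
import os
import struct

HEADER_LEN = 183  # 0xb7 bytes, as described above

# Fixed-width prefix: twelve DWORDs at 0x00..0x2c and the QWORD at 0x30.
# Assumption: little-endian, as on x86 Windows (the post does not state it).
_FIXED = struct.Struct('<Ii' + 'I' * 10 + 'Q')
assert _FIXED.size == 0x38

FIELD_NAMES = ('junk0', 'minus_one', 'command', 'affiliate_id', 'one',
               'lcg_value', 'counter', 'arch', 'winver', 'argument',
               'is_admin', 'integrity', 'payload_len')

def _len_prefixed(value):
    # Bot ID, command-dependent field and nonce: one length byte + 32 bytes.
    if len(value) != 32:
        raise ValueError('field must be exactly 32 bytes')
    return bytes([32]) + value

def build_header(command, affiliate_id, argument, bot_id, field_5a, nonce,
                 arch=32, winver=0, is_admin=0, integrity=0, payload_len=0,
                 lcg_value=0, counter=0):
    # Serialise one request header; the stack-junk regions are randomised.
    fixed = _FIXED.pack(
        int.from_bytes(os.urandom(4), 'little'),  # 0x00: stack junk
        -1,            # 0x04: hardcoded -1
        command,       # 0x08: command
        affiliate_id,  # 0x0c: affiliate ID
        1,             # 0x10: hardcoded 1
        lcg_value,     # 0x14: LCG output (caller-supplied stand-in here)
        counter,       # 0x18: unknown counter
        arch,          # 0x1c: system architecture
        winver,        # 0x20: Windows version information
        argument,      # 0x24: command argument (32 or 64 for command 0x454)
        is_admin,      # 0x28: admin status
        integrity,     # 0x2c: process integrity level
        payload_len)   # 0x30: payload length (QWORD)
    body = (fixed + _len_prefixed(bot_id) + _len_prefixed(field_5a)
            + _len_prefixed(nonce))                  # ends at 0x9b
    return body + os.urandom(HEADER_LEN - len(body))  # 0x9b..0xb6: stack junk

def parse_header(buf):
    # Split a 183-byte header into named fields using the offsets above.
    if len(buf) != HEADER_LEN:
        raise ValueError('expected %d bytes, got %d' % (HEADER_LEN, len(buf)))
    hdr = dict(zip(FIELD_NAMES, _FIXED.unpack_from(buf, 0)))
    for name, off in (('bot_id', 0x38), ('field_5a', 0x59), ('nonce', 0x7a)):
        n = buf[off]                       # length byte precedes each field
        hdr[name] = buf[off + 1:off + 1 + n]
    return hdr

def make_bot_id(system_info):
    # The post says the bot ID is an MD5 hex digest of system information;
    # the inputs and hex case are not given, so a constructed string and
    # uppercase hex are used here.
    return hashlib.md5(system_info).hexdigest().upper().encode()

def loader_request(bot_id, affiliate_id=11, bits=64):
    # Command 0x454: the loader asks for the 32- or 64-bit main component.
    # Per the post, field 0x5a then carries the MD5 hex digest of the bot ID.
    field_5a = hashlib.md5(bot_id).hexdigest().upper().encode()
    nonce = os.urandom(16).hex().encode()  # 32 ASCII chars; format assumed
    return build_header(0x454, affiliate_id, bits, bot_id, field_5a, nonce,
                        arch=bits)

if __name__ == '__main__':
    bot = make_bot_id(b'CONSTRUCTED-HOST|Windows 10|example')
    req = loader_request(bot)
    parsed = parse_header(req)
    print(len(req), hex(parsed['command']), parsed['argument'], parsed['bot_id'])
```

Because most request fields are echoed in the response, the same parse_header works on both directions of a capture; the junk regions at 0x00 and 0x9b are the only bytes that should differ between the two.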
The command argument\r\n(offset 0x24 in the header) will contain the integer “32” or “64” to request either the x86 version or x64 version of\r\nthe component. The response payload contains encrypted data and an encrypted 128-byte RSA signature block\r\nused to verify the data. A decryption key is generated by the CryptDeriveKey Windows API function, initialized from\r\nthe MD5 digest of the value at offset 0x5a in the header. Data is AES-256-CBC-encrypted\r\nusing an initialization vector (IV) of 16 null (\\x00) bytes. The decrypted data is the main component DLL, which\r\nwill be executed by rundll32.exe.\r\nCommand 0x453 (1107): “Initial beacon”\r\nThis is the first command sent by the main component to the C\u0026C server. There is no data in the request or the\r\nresponse, so we believe this is just an initial beacon.\r\nCommand 0x44c (1100): “Request module identifiers”\r\nThis command is used by the malware to request a list of module identifiers from the C\u0026C server. Figure 6 shows\r\nan example response listing these 6 module identifiers:\r\n759CBB3E1B883BDCA23E9052462F641E\r\nE0FBBC92DB9927BFC474A64DF4F9C22F\r\nD0C851FBCA030928B535FAF3188DAFBA\r\nA5BBBAB3A17BA2119F47F0E4316EE5BF\r\n4F06D71C93E4105307339704D21C49A3\r\n8C59B6C9985F983E248E27CC0BF98A2D\r\nFigure 6: Command 0x44c response payload data containing a list of module identifiers\r\nCommand 0x44d (1101): “Request module”\r\nThis command is used to request a module from the C\u0026C server. To indicate which module to download, the field at\r\noffset 0x5a in the header will contain a module identifier (received via command 0x44c). The response payload\r\ndata will contain a 1699-byte subheader, encrypted data, and an encrypted 128-byte RSA signature block used to\r\nverify the data. 
Figure 7 shows an example subheader:\r\nFigure 7: Command 0x44d response payload data containing 1699-byte subheader\r\nThe following fields have been identified in this subheader:\r\nOffset 0: total length of subheader and data (QWORD)\r\nOffset 8: hardcoded -1 (DWORD)\r\nOffset 0x10: module name (520-byte wide string)\r\nOffset 0x218: module filename (520-byte wide string)\r\nOffset 0x649: length of next field (BYTE)\r\nOffset 0x64a: module identifier (32 bytes)\r\nOffset 0x682: module architecture (DWORD)\r\nOffset 0x686: module type (DWORD)\r\nOffset 0x68e: data is ZLIB-compressed flag (DWORD)\r\nOffset 0x692: length of encrypted data (QWORD)\r\nA decryption key (used to decrypt the module) is generated by the CryptDeriveKey Windows API function, initialized from\r\na hash produced by the following process:\r\n1. Copy the 1699-byte subheader into a buffer and zero the following fields:\r\n   a. Offset 0: total length of subheader and data (QWORD)\r\n   b. Offset 0x692: length of encrypted data (QWORD)\r\n2. MD5-hash the buffer\r\n3. MD5-hash the uppercase hex digest of that hash\r\nData is AES-256-CBC-encrypted using an initialization vector (IV) of 16 null (\\x00) bytes. 
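The two key derivations described so far (the loader key for command 0x454 and the module key for command 0x44d), written out in Python as an added example that is not code from the post or from the DanaBot authors. CryptDeriveKey has to stretch a 16-byte MD5 digest into a 32-byte AES-256 key, and the expansion it applies in that case is the one Microsoft documents (XOR the digest into 64-byte 0x36 and 0x5C pads, hash each, concatenate, truncate); reproducing it with hashlib is what lets a decryptor run outside Windows. The sample subheader is constructed, and the assumption that the malware calls CryptDeriveKey with CALG_MD5 and CALG_AES_256 follows from the MD5 and AES-256 details above.

```python
import hashlib
import struct

SUBHEADER_LEN = 1699  # 0x6a3, the command 0x44d subheader size

def cryptderivekey_expand(digest, key_len=32, hash_fn=hashlib.md5):
    # Documented CryptDeriveKey behaviour when the requested key is longer
    # than the hash output: XOR the digest into 64-byte buffers of 0x36 and
    # 0x5C, hash each with the same algorithm, concatenate, truncate.
    # MD5 (16 bytes) -> AES-256 (32 bytes) is exactly that case.
    if len(digest) >= key_len:
        return digest[:key_len]
    pad36 = bytes(b ^ 0x36 for b in digest) + bytes([0x36]) * (64 - len(digest))
    pad5c = bytes(b ^ 0x5C for b in digest) + bytes([0x5C]) * (64 - len(digest))
    return (hash_fn(pad36).digest() + hash_fn(pad5c).digest())[:key_len]

def loader_key(field_5a):
    # Command 0x454: the hash object is the MD5 of the 32-byte value at
    # header offset 0x5a (itself the MD5 hex digest of the bot ID).
    return cryptderivekey_expand(hashlib.md5(field_5a).digest())

def module_key(subheader):
    # Command 0x44d: zero the two length fields, MD5 the buffer, MD5 the
    # uppercase hex digest of that, then feed the result to CryptDeriveKey.
    if len(subheader) != SUBHEADER_LEN:
        raise ValueError('subheader must be %d bytes' % SUBHEADER_LEN)
    buf = bytearray(subheader)
    buf[0:8] = bytes(8)          # offset 0: total length (QWORD)
    buf[0x692:0x69a] = bytes(8)  # offset 0x692: encrypted data length (QWORD)
    first = hashlib.md5(bytes(buf)).hexdigest().upper().encode()
    return cryptderivekey_expand(hashlib.md5(first).digest())

def make_subheader(name, filename, module_id, arch=32, mtype=0, zlib_flag=1,
                   total_len=0, enc_len=0):
    # Constructed 1699-byte subheader using the offsets listed above.
    if len(module_id) != 32:
        raise ValueError('module identifier must be 32 bytes')
    buf = bytearray(SUBHEADER_LEN)
    struct.pack_into('<Q', buf, 0, total_len)
    struct.pack_into('<i', buf, 8, -1)
    wide_name = name.encode('utf-16-le')          # 520-byte wide string
    wide_file = filename.encode('utf-16-le')
    buf[0x10:0x10 + len(wide_name)] = wide_name
    buf[0x218:0x218 + len(wide_file)] = wide_file
    buf[0x649] = 32
    buf[0x64a:0x66a] = module_id
    struct.pack_into('<I', buf, 0x682, arch)
    struct.pack_into('<I', buf, 0x686, mtype)
    struct.pack_into('<I', buf, 0x68e, zlib_flag)
    struct.pack_into('<Q', buf, 0x692, enc_len)
    return bytes(buf)

if __name__ == '__main__':
    sub = make_subheader('Stealer', 'stealer.dll',
                         b'E0FBBC92DB9927BFC474A64DF4F9C22F',
                         total_len=5000, enc_len=3000)
    print(module_key(sub).hex())
```

The 32 bytes returned, with the 16 null-byte IV from the post, are the AES-256-CBC inputs for the data that follows the subheader; any AES library can consume them. Zeroing the two length fields before hashing means the key depends only on the module metadata, so the same module served with a different payload size decrypts with the same key.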
The decrypted data is\r\noptionally ZLIB-compressed and, once decompressed, contains a module DLL that will be executed by\r\nrundll32.exe.\r\nTable 1: List of modules typically seen\r\nModule identifier | Name | Old name | Functionality\r\n759CBB3E1B883BDCA23E9052462F641E | FF1 | Sniffer | Proxy\r\nE0FBBC92DB9927BFC474A64DF4F9C22F | FF2 | Stealer | Stealer module\r\nD0C851FBCA030928B535FAF3188DAFBA | FF3 | NA | 64-bit version of Stealer module (new)\r\n8C59B6C9985F983E248E27CC0BF98A2D | FF4 | NA | RDP module (new)\r\nA5BBBAB3A17BA2119F47F0E4316EE5BF | FF5 | TOR | TOR proxy\r\n4F06D71C93E4105307339704D21C49A3 | FF6 | VNC | VNC\r\nCommand 0x44f (1103): “Get configuration files”\r\nThis command is used by the malware to request configuration files from the C\u0026C. It has a quirk where after the\r\nmalware receives the 183-byte response header, the malware sends “\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff” before the\r\nC\u0026C server responds with the response payload data. 
The payload data is formatted and encrypted like a module,\r\nbut multiple configuration files are sent (multiple 1699-byte subheader, encrypted data, and signature packages).\r\nTable 2: Configuration files typically seen\r\nConfig filename | Variants | Purpose | Comments\r\nBitVideo | VVie | Processes to watch | For screenshots/video recording perhaps\r\nKeyBit | BitKey, VKey | Processes to watch | For keylogging possibly\r\nBitFiles | Vfiles, VBit | Cryptocurrency wallet files to steal |\r\nPosWtFilter | PostWFilter, VFilter | List of websites for which to steal requests | PosWtFilter may be a typo (in affiliate IDs 3 and 9)\r\nwebinj33 | uabanks | Proxying config | Incrementing versions\r\ninj25 | InjectZZ, InjectSW | Webinjects | Incrementing versions; Zeus-style injects\r\nCommand 0x44e (1102): “Send data to C\u0026C”\r\nThis command is used by the malware to send data to the C\u0026C such as the system information (Figure 3 above) or\r\na screenshot. The request payload data contains a 656-byte subheader, encrypted data, and an encrypted session key\r\n(Figure 8 shows an example subheader):\r\nFigure 8: Command 0x44e request payload data containing 656-byte subheader\r\nThe following fields have been identified in the subheader:\r\nOffset 0: total length (QWORD)\r\nOffset 8: hardcoded -1 (DWORD)\r\nOffset 0xc: affiliate ID (DWORD)\r\nOffset 0x17: length of next field (BYTE)\r\nOffset 0x18: bot ID (32 bytes)\r\nOffset 0x38: length of next field (BYTE)\r\nOffset 0x39: MD5 hex digest of plaintext data (32 bytes)\r\nOffset 0x5a: filename (520-byte wide string)\r\nOffset 0x264: data type (DWORD)\r\nOffset 0x270: system time (unknown format) (QWORD)\r\nOffset 0x280: timezone bias (DWORD)\r\nOffset 0x288: encrypted data length (QWORD)\r\nData can be ZLIB-compressed and AES-256-CBC-encrypted using an initialization vector (IV) 
of 16 null (\\x00)\r\nbytes. The AES key is generated using the CryptDeriveKey Windows function and is itself RSA-encrypted with an\r\nembedded RSA public key; the RSA-encrypted AES key is then appended to the end of the encrypted data.\r\nTable 3: Files typically seen sent\r\nFilename | Comments\r\ndesktopscreen.bmp | Screenshot\r\nCookies.txt | Stored web browser cookies\r\n“System Info” | Various system information\r\nC\u0026C Infrastructure\r\nWhile we do not have specific visibility into DanaBot’s back-end infrastructure, we have observed some\r\nnoteworthy behavior that allows some speculation.\r\nAs noted above, DanaBot uses a loader to download its main component from a C\u0026C server. The main component\r\ncontains a list of 10 hardcoded C\u0026C IP addresses that are used for malware communications. Our first observation\r\nwas that the hardcoded C\u0026C lists changed approximately every hour when a main component was downloaded.\r\nWe downloaded the main component in hourly intervals for 24 hours and analyzed the C\u0026C lists. Each sample’s\r\nlist turned out to be different. Overall we ended up with 240 IP addresses (available on Github [13]) with 194\r\n(80%) of them being unique. 
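The hourly-list comparison described above, done in Python as an added example (not Proofpoint's own tooling): it decodes the ten DWORD entries from a main-component memory dump, counts in how many hourly lists each address appears, and flags addresses that can never be a reachable C\u0026C (RFC 1918 private, 224.0.0.0/4 multicast, reserved ranges). The three hourly dumps are constructed from addresses the post lists; the assumption that each DWORD holds the four octets in address order (network byte order, as inet_addr returns it) is mine, and a sample that stored them host-order would need the four bytes reversed.

```python
import ipaddress
from collections import Counter

IPS_PER_LIST = 10  # the loader and main component each carry 10 C2 entries

def decode_ip_list(blob, count=IPS_PER_LIST):
    # Assumption: each DWORD holds the four octets in address order.
    if len(blob) < 4 * count:
        raise ValueError('need %d bytes for %d entries' % (4 * count, count))
    return [str(ipaddress.IPv4Address(blob[4 * i:4 * i + 4]))
            for i in range(count)]

def is_unroutable(ip):
    # Private, multicast, reserved, loopback, link-local or unspecified
    # addresses cannot be a reachable C2, so they are decoy candidates.
    a = ipaddress.ip_address(ip)
    return (a.is_private or a.is_multicast or a.is_reserved
            or a.is_loopback or a.is_link_local or a.is_unspecified)

def analyse_lists(hourly_lists):
    # Count lists (not entries) per address so a repeat inside one list
    # does not inflate the overlap figure.
    per_ip = Counter(ip for lst in hourly_lists for ip in set(lst))
    return {
        'total': sum(len(lst) for lst in hourly_lists),
        'unique': sorted(per_ip),
        'overlap': per_ip.most_common(),
        'unroutable': sorted(ip for ip in per_ip if is_unroutable(ip)),
    }

# Constructed sample: three hourly dumps built from addresses the post
# lists (the real collection had 24 such lists).
SAMPLE_HOURLY_LISTS = [
    ['158.255.215.31', '149.154.152.64', '37.235.53.232', '10.181.255.78',
     '225.100.146.224', '95.179.151.252', '45.77.54.180', '226.181.243.104',
     '178.209.51.227', '45.77.96.198'],
    ['158.255.215.31', '149.154.152.64', '149.154.157.220', '228.226.171.37',
     '45.77.51.69', '234.106.187.114', '45.77.231.138', '37.235.53.232',
     '235.40.105.171', '10.181.255.78'],
    ['158.255.215.31', '238.87.111.55', '149.154.157.220', '95.179.151.252',
     '234.63.249.87', '178.209.51.227', '234.97.12.178', '45.77.54.180',
     '225.21.55.173', '45.77.96.198'],
]

def sample_dumps():
    # Pack each list the way it sits in memory: ten consecutive DWORDs.
    return [b''.join(ipaddress.IPv4Address(ip).packed for ip in lst)
            for lst in SAMPLE_HOURLY_LISTS]

if __name__ == '__main__':
    result = analyse_lists([decode_ip_list(d) for d in sample_dumps()])
    print(result['total'], 'entries,', len(result['unique']), 'unique')
    for ip, n in result['overlap'][:5]:
        print(ip, '(in %d lists)' % n)
    print('unroutable:', result['unroutable'])
```

Note that ipaddress.is_global alone is not enough for this filter: it does not treat the 224.0.0.0/4 multicast range as non-global, so the multicast decoys would slip through without the explicit is_multicast check.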
The top 10 overlapping IPs were:\r\n158.255.215[.]31 (in 7 lists)\r\n149.154.152[.]64 (in 7 lists)\r\n37.235.53[.]232 (in 6 lists)\r\n95.179.151[.]252 (in 5 lists)\r\n178.209.51[.]227 (in 5 lists)\r\n149.154.157[.]220 (in 5 lists)\r\n45.77.54[.]180 (in 4 lists)\r\n45.77.96[.]198 (in 3 lists)\r\n45.77.51[.]69 (in 3 lists)\r\n45.77.231[.]138 (in 3 lists)\r\nOut of the total list of possible C\u0026C IPs, only the following 10 (4%) seemed responsive:\r\n149.154.152[.]64\r\n149.154.157[.]220\r\n158.255.215[.]31\r\n178.209.51[.]227\r\n37.235.53[.]232\r\n45.77.231[.]138\r\n45.77.51[.]69\r\n45.77.54[.]180\r\n45.77.96[.]198\r\n95.179.151[.]252\r\nInterestingly, these synced up with the overlapping IP list. We also noted that the overall IP list contained some\r\nunroutable IPs (10.181.255[.]78 is an RFC 1918 private address and the rest fall in the 224.0.0.0/4 multicast range) such as:\r\n10.181.255[.]78\r\n225.100.146[.]224\r\n225.21.55[.]173\r\n226.181.243[.]104\r\n228.226.171[.]37\r\n234.106.187[.]114\r\n234.63.249[.]87\r\n234.97.12[.]178\r\n235.40.105[.]171\r\n238.87.111[.]55\r\nAs a result of these observations, we can speculate that the main component may contain only a few real C\u0026Cs\r\nwhile the rest are random decoys.\r\nAffiliate System\r\nBased on distribution methods and targeting, we have been grouping DanaBot activity using an “affiliate ID” that\r\nwe have observed in various parts of the C\u0026C protocol (e.g., offset 0xc of the 183-byte binary protocol header). 
At\r\nthe time of publication, we observed the following affiliate IDs:\r\nAffiliate ID | Targeting | Distribution\r\n3 | Poland, Austria, Germany, Italy | Zipped-VBS attachments in email campaigns\r\n4 | Australia | Links in email campaigns\r\n5 | No webinjects | unknown\r\n8 | UK, Ukraine, and Canada | Various email campaigns\r\n9 | Same as affiliate ID 3 | Fallout Exploit Kit\r\n11 | US, no webinjects | Hancitor downloader malware from links in email campaigns\r\n12 | Australia | unknown\r\n13 | Germany | unknown\r\n20 | No webinjects | unknown\r\nWe observed that DanaBot samples with different affiliate IDs seem to use some of the same C\u0026C IP addresses.\r\nAt this point we speculate that DanaBot may be set up as a “malware as a service” system in which one threat\r\nactor controls a global C\u0026C panel and infrastructure system and then sells access to other threat actors (affiliates)\r\nwho distribute and target DanaBot as they see fit.\r\nComparison with CryptXXX Ransomware\r\nProofpoint blogged about CryptXXX file-encrypting ransomware in 2016 [5] and noted that it shared many\r\nsimilarities with Reveton “police” ransomware. In particular, we noted that it was written in Delphi and used a\r\ncustom command and control protocol on TCP port 443.\r\nDanaBot’s C\u0026C traffic appears to be an evolution of this protocol, now using AES encryption in addition to the\r\nZlib compression. 
For example, in the traffic included in the Malware Traffic Analysis blog [6], the initial\r\nCryptXXX checkin format is:\r\nFigure 9: CryptXXX checkin format\r\nThe following fields are among those common to both CryptXXX and DanaBot:\r\nOffset 0: length of next field (BYTE)\r\nOffset 2: bot ID (32 bytes)\r\nOffset 0x34: length of compressed buffer\r\nOffset 0x38: Zlib-compressed buffer (0x4e bytes)\r\nThe compressed buffer decodes to:\r\nFigure 10: Decoded payload buffer\r\nThe following fields have been identified in the decoded buffer:\r\nOffset 4: length of next field (BYTE)\r\nOffset 5: bot ID (32 bytes)\r\nOffset 0xce: length of next field (BYTE)\r\nOffset 0xcf: Affiliate ID (7 bytes)\r\nOffset 0xfc: length of next field (BYTE)\r\nOffset 0xfd: Version string (5 bytes)\r\netc.\r\nLater on in the communication there is a (decoded) request to download a “Stealer” module “stiller.dll”:\r\nFigure 11: Decoded request to download the “Stealer” module\r\nThus it would seem that DanaBot follows in a long line of malware from one particular group. This family began\r\nwith ransomware, to which stealer functionality was added in Reveton. The evolution continued with CryptXXX\r\nransomware and now with a banking Trojan with Stealer and remote access functionality added in DanaBot.\r\nConclusion\r\nWhen we first discovered DanaBot, we predicted that it would likely be picked up by other actors. Distribution of\r\nthis malware has now extended well beyond Australia, with campaigns targeting Poland, Italy, Germany, Austria,\r\nand, more recently, the United States. DanaBot is a banking Trojan, meaning that it is necessarily geo-targeted to a\r\ndegree. 
Adoption by high-volume actors, though, as we saw in the US campaign, suggests active development,\r\ngeographic expansion, and ongoing threat actor interest in the malware. The malware itself contains a number of\r\nanti-analysis features, as well as updated stealer and remote control modules, further increasing its attractiveness\r\nand utility to threat actors.\r\nReferences\r\n[1] https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0\r\n[2] https://www.welivesecurity.com/2018/09/21/danabot-targeting-europe-adds-new-features/\r\n[3] https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear\r\n[4] https://0ffset.wordpress.com/2018/08/12/post-0x16-hancitor-stage-1/\r\n[5] https://www.proofpoint.com/us/threat-insight/post/cryptxxx-new-ransomware-actors-behind-reveton-dropping-angler\r\n[6] http://malware-traffic-analysis.net/2016/04/20/index.html\r\n[7] https://github.com/EmergingThreats/threatresearch/blob/master/danabot/func_hashes.py\r\n[8] https://github.com/EmergingThreats/threatresearch/blob/master/danabot/loader_func_hashes.txt\r\n[9] https://github.com/EmergingThreats/threatresearch/blob/master/danabot/main_func_hashes.txt\r\n[10] https://github.com/EmergingThreats/threatresearch/blob/master/danabot/decrypt_str_ida.py\r\n[11] https://github.com/EmergingThreats/threatresearch/blob/master/danabot/loader_strings.txt\r\n[12] https://github.com/EmergingThreats/threatresearch/blob/master/danabot/main_strings.txt\r\n[13] https://github.com/EmergingThreats/threatresearch/blob/master/danabot/24_hours_of_ips.txt\r\nIndicators of Compromise (IOCs)\r\nIOC | IOC Type | Description\r\n288615e28672e1326231186230f2bc74ea84191745cc40369d49bf385bf9669b | SHA256 | DanaBot Loader (affiliate ID 8)\r\n45.77.96.198 | IP Address | DanaBot Loader C\u0026C\r\n57cac2bdc44415c6737149bda8fc4e53adfab7d35cac3de94ced9d6675f1c5db | SHA256 | DanaBot Main x64 (affiliate ID 8)\r\n1184c7936c82f1718f9e547be4a8eeaa1c16c2f16790e2b5ae66a870a17b7454 | SHA256 | DanaBot Main x86 (affiliate ID 8)\r\n149.154.152.64 | IP Address | DanaBot Main C\u0026C\r\n149.154.157.220 | IP Address | DanaBot Main C\u0026C\r\n158.255.215.31 | IP Address | DanaBot Main C\u0026C\r\n178.209.51.227 | IP Address | DanaBot Main C\u0026C\r\n37.235.53.232 | IP Address | DanaBot Main C\u0026C\r\n45.77.231.138 | IP Address | DanaBot Main C\u0026C\r\n45.77.51.69 | IP Address | DanaBot Main C\u0026C\r\n45.77.54.180 | IP Address | DanaBot Main C\u0026C\r\n45.77.96.198 | IP Address | DanaBot Main C\u0026C\r\nHancitor Campaign IOCs:\r\ngenesislouisville[.]com | Domain | Link to macro document\r\ngenesisofdallas[.]com | Domain | Link to macro document\r\ngenesisoflouisville[.]com | Domain | Link to macro document\r\ngenesisofportland[.]com | Domain | Link to macro document\r\nkccmanufacturing[.]com | Domain | Link to macro document\r\nlouisvillegenesis[.]com | Domain | Link to macro document\r\nlouisvilleride[.]com | Domain | Link to macro document\r\nmotionscent[.]com | Domain | Link to macro document\r\noxmoorautomall[.]com | Domain | Link to macro document\r\nridesharelouisville[.]com | Domain | Link to macro document\r\n6dcf41dd62e909876e9ef10bd376ea3a6765c2ecb281844fc4bebd70bfebeb27 | SHA256 | Macro document\r\nc82081823ba468ad2d10c4beca700a7bf0ba82b371bc57286cc721e271019080 | SHA256 | Hancitor\r\nhxxp://tontheckcatan[.]ru/4/forum[.]php | URL | Hancitor C\u0026C\r\nhxxp://onthethatsed[.]ru/4/forum[.]php | URL | Hancitor C\u0026C\r\nhxxp://kitezona[.]ru/wp-content/plugins/redirection/modules/1 | URL | Hancitor Task\r\nhxxp://xn--hllo-bpa[.]com/guestlist/1 | URL | Hancitor Task\r\nhxxp://music-open[.]com/1 | URL | Hancitor Task\r\nhxxp://allnicolerichie[.]com/wp-content/plugins/ubh/1 | URL | Hancitor Task\r\nhxxp://mpressmedia[.]net/wp-content/plugins/ubh/1 | URL | Hancitor Task\r\nhxxp://bwc[.]ianbell[.]com/wp-content/plugins/ubh/1 | URL | Hancitor Task\r\nhxxp://kitezona[.]ru/wp-content/plugins/redirection/modules/2 | URL | Hancitor Task\r\nhxxp://xn--hllo-bpa[.]com/guestlist/2 | URL | Hancitor Task\r\nhxxp://music-open[.]com/2 | URL | Hancitor Task\r\nhxxp://allnicolerichie[.]com/wp-content/plugins/ubh/2 | URL | Hancitor Task\r\nhxxp://mpressmedia[.]net/wp-content/plugins/ubh/2 | URL | Hancitor Task\r\nhxxp://bwc[.]ianbell[.]com/wp-content/plugins/ubh/2 | URL | Hancitor Task\r\nhxxp://kitezona[.]ru/wp-content/plugins/redirection/modules/4 | URL | Hancitor Task\r\nhxxp://xn--hllo-bpa[.]com/guestlist/4 | URL | Hancitor Task\r\nhxxp://music-open[.]com/4 | URL | Hancitor Task\r\nhxxp://allnicolerichie[.]com/wp-content/plugins/ubh/4 | URL | Hancitor Task\r\nhxxp://mpressmedia[.]net/wp-content/plugins/ubh/4 | URL | Hancitor Task\r\nhxxp://bwc[.]ianbell[.]com/wp-content/plugins/ubh/4 | URL | Hancitor Task\r\n9a816d9626f870617400df384d653b02a15ad940701b4fb2296e1abe04d3777f | SHA256 | DanaBot\r\nhxxp://tontheckcatan[.]ru/mlu/forum[.]php | URL | Pony C\u0026C\r\nhxxp://onthethatsed[.]ru/mlu/forum[.]php | URL | Pony C\u0026C\r\nhxxp://tontheckcatan[.]ru/d2/about[.]php | URL | Pony C\u0026C\r\nhxxp://onthethatsed[.]ru/d2/about[.]php | URL | Pony C\u0026C\r\nET and ETPRO Suricata/Snort Signatures\r\n2819978 | ETPRO TROJAN Tordal/Hancitor/Chanitor Checkin\r\n2014411 | ET TROJAN Fareit/Pony Downloader Checkin 2\r\n2831891 | ETPRO CURRENT_EVENTS Hancitor Encrypted Payload Jul 19\r\n2832816 | ETPRO TROJAN Win32/DanaBot CnC Checkin (affid 11)\r\nSource: https://www.proofpoint.com/us/threat-insight/post/danabot-gains-popularity-and-targets-us-organizations-large-campaigns",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/danabot-gains-popularity-and-targets-us-organizations-large-campaigns"
	],
	"report_names": [
		"danabot-gains-popularity-and-targets-us-organizations-large-campaigns"
	],
	"threat_actors": [],
	"ts_created_at": 1775434226,
	"ts_updated_at": 1775791231,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/08feb630f4816ccbc5cdca8d38762fd1f805d62b.pdf",
		"text": "https://archive.orkl.eu/08feb630f4816ccbc5cdca8d38762fd1f805d62b.txt",
		"img": "https://archive.orkl.eu/08feb630f4816ccbc5cdca8d38762fd1f805d62b.jpg"
	}
}