{
	"id": "a0f90201-033f-4dd7-ac63-75c23983041c",
	"created_at": "2026-04-06T00:15:36.593605Z",
	"updated_at": "2026-04-10T03:20:16.367917Z",
	"deleted_at": null,
	"sha1_hash": "5be31fd29153a29a4fc518b194047019230add4b",
	"title": "Breakdown of a Targeted DanaBot Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1192555,
	"plain_text": "Breakdown of a Targeted DanaBot Attack\r\nBy FortiGuard SE Team\r\nPublished: 2019-03-01 · Archived: 2026-04-05 16:56:40 UTC\r\nA FortiGuard SE Team Threat Analysis Report\r\nOn Feb 5th, 2019, the FortiGuard SE team discovered a targeted attack aimed at an unknown individual working for a government department in Queensland State in Australia. Within a span of a few days, we had observed additional activity targeting various members of this organization, specifically in the form of spearphishing attacks. We can safely surmise that it is very likely that this threat was specifically targeting this organization at this time for reasons unknown to us.\r\nThe threat being delivered is known as DanaBot. It is a modular banking Trojan that has been historically linked to combining operations with other malware operators, such as those behind Gootkit. Other modules associated with DanaBot include remote desktop through VNC, information stealing, and keylogging. While it appears that this recent attack may be looking to establish a foothold in the network, the reasons behind this are currently unknown.\r\nFollowing the Attack Chain\r\nThe attack begins with a seemingly innocuous email:\r\nhttps://www.fortinet.com/blog/threat-research/breakdown-of-a-targeted-danabot-attack.html\r\nPage 1 of 12\r\nAs can be seen, this email was sent in early February through a legitimate free email service available to everyone. In addition, the sender has not been registered as a spam-related email address, which adds to the analysis that this is a specifically targeted attack.\r\nThe link in the email (hxxp://users.xxxx.com.au/soniamatas/9302030002_993.zip?33505757) also points to an ISP that offers file hosting services.\r\nBased on our telemetry for this server, the DanaBot authors’ method of operation appears to be concentrated in Australia. In this most recent case, it is focused on a .gov.au email address, which coincides with this latest attack.\r\nThe link leads to a zip archive that contains a single .VBS file. Once deobfuscated, a shortcut link to a popular website is created in the temp folder, and after that, the script downloads a file from hxxp://corp.invest.preferredweb.org/dMJbnufMVu.php into the same temp folder and names it inv.exe.\r\nThis domain has seen a recent surge in activity:\r\nAlso, most of the visitors come from Australia.\r\nThe domain itself was recently registered (February 03), as can be observed in the screenshot below.\r\nData shows that while the server was registered through a registrar in the United States, it was ultimately hosted by what appears to be a Russian webhosting service, as evidenced by the Russian name servers.\r\nIt’s clear that the DanaBot authors also follow basic operational security practices, as indicated by their low visitor numbers. Aside from sending targeted emails, they also prevent anyone outside of Australia from downloading the malware. This may be in hopes of preventing security researchers, law enforcement agencies, and other curious onlookers from finding their campaigns.\r\nIn addition, the threat first contacts certain IP addresses to check for a valid Internet connection. This is a failsafe system for the malware in the case of its being analyzed (i.e. in a sandbox or isolated network), to avoid and thwart further analysis. If there is no connection, the threat will not continue to run.\r\nUpon initiation, DanaBot connects to a variety of benign IP addresses belonging to seemingly randomly selected organizations to see if it is online. Other IP addresses not known to be DanaBot C2 were not investigated due to time constraints, as well as the difficulty of analyzing banking Trojans in the allocated timeframe before publication.\r\nA New Attack?\r\nDuring the time of our initial analysis, as early as the first week of February, the threat itself was completely new. Interestingly, the recorded compilation time of the threat was actually ahead of the time it was downloaded. This is most likely because the threat was compiled in a time zone ahead of the United States.\r\nThe threat can also create a service for persistence purposes, as well as build custom directories and files to hold collected data. The threat can also inject malware into other processes, such as winlogon.exe, explorer.exe, and svchost.exe. Functionality on older systems includes rootkit capabilities, such as the ability to hide newly created services along with the directories the threat uses.\r\nUsing a custom tool to reveal hidden services yields the following.\r\nAs mentioned, because of the embedded rootkit, browsing the folder does not reveal anything.\r\nHowever, if the folder name is known, it is possible to manually navigate to the DanaBot directory.\r\nDanaBot Modularity\r\nBecause of its modularity, DanaBot is known to install different modules, such as remote desktop through VNC, information stealing, keylogging, and, as expected, injecting malware into banking web pages, which ultimately makes it one of the more advanced and evolved banking Trojans.\r\nTechnical Details\r\nOverview\r\n9302030002_993.zip (detected as: VBS/Agent.QQN!tr.dldr)\r\n- Size: 2135 bytes\r\n- MD5: B827896DCA0E874A976595D027E27D0E\r\n- SHA256: CE96E325F79BA07871489DB205E9ACA9FAC5AB3C15BDCA60E562CBAB65CC6447\r\n9302030002_993.vbs (detected as: VBS/Agent.QQN!tr.dldr)\r\n- Size: 5294 bytes\r\n- MD5: 1E0E503EF61BCF30CED17777FFD263DE\r\n- SHA256: 4D542B11FF7B3DFAB52D4C9E64AE209EF9AFBDFCEA1910CA24815EEC54944F21\r\ninv.exe (detected as: W32/Generic.AC.4399AE!tr)\r\n- Size: 455168 bytes\r\n- MD5: 75FD221DEA39A4AEA27998F4FB071041\r\n- SHA256: 1991548C135E4653CD18F969102A3225661AE70102AC7C3D5FF8A69E75FFB644\r\n- creates %temp%\\inv.dll\r\ninv.dll (detected as: W32/Danabot.I!tr)\r\n- Size: 286224 bytes\r\n- MD5: AB2C3D293C442C351A0B04CE9F4DEA3F\r\n- SHA256: F2EA70B5131E88D8B9B354D618E03B35A2B3FFE980CF6B871E1BE3A88625BFE9\r\nMITRE ATT\u0026CK – Tactics and Techniques\r\nThis analysis shows how DanaBot functionality maps to the MITRE ATT\u0026CK model.\r\nATT\u0026CK TTP Summary\r\nInitial Access\r\nSpearphishing – a link is provided in the email that points to an archive containing a malicious VBS script to continue on to the next stage of infection.\r\nExecution\r\nRegsvr32 – DanaBot file\r\nRundll32 – DanaBot file\r\nScripting – VBS file\r\nService Execution – custom startup service\r\nUser Execution – phishing link, unzipping archive, executing VBS file\r\nPersistence\r\nHidden Files and Directories – DanaBot files\r\nNew Service – execute on startup\r\nPrivilege Escalation\r\nNew Service – rootkit\r\nDefense Evasion\r\nHidden Files and Directories – DanaBot files\r\nObfuscated Files or Information – data files, keylogging file\r\nProcess Injection – explorer, winlogon, services, browser\r\nRootkit – hiding files, directories, custom service\r\nRundll32 – launching DanaBot dll\r\nScripting – VBS\r\nDiscovery\r\nProcess Discovery – for injection\r\nExfiltration\r\nData Encrypted – SSL + custom\r\nExfiltration over Command and Control Channel – SSL port 443\r\nCommand and Control\r\nCommonly Used Port – TCP port 443\r\nStandard Application Layer Protocol – HTTPS\r\nKnown Defenses and Mitigations\r\nInitial Access: FortiMail or other mail solutions can be used to block specific file types. FortiMail can also be configured to send attachments to the FortiSandbox solution (ATP), either on-premise or in the cloud, to determine if a file displays malicious behavior. FortiGate firewalls with Anti-Virus enabled alongside a valid subscription will detect and block this threat if configured to do so.\r\nExecution: User Awareness Training – Since it has been observed that this threat has been delivered via spearphishing distribution mechanisms, it is crucial that end users within an organization are made aware of the various types of attacks delivered via this method. This can be accomplished through regularly occurring training sessions and impromptu tests using predetermined templates run by internal security departments within an organization. Simple user awareness training on how to spot emails with malicious attachments or links could stop the initial access into the network. If user awareness training fails, and the user opens the attachment or link, FortiClient running with the latest up-to-date virus signatures will detect and block files associated with this threat. The files analyzed in this report are detected as VBS/Agent.QQN!tr.dldr, W32/Generic.AC.4399AE!tr, and W32/Danabot.I!tr.\r\nExfiltration \u0026 C\u0026C: FortiGates located at all your ingress and egress points with the Web Filtering service enabled and up-to-date definitions and/or Botnet Security will detect and block any observable outbound connections if configured correctly.\r\nIt is important to note that attacks continue to become more sophisticated and can sometimes circumvent your security defenses for a number of reasons. This is why it is important to ensure you have the ability to detect anomalous activity that could be malicious. Lastly, our Enterprise Bundle will address this attack as well as others. Our Enterprise Bundle consolidates all the cyber security services you need to protect and defend against all the cyber-attack channels from the endpoint to the cloud, including IoT devices, providing you the integrated defense to tackle today’s advanced threats. It includes the technologies needed to address today's challenging risk, compliance, management, visibility, and Operational Security (OT) concerns.\r\nIndicators Of Compromise (IOCs)\r\nDanaBot only contacts the IP addresses listed below to determine its online status. These addresses appear to have been selected randomly, and it is important to emphasize that there is no indication of any vulnerabilities or exploits associated with these addresses or the DanaBot malware whatsoever. However, by identifying some or all of this list of addresses in your outbound records, you could potentially validate whether or not your organization has been infected by this malware.\r\nNOTE: The FortiGuard Labs team has shared our findings, including file samples and indicators of compromise, in this report with our fellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. For more information on the Cyber Threat Alliance, visit cyberthreatalliance.org.\r\nLearn more about FortiGuard Labs and the FortiGuard Security Services portfolio. Sign up for our weekly FortiGuard Threat Brief.\r\nKnow your vulnerabilities – get the facts about your network security. A Fortinet Cyber Threat Assessment can help you better understand: Security and Threat Prevention, User Productivity, and Network Utilization and Performance.\r\nRead about the FortiGuard Security Rating Service, which provides security audits and best practices.\r\nSource: https://www.fortinet.com/blog/threat-research/breakdown-of-a-targeted-danabot-attack.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/breakdown-of-a-targeted-danabot-attack.html"
	],
	"report_names": [
		"breakdown-of-a-targeted-danabot-attack.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434536,
	"ts_updated_at": 1775791216,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5be31fd29153a29a4fc518b194047019230add4b.pdf",
		"text": "https://archive.orkl.eu/5be31fd29153a29a4fc518b194047019230add4b.txt",
		"img": "https://archive.orkl.eu/5be31fd29153a29a4fc518b194047019230add4b.jpg"
	}
}