{
	"id": "61e1ea5d-67fb-46db-b672-108e0d2067e8",
	"created_at": "2026-04-06T00:18:19.556463Z",
	"updated_at": "2026-04-10T03:20:20.60284Z",
	"deleted_at": null,
	"sha1_hash": "a59727015ddd8774a7b20eeefd6874bdd0c3a35a",
	"title": "DanaBot updated with new C\u0026C communication",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 624429,
	"plain_text": "DanaBot updated with new C\u0026C communication\r\nBy ESET Research\r\nArchived: 2026-04-05 16:23:34 UTC\r\nESET researchers have discovered new versions of the DanaBot Trojan, updated with a more complicated\r\nprotocol for C\u0026C communication and slight modifications to architecture and campaign IDs\r\n07 Feb 2019, 5 min. read\r\nThe fast-evolving, modular Trojan DanaBot has undergone further changes, with the latest version featuring an\r\nentirely new communication protocol. The protocol, introduced to DanaBot at the end of January 2019, adds\r\nseveral layers of encryption to DanaBot’s C\u0026C communication.\r\nBesides the changes in communication, DanaBot’s architecture and campaign IDs have also been modified.\r\nThe evolution of DanaBot\r\nAfter being discovered in May 2018 as part of Australia-targeted spam campaigns, DanaBot has had an eventful\r\ntime since, appearing in malspam campaigns in Poland, Italy, Germany, Austria and Ukraine, as well as in the\r\nhttps://www.welivesecurity.com/2019/02/07/danabot-updated-new-cc-communication/\r\nPage 1 of 9\n\nUnited States. The European campaigns have seen the Trojan expanding its capabilities with new plugins and\r\nspam-sending features.\r\nIn ESET telemetry on January 25, 2019, we noticed unusual DanaBot-related executables. Upon further\r\ninspection, these binaries were, indeed, revealed to be DanaBot variants, but using a different communication\r\nprotocol to communicate with the C\u0026C server. 
Starting January 26, 2019, DanaBot operators stopped building\r\nbinaries with the old protocol.\r\nAt the time of writing, the new version is being distributed under two scenarios:\r\nAs “updates” delivered to existing DanaBot victims\r\nVia malspam in Poland\r\nThe new communication protocol\r\nIn the communication protocol used before January 25, packets were not encrypted in any way, as seen in\r\nFigure 1.\r\nFigure 1 – Packet capture showing the old protocol with data in plaintext\r\nFollowing the latest changes, DanaBot uses the AES and RSA encryption algorithms in its C\u0026C communication.\r\nThe new communication protocol is complicated, with several encryption layers being used, as seen in Figure 2.\r\nFigure 2 – A diagram of DanaBot’s new communication protocol\r\nThese changes break existing network-based signatures and make it more difficult to write new rules for Intrusion\r\nDetection and Prevention Systems. Also, without access to the corresponding RSA keys, it is impossible to decode\r\nsent or received packets; thus PCAP files from cloud-based analysis systems (such as ANY.RUN) become\r\nunusable for researchers.\r\nFigure 3 – Packet capture with the new communication protocol in place\r\nEach packet sent by the client has a 24 (0x18)-byte header:\r\nOffset Size (bytes) Meaning\r\n0x0 0x8 Size of the data after this header\r\n0x8 0x8 Random value\r\n0x10 0x8 Sum of first two fields\r\nFor each packet, the header is followed by AES-encrypted packet data, then a 4-byte value indicating AES\r\npadding size, and finally the RSA-encrypted AES key. Each packet is encrypted with a different AES key.\r\nServer responses use the same format. 
Unlike in previous versions, packet data in server responses does not follow\r\nany specific layout (with some exceptions).\r\nPacket data layout\r\nFormer packet data layout was detailed by Proofpoint in October 2018. In the latest version of DanaBot, the\r\nlayout is slightly modified, as seen in Figure 4.\r\nFigure 4 – Comparison of packet data layout in DanaBot’s previous and latest version\r\nChanges in DanaBot architecture\r\nBesides the changed communication protocol, DanaBot has also undergone some changes in architecture. The\r\nprevious versions of DanaBot included a component that downloaded and executed the main module. The main\r\nmodule then downloaded and executed plugins and configurations.\r\nThe latest version shifts both these responsibilities to a new loader component, which is used to download all\r\nplugins along with the main module. Persistence is achieved by registering the loader component as a service.\r\nFigure 5 – Comparison of architecture in DanaBot’s previous and latest version\r\nCommands\r\nAccording to our analysis, the loader component uses the following commands:\r\n0x12C - Hello. First command sent by client to server\r\n0x12D - Download 32/64-bit launcher component\r\n0x12E - Request list of plugins and configuration files\r\n0x12F - Download plugin/configuration files\r\nDownloaded plugins and configuration files are encrypted using an AES key derived from the Client ID. 
In\r\naddition to that, plugins are compressed in ZIP format using LZMA compression, whereas configuration files are\r\ncompressed using zlib.\r\nCommands with ID numbers 0x130 - 0x134 are sent by the main module:\r\n0x130 - Upload collected information to C\u0026C server (e.g., screenshot of a victim’s computer; system\r\ninformation)\r\n0x131 - Upload collected information to C\u0026C server (e.g., list of files on the victim’s hard disk)\r\n0x132 - Ask C\u0026C server for further commands; there are around 30 available commands typical of\r\nbackdoors, including launching plugins, gathering detailed system information and modifying files on\r\nclient system\r\n0x133 - Update C\u0026C server list via Tor proxy\r\n0x134 - Exact purpose unknown; most likely used for communication between plugins and C\u0026C\r\nChanges in campaign IDs\r\nPrevious research has suggested that DanaBot is distributed under various “affiliate” or “campaign” IDs.\r\nIn the previous version of DanaBot, almost 20 different campaign IDs were used. In the latest version, campaign\r\nIDs have changed slightly. As of February 5, 2019, we are seeing the following IDs in the wild:\r\nID=2 appears to be a test version, serving a limited number of configuration files and no webinjects\r\nID=3 is being actively spread, targeting users in both Poland and Italy, serving all configuration files and\r\nwebinjects for both Polish and Italian targets\r\nID=5 serves configuration files for Australian targets\r\nID=7 is being spread only in Poland, serving webinjects for Polish targets\r\nID=9 appears to be another test version, with limited spread and no specific targeting, serving a limited\r\nnumber of configuration files and no webinjects\r\nConclusion\r\nIn 2018, we observed DanaBot expanding in both distribution and functionality. 
The beginning of 2019 has seen\r\nthe Trojan undergo “internal” changes, indicating active development by its authors. The latest updates suggest the\r\nauthors are making an effort to evade detection at the network level, and possibly paying attention to published\r\nresearch and making changes to stay ahead of defenders.\r\nESET systems detect and block all DanaBot components and plugins under detection names listed in the IoCs\r\nsection.\r\nThis research was carried out by Kaspars Osis, Tomáš Procházka and Michal Kolář.\r\nIndicators of Compromise (IoCs)\r\nC\u0026C servers used by the new version of DanaBot\r\n84.54.37[.]102\r\n89.144.25[.]243\r\n89.144.25[.]104\r\n178.209.51[.]211\r\n185.92.222[.]238\r\n192.71.249[.]51\r\nWebinject and redirect servers\r\n47.74.249[.]106\r\n95.179.227[.]160\r\n185.158.249[.]144\r\nExample hashes\r\nNote that since new builds of DanaBot’s components are released regularly, we provide just a sampling of hashes.\r\nComponent SHA-1 ESET detection name\r\nDropper 98C70361EA611BA33EE3A79816A88B2500ED7844 Win32/TrojanDropper.Danabot.O\r\nLoader (x86), campaign ID=3 0DF17562844B7A0A0170C9830921C3442D59C73C Win32/Spy.Danabot.L\r\nLoader (x64), campaign ID=3 B816E90E9B71C85539EA3BB897E4F234A0422F85 Win64/Spy.Danabot.G\r\nLoader (x86), campaign ID=9 5F085B19657D2511A89F3172B7887CE29FC70792 Win32/Spy.Danabot.I\r\nLoader (x64), campaign ID=9 4075375A08273E65C223116ECD2CEF903BA97B1E Win64/Spy.Danabot.F\r\nMain module (x86) 28139782562B0E4CAB7F7885ECA75DFCA5E1D570 Win32/Spy.Danabot.K\r\nMain module (x64) B1FF7285B49F36FE8D65E7B896FCCDB1618EAA4B Win64/Spy.Danabot.C\r\nPlugins\r\nPlugin SHA-1 ESET detection name\r\nRDPWrap 890B5473B419057F89802E0B6DA011B315F3EF94 Win32/Spy.Danabot.H\r\nStealer (x86) E50A03D12DDAC6EA626718286650B9BB858B2E69 Win32/Spy.Danabot.C\r\nStealer (x64) 9B0EC454401023DF6D3D4903735301BA669AADD1 Win64/Spy.Danabot.E\r\nSniffer DBFD8553C66275694FC4B32F9DF16ADEA74145E6 Win32/Spy.Danabot.B\r\nVNC E0880DCFCB1724790DFEB7DFE01A5D54B33D80B6 Win32/Spy.Danabot.D\r\nTOR 73A5B0BEE8C9FB4703A206608ED277A06AA1E384 Win32/Spy.Danabot.G\r\nSource: https://www.welivesecurity.com/2019/02/07/danabot-updated-new-cc-communication/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2019/02/07/danabot-updated-new-cc-communication/"
	],
	"report_names": [
		"danabot-updated-new-cc-communication"
	],
	"threat_actors": [],
	"ts_created_at": 1775434699,
	"ts_updated_at": 1775791220,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a59727015ddd8774a7b20eeefd6874bdd0c3a35a.pdf",
		"text": "https://archive.orkl.eu/a59727015ddd8774a7b20eeefd6874bdd0c3a35a.txt",
		"img": "https://archive.orkl.eu/a59727015ddd8774a7b20eeefd6874bdd0c3a35a.jpg"
	}
}