{
	"id": "707c43c4-61d7-44b0-bf69-14819f8b250d",
	"created_at": "2026-04-06T00:08:43.239257Z",
	"updated_at": "2026-04-10T13:12:15.193534Z",
	"deleted_at": null,
	"sha1_hash": "b0ef2464a2e4eb053cd78b8aeaa5c5992ab95181",
	"title": "DanaBot control panel revealed | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1893311,
	"plain_text": "DanaBot control panel revealed | Proofpoint US\r\nBy Dennis Schwarz and Proofpoint Threat Insight Team, March 13, 2019\r\nPublished: 2019-03-13 · Archived: 2026-04-02 10:37:37 UTC\r\nOverview\r\nProofpoint researchers discovered and reported on the DanaBot banking malware in May 2018 [1]. In our October\r\n2018 update [2], we speculated that DanaBot may be set up as a “malware as a service” in which one threat actor\r\ncontrols a global command and control (C\u0026C) panel and infrastructure system and then sells access to other threat\r\nactors known as affiliates. Affiliates then target and distribute DanaBot malware as they see fit. While analyzing a\r\ncomponent of this infrastructure, we discovered an interesting graphical client application that we believe to be a\r\ncontrol panel used by affiliates to access the global C\u0026C system. Once logged on to the system, they can configure\r\nand build their DanaBot malware; access infected devices; and sift through any stolen data including credentials,\r\nfinancial account information, and more.\r\nControl Panel Application\r\nOur current theory is that when an affiliate buys access to the DanaBot system, they are given the control panel\r\napplication described here and a user account on the global C\u0026C system.\r\nLike the malware, the control panel is written in the Delphi programming language. It has a compilation date of\r\n“2019-02-04 22:33:42” and an internal name of “Client.exe”. The application is mostly a graphical frontend in\r\nwhich inputs are formatted as commands that are sent to a backend C\u0026C server for processing. Once processed, the\r\nC\u0026C server sends back the results, which are then displayed by the application.\r\nFigures 1 through 6 give a tour of the main components of the control panel. 
While a valid login is required to send\r\nand receive data to and from the backend C\u0026C server, the figures still illustrate some of the potential actions a\r\nDanaBot affiliate can execute via the control panel:\r\nLog in to a backend C\u0026C server (Figure 1)\r\nBuild new DanaBot malware (Figure 2)\r\nSee various statistics from infected devices (Figure 3)\r\nConfigure various aspects of the malware (e.g., video recording of the screen, keylogging, and webinjects) (Figure 4)\r\nSearch and view stolen information (e.g., credentials and financial account information) (Figure 5)\r\nOperate on infected devices (e.g., search for files, download files, execute commands, take a screenshot, and\r\nopen a VNC session) (Figure 6)\r\nhttps://www.proofpoint.com/us/threat-insight/post/danabot-control-panel-revealed\r\nPage 1 of 10\n\nFigure 1: Control panel “Connect” tab\r\nFigure 2: Control panel “Builds” button\r\nFigure 3: Control panel “Stats” tab\r\nFigure 4: Control panel “Config” tab\r\nFigure 5: Control panel “Logs” tab\r\nFigure 6: Control panel “Online” tab\r\nAssociation with DanaBot Malware\r\nIn addition to finding the control panel application on infrastructure closely tied to DanaBot, two other significant\r\npieces of evidence tie this control panel application to the DanaBot malware:\r\nC\u0026C protocol overlap\r\nShared RSA public key\r\nIn February 2019, a new version of the DanaBot malware was spotted in the wild that contained a new C\u0026C\r\nprotocol. 
ESET researchers were the first to notice the update and published a blog post [3] detailing the changes.\r\nSince then, all of the DanaBot affiliates into which we have visibility have switched to this new version.\r\nUsing ESET’s post as background, we can compare and contrast the network communications used in the control\r\npanel application (traffic generated when trying to log in to a C\u0026C server - Figure 7) and the C\u0026C protocol used in\r\nthe malware (initial beacon - Figure 8).\r\nFigure 7: Control panel “login” request\r\nFigure 8: DanaBot malware “initial beacon”\r\nIn both figures we can see two sets of communications, each containing a 24-byte header (highlighted in red)\r\nfollowed by encrypted data (highlighted in blue).\r\nThe header contains:\r\nOffset 0x0: length of data (QWORD)\r\nOffset 0x8: random value (QWORD)\r\nOffset 0x10: random value + length of data (QWORD)\r\nThe encrypted data sections are composed of three pieces:\r\nAES-256 encrypted data using a randomly generated key\r\nPadding length (DWORD)\r\nThe randomly generated AES key, RSA encrypted using an embedded RSA public key\r\nIn the first set of communications, the AES-encrypted data carries a second RSA public key, generated by\r\nthe control panel application or the malware itself. The matching private key is what decrypts data sent back from the C\u0026C\r\nserver.\r\nThe second set of communications carries the initial commands: the “login” command for the control panel\r\napplication and the “initial beacon” for the malware. Both commands use a 167-byte structure and share many\r\ncommon fields, as shown in Table 1. 
Some fields that appear to apply only to the malware, such as architecture and\r\nprocess integrity, are set to zero in the control panel.\r\nField | Control Panel Application | DanaBot Malware\r\nLength | 167 | 167\r\nRandom value | 8931 | 8499\r\nRandom value + length | 9098 | 8666\r\nAffiliate ID | 0 | 5\r\nCommand | 101 | 300\r\nArgument | 1006* | 0\r\nRandom value 2 | 35786 | 14697\r\nUnknown | 0 | 0\r\nArchitecture | 0 | 64\r\nWindows version | 0 | 610760110\r\nUnknown | 0 | 0\r\nIs admin | 0 | 1\r\nProcess integrity | 0 | 12288\r\nUnknown | 0 | 1\r\nUnknown | 0 | 0\r\nUsername / archive key** | test_user | BB0B8678649F818C3A8F360098FD8874\r\nPassword / nonce 1*** | test_pass | 9AA088954D476D58590AC5B40543AF3C\r\nNonce*** / nonce 2*** | 701011CE5A3BBBC4A5901A19BF19A706 | AF9DE6B708E347F5A8F77E2EAF29E75F\r\n* Control panel version\r\n** A key used to decrypt an archive of components sent from the C\u0026C server to the malware\r\n*** The malware and control panel use something we call “nonces”. They can also be considered a type of\r\nchecksum. In general they are MD5 hash values of various fields and hard-coded constants added together.\r\nTable 1: Control panel “login” command vs. DanaBot malware “initial beacon” command\r\nThe second major feature that the control panel application and malware have in common is an embedded RSA\r\npublic key used for encrypting AES session keys in the C\u0026C protocol:\r\n-----BEGIN PUBLIC KEY-----\r\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCyJo2aXOQNP+KeAnWlpOiuMk5W\r\nl1An5GorPHqEyFAlRyv6sEylQDjAuSLGsy2LCvKmuzx2AFQ+3IMfqFf3JacY1HmY\r\nWuiL1V+R910TohM+6hnLnWx7JNbfzB3S7D1JC/WNUwlVv5NnIIX1i+zIW5BTanU1\r\nyQ97xjvokjvZHCHe2wIDAQAB\r\n-----END PUBLIC KEY-----\r\nThis RSA public key has actually been used in all of the DanaBot malware samples we have observed since the\r\nupgrade in February. 
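The 24-byte framing header described above and the size of the RSA-wrapped AES key implied by the embedded public key, as an added Python example that is not part of the Proofpoint post. It builds and validates headers using the length / random / random-plus-length invariant, scans a byte stream for consistent frames, and reads the modulus size out of the public key shown above. The stream it scans is constructed here from the two Table 1 header values with zero-filled placeholder payloads rather than real ciphertext; little-endian QWORDs and the one-byte resync step are assumptions, since the post gives offsets and sizes only.

```python
import base64
import struct

# Assumption: the three QWORDs are little-endian (the post gives offsets and
# sizes only; little-endian is the natural choice for a Win32/Delphi binary).
HEADER_FMT = '<QQQ'
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24 bytes
MASK64 = (1 << 64) - 1


def build_header(data_len, rand):
    # Offset 0x0: length of data, 0x8: random value, 0x10: random + length.
    return struct.pack(HEADER_FMT, data_len, rand, (rand + data_len) & MASK64)


def parse_header(buf, off=0):
    # Return (data_len, rand) if buf[off:off+24] is a self-consistent header,
    # otherwise None. A zero-length frame is rejected so runs of zero bytes
    # (which trivially satisfy 0 + 0 == 0) are not mistaken for headers.
    if len(buf) - off < HEADER_LEN:
        return None
    data_len, rand, check = struct.unpack_from(HEADER_FMT, buf, off)
    if data_len == 0 or check != (rand + data_len) & MASK64:
        return None
    return data_len, rand


def scan_frames(buf):
    # Walk a byte stream of consecutive header + encrypted-data frames and
    # return (offset, data_len, rand) for every frame whose header passes the
    # check and whose payload is fully present. On a mismatch the scanner
    # advances one byte (an assumed resync strategy) so leading junk or a
    # truncated frame does not hide the frames that follow.
    frames = []
    off = 0
    while off + HEADER_LEN <= len(buf):
        hdr = parse_header(buf, off)
        if hdr is None or off + HEADER_LEN + hdr[0] > len(buf):
            off += 1
            continue
        frames.append((off, hdr[0], hdr[1]))
        off += HEADER_LEN + hdr[0]
    return frames


# Constructed stream: four junk bytes, then the two 167-byte frames from
# Table 1 (control panel login, then malware initial beacon) with zero-filled
# placeholder payloads instead of real ciphertext.
STREAM = (
    bytes.fromhex('deadbeef')
    + build_header(167, 8931) + bytes(167)
    + build_header(167, 8499) + bytes(167)
)


def der_tlv(buf, pos):
    # Minimal DER reader: (tag, offset of value, length of value).
    tag = buf[pos]
    ln = buf[pos + 1]
    pos += 2
    if ln & 0x80:                      # long-form length
        nbytes = ln & 0x7f
        ln = int.from_bytes(buf[pos:pos + nbytes], 'big')
        pos += nbytes
    return tag, pos, ln


def rsa_modulus_bits(b64_spki):
    # SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey -> modulus INTEGER.
    der = base64.b64decode(b64_spki)
    _, p, _ = der_tlv(der, 0)                 # outer SEQUENCE
    _, alg, alg_len = der_tlv(der, p)         # AlgorithmIdentifier SEQUENCE
    _, bs, _ = der_tlv(der, alg + alg_len)    # BIT STRING
    _, pk, _ = der_tlv(der, bs + 1)           # RSAPublicKey SEQUENCE (skip unused-bits byte)
    _, m, m_len = der_tlv(der, pk)            # modulus INTEGER
    return int.from_bytes(der[m:m + m_len], 'big').bit_length()


# Base64 body of the RSA public key embedded in both the control panel and the
# malware, copied from the post.
DANABOT_RSA_B64 = (
    'MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCyJo2aXOQNP+KeAnWlpOiuMk5W'
    'l1An5GorPHqEyFAlRyv6sEylQDjAuSLGsy2LCvKmuzx2AFQ+3IMfqFf3JacY1HmY'
    'WuiL1V+R910TohM+6hnLnWx7JNbfzB3S7D1JC/WNUwlVv5NnIIX1i+zIW5BTanU1'
    'yQ97xjvokjvZHCHe2wIDAQAB'
)


def wrapped_key_len():
    # Size in bytes of the RSA-encrypted AES session key at the end of each
    # encrypted section: one RSA block for this modulus.
    return rsa_modulus_bits(DANABOT_RSA_B64) // 8


if __name__ == '__main__':
    print(scan_frames(STREAM))          # [(4, 167, 8931), (195, 167, 8499)]
    print(wrapped_key_len())            # 128
```

The third header field is a cheap consistency check for carving these frames out of a capture: it must equal the second field plus the first modulo 2^64, which the two Table 1 pairs satisfy (8931 + 167 = 9098, 8499 + 167 = 8666). The key parses as a 1024-bit RSA modulus, so the RSA-encrypted AES key that closes each encrypted section occupies 128 bytes, which fixes the trailer a decryptor has to peel off before the padding-length DWORD.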
That shared key is part of the reason we suspect that there is a single global C\u0026C panel with which all\r\naffiliate malware communicates.\r\nIn addition to the overlapping C\u0026C protocol and shared RSA key, the code in the control panel and in the\r\nmalware shares the same structure and style.\r\nConclusion\r\nA stand-alone binary application through which affiliates access malware control panels is unusual; malware\r\ndevelopers generally opt for web-based control panels. Several factors, however, suggest that the application\r\ndescribed here is used by DanaBot affiliates to build and configure their malware and then to access victim devices.\r\nWhether binary or web-based, it is usually a careless OPSEC mistake by a threat actor or an intentional “leak” of the malware that\r\nexposes a control panel. Once exposed, however, control panels tend to provide useful insights into malware campaigns\r\nand a perspective usually hidden from defenders.\r\nReferences\r\n[1] https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0\r\n[2] https://www.proofpoint.com/us/threat-insight/post/danabot-gains-popularity-and-targets-us-organizations-large-campaigns\r\n[3] https://www.welivesecurity.com/2019/02/07/danabot-updated-new-cc-communication/\r\nIndicators of Compromise (IOCs)\r\nIOC | IOC Type | Description\r\nd7ef48545457cbe791ed23c178551e4b17f0964a9e9ef7d0badda9f3e8c594f3 | SHA256 | DanaBot Control Panel\r\n8327931a5d2430526862d789b9654c9c8da7bc64519d210a93e4720aac7ccaa0 | SHA256 | DanaBot Malware (Affiliate 5) used for comparison\r\nSource: https://www.proofpoint.com/us/threat-insight/post/danabot-control-panel-revealed",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/danabot-control-panel-revealed"
	],
	"report_names": [
		"danabot-control-panel-revealed"
	],
	"threat_actors": [],
	"ts_created_at": 1775434123,
	"ts_updated_at": 1775826735,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b0ef2464a2e4eb053cd78b8aeaa5c5992ab95181.pdf",
		"text": "https://archive.orkl.eu/b0ef2464a2e4eb053cd78b8aeaa5c5992ab95181.txt",
		"img": "https://archive.orkl.eu/b0ef2464a2e4eb053cd78b8aeaa5c5992ab95181.jpg"
	}
}