{
	"id": "71f33831-6f28-4165-9ba4-d3fb1bc79697",
	"created_at": "2026-04-06T00:08:24.213895Z",
	"updated_at": "2026-04-10T03:22:08.779539Z",
	"deleted_at": null,
	"sha1_hash": "eed8e07563a0dcaa100d53fcd0c10dfb5743919e",
	"title": "DanaBot's Latest Move: Deploying Latrodectus",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1004095,
	"plain_text": "DanaBot's Latest Move: Deploying Latrodectus\r\nBy eSentire Threat Response Unit (TRU)\r\nArchived: 2026-04-05 22:20:04 UTC\r\nAdversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters\r\nand Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.\r\nWe have discovered some of the most dangerous threats and nation-state attacks in our space – including the\r\nKaseya MSP breach and the more_eggs malware.\r\nOur Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced\r\nThreat Analytics driven by our Threat Response Unit – the TRU team.\r\nIn TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We\r\noutline how we responded to the confirmed threat and what recommendations we have going forward.\r\nHere’s the latest from our TRU Team…\r\nWhat did we find?\r\nIn December 2023, this blog post was revised based on insights from Proofpoint's researcher, known as\r\n@Myrtus0x0. The malware under investigation has been identified as 'Latrodectus', which is believed to have\r\nbeen developed by the creators of IcedID.\r\nIn early November 2023, the eSentire Threat Response Unit (TRU) detected the presence of DanaBot, a\r\nsophisticated banking Trojan renowned for its ability to pilfer banking credentials and personal information and\r\nfor its hVNC (hidden Virtual Network Computing) feature (Figure 1).\r\nThis malware was being employed to deliver IcedID, a banking Trojan that has been active since 2017 and is\r\nwidely recognized for its various capabilities. 
Notably, since 2020, IcedID has been linked to ransomware attacks,\r\nincluding those involving Egregor, Maze, and Conti.\r\nhttps://www.esentire.com/blog/danabots-latest-move-deploying-icedid\r\nPage 1 of 11\n\nFigure 1: DanaBot advertisement on a Russian hacking forum\r\nIn a recent case, we assess with high confidence that the initial infection for DanaBot occurred via a drive-by\r\ndownload. The user was likely searching for a Webex installer and visited an imposter website serving the\r\npayload. The archive payload is named Webex.zip (MD5: 4be85751a07081de31f52329c2e2ddc8).\r\nThe archive contains the following files:\r\nrash.docx (IDAT Loader encrypted file), MD5: 34b87976172e911e3e2ed6007252e7dc\r\nsqlite3.dll – malicious side-loaded DLL, MD5: 4ca6db064effc1730299a0f20531e49c\r\nwebex.exe – legitimate binary, MD5: 1f166f5c76eb155d44dd1bf160f37a6a\r\nUpon execution, webex.exe side-loads the malicious DLL (sqlite3.dll), decrypts and decompresses the\r\ncontents of the rash.docx file, performs injection into explorer.exe via Process Doppelgänging, and decrypts and runs the\r\nfinal payload. 
In our case, it’s DanaBot (MD5: 6ad1d4e1ca3f1784840364700f5a8a14).\r\nWe have observed DanaBot dropping the following files on the infected system under the %TEMP% folder:\r\n10608194856200.exe (MD5: 0d0c437a39787127fc0fbf19efc747ab), which we assess to be an IcedID\r\nVNC module\r\nc5cfe172.dll, IcedID loader (MD5: 350915536540a76d44ce12dc03450424)\r\nUpon execution of the IDAT loader, two folders are created under %AppData%:\r\nDownloadWordpadISR (folder that contains rash.docx and sqlite3.dll)\r\nCustom_update (folder that contains IcedID payloads Update_* (for example, Update_88d58563) and\r\nupdate_data.dat)\r\nPersistence for DanaBot is created via the Startup folder (T1547.001) for the webex.exe binary.\r\nIcedID Technical Analysis\r\nAfter the IcedID payload is decrypted, it creates a copy of itself under “%AppData%\\Custom_update\\Update_{8-hexadecimal-characters}”. The 8 hexadecimal characters are determined by the function in Figure 2.\r\nFigure 2: Hexadecimal value generation\r\nThe payload retrieves the volume serial number of the infected machine via the GetVolumeInformationW API and\r\nmultiplies the result by the seed value 0x19660D. 
The result is then used as part of the DLL filename,\r\nappended after “Update_” as 8 hexadecimal characters.\r\nThe function then enters a loop in which it multiplies each value returned by the mw_seed function by the seed\r\nvalue; it takes the first byte of each result and builds a 14-byte unique HWID string that is sent to the C2.\r\nIcedID uses a CRC-32 hashing algorithm to calculate the hashes for the APIs used in the binary (Figures 3-4).\r\nFigure 3: CRC-32 API hashing function\r\nFigure 4: CRC-32 calculated API hashes\r\nThe string decryption (Figure 5) is performed using the following algorithm:\r\nThe function is initialized with the first 4 bytes of the encrypted string.\r\nWithin the prng_gen function, it generates a series of pseudo-random values seeded with those first 4 bytes of\r\nthe encrypted string.\r\nFor each byte in the given range, it XORs the pseudo-random value with the byte at the corresponding offset in\r\nthe encrypted string.\r\nFigure 5: String decryption function\r\nWe wrote an IDAPython script to decrypt the strings.\r\nThe decrypted strings can be accessed here.\r\nIcedID creates the hardcoded mutex “runnung”. 
If the payload fails to create the mutex or the mutex already exists\r\n(indicated by error code 183, ERROR_ALREADY_EXISTS), the payload enters\r\nan infinite delay loop using NtDelayExecution (1000 milliseconds per delay) (Figure 6).\r\nThis prevents multiple instances of the infection on the same machine.\r\nFigure 6: IcedID enters an infinite loop of delays if the mutex already exists\r\nThe campaign ID is generated from a hardcoded string in the binary (“Novik” in our sample) using the FNV\r\nhashing algorithm.\r\nFigure 7: FNV hashing algorithm\r\nHere is the implementation of the algorithm in Python:\r\ndef mw_fnv(input_str):\r\n    # 32-bit FNV-1a: start from the FNV offset basis, XOR in each byte, then multiply by the FNV prime\r\n    v3 = 0x811C9DC5\r\n    for char in input_str:\r\n        v3 = (v3 ^ ord(char)) * 0x1000193\r\n        v3 \u0026= 0xFFFFFFFF  # keep the running value within 32 bits\r\n    return v3\r\nfnv_hash = mw_fnv(\"Novik\")  # input your hardcoded string here\r\nprint(fnv_hash)\r\nUpon successful infection, IcedID runs the following reconnaissance commands on the infected host:\r\nC:\\Windows\\System32\\cmd.exe /c ipconfig /all\r\nC:\\Windows\\System32\\cmd.exe /c systeminfo\r\nC:\\Windows\\System32\\cmd.exe /c nltest /domain_trusts\r\nC:\\Windows\\System32\\cmd.exe /c nltest /domain_trusts /all_trusts\r\nC:\\Windows\\System32\\cmd.exe /c net view /all /domain\r\nC:\\Windows\\System32\\cmd.exe /c net view /all\r\nC:\\Windows\\System32\\cmd.exe /c net group \"Domain Admin\"\r\nC:\\Windows\\System32\\wbem\\wmic.exe /Node:localhost /Namespace:\\\\root\\SecurityCenter2 Path\r\nAntiVirusProduct Get * /Format:List\r\nC:\\Windows\\System32\\cmd.exe /c net config workstation\r\nC:\\Windows\\System32\\cmd.exe /c wmic.exe /node:localhost /namespace:\\\\root\\SecurityCenter2 path\r\nAntiVirusProduct Get DisplayName | findstr /V /B /C:dis\r\nC:\\Windows\\System32\\cmd.exe /c whoami /groups\r\nC:\\Windows\\System32\\cmd.exe\r\nC:\\Windows\\System32\\cmd.exe\r\nThe results are then converted 
into base64-encoded strings and appended to the following tags accordingly:\r\n\u0026ipconfig=\r\n\u0026systeminfo=\r\n\u0026domain_trusts=\r\n\u0026domain_trusts_all=\r\n\u0026net_view_all_domain=\r\n\u0026net_view_all=\r\n\u0026net_group=\r\n\u0026net_config_ws=\r\n\u0026net_wmic_av=\r\n\u0026whoami_group=\r\nFigure 8 shows the function responsible for the following:\r\nDecrypts and sets HTTP headers (Content-Type: application/x-www-form-urlencoded).\r\nDetermines the request method (POST or GET) based on the input parameter a2, decrypts the relevant\r\nmethod string, and prepares it for use.\r\nCalls HttpOpenRequestA with parameters including the request method, URL, and other settings. The\r\nrequest is opened using a handle provided by InternetOpenW.\r\nChecks if HttpOpenRequestA successfully created a request handle.\r\nIf it's a POST request, it calculates the length of the request data and headers, then sends the HTTP\r\nrequest with HttpSendRequestA using these lengths and the base64-encoded data.\r\nIf it's a GET request, it sends the request without additional data.\r\nFigure 8: HTTP Request Handler Function\r\nThe payload enumerates the running processes using APIs such as CreateToolhelp32Snapshot,\r\nProcess32First, and Process32Next and appends the results to the following tags:\r\n\u0026proclist=\r\n\"pid\":\r\n\"proc\":\r\n\"subproc\":\r\nPersistence is achieved via a scheduled task named “Updater”. The task runs at every log on with the\r\nfollowing command:\r\nrundll32.exe \"C:\\Users\\\u003cusername\u003e\\AppData\\Roaming\\Custom_update\\Update_88d58563.dll\", scab\r\nPreviously, we mentioned IcedID deploying the VNC module. 
There are a few interesting strings in the payload\r\nthat we observed:\r\n{%0.8X-%0.4X-%0.4X-%0.4X-%0.4X%0.8X}\r\n%ProgramFiles%\\\r\ngw@SET TO TOP\r\n%ProgramData%\\\r\n%LOCALAPPDATA%\\\r\n{\"dev\":[\r\n%sProfile %u\\\r\nFOREGRAUND\r\n%APPDATA%\\\r\n%ProgramFiles(x86)%\\\r\n/NOUACCHECK\r\nxpChrome_WidgetWin_\r\nNEW FOREGRAUND\r\naaa_11.02_mmm\r\nhdesk\r\nWhat did we do?\r\nOur team of 24/7 SOC Cyber Analysts detected malicious network connections originating from the rundll32.exe\r\nprocess, isolated the affected machine, and informed the impacted customer.\r\nWhat can you learn from this TRU Positive?\r\nThe use of drive-by downloads for initial infection shows the effectiveness of this method for deploying\r\nmalware, emphasizing the risk associated with unverified downloads.\r\nThe execution of a legitimate binary to side-load a malicious DLL highlights advanced techniques used by\r\nattackers to evade detection.\r\nIcedID's approach to preventing multiple infections on the same machine, using a hardcoded mutex and\r\nentering an infinite loop if the mutex exists, showcases a method to avoid detection and potential\r\ninterference with other malware.\r\nThe FNV hashing algorithm is used to generate campaign IDs from hardcoded strings.\r\nThe execution of various system commands post-infection for reconnaissance purposes underlines the\r\nimportance of monitoring command line activity on endpoints.\r\nRecommendations from our Threat Response Unit (TRU) Team:\r\nPrioritize application installations from your organization’s library of approved applications (if\r\nimplemented).\r\nTreat files downloaded from the Internet with the same vigilance as those delivered through email. Assume\r\nfiles are potentially hostile regardless of the path that got you there. 
Remember, a website hosting software\r\nadvertised on a trusted search engine does not inherit that trust.\r\nEncourage good cybersecurity hygiene among your users through Phishing and Security Awareness\r\nTraining (PSAT) that covers downloading software from the Internet.\r\nProtect endpoints against malware by:\r\nEnsuring antivirus signatures are up-to-date.\r\nUsing a Next-Gen AV (NGAV) or Endpoint Detection and Response (EDR) tool to detect and\r\ncontain threats.\r\nIndicators of Compromise\r\nName Indicator (MD5 hash, C2 domain or IP address)\r\nWebex.zip 4be85751a07081de31f52329c2e2ddc8\r\nrash.docx 34b87976172e911e3e2ed6007252e7dc\r\nsqlite3.dll 4ca6db064effc1730299a0f20531e49c\r\n10608194856200.exe 0d0c437a39787127fc0fbf19efc747ab\r\nc5cfe172.dll 350915536540a76d44ce12dc03450424\r\nDanaBot 6ad1d4e1ca3f1784840364700f5a8a14\r\nIcedID C2 arsimonopa[.]com/live\r\nIcedID C2 lemonimonakio[.]com/live\r\nIcedID VNC C2 178.208.87[.]21\r\nDanaBot C2 77.91.73[.]187\r\nDanaBot C2 74.119.193[.]200\r\nReferences\r\nhttps://learn.microsoft.com/en-us/windows/win32/api/\r\nhttps://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers/\r\nhttps://github.com/esThreatIntelligence/iocs/blob/main/IcedID/icedid_decrypted_strings.txt\r\nTo learn how your organization can build cyber resilience and prevent business disruption with eSentire’s Next\r\nLevel MDR, connect with an eSentire Security Specialist now.\r\nABOUT ESENTIRE’S THREAT RESPONSE UNIT (TRU)\r\nThe eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your\r\norganization become more resilient. 
TRU is an elite team of threat hunters and researchers that supports our 24/7\r\nSecurity Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and\r\nworks as an extension of your security team to continuously improve our Managed Detection and Response\r\nservice. By providing complete visibility across your attack surface and performing global threat sweeps and\r\nproactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending\r\nyour organization against known and unknown threats.\r\nSource: https://www.esentire.com/blog/danabots-latest-move-deploying-icedid",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.esentire.com/blog/danabots-latest-move-deploying-icedid"
	],
	"report_names": [
		"danabots-latest-move-deploying-icedid"
	],
	"threat_actors": [],
	"ts_created_at": 1775434104,
	"ts_updated_at": 1775791328,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eed8e07563a0dcaa100d53fcd0c10dfb5743919e.pdf",
		"text": "https://archive.orkl.eu/eed8e07563a0dcaa100d53fcd0c10dfb5743919e.txt",
		"img": "https://archive.orkl.eu/eed8e07563a0dcaa100d53fcd0c10dfb5743919e.jpg"
	}
}