{
	"id": "913a46c3-2614-45bc-bb3c-d81c94b5f588",
	"created_at": "2026-04-06T00:11:41.99875Z",
	"updated_at": "2026-04-10T03:21:11.792116Z",
	"deleted_at": null,
	"sha1_hash": "feeb129a2f05c2d78456627752312bf287f6b039",
	"title": "DanaBot | ThreatLabz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1409232,
	"plain_text": "DanaBot | ThreatLabz\r\nBy Dennis Schwarz\r\nPublished: 2022-12-06 · Archived: 2026-04-05 21:09:55 UTC\r\nKey Points\r\nDanaBot is a malware-as-a-service platform discovered in 2018 that is designed to steal sensitive\r\ninformation that may be used for wire fraud, conduct cryptocurrency theft, or perform espionage related\r\nactivities\r\nThe malware is heavily obfuscated which makes it very difficult and time consuming to reverse engineer\r\nand analyze\r\nZscaler ThreatLabz has reverse engineered the various obfuscation techniques used by DanaBot and\r\ndeveloped a set of tools using IDA Python scripts to assist with binary analysis\r\nDanaBot, first discovered in 2018, is a malware-as-a-service platform that threat actors use to steal usernames,\r\npasswords, session cookies, account numbers, and other personally identifiable information (PII). The threat\r\nactors may use this stolen information to commit banking fraud, steal cryptocurrency, or sell access to other threat\r\nactors.\r\nWhile DanaBot isn’t as prominent as it once was, the malware is still a formidable and active threat. Recently,\r\nversion 2646 of the malware was spotted in the wild and also a researcher tweeted screenshots of Danabot’s\r\nadvertisement website shown in Figure 1.\r\nhttps://www.zscaler.com/blogs/security-research/technical-analysis-danabot-obfuscation-techniques\r\nPage 1 of 15\n\nFigure 1: DanaBot’s advertisement website\r\nUnfortunately, the DanBot developers have done a very good job of obfuscating the malware code. Therefore, it is\r\nvery difficult and time consuming process to to reverse engineer and analyze. This is a companion blog post to a\r\nset of IDA Python scripts that Zscaler ThreatLabz is releasing on our Github page. The goal of the scripts is to\r\nhelp peel away some of the layers of DanaBot’s obfuscations and inspire additional research into not only the\r\nobfuscation techniques, but the malware itself.\r\nTechnical Analysis\r\nThe following sections summarize the numerous techniques that the DanaBot developers have implemented to\r\nobfuscate the malware binary code.\r\nJunk Byte Jumps\r\nOne of the first anti-analysis techniques that DanaBot employs is a “junk byte jump” instruction. This is an anti-disassembly technique where a jump instruction will always jump over a junk byte. The junk byte is skipped\r\nduring normal program execution, but causes IDA Pro to display an incorrect disassembly. An example of this\r\ntechnique is shown in Figure 2:\r\nhttps://www.zscaler.com/blogs/security-research/technical-analysis-danabot-obfuscation-techniques\r\nPage 2 of 15\n\nFigure 2: An example of a junk byte jump\r\nThe 01_junk_byte_jump.py IDA Python script searches for junk byte jump patterns and patches them with NOP\r\ninstructions. This operation fixes IDA Pro’s disassembly as shown in Figure 3.\r\nFigure 3: An example of a patched junk byte jump\r\nDynamic Returns\r\nThe next anti-analysis technique is a “dynamic return” operation. This technique calculates a new return address at\r\nthe end of a function, causing a change in the program’s control flow. In DanaBot’s implementation, they are used\r\nto “extend” a function–exposing additional hidden code. An example of a dynamic return is shown in Figure 4.\r\nFigure 4: An example of a dynamic return\r\nUsing the 02_dynamic_return.py IDA Python script, these dynamic returns can be patched, the functions\r\nextended, and the hidden code exposed. An example of this is shown in Figure 5.\r\nhttps://www.zscaler.com/blogs/security-research/technical-analysis-danabot-obfuscation-techniques\r\nPage 3 of 15\n\nFigure 5: An example of a patched dynamic return\r\nStack String Deobfuscation Preparation and Code Re-analysis\r\nBefore moving on to additional DanaBot anti-analysis techniques, we’ve included three IDA Python scripts:\r\n03_uppercase_jumps.py\r\n04_letter_mapping.py\r\n05_reset_code.py\r\nThe first two scripts are preparation steps to help with stack string deobfuscation described in a later section. The\r\nfirst script patches out a code pattern that is used to uppercase letters (this removes a small function basic block\r\nthat interferes with stack string reconstruction) and the second script renames variables that store the letters used\r\nin stack strings.\r\nBefore running the third script, check that IDA Pro’s ”Options-\u003eCompiler…” is set to “Delphi” (see Figure 6.)\r\nFigure 6: IDA Pro’s Compiler options\r\nSince the previous scripts patched a lot of existing code and exposed a bunch of new code, the 05_reset_code.py\r\nscript helps reset and re-analyze the modified code in IDA Pro to get a cleaner IDB database. Once the script and\r\nanalysis completes, some manual clean up may be required. Our general method is:\r\nSearch → Sequence of bytes…\r\nSearch for the standard function prolog: 55 8B EC\r\nhttps://www.zscaler.com/blogs/security-research/technical-analysis-danabot-obfuscation-techniques\r\nPage 4 of 15\n\nSort by Function\r\nFor each result without a defined function:\r\nRight click → Create function…\r\nLook for any addresses that are causing issues in the Output window\r\nRight click → Undefine\r\nRight click → Code\r\nJunk StrAsg and StrCopy Function Calls\r\nDanaBot adds a lot of junk code to slow down and complicate reverse engineering. One of the junk code patterns\r\nis adding extraneous StrAsg and StrCopy function calls. These functions are part of the standard Delphi library and\r\nare used to assign or copy data between variables. Figure 7 shows an example snippet of code with a number of\r\nthese calls. If we trace the variable arguments we can see that they are usually assigned to themselves or a small\r\nset of other variables that aren’t used in actual malware code.\r\nFigure 7: Example of junk StrAsg and StrCopy function calls\r\nThe IDA Python script 06_fake_UStrLAsg_and_UStrCopy.py tries to find and patch these junk calls. Figure 8\r\nshows the result in the example from Figure 7.\r\nhttps://www.zscaler.com/blogs/security-research/technical-analysis-danabot-obfuscation-techniques\r\nPage 5 of 15\n\nFigure 8: Example of patched junk StrAsg and StrCopy function calls\r\nStack Strings\r\nThe next obfuscation method is DanaBot’s version of creating “stack strings”. The malware assigns letters of the\r\nalphabet to individual variables and then uses those variables, pointers to those variables, and various Delphi\r\ncharacter/string handling functions to construct strings one character at a time. Figure 9 is an example construction\r\nof the string “wow64.dll”.\r\nhttps://www.zscaler.com/blogs/security-research/technical-analysis-danabot-obfuscation-techniques\r\nPage 6 of 15\n\nFigure 9: Example stack string of “wow64.dll”\r\nThese stack strings litter most of the malicious functions in DanaBot and very easily lead to reverse engineering\r\nfatigue. On top of that, while some of the constructed strings are used for malware purposes, most of them turn out\r\nto be junk strings. Figure 10 is a snippet of output from a script that will be introduced below. As can be seen in\r\nthe figure, most of the strings are random DLL, executable, and Windows API names.\r\nhttps://www.zscaler.com/blogs/security-research/technical-analysis-danabot-obfuscation-techniques\r\nPage 7 of 15\n\nFigure 10: Example script output showing junk strings\r\nThe best way to extract these stack strings is by emulating the construction code, but due to the following reasons\r\nwe experimented with another deobfuscation technique:\r\nThere are thousands of these strings\r\nThere are not clear start/end patterns to automatically extract the construction code\r\nThey rely on standard Delphi functions which aren’t particularly easy to emulate\r\nMost of them are junk strings\r\nThe sheer amount of construction code hinders malware analysis the most\r\nThe goal of the IDA Python scripts 07_stack_string_letters_to_last_StrCatN_call.py and\r\n08_set_stack_string_letters_comments.py is not to extract a wholly accurate stack string, but enough of the string\r\nto determine whether the string is junk or not. After some trial and error experimentation, the scripts also try their\r\nbest to remove the stack string construction code to allow for much easier analysis. If the string turns out to be\r\nlegitimate, the original construction code is saved as comments so a proper extraction of the string can be done\r\nif/when needed.\r\nEmpty Loops and Junk Math Loops\r\nAfter removing the junk StrAsg and StrCopy function calls and the stack strings, there will be a bunch of empty\r\nloops. The IDA Python script 09_empty_loops.py can be used to remove these loops. There will also be loops left\r\nthat just contain junk math code (see Figure 11.) The IDA Python script 10_math_loops.py will remove these junk\r\ncode math loops.\r\nhttps://www.zscaler.com/blogs/security-research/technical-analysis-danabot-obfuscation-techniques\r\nPage 8 of 15\n\nFigure 11: Example junk math loops\r\nJunk Strings and Junk Global Variables\r\nAs we saw in the stack strings section above, there were a lot of DLL, executable, and Windows API name based\r\njunk strings. These junk strings exist as normal strings as well, see Figure 12 as an example.\r\nFigure 12: Example junk strings\r\nWhile we haven’t found good patterns to automatically remove references to these junk strings, the IDA Python\r\nscript 11_rename_junk_variables.py renames them as “junk” to ease manual analysis.\r\nDanaBot also adds a lot of junk code involving global variables and various math operations, see Figure 13 for an\r\nexample.\r\nhttps://www.zscaler.com/blogs/security-research/technical-analysis-danabot-obfuscation-techniques\r\nPage 9 of 15\n\nFigure 13: Example junk global variable math\r\nThe IDA Python script 12_rename_junk_random_variables.py attempts to locate and rename these variables as\r\n“junk” to help with analysis.\r\nMiscellaneous Tips and Tricks\r\nBased on our experience reverse engineering DanaBot over the years, we have found the following miscellaneous\r\ntricks and tips to be helpful. The first is using the Interactive Delphi Reconstructor (IDR) program to export\r\nstandard Delphi library function and variable names. We use Tools → MAP Generator and Tools → IDC\r\nGenerator to export MAP and IDC files. While IDR creates an IDA IDC script, we don’t use it directly as it\r\ndegrades the quality of the IDA Pro disassembly/decompilation. Instead, we use the scripts idr_idc_to_idapy.py\r\nand idr_map_to_idapy.py to extract the information from the generated IDC and MAP files and use the output\r\nscripts to import the naming information.\r\nDanaBot resolves some of its Windows API functions by hash, so we use OALabs’ HashDB IDA Plugin (which\r\nrecently added support for DanaBot’s hashing algorithm) to resolve the names by hash.\r\nFinally, we make liberal use of IDA Pro’s right click → Collapse item feature to hide the remaining junk code,\r\nespecially the renamed junk strings and global variables.\r\nBefore and After Example\r\nAs an overall example, Figure 14 is a screenshot for a section of DanaBot code before the deobfuscation scripts\r\nhave been applied. The details of the code don’t particularly matter for this discussion, but the snippet shows\r\nDanaBot’s initialization of its 455-byte binary structure used in its initial “system information” command and\r\ncontrol beacon.\r\nhttps://www.zscaler.com/blogs/security-research/technical-analysis-danabot-obfuscation-techniques\r\nPage 10 of 15\n\nFigure 14: Example of code before deobfuscations\r\nFigure 15 is an example of the same code snippet after applying the deobfuscation scripts. \r\nhttps://www.zscaler.com/blogs/security-research/technical-analysis-danabot-obfuscation-techniques\r\nPage 11 of 15\n\nFigure 15: Example of code after deobfuscations\r\nConclusion\r\nWhile there is still room for improvement, the DanaBot malware code is much easier to analyze and reason about.\r\nExpanding the scope to the entire binary, the deobfuscation techniques significantly reduce the complexity and\r\ntime spent while reverse engineering the malware. We look forward to making further improvements/additions\r\nand welcome other researchers’ contributions to the existing scripts to peel away more layers of DanaBot’s\r\nobfuscation.\r\nZscaler Detection Status\r\nW32/Danabot\r\nCloud Sandbox Detection\r\nhttps://www.zscaler.com/blogs/security-research/technical-analysis-danabot-obfuscation-techniques\r\nPage 12 of 15\n\nhttps://www.zscaler.com/blogs/security-research/technical-analysis-danabot-obfuscation-techniques\r\nPage 13 of 15\n\nIndicators of Compromise\r\nIOC Notes\r\n8c6224d9622b929e992500cb0a75025332c9cf901b3a25f48de6c87ad7b67114\r\nSHA256 hash of DanaBot\r\nversion 2646 main\r\ncomponent\r\nSource: https://www.zscaler.com/blogs/security-research/technical-analysis-danabot-obfuscation-techniques\r\nhttps://www.zscaler.com/blogs/security-research/technical-analysis-danabot-obfuscation-techniques\r\nPage 14 of 15\n\nhttps://www.zscaler.com/blogs/security-research/technical-analysis-danabot-obfuscation-techniques\r\nPage 15 of 15",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/technical-analysis-danabot-obfuscation-techniques"
	],
	"report_names": [
		"technical-analysis-danabot-obfuscation-techniques"
	],
	"threat_actors": [],
	"ts_created_at": 1775434301,
	"ts_updated_at": 1775791271,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/feeb129a2f05c2d78456627752312bf287f6b039.pdf",
		"text": "https://archive.orkl.eu/feeb129a2f05c2d78456627752312bf287f6b039.txt",
		"img": "https://archive.orkl.eu/feeb129a2f05c2d78456627752312bf287f6b039.jpg"
	}
}