DanaBot Updated with New C2 Communication

ESET researchers have discovered new versions of the DanaBot Trojan, updated with a more complicated protocol for C&C communication and slight modifications to architecture and campaign IDs.

“The fast-evolving, modular Trojan DanaBot has undergone further changes, with the latest version featuring an entirely new communication protocol. The protocol, introduced to DanaBot at the end of January 2019, adds several layers of encryption to DanaBot’s C&C communication.

Besides the changes in communication, DanaBot’s architecture and campaign IDs have also been modified.”

One of the more notable changes found in this sample should be of concern:

“These changes break existing network-based signatures and make it more difficult to write new rules for Intrusion Detection and Prevention Systems. Also, without access to the corresponding RSA keys, it is impossible to decode sent or received packets; thus PCAP files from cloud-based analysis systems (such as ANY.RUN) become unusable for researchers.”

Read the whole article here:


Currently identifed indicators are shown below:

FileHash-SHA1 0df17562844b7a0a0170c9830921c3442d59c73c 0
IPv4 0
IPv4 0
IPv4 0
FileHash-SHA1 28139782562b0e4cab7f7885eca75dfca5e1d570 0
FileHash-SHA1 4075375a08273e65c223116ecd2cef903ba97b1e 0
FileHash-SHA1 5f085b19657d2511a89f3172b7887ce29fc70792 0
FileHash-SHA1 73a5b0bee8c9fb4703a206608ed277a06aa1e384 3
IPv4 0

IPv4 0
FileHash-SHA1 890b5473b419057f89802e0b6da011b315f3ef94 0
FileHash-SHA1 98c70361ea611ba33ee3a79816a88b2500ed7844 0
FileHash-SHA1 9b0ec454401023df6d3d4903735301ba669aadd1 0
FileHash-SHA1 b1ff7285b49f36fe8d65e7b896fccdb1618eaa4b 0
FileHash-SHA1 b816e90e9b71c85539ea3bb897e4f234a0422f85 0
FileHash-SHA1 dbfd8553c66275694fc4b32f9df16adea74145e6 3
FileHash-SHA1 e0880dcfcb1724790dfeb7dfe01a5d54b33d80b6 0
FileHash-SHA1 e50a03d12ddac6ea626718286650b9bb858b2e69

Leave a Comment

Your email address will not be published. Required fields are marked *