Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now
63
Global rank
70 infographic chevron month
Month rank
60 infographic chevron week
Week rank
0
IOCs

Danabot is an advanced banking Trojan malware that was designed to steal financial information from victims. Out of the Trojans in the wild, this is one of the most advanced thanks to the modular design and a complex delivery method.

Trojan
Type
Unknown
Origin
6 May, 2018
First seen
21 September, 2025
Last seen

How to analyze Danabot with ANY.RUN

Type
Unknown
Origin
6 May, 2018
First seen
21 September, 2025
Last seen

IOCs

IP addresses
185.101.92.195
38.55.144.23
179.43.190.29
192.236.147.159
190.218.32.139
95.111.233.125
91.227.16.22
188.213.22.181
5.8.8.83
214.49.245.24
185.237.188.109
155.202.27.76
222.3.244.105
164.56.22.90
82.190.206.1
53.159.185.126
32.117.36.79
133.64.16.65
122.129.244.123
198.59.171.10
Hashes
8d45601a7eacf6cdad87da5a19c1866da9400e612e991c0f2452b6e70ae6bac2
07762231da2a8ce1dd2a211c49a27a2f06d7d2b7d5426fc5b6b114f845f1eca6
6ae1dcd78ae961270649466c2e843acaf3a55e7480aae65bdbd8715078e315e0
53c2e8b99e5864b8be1172fcd86275ed978a22537784cc102aaa4af0f315d656
cd278a233eff57bb016ffa7ef043371244d497e9e4bb1ed10937721c5cd15d87
e2874e1b7661bab87814c7be2425a6fa41965efbf80a58c2eff00a4a29becf9f
ce3b821a6e6ef52212cd15d08ef620ad4adc19d0112236e14e6727d3b25f5d72
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
2e7d8011d1f806caa4151edd55e3e82ec76d33b04577dbc5ea9b48d1dae30e23
31832f7a8b9e94962378e3dd3250ad63f62d1a9be3c4227b46caacff2b92c9c0
efb6169bbb869a849afb91184a75b906fe509cbf6e672b6b4f3311c02343bbbb
2d40da8ee687152fcb99a36442390885767b667005dba437a79e6d12c91cd7a9
681ccc9e5bab3a23b3ce31fdc1eb8db268e79e1521e748d8f8c951d10a3a096c
330c1d3dd702af11b01ae38ced101e4c4217816e4887e9ebffe2e529cdc857d5
fb4db1424d6ce63e1d96a796acb10cd493f89a816180bc6b38bafdd72387d567
1298f95e9281dc33cdf2df8a2a11c55d76f0bbf266c0657579fec056ca882991
41c1f0d335494bc0169e4d5ff2b0036eeb1fbeaf5b8bc06d282baed573f65c68
6e64122b430c6357b483c6127d01268694a982bf1a5f442bfa7276c11fdf4dc3
6d4bb9f253658e3443c4fe9a5b6fccc80a99cdd72c265fa2d1c03c6bcfe4391b
7e4132835419e4c415d048b64a5fc2813b8d2ff72bb5586d857dcdf6a90a45f2
Domains
dcc.fllimorettinilegnaegiardini.it
amd.cibariefoodconsulting.it
it.sunballast.de
pph.picchio-intl.com
icon.fllimorettinilegnaegiardini.it
ricci.bikescout24.fr
job.hitjob.it
vps.hitjob.it
gtdspr.space
drk.fm604.com
vps.cibariefoodconsulting.it
team.hitweb.it
latest.hitweb.it
rprtinfog6st.world
partner-40215.com
bookingmarch-en-lang.com
booking.partner-04240144.com
booking-human-id90024054.com
partner-40415.com
februaryconfr-21563.com
Last Seen at

Recent blog posts

post image
Efficient SOC: How to Detect and Solve Incide...
watchers 521
comments 0
post image
ANY.RUN & Palo Alto Networks Cortex XSOAR...
watchers 608
comments 0
post image
Lazarus Group Attacks in 2025: Here's Everyth...
watchers 3947
comments 0

What is Danabot banking malware?

Danabot is a banking trojan that was spotted in the wild in 2018. Danabot differs from competing Trojans thanks to its robust delivery system and modular design. Since its first appearance, Danabot has obtained high popularity among cybercriminals and became an active threat in multiple regions of the world.

This malware is constantly updated by the creators, helping the Trojan continue to gain popularity in the hacking community. Danabot is written using the Delphi programming language carries several credential theft functions.

General description of Danabot

When first documented, Danabot malware was being used by just one actor who carried out a campaign against Australian companies. Since then, other malicious actors have started utilizing this malware and expanded the geography of attacks to Europe and North America.

In particular, the Danabot trojan was seen in attacks in Poland, Germany, Italy, Austria, and the US. Particularly, the US campaigns were carried out on a large scale, indicating that the malware is evolving and developing.

As far as the function set of this malware is concerned, Danabot can be classified as a banking trojan, though some of its features suggest that it is becoming a more versatile malware. Danabot is constructed out of three main components. The loader is a program created to download the main payload. The main component, which is installed by the loader, is configured to download the modules that the attacker can specify. Finally, once installed, the modules provide the functionality, which can vary depending on which modules were chosen by the ill-wisher in a particular campaign.

The malware can take screenshots, grant attackers remote control of the victims’ machine, collect system information, steal credentials, and record lists of files stored on infected PCs. Once collected, all information recorded by Danabot is sent to the control server in an encrypted form. Danabot aims to steal sensitive information that can be leveraged by the attackers later, therefore instead of confirming the victim head-on and demanding a ransom. This malware tries to stay hidden and collect valuable data over time. Some of the smaller distribution campaigns featuring Danabot were well made in terms of clever social engineering and carried on with the same philosophy of a more subtle approach.

In addition, researchers noticed that the attackers utilizing Danabot ventured beyond banking credentials theft and started utilizing this banking malware to host other spam and malicious campaigns, using the infected machines of their victims. What’s more, Danabot creators are thought to be collaborating with the group behind a different banking trojan – GootKit. Danabot was recorded as being used to distribute this type of threat. This case is a first for both malicious programs since neither has been distributed or distributed by other malware before.

In January 2019, researchers noticed a new version of the Danabot trojan in the wild. The investigation confirmed the new samples to be the evolution of Danabot, with a different C2 communication protocol that began to use multiple encryption layers and proved very complex. In the new variant, AES and RSA encryption algorithms were employed in particular. On top of that, the core design of the malware was also changed, as the loader was made responsible for downloading all the modules along with the main component. The researchers believe a technique was used to avoid detection on a network level that the attackers could have invented after reading existing analysis material on Danabot.

It should be noted that Danabot features several evasion techniques designed to make research as complicated as possible. For one, the banking malware is loaded with many lines of junk code, implemented solely to mislead the researchers. The malware also uses encryption and Windows API function hashing to fool automated sandboxes and researchers and prevent them from uncovering the true nature of the code.

Malware analysis of Danabot

A video recorded in the ANY.RUN malware hunting service enables us to take a look at Danabot in action.

danabot execution process graph

Figure 1: A process graph generated by ANY.RUN for the convenience of the researchers

text report of the Danabot malware execution

Figure 2: The text report generated by ANY.RUN is created to allow easy sharing of the study results

Danabot banking malware execution process

Typically Danabot trojan infects devices according to the following scenario. First of all, the downloader establishes a connection with the C2 server and downloads an executable file with a DLL file, which can be either 32-bit or 64-bit based on the infected OS version.

After that, Danabot begins stealing information from the infected OS. The banking malware bypasses user access control by using a DLL hijacking vulnerability in the Windows Update Standalone Installer (wusa.exe). This allows Danabot to create services and execute the injection into system processes. After all of these steps, Danabot receives full system control.

How to avoid infection by Danabot?

Danabot is distributed in email spam campaigns targeting organizations and using social engineering to trick victims into downloading malicious documents the same scenario as

Danabot is also known to get into PCs with another malware called Hancitor. Email campaigns featuring Danabot were considered well crafted by some researchers, who noted that social engineering involved seemed very effective.

Communication with C&C

In older samples of Danabot, the loader component used HTTP protocol to communicate with the control server, whereas the main component utilized the binary protocol. In more recent iterations, both components started to communicate with the C2 server over TCP port 443 using TLS instead.

How to detect Danabot using ANY.RUN?

ANY.RUN uses Suricata IDS rule sets, so if malware trying to communicate with C&C servers, it will be detected. To look at what threats were detected, click on the "Threats" section of the "Network" tab.

danabot network threats Figure 3: Danabot's network threats

Conclusion

Danabot is a very sophisticated malicious program used as a banking trojan and more. Targeting organizations across multiple continents, Danabot malware poses a high threat to businesses thanks to robust distribution methods and cutting-edge anti-evasion and persistence techniques.

In addition, the module nature of this banking malware allows attackers to fine-tune their campaigns, customizing them for every potential victim. All these traits combined helped make Danabot a very popular banking trojan that is only continuing to gain traction in the criminal community and further expand the geography of attacks.

To establish a reliable cyber defense, security professionals can utilize malware hunting and analysis services such as ANY.RUN, which allows to dissect malware samples and thoroughly study their behavior and architecture.

HAVE A LOOK AT

WhiteSnake screenshot
WhiteSnake
whitesnake
WhiteSnake is a stealer with advanced remote access capabilities. The attackers using this malicious software can control infected computers and carry out different malicious activities, including stealing sensitive files and data, recording audio, and logging keystrokes. WhiteSnake is sold on underground forums and often spreads through phishing emails.
Read More
DarkVision screenshot
DarkVision
darkvision
DarkVision RAT is a low-cost, modular Remote Access Trojan that gives attackers remote control of infected Windows hosts. Initially observed around 2020 and sold in underground marketplaces, DarkVision has become notable for its full feature set (keylogging, screen capture, file theft, remote command execution and plugin support) and for being distributed via multi-stage loaders in recent campaigns.
Read More
Raspberry Robin screenshot
Raspberry Robin
raspberryrobin
Raspberry Robin is a trojan that primarily spreads through infected USB drives and exploits legitimate Windows commands. This malware is known for its advanced obfuscation techniques, anti-debugging mechanisms, and ability to gain persistence on infected systems. Raspberry Robin often communicates with command-and-control servers over the TOR network and can download additional malicious payloads.
Read More
Ransomware screenshot
Ransomware
ransomware
Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.
Read More
HijackLoader screenshot
HijackLoader
hijackloader
HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses.
Read More
Black Basta screenshot
Black Basta
blackbasta
Black Basta is a ransomware-as-a-service operated by Storm-1811. It emerged in 2022 and uses double extortion tactics, encrypting data and stealing it for ransom. The malware often gains access through spear-phishing and uses tools like QakBot and Cobalt Strike. It's known for exploiting system vulnerabilities and using advanced obfuscation techniques.
Read More