S1014 DanBot
DanBot is a first-stage remote access Trojan written in C# that has been used by HEXANE since at least 2018.[1]
Item | Value |
---|---|
ID | S1014 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 03 June 2022 |
Last Modified | 01 September 2022 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | DanBot can use HTTP in C2 communication.[1] |
enterprise | T1071.004 | DNS | DanBot can use IPv4 A records and IPv6 AAAA DNS records in C2 communications.[1] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.003 | Windows Command Shell | DanBot has the ability to execute arbitrary commands via cmd.exe.[1][2] |
enterprise | T1059.005 | Visual Basic | DanBot can use a VBA macro embedded in an Excel file to drop the payload.[1] |
enterprise | T1005 | Data from Local System | DanBot can upload files from compromised hosts.[1] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | DanBot can use a VBA macro to decode its payload prior to installation and execution.[1] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | DanBot can delete its configuration file after installation.[2] |
enterprise | T1105 | Ingress Tool Transfer | DanBot can download additional files to a targeted system.[1] |
enterprise | T1036 | Masquerading | - |
enterprise | T1036.005 | Match Legitimate Name or Location | DanBot files have been named UltraVNC.exe and WINVNC.exe to appear as legitimate VNC tools.[2] |
enterprise | T1027 | Obfuscated Files or Information | DanBot can Base64 encode its payload.[1] |
enterprise | T1566 | Phishing | - |
enterprise | T1566.001 | Spearphishing Attachment | DanBot has been distributed within a malicious Excel attachment via spearphishing emails.[1] |
enterprise | T1021 | Remote Services | - |
enterprise | T1021.005 | VNC | DanBot can use VNC for remote access to targeted systems.[2] |
enterprise | T1053 | Scheduled Task/Job | - |
enterprise | T1053.005 | Scheduled Task | DanBot can use a scheduled task for installation.[1] |
enterprise | T1204 | User Execution | - |
enterprise | T1204.002 | Malicious File | DanBot has relied on victims’ opening a malicious file for initial execution.[1][2] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G1001 | HEXANE | 1 |