S1014 DanBot

DanBot is a first-stage remote access Trojan written in C# that has been used by HEXANE since at least 2018.[1]

ID: S1014
Associated Names: (none)
Version: 1.0
Created: 03 June 2022
Last Modified: 01 September 2022

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | DanBot can use HTTP in C2 communication.[1] |
| enterprise | T1071.004 | DNS | DanBot can use IPv4 A records and IPv6 AAAA DNS records in C2 communications.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | DanBot has the ability to execute arbitrary commands via cmd.exe.[1][2] |
| enterprise | T1059.005 | Visual Basic | DanBot can use a VBA macro embedded in an Excel file to drop the payload.[1] |
| enterprise | T1005 | Data from Local System | DanBot can upload files from compromised hosts.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | DanBot can use a VBA macro to decode its payload prior to installation and execution.[1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | DanBot can delete its configuration file after installation.[2] |
| enterprise | T1105 | Ingress Tool Transfer | DanBot can download additional files to a targeted system.[1] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Name or Location | DanBot files have been named UltraVNC.exe and WINVNC.exe to appear as legitimate VNC tools.[2] |
| enterprise | T1027 | Obfuscated Files or Information | DanBot can Base64 encode its payload.[1] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | DanBot has been distributed within a malicious Excel attachment via spearphishing emails.[1] |
| enterprise | T1021 | Remote Services | - |
| enterprise | T1021.005 | VNC | DanBot can use VNC for remote access to targeted systems.[2] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | DanBot can use a scheduled task for installation.[1] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | DanBot has relied on victims opening a malicious file for initial execution.[1][2] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G1001 | HEXANE | [1] |