In this stream we continue our analysis of Danabot with a focus on the core component. Danabot is written in Delphi which requires some additional tooling on top of IDA to reverse engineer.
Building on our use of IDR in the last stream, we extract the "record" metadata (struct) and use it to identify key information in the binary. We also demonstrate how to diff an older version of the malware records with a new version to quickly identify changes and updates!
DanaBot Core - Taking a look at a new version of the DanaBot Core
m4n0w4r
2024-02-17 15:46:55 +0000 UTC