DanaBot banking Trojan in spam impersonating the "POL-INVEST Office"

Reader Konrad sent us another sample of the news. It would not be surprising if it were not that the attached invoice from "Bartosz Wozniak z Biuro POL-INVEST" is a virus trying to download DanaBot from the Ukrainian server.

Original message:

From: Bartosz Wozniak

Content: Good morning, an invoice is attached. VAT invoice - sales no. 05/13/2018

Yours sincerely, Bartosz Wozniak POL-INVEST Office.

A message containing a dangerous attachment

Attachment " FV_001762.pdf.exe " after unpacking at first glance is a PDF file without an icon, but actually after delving into details, it contains a double extension and is an EXE executable file.

Fake PDF

In this campaign once again we deal with SMTP servers nazwa.pl, which are incorrectly secured - allow spammers to send malicious attachments on the "name" of the Name.pl SMTP server. In this case, the fraudster sent spam from the mail server used by Comimport sp. Z o. O. The perpetrator in the e-mail message is impersonating POL-INVEST - we found several such companies, which is why it is difficult to establish the target.

We suspect that the malware used in this campaign is related to the previous one (or to the dropper) that we wrote about two days ago. It is quite likely that this campaign has some characteristics in common with the impersonation of Ergo Hestia and the accounting office "Tomfis" . Malware according to the Eset anti-virus nomenclature in both cases is detected as Win32/TrojanDropper.Danabot.C and appeared on computers in Poland, and earlier in Australia .

Banking Trojan Danabot

Traditionally, spam is sent from the servers name.pl:

ane151.rev.netart.pl ([]: 31061) 

The spamer to the nazwa.pl server logs in from the IP address: 

Hash attachment .EXE after unpacking .ZIP:


Potential attachment names:


Attempts to impersonate e-mail addresses:

[email protected] 

We recommend that readers pay particular attention to attachments and use reputable antivirus software. The choice is difficult, which is why we have been helping to identify the best for many years, as evidenced by the three safety tests we have published today . We encourage you to familiarize yourself with the details.

Add new comment

The content of this field is kept private and will not be shown publicly.

Learn more about our offer

If you sell security solutions, are a distributor, authorized partner or developer and would like to share your portfolio with a group of potential customers, advertise an event, software, hardware or other services on AVLab - simply write to us. Or maybe you had to deal with ransomware? We can also help you decrypt your files.
Read more

We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.