{
	"id": "187f12d3-3b60-4827-840c-98f3cdea8508",
	"created_at": "2026-04-06T00:17:01.546305Z",
	"updated_at": "2026-04-10T13:12:28.48538Z",
	"deleted_at": null,
	"sha1_hash": "93e1852520ec90a0d3377e8698b03757bf001e73",
	"title": "Decoding a DanaBot Downloader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3847789,
	"plain_text": "Decoding a DanaBot Downloader\r\nPublished: 2022-03-15 · Archived: 2026-04-05 13:15:40 UTC\r\nSummary\r\nI came across a fairly interesting VBS-based DanaBot downloader the other day, and I figured it was worth doing a quick write-up on the obfuscation scheme and a few of the other TTPs I observed. The social engineering pretext used in this campaign was interesting as it leveraged an “unclaimed property” themed lure and required user interaction to deliver the first stage payload. A VBS file then fetches the DanaBot downloader. The VBS file contains an embedded URL that is not obfuscated, but the actual execution mechanism is encoded in a very long string.\r\nIn this blog, we will take a quick look at the social engineering pretext, then review the obfuscation scheme itself. Finally we will wrap up with coverage of three different methods to analyze and decode the VBS (each in order of complexity and potential to make you hate yourself). The first method we will review is the usage of a VBS debugger for a quick win. We will then review an alternative where we can debug the VBS file itself without any special tools, just by editing a few lines of code in the file. Finally, we will conclude with (debatably) the ultimate exercise in futility, which is writing a Python decoder from scratch. This method doesn’t do anything for us beyond instilling a sense of satisfaction and providing an opportunity to understand the underlying obfuscation scheme a little bit better, and learn a little Python to boot. Let’s go!\r\nhttps://security-soup.net/decoding-a-danabot-downloader/\r\nPage 1 of 12\r\nFigure 1. This Analyst’s thought process in meme format.\r\nDanaBot Overview and Delivery\r\nI don’t typically do much analysis on DanaBot as I simply don’t see it as often as the other eCrime variants that are delivered in massive volumes and in widespread campaigns. In this case, I found it interesting based on the social engineering scheme that required user interaction and the website landing page that had several elements that attempted to reassure victims and instill a sense of security. In addition, DanaBot caught my eye as it has been covered in the news and via OSINT reports from Zscaler that have linked DanaBot to recent DDoS campaigns against Ukrainian organizations, possibly in support of strategic objectives related to Russia’s war efforts. The authors make a point to stress that “It is unclear whether this is an act of individual hacktivism, state-sponsored, or possibly a false flag operation.” To be clear, there is no known link observed between the campaign covered in this blog and DDoS events in Ukraine — they are simply both linked to DanaBot.\r\nFigure 2. Execution chain for delivery of DanaBot\r\nThe DanaBot malware is a banker/infostealer originally discovered by Proofpoint researchers in 2018. It is operated by a financially motivated criminal group tracked as “SCULLY SPIDER” by CrowdStrike in a Malware as a Service (MaaS) model with multiple affiliate partners. Although DanaBot’s core functionality has focused on stealing banking credentials, it has been known to be used in DDoS operations before.\r\nDanaBot has been delivered via a variety of methods in the past, including cracked games, sabotaged code packages, and phishing emails. 
In this case the VBS file was hosted on a fake “unclaimed property” website: www[.]moneyunclaimed[.]net.\r\nFilename: rpetitto-s980361ad.vbs\r\nSHA256: a4f1ea5dd434deee93bdf312f658a7a26f767c7683601fa8b23ef096392eef17\r\nI have observed other domains in recent campaigns with a similar theme such as www[.]unclaimed2[.]com and/or www[.]unclaimedhq[.]com. All of these sites lure a potential victim into performing a “search” for unclaimed property. The threat actors use a questionable selection of thumbnail portraits, but I’m assuming most visitors won’t notice or care. The site is slick enough to likely fool most potential victims.\r\nFigure 3. The landing page\r\nAnd this is where things get interesting. The website is interactive, and in fact even requires user interaction to complete the initial malware delivery. If a user clicks on “Search”, they will be taken to a fake search page and prompted to input their First and Last Names and their state of residence. It even has a captcha in an attempt to appear more legitimate! There are other themes leveraged in the page, such as making reference to the McAfee and GoDaddy brands in the site’s footers to further cultivate a sense of trust and security with the victim.\r\nFigure 4. Running the property “report”\r\nIf the potential victim is “fortunate” enough to get results, they are prompted to download a “report” that allegedly contains their unclaimed property findings. However, in reality the ZIP archive that is downloaded contains a copy of WinRAR and also the initial VBS downloader.\r\nThe Obfuscation Scheme\r\nThe URL is plainly available, but execution is not. If all you care about is IOCs, you can just stop here. But we don’t just care about IOCs, because IOCs without contextual behavior aren’t that helpful. 
We can do better.\r\nUnfortunately, simply accessing the VBS code turned out to be just the first stage of the battle. This particular file has two loops that encode the script that is later executed as a function. In most analysis scenarios, speed is of the essence, so it is often better to rely on tools to dump the code via a dynamic analysis sandbox or debugger, but I often prefer to take a static analysis approach and manually decode the scripts in order to tease out the underlying subtleties of their operation. It is also just a fun exercise, akin to putting together a puzzle or deciphering a riddle. This type of approach may also provide some insight into adversary tactics, techniques, and procedures (TTPs) that would otherwise be lost (or at least glossed over) when employing dynamic analysis.\r\nFigure 5. The entire VBS content\r\nThe primary obfuscation technique utilized in this script is string operations. The URL that hosts the final DanaBot payload is in clear text, but the function containing the execution is encoded in a very long string (over 2,000 characters). There are two loops that iterate through this string. All of the text in comments or quotes is meaningless and can be ignored for the purpose of analysis.\r\nFigure 6. Prettified VBS\r\nThe first loop takes slices of two characters each and adds them to a dictionary object. The second loop iterates through the string, takes slices of two characters, and then looks up those values in the dictionary it just created. It then accesses the key that corresponds to the lookup value. Since the dictionary is 256 keys long, each key correlates to a character in the extended ASCII set. 
Finally, these keys are converted to their ASCII values, stored in a final variable and then executed as a function.\r\nDecoding the Downloader 3 Ways\r\nSo at this point we have a basic understanding of how the code works and we have the network IOC for the next stage payload. The final piece of information an analyst would typically investigate is the manner in which the next stage is executed. This is important for many reasons — but perhaps most importantly — understanding the specific tactics, techniques, and procedures (TTPs) can provide helpful contextual enrichment for developing detection content and identifying potential residual disk artifacts. In this next section, we will take a look at 3 options for how one could go about fully decoding the script to isolate these execution details.\r\nMethod 1: Using Vbsedit to debug\r\nFirst, and perhaps most viable, is simply using a debugger to execute the code in a controlled manner and capturing the result as output. I have found the tool that is easiest and best for this purpose to be VbsEdit. This tool is not free; however, the lifetime license is very reasonably priced. There is also an evaluation license that allows usage of the tool, but implements some guardrails with an additional delay and some obstacles in the form of message prompts in the evaluation mode. Either way, the tool works great and you can set breakpoints and use the debugger console to step through the code. You can use this to populate variables and/or jump straight to the full output as shown below.\r\nFigure 7. Debugger output\r\nThis is a powerful tool whose capability to debug the code for quick output is hard to beat. Automatically de-obfuscating the code saves a ton of time, which can then be spent on other analysis or using the gathered information to pivot further on an investigation. 
In this sample, we uncovered multiple tool marks of interest, including the creation of a shell object and usage of wscript to kick off the script, the full path for the next stage payload written to disk, and the usage of rundll32 to execute that payload. This is a common technique that most EDR platforms should detect, but if you are following along at home, there are ATT\u0026CK taggings below if you need to check for coverage.\r\nMethod 2: Modifying the VBS code to print to file\r\nThe second method we will look at is somewhat slower, but still provides quick output. The advantage to this method is that it does not require any additional tooling beyond a text editor and the ability to run VBScript. The idea with this approach is that instead of executing the script within a shell object, we will simply redirect the script’s content as output to a file of our choosing. This requires the addition of just 4 extra lines of code. It should be noted that when using this method it is safest to also comment out the “Execute(temp)” function by prepending the line with “REM”.\r\nSet objFSO = CreateObject(\"Scripting.FileSystemObject\")\r\noutFile = \"\u003cINSERT PATH TO FILE\u003e\"\r\nSet objFile = objFSO.CreateTextFile(outFile, True)\r\nobjFile.Write \u003cINSERT THE FUNCTION'S ARGUMENT HERE\u003e \u0026 vbCrLf\r\nThe variable names in the code don’t matter. You can change them to whatever you wish. I just use what I copied off the guy that showed me how to do this. One additional note: the 4th line in the above can be moved around to wherever you like, sort of like using it as a breakpoint, as that will output the script to file at that point in its execution. The fourth line also needs to be modified with the specific argument that is called by the function being debugged.\r\nFigure 8. File modification to write to file\r\nMethod 3: Writing a Python Script (slow and pointless?)\r\nAlright, so I’ve spent plenty of my time here writing a blog post that probably three people will ever read, and if you think that was a waste of time, well have I got a surprise for you… Because I wasn’t content to just extract my IOCs and TTPs and write my little Yara rule (see below). No. I decided I wanted to commune with this code for a deeper understanding of how it worked, and how it fit in with the greater mysteries of the Universe. Also, I hadn’t written any code in a while, and I thought it could be a fun exercise to crack the ole knuckles, scrape off the rust, and slap together some Python. Ultimately, I didn’t unlock any mysteries of the Universe, but I did write some dodgy Python and learned a few things — so I will count that as a win in my book.\r\nFigure 9. If a Python falls in the forest with nobody around, does it still make a sound?\r\nThe script here is very simple as you can see below. We don’t need any fancy imports or dependencies, just plain ole Python does the trick. Basically, the Python script works exactly like the VBScript. It first takes a string variable, then sets another variable to ensure we grab a pair of characters from the string. We then take two slices of the string, the first being for the creation of the dictionary, and the second used to build the command. After the first slice is converted into a dictionary, the second slice is simply indexed.\r\nWe then need to access the items in the dictionary and loop through the second slice’s index. For each character pair in that loop, we look up the key for that value in the dictionary and convert the key’s decimal value into its ASCII character. Then it is just a matter of joining the characters and printing them out to the console. 
Voilà!\r\nFigure 10. The fruits of our labors.\r\nConclusion\r\nSo that’s it, my take on conducting analysis on a recent DanaBot downloader sample. This campaign caught my eye as the social engineering tactic was fairly convincing. The VBScript itself used an interesting string obfuscation method as well, although nothing novel. I’ve shared a few resources and tools that can hopefully enable analysts to improve the velocity of their data gathering for triage and investigations. ATT\u0026CK tagging is provided below, and I’ve included some IOCs from similar campaigns, and a quick Yara signature that could help detect this particular downloader. I hope some of the analysis techniques will be helpful to those learning the ropes and/or looking for new methods to add to their current toolkit. Thanks for reading!\r\nDetection\r\nrule VBS_Downloader\r\n//Downloaders were observed delivering Danabot in February/March of 2022\r\n{\r\n    meta:\r\n        description = \"Simple rule to detect VBS downloaders\"\r\n        created = \"2022-03-13\"\r\n        author = \"Ryan Campbell @sec_soup\"\r\n    strings:\r\n        $a = \"CreateObject(\\\"Scripting.Dictionary\\\")\"\r\n        $b = \"Dict.Add Mid(\"\r\n        $c = \"-1,2), i\"\r\n        $d = \"Mod 2 = 0 and Dict.count \u003c\u003e 256 then\"\r\n        $e = \"Mod 2 = 0 and Dict.count = 256 then\"\r\n        $f = \"Chrw(Dict.Item(Mid(\"\r\n        $g = \"Execute(temp)\"\r\n    condition:\r\n        6 of ($a,$b,$c,$d,$e,$f,$g) and filesize \u003c 50KB\r\n}\r\nIOCs\r\nwww[.]moneyunclaimed[.]net\r\nwww[.]unclaimed2[.]com\r\nwww[.]unclaimedhq[.]com\r\nz3[.]goldfishcloud[.]top\r\n2186495019ee3d4838df3482eaa3c6b37f08d68b8ef0675342cb761ccf04c4fc\r\nATT\u0026CK Tagging\r\nExecution\r\nUser Execution (ATT\u0026CK ID: T1204)\r\nCommand and Scripting Interpreter: Visual Basic (ATT\u0026CK ID: T1059.005)\r\nSigned Binary Proxy Execution: 
Rundll32 (ATT\u0026CK ID: T1218.011)\r\nDefense Evasion\r\nDeobfuscate/Decode Files or Information (ATT\u0026CK ID: T1140)\r\nMasquerading (ATT\u0026CK ID: T1036)\r\nCommand and Control\r\nRemote File Copy (ATT\u0026CK ID: T1105)\r\nReferences\r\n[1] https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot\r\n[2] https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0\r\n[3] https://www.zscaler.com/blogs/security-research/danabot-launches-ddos-attack-against-ukrainian-ministry-defense\r\n[4] https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf\r\n[5] https://www.zscaler.com/blogs/security-research/spike-danabot-malware-activity#:~:text=DanaBot%20is%20a%20malware%2Das,affiliates%20to%20the%20threat%20landscape.\r\n[6] https://www.virustotal.com/gui/file/2186495019ee3d4838df3482eaa3c6b37f08d68b8ef0675342cb761ccf04c4fc\r\n[7] https://www.vbsedit.com/\r\n[8] https://github.com/Sec-Soup\r\n[9] https://github.com/Sec-Soup/Python-ToolBox/blob/master/vbs-decode-dana/vbs-decode-dana.py\r\nSource: https://security-soup.net/decoding-a-danabot-downloader/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://security-soup.net/decoding-a-danabot-downloader/"
	],
	"report_names": [
		"decoding-a-danabot-downloader"
	],
	"threat_actors": [
		{
			"id": "02e5c3b8-54b4-4170-b200-7f1fd361b5a9",
			"created_at": "2022-10-25T16:07:24.557505Z",
			"updated_at": "2026-04-10T02:00:05.032451Z",
			"deleted_at": null,
			"main_name": "Scully Spider",
			"aliases": [
				"Scully Spider",
				"TA547"
			],
			"source_name": "ETDA:Scully Spider",
			"tools": [
				"DanaBot",
				"Lumma Stealer",
				"LummaC2",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"Rhadamanthys",
				"Rhadamanthys Stealer",
				"Stealc"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b3070c7b-c1e8-462c-94f1-62a0d2bdbc67",
			"created_at": "2023-01-06T13:46:39.116254Z",
			"updated_at": "2026-04-10T02:00:03.218594Z",
			"deleted_at": null,
			"main_name": "SCULLY SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:SCULLY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434621,
	"ts_updated_at": 1775826748,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/93e1852520ec90a0d3377e8698b03757bf001e73.pdf",
		"text": "https://archive.orkl.eu/93e1852520ec90a0d3377e8698b03757bf001e73.txt",
		"img": "https://archive.orkl.eu/93e1852520ec90a0d3377e8698b03757bf001e73.jpg"
	}
}