Published May 17, 2019 | Updated Apr 18, 2025

TrojanDownloader:VBS/Danabot

Detected by Microsoft Defender Antivirus

Aliases: No associated aliases

Summary

DanaBot is a sophisticated banking Trojan and infostealer, developed in Delphi and first identified in May 2018. It operates as a Malware-as-a-Service (MaaS) platform: cybercriminals, known as affiliates, purchase access and distribute it for various malicious purposes, including credential theft and financial fraud. The malware employs a multi-stage infection chain, often beginning with a dropper that retrieves and loads a secondary payload, typically a DLL. DanaBot is modular, allowing it to perform several malicious actions, including stealing credentials, capturing screenshots, recording keystrokes, and injecting scripts into web sessions to manipulate browser interactions. It is distributed through phishing emails, cracked software, and malspam campaigns, and has also been linked to DDoS attacks. DanaBot utilizes a centralized command-and-control (C2) infrastructure, to which each compromised system connects to receive instructions and additional payloads. Recent versions have improved evasion techniques and introduced support for Tor-based C2 servers.

Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts.