From 6f7a7921ae9d0e9cf3d364cde84887e93146fc62 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Fri, 6 Jul 2018 15:25:05 +0200
Subject: [PATCH] new: Add entries from Bambenek Consulting
---
 clusters/banker.json | 66 +++++++++++++++++++++++++++++++++++++++-
 clusters/botnet.json | 64 +++++++++++++++++++++++++++++++++++++-
 clusters/ransomware.json | 9 ++++++
 3 files changed, 137 insertions(+), 2 deletions(-)
diff --git a/clusters/banker.json b/clusters/banker.json
index 1f0ad4fb..725f3d56 100644
--- a/clusters/banker.json
+++ b/clusters/banker.json
@@ -2,7 +2,7 @@
 "uuid": "59f20cce-5420-4084-afd5-0884c0a83832",
 "description": "A list of banker malware.",
 "source": "Open Sources",
- "version": 9,
+ "version": 10,
 "values": [
 {
 "meta": {
@@ -595,6 +595,70 @@
 "value": "Backswap",
 "uuid": "ea0b5f45-6b56-4c92-b22b-0d84c45160a0"
 },
+ {
+ "meta": {
+ "refs": [
+ "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Bebloh.A",
+ "https://www.symantec.com/security-center/writeup/2011-041411-0912-99"
+ ],
+ "synonyms": [
+ "URLZone",
+ "Shiotob"
+ ]
+ },
+ "value": "Bebloh",
+ "uuid": "67a1a317-9f79-42bd-a4b2-fa1867d37d27"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.johannesbader.ch/2015/02/the-dga-of-banjori/"
+ ],
+ "synonyms": [
+ "MultiBanker 2",
+ "BankPatch",
+ "BackPatcher"
+ ]
+ },
+ "value": "Banjori",
+ "uuid": "f68555ff-6fbd-4f5a-bc23-34996f629c52"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.countercept.com/our-thinking/decrypting-qadars-banking-trojan-c2-traffic/"
+ ]
+ },
+ "value": "Qadars",
+ "uuid": "a717c873-6670-447a-ba98-90db6464c07d"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.johannesbader.ch/2016/06/the-dga-of-sisron/"
+ ]
+ },
+ "value": "Sisron",
+ "uuid": "610a136c-820d-4f5f-b66c-ae298923dc55"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.johannesbader.ch/2016/06/the-dga-of-sisron/"
+ ]
+ },
+ "value": "Ranbyus",
+ "uuid": "6720f960-0382-479b-a0f8-f9e008995af4"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://searchfinancialsecurity.techtarget.com/news/4500249201/Fobber-Drive-by-financial-malware-returns-with-new-tricks"
+ ]
+ },
+ "value": "Fobber",
+ "uuid": "da124511-463c-4514-ad05-7ec8db1b38aa"
+ },
 {
 "meta": {
 "refs": [
diff --git a/clusters/botnet.json b/clusters/botnet.json
index 7bf90bdb..86c37240 100644
--- a/clusters/botnet.json
+++ b/clusters/botnet.json
@@ -2,7 +2,7 @@
 "description": "botnet galaxy",
 "uuid": "a91732f4-164a-11e8-924a-ffd4097eb03f",
 "source": "MISP Project",
- "version": 6,
+ "version": 7,
 "values": [
 {
 "meta": {
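Review bot: The Ranbyus entry cites `https://www.johannesbader.ch/2016/06/the-dga-of-sisron/`, the identical write-up used for the Sisron entry immediately above it, which looks like a copy-paste slip rather than a Ranbyus reference; since galaxy `refs` are what an analyst follows to validate a tag, that entry should point at a Ranbyus-specific source or carry no ref until one is found. None of the six new entries records the Bambenek Consulting feed named in the commit title as a ref, so the provenance of these families is not recoverable from the data itself; adding a `refs` entry for the feed they were taken from would fix that. Only Bebloh carries `synonyms` (URLZone, Shiotob) that other tooling can match on; Banjori's `MultiBanker 2` / `BankPatch` / `BackPatcher` and the synonym-less entries should be checked against the existing values in banker.json so a family already present under another name is not duplicated into a second UUID. The enclosing `values` array starts and ends outside this hunk.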
@@ -629,6 +629,68 @@
 },
 "value": "Trik Spam Botnet",
 "uuid": "c68d5e64-7485-11e8-8625-2b14141f0501"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://news.softpedia.com/news/researchers-crack-mad-max-botnet-algorithm-and-see-in-the-future-506696.shtml"
+ ],
+ "synonyms": [
+ "Mad Max"
+ ]
+ },
+ "value": "Madmax",
+ "uuid": "7a6fcec7-3408-4371-907b-cbf8fc931b66"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://labs.bitdefender.com/2013/12/in-depth-analysis-of-pushdo-botnet/"
+ ]
+ },
+ "value": "Pushdo",
+ "uuid": "94d12a03-6ae8-4006-a98f-80c15e6f95c0"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.us-cert.gov/ncas/alerts/TA15-105A"
+ ]
+ },
+ "value": "Simda",
+ "uuid": "347e7a64-8ee2-487f-bcb3-ca7564fa836c"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://en.wikipedia.org/wiki/Virut"
+ ]
+ },
+ "value": "Virut",
+ "uuid": "cc1432a1-6580-4338-b119-a43236528ea1"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/151/beebone-botnet-takedown-trend-micro-solutions"
+ ]
+ },
+ "value": "Beebone",
+ "uuid": "49b13880-9baf-4ae0-9171-814094b03d89"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32%2FBamital",
+ "https://www.symantec.com/security-center/writeup/2010-070108-5941-99"
+ ],
+ "synonyms": [
+ "Mdrop-CSK",
+ "Agent-OCF"
+ ]
+ },
+ "value": "Bamital",
+ "uuid": "07815089-e2c6-4084-9a62-3ece7210f33f"
 }
 ],
 "authors": [
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 39a82cf7..e64aa02c 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
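Review bot: The `synonyms` given for Bamital, `"Mdrop-CSK"` and `"Agent-OCF"`, have the shape of per-vendor detection signature names rather than family aliases; if synonyms are used for tag matching and for correlation with other sources, generic detection names like these are likely to collide with unrelated samples, so either confirm they are genuinely used as names for the Bamital family or drop them and mention the vendor detections in a `description` instead. Several of the new families are commonly catalogued under another name (Pushdo is often documented alongside Cutwail, Beebone alongside AAEH/VObfus), so the existing values in botnet.json should be checked for an entry that already covers them before merging, since a duplicate cluster splits tagging across two UUIDs. The Virut entry's only ref is a Wikipedia article; a primary vendor write-up or the takedown advisory would be a stronger source for an analyst validating the tag. The enclosing `values` array starts outside this hunk.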
@@ -9974,6 +9974,15 @@
 },
 "uuid": "9d09ac4a-73a0-11e8-b71c-63b86eedf9a2"
 },
+ {
+ "value": "DirCrypt",
+ "meta": {
+ "refs": [
+ "https://www.johannesbader.ch/2015/03/the-dga-of-dircrypt/"
+ ]
+ },
+ "uuid": "cdcc59a0-955e-412d-b481-8dff4bce6fdf"
+ },
 {
 "value": "DBGer Ransomware",
 "description": "The authors of the Satan ransomware have rebranded their \"product\" and they now go by the name of DBGer ransomware, according to security researcher MalwareHunter, who spotted this new version earlier today. The change was not only in name but also in the ransomware's modus operandi. According to the researcher, whose discovery was later confirmed by an Intezer code similarity analysis, the new (Satan) DBGer ransomware now also incorporates Mimikatz, an open-source password-dumping utility. The purpose of DBGer incorporating Mimikatz is for lateral movement inside compromised networks. This fits a recently observed trend in Satan's modus operandi.",
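Review bot: The DirCrypt addition does not bump the `version` of ransomware.json, unlike the banker.json (9 to 10) and botnet.json (6 to 7) hunks in the same commit; the diffstat confirms it, showing 9 insertions and no deletions for this file. If consuming MISP instances only reload a galaxy cluster when its `version` increases, this entry will not be distributed until some later commit happens to bump it, so the `"version"` line at the top of ransomware.json, outside this hunk, should be incremented here as well. The new entry also has no `description` while the neighbouring DBGer entry does; given the ref is a DGA write-up, a one-line description noting that the family is tracked for its DGA-generated C2 domains would give analysts the context the tag is missing. The enclosing `values` array starts and ends outside this hunk.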