Merge pull request #522 from Delta-Sierra/master

add sdbbot
2020-03-06 15:24:14 +01:00 · 2020-03-06 15:24:14 +01:00 · e81c91e3e9
parent a407ddcc5b b007d5d3ce
commit e81c91e3e9
2 changed files with 16 additions and 2 deletions
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@ -13627,7 +13627,8 @@
        "extensions": [
          ".CIop",
          ".Clop",
-          ".Ciop"
+          ".Ciop",
+          ".Clop2"
        ],
        "refs": [
          "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf"
--- a/clusters/rat.json
+++ b/clusters/rat.json
@ -3426,7 +3426,20 @@
      },
      "uuid": "bbff39cb-a12b-4b18-be20-aa9e6d378fa6",
      "value": "Warzone"
+    },
+    {
+      "description": "SDBbot is a new remote access Trojan (RAT) written in C++ that has been delivered by the Get2 downloader in recent TA505 campaigns. Its name is derived from the debugging log file (sdb.log.txt) and DLL name (BotDLL[.]dll) used in the initial analyzed sample. It also makes use of application shimming [1] for persistence. SDBbot is composed of three pieces: an installer, a loader, and a RAT component.",
+      "meta": {
+        "refs": [
+          "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader"
+        ],
+        "synonyms": [
+          "SDB bot"
+        ]
+      },
+      "uuid": "9d36db93-7d60-4da6-a611-1a32e02a054f",
+      "value": "SDBbot"
    }
  ],
-  "version": 33
+  "version": 34
 }