From d8ea0f865c958e089da00028c7dc5f82f0681e7b Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Mon, 2 Mar 2020 13:33:38 +0100
Subject: [PATCH 1/2] add clop ransomware extension
---
 clusters/ransomware.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 9602fb1c..d7c9819d 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -13627,7 +13627,8 @@
 "extensions": [
 ".CIop",
 ".Clop",
- ".Ciop"
+ ".Ciop",
+ ".Clop2"
 ],
 "refs": [
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf"
From b007d5d3ce56b526567291953f7ca287ce4d2b86 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 6 Mar 2020 14:33:19 +0100
Subject: [PATCH 2/2] add SdBbot
---
 clusters/rat.json | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/clusters/rat.json b/clusters/rat.json
index 91baed86..5bc8f763 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
@@ -3426,7 +3426,20 @@
 },
 "uuid": "bbff39cb-a12b-4b18-be20-aa9e6d378fa6",
 "value": "Warzone"
+ },
+ {
+ "description": "SDBbot is a new remote access Trojan (RAT) written in C++ that has been delivered by the Get2 downloader in recent TA505 campaigns. Its name is derived from the debugging log file (sdb.log.txt) and DLL name (BotDLL[.]dll) used in the initial analyzed sample. It also makes use of application shimming [1] for persistence. SDBbot is composed of three pieces: an installer, a loader, and a RAT component.",
+ "meta": {
+ "refs": [
+ "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader"
+ ],
+ "synonyms": [
+ "SDB bot"
+ ]
+ },
+ "uuid": "9d36db93-7d60-4da6-a611-1a32e02a054f",
+ "value": "SDBbot"
 }
 ],
- "version": 33
+ "version": 34
 }
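Review bot: The new `".Clop2"` extension is added without a supporting source, while the `refs` array in the same hunk still lists only the CERTFR-2020-CTI-001 PDF; an indicator that consumers will match on should be traceable, so add the report that documents `.Clop2` to `refs` (e.g. `"<URL of the report documenting .Clop2>"`). Separately, the second patch of this series bumps `rat.json` from `"version": 33` to `34`, but this patch leaves the ransomware cluster's `version` untouched (the diffstat shows only 2 insertions and 1 deletion); if `ransomware.json` follows the same convention, bump it so downstream galaxy updates pick the change up. The enclosing Clop entry begins before this hunk, so its `version` line is not visible here.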
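Review bot: The added `description` carries a dangling footnote marker, `application shimming [1] for persistence`, copied from the cited article; `[1]` refers to nothing in this cluster, so either drop the marker or add the footnote's target to `refs`. The phrases `a new remote access Trojan` and `in recent TA505 campaigns` are time-relative and will age in a static cluster; consider dropping `new`/`recent` or anchoring them to the date given in the cited report. The entry is otherwise consistent with its neighbour (`meta.refs`, `meta.synonyms`, `uuid`, `value`) and the `version` bump to 34 is present; the enclosing `values` array starts before this hunk.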