{
	"id": "4354ee34-a0fd-43e5-bca8-1f4e258a55c1",
	"created_at": "2026-04-06T00:16:38.917754Z",
	"updated_at": "2026-04-10T03:36:36.92073Z",
	"deleted_at": null,
	"sha1_hash": "71d071d0d47356e26ed72eeb51ad906b70fd46c3",
	"title": "TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 82161,
	"plain_text": "TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer\r\nBy Deutsche Telekom AG\r\nPublished: 2020-03-26 · Archived: 2026-04-02 12:42:19 UTC\r\nIn my very first two blogs I gave you an overview of Emotet - probably the biggest threat actor for now when talking about malware. I explained details of its modular structure and which tricks Emotet uses to stay undetected. And of course, I talked about the consequences for defenders. Want more?\r\nCybersecurity: This TA505 threat actor has been active at least since 2014. Thomas Barabosch gives an overview of the hacking tools that TA505 currently uses.\r\nThis time I would like to introduce another big threat actor to you: TA505. This is a globally operating group, which acts mainly out of financial motivation. TA505 has been active since 2014, but we at Telekom Security have seen increased activity of this group, especially since the second half of 2019. I would like to show you which tools TA505 uses, in contrast to Emotet, to sneak into companies and organizations. So, here we go.\r\nAs of February 2020, they are mostly known for Big Game Hunting operations, in which they target large organizations with their ransomware attacks. This in turn ensures very high ransom payouts, easily in the range of six-figure Euro amounts. For instance, TA505 targeted the University of Maastricht in December 2019 and demanded 30 bitcoins (BTC), roughly €220,000 at time of valuation, as ransom. Subsequently, the University of Maastricht took the decision to acquire a decryptor to get back their data.\r\nBig Game Hunting operations can take from a couple of days up to one year. 
This includes the initial compromise of one or more endpoints in a network, the subsequent network exploration and lateral movement, the takeover of strategic points like domain controllers, and the final deployment of the ransomware to as many endpoints on the local network as possible.\r\nAs these operations comprise different stages, TA505 utilizes a wide range of hacking tools to accomplish their missions. Furthermore, they continuously change and update their toolset. For instance, they added the downloader Get2 and the Remote Access Trojan (RAT) SDBBot to their repertoire of malware in mid-2019. These frequent changes and updates are a major difference from the group behind Emotet (TA542 / MUMMY SPIDER), whose tools remain unchanged for long periods of time. I blogged on this group a couple of weeks ago. In this blog article, I will review the hacking tools that TA505 is currently using.\r\nTA505 Packer\r\nBefore we dive into TA505's current tool set, let us first have a look at how these tools are packed. As of time of writing, and at least since the second half of 2019, TA505 utilizes a custom packer to obfuscate its tools. While custom packers always mean more work, since they may require manual unpacking of the payload, they are a perfect way to track threat actors.\r\nhttps://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672\r\nPage 1 of 14\n\nIn addition to this custom packer, TA505 may pack their tools a second or even a third time with UPX. I observed that TA505 packed their Get2 downloader with one layer of UPX, a second layer of the TA505 packer, and a final third layer of UPX again (see Hashes in Appendix).\r\nIn a nutshell, the TA505 packer decrypts its payload using simple XOR and ROL/ROR operations, and its technical details are well covered by this blog article. There is no need to manually unpack TA505 binaries, since Tera0017 published a static unpacker. 
This unpacker is called TAFOF-Unpacker and it is available on GitHub. As of time of writing, it works with the latest TA505 x86 binaries. Unfortunately, TAFOF-Unpacker does not work for x64 binaries yet. Thorsten Jenke and Daniel Plohmann provided the generic unpacker RoAMer, which is capable of unpacking the latest TA505 x64 binaries.\r\nLet's look behind the packer\r\nNow that we know how TA505 currently packs its tools and how to unpack them, let us have a look behind the curtains and see which tools TA505 is currently using. Throughout the last months, I obtained 121 samples that were packed by the TA505 packer. 46 samples are x86 binaries and 75 samples are x64 binaries. TAFOF-Unpacker unpacked all x86 binaries and RoAMer unpacked roughly 80% of all x64 binaries. In the following, I will review the tools that I found in the order of when they are typically utilized in a Big Game Hunting operation: from the initial malicious document to the final ransomware. Note that there are some outliers that I will address in this section as well as at the end of this article. A full listing of all samples and their classification can be found in the Appendix.\r\nThe Spam and The Maldocs\r\nTA505 carries out high-volume spam campaigns to gain its initial foothold in an organization. As of February 2020, the spam emails come with an HTML redirector attachment, which points to a server with an office- or share-hoster-themed domain name.\r\nFigure 1: TA505 HTML redirector faking Cloudflare DDoS protection.\r\nThis server typically serves Microsoft Excel documents. 
These documents include a malicious VBA Macro and try to lure the victim into activating Macros.\r\nFigure 2: Recent TA505 Excel document convincing the victim to activate Macros.\r\nIf the targeted user enables Macros, then the embedded VBA Macro loads either an x86 or an x64 embedded payload. As of February 2020, this is typically the Get2 downloader.\r\nThe Downloader: Get2\r\nGet2 is a very simple downloader. It has only two objectives. First, it calls home to its Command and Control (C2) server and exfiltrates information regarding the victim’s system. This information includes the username, the device name, the Windows version, and the list of running processes. Based on this information, the C2 server decides to serve another payload to Get2. Second, Get2 executes the payload provided by its C2 server. As of February 2020, this is typically the RAT SDBBot.\r\nAnother Downloader: Amadey\r\nEven though Get2 seems to be the current downloader, I found one Amadey dropper sample packed with the TA505 packer. Amadey is a very simplistic downloader that is sold for $600 in the Russian cybercrime underground. There is only one Amadey sample in the corpus that I analyzed. There could be many possible reasons for this, which I will address at the end of this article.\r\nThe RAT: SDBBot\r\nSince September 2019, I have observed SDBBot to be a consistent third-stage payload, which Get2 downloads. SDBBot is a Remote Administration Tool (RAT) that a human operator utilizes to prepare lateral movement. Its capabilities include, amongst others, execution of further payloads, video recording, enabling of RDP, as well as listing, writing, and deleting of files / directories. A good write-up about SDBBot's capabilities can be found here.\r\nSDBBot is very prevalent in my data set. 
A huge share of the x64 samples was SDBBot; however, there were no x86 samples of SDBBot. This is in line with the market share of 64-bit Windows. Another explanation could be that x86 SDBBots are packed differently and therefore the data set does not comprise any of them.\r\nAnother RAT: FlawedGrace\r\nFlawedGrace is another RAT that was first observed in 2017. It seems to be exclusively utilized by TA505 at this point in time. In my data set there were only two FlawedGrace samples and dozens of SDBBot samples, which may indicate that FlawedGrace was mostly replaced by SDBBot.\r\nYet Another RAT: Silence\r\nSilence is a RAT that is (exclusively) developed and operated by the Silence Group, a presumably Russian cybercrime gang. They carry out attacks against financial organizations. Group-IB pointed out a connection to TA505, stating that the downloader of TA505's RAT FlawedAmmyy and the downloader of Silence are similar. Finding Silence packed with the TA505 packer suggests a possible on-going collaboration of these two gangs, although possibly a minor one due to the low sample count of two.\r\nThe Information Stealer: Azorult\r\nAzorult is a classic information stealer that steals saved passwords, credit card information, and cookies from browsers, as well as credentials from a wide range of software such as FileZilla, Microsoft Outlook, and Thunderbird. Potential use cases for TA505 could be utilizing stolen credentials for lateral movement, feeding stolen mail account credentials back to the spamming stage, or selling them to the highest bidder. Researchers at Blueliv also observed other information stealers like Predator The Thief in the context of TA505.\r\nThe Post-Exploitation Tool: TinyMet\r\nTinyMet is a very small (around 4 KB) stager for Metasploit's Meterpreter. 
Its main objective is to establish a communication channel between the attacker and victim and to execute a file-less payload on the victim's machine. TA505 utilizes TinyMet during the post-exploitation phase in order to deploy their ransomware Clop.\r\nThe utilization of public Offensive Security Tools (OSTs) by threat actors involved in Big Game Hunting operations is a common trend. It is logical since these OSTs provide capabilities that threat actors do not have to build on their own. In addition, many of them are freely available, either as open source software or as cracked versions (e.g. Cobalt Strike).\r\nThe Preparation Tool: DeactivateDefender\r\nTA505 precedes the last stage of rolling out their ransomware by deactivating security tools. The objective is to prevent any behavioral analysis from stopping their ransomware and the ongoing encryption process. The tool DeactivateDefender achieves this by changing Windows Defender-related registry keys. In my sample set, the several samples I found all deactivate Windows Defender, though there seem to be variants that target other security tools like Malwarebytes.\r\nThe Ransomware: Clop\r\nTA505 finishes its Big Game Hunting operations with their ransomware Clop. At this stage the threat actor must be pretty confident that their operation will succeed: strategic points of the target network have been taken over and antivirus software has been disabled. As a consequence, Clop encrypts many, if not all, endpoints of the target network within minutes. From a technical point of view, Clop emerged as a variant of another ransomware called CryptoMix, but by now it seems to be developed separately.\r\nConclusion\r\nIn this blog article, I have had a look at a partial set of TA505 tools that are currently in use. Note that this is only a snapshot of their toolset. 
A couple of weeks ago, Blueliv mentioned additional tools like the RAT ServHelper and a modified TeamViewer client. In general, TA505 continuously replaces parts of their toolset. They have abandoned many tools and they certainly will abandon at some point the tools I observed. One of TA505's tactics seems to be to continuously change their tools to evade detection and to make tracking more difficult.\r\nHaving reviewed the tools that are behind the TA505 packer, there are many questions that one could now pose regarding TA505 and this packer: is TA505 one group or several groups? Or is it a group of subgroups that share one packer? Or do they share their packer with affiliated groups like Silence? Or is the TA505 packer not exclusive to TA505 and just another packer sold in the cybercrime underground? I believe that this packer is exclusive to what is publicly tracked as TA505, since the majority of samples are in line with what is publicly tracked as TA505. Only a few samples seem to be outliers. Take for instance the Amadey downloader sample, which could have been an experiment or a service to a client / affiliated group. Otherwise I would have expected to see more samples of this early-stage tool, as in the case of the Get2 downloader. And in the case of the Silence RAT, there seems to be at least some form of cooperation between TA505 and the Silence Group. Even though these outliers exist, the vast majority of samples falls into the Big Game Hunting category.\r\nAnother question regarding TA505 that may come to one’s mind is whether there is another branch of TA505 that carries out more targeted attacks (e.g. as reported by BlueLiv and by FireEye) or whether it is the same group that carries out these attacks. 
At least the ServHelper RAT that is mentioned in the BlueLiv report (see Appendix) seems not to be packed with the TA505 packer, which is another modus operandi. In fact, FireEye started to track this subset of what is publicly tracked as TA505 as another group.\r\nAppendix\r\nHashes of representative samples\r\nd84bf8370e8f75de9cc8de410d4c4fd0256ab31542c63b797684e3eb8df185d0 Maldoc with UPX-packed Get2\r\n017c8e29cda1b77fdaef28b22ab0200385ff1b7b452e6252131bae86c0ef0cf6 Get2\r\n0617ddb1b7e7ab86159bc7be01c86c50a9d7a57db0914486c496e277c10b19ae Amadey\r\ne49953079c9f18adc26bfdd01d17add9b50f145936457ce01abc1489b143a25b SDBBot\r\n43723e8cea065bbbd4339ed83cb2edb4c1f4d686301a8a26d2c0d02672c07ed4 FlawedGrace\r\n4b0eafcb1ec03ff3faccd2c0f465f5ac5824145d00e08035f57067a40cd179d2 Silence\r\ne4eb1a831a8cc7402c8e0a898effd3fb966a9ee1a22bce9ddc3e44e574fe8c5e Azorult\r\n74c5ae5e64d0a850eb0ebe3cbca4c6b92918a8365f2f78306643be9cffc32def TinyMet\r\n6d13ddebdb7c57d61afecf6450b6d5667367d2ca8a263c6977af83eb143190d1 DeactivateDefender\r\n6d8d5aac7ffda33caa1addcdc0d4e801de40cb437cf45cface5350710cde2a74 Clop\r\nd83063586bbdd28a3936fc508e69c0d880673fb985429ede6d0369c91250cbc2 ServHelper RAT referenced by BlueLiv\r\nHashes (x86)\r\n017c8e29cda1b77fdaef28b22ab0200385ff1b7b452e6252131bae86c0ef0cf6 Get2\r\n04e97922edd766b69fecf42370b52f81fe9efd7927e16eb8374042f565430365 Clop\r\n0617ddb1b7e7ab86159bc7be01c86c50a9d7a57db0914486c496e277c10b19ae Amadey\r\n0ba5294285461185a370af117d551080b678b399271143e9ede8a86aa74f4b9a Get2\r\n0bd7ec24742b5b87136e47396c0462865c92d29dc86e64468f4cefe7d6d7d863 TinyMet\r\n13831c641d1c0df39505b45fb71edc6cfb7bd6990415cf69d675d14f75df0f93 Clop\r\n155463dc90693d42ef1ab1910e4fdaad7216555bcaefaf60d1e6582468775dc3 
DeactivateDefender\r\n238d40bbc430c6098a8ad4682ac3722e36b1d2e91fc9030124e5152b6b186e94 TinyMet\r\n25bfe1bd30bbe5100498ed74eb413168a3740cb03a6cca489a88324f20b71c0f Get2\r\n28534d617055925d0bd3f8fb6ec8f0f66731744cac5997ffa18ecd8e9986a2ff TinyMet\r\n318f86f9af6dca3431fb88d56171a637fbc49d87e222488692a19f59f5f56ae9 TinyMet\r\n3b5f2d1f3e9400ce830945a6a2e3ca5dc6ce1263eaed79ca1a66f40eed676b96 Get2\r\n41ed4f18b095f8a28dcb2f1a046fdd60de60321847eea7fa7b792b94017437a0 Get2\r\n43061ac4c490c98f7b225c6143c048a7c4b0c9cb1607bf17ad3d7e5f867aae5b Clop\r\n43723e8cea065bbbd4339ed83cb2edb4c1f4d686301a8a26d2c0d02672c07ed4 FlawedGrace\r\n46cab94e42a739b6ff68c310e17189ae685116b89b54c1893aa858e434e6996a Get2\r\n4b0eafcb1ec03ff3faccd2c0f465f5ac5824145d00e08035f57067a40cd179d2 Silence\r\n4d8c313d585ab2912037d8e07ce4dfc1fe7870dba1a8d75964128ce4d5a3168d Silence\r\n5bf2ec8edf8e6c69a0f3b8cc84ce22b06c96d7cd9bd388ea3b7a99e990b253ce FlawedGrace\r\n6d115ae4c32d01a073185df95d3441d51065340ead1eada0efda6975214d1920 Clop\r\n6d13ddebdb7c57d61afecf6450b6d5667367d2ca8a263c6977af83eb143190d1 DeactivateDefender\r\n6d8d5aac7ffda33caa1addcdc0d4e801de40cb437cf45cface5350710cde2a74 Clop\r\n74c5ae5e64d0a850eb0ebe3cbca4c6b92918a8365f2f78306643be9cffc32def TinyMet\r\n7e43a3a9b4ed3820c91d74c6b128c00d0f0ba267f97c101fdc89fc66816258f1 Get2\r\n7f122f4c8dd6adbb8e71e65ac5ed99e981ead827186518be88ae6f6a569d554f DeactivateDefender\r\n850adf1b855e043ec92b271d921502994bf8f39da090748fcc5fd40749ed0d0c Clop\r\n861284acf359d91bdcc68ea791bd807a569b4c289450b1eaf8fcbc7ca43be7ff Get2\r\n8a14d70433b5ec004e5295e1e8aef3ad406b80fa22eeeb8283edac706f1724d1 Get2\r\n9065b394d99a5812a3d56b51992f9d4592c9c8d1cc96ee565299e0f6f5400329 Clop\r\n93d60464aa6f4c46cfe71763e6b591d0444121d7e38e11b5122471715ff7b436 TinyMet\r\n967a66466eec2345aabd6999507340ce9bc94b1f0ce8a99cb279620379ab59a6 Clop\r\n9bcdf30646e15a28d3d4f00e5dc804bac1336a51a6f9f87098b8bf746bea0e96 Clop\r\n9efaa4eaad1da49e4893f80295c473faefadd00370e13fa07e83aade88b5f390 Get2\r\na407101bb3f2cf7f34ee5b0025fa80d7c488dd7aa789522333461fa5d73b69e7 Get2\r\nae22f4d687957c368b55c3ee5c493c7e72f63dc6c8530f2c2caf1b29fd280349 Clop\r\nbd5c800fa6b0f67cd7343158efca2ff95735cb7a82c62e0ce84442344e0b2f55 Get2\r\nbd9c2c9a08d890c36ff8d83f2fe8adfa965faaeded961406722a87e53852c95e Get2\r\nc33899af88bd583bcf779d4516bd554c0b0bfb7277dab87a124852c81360c795 DeactivateDefender\r\nc5aef005b14b035bc74142fea8de5ee40f9ea5644ad0fe0a71bd59167d14e1fa Get2\r\nc942c117e04a6173f1ee6da437a4e42544a92e4052fa72ea52dbc1e17ee138a7 DeactivateDefender\r\nd2a09be9dfe59b5a24675a412117b3b0df23667fb8f7b2b6b06520519f0e15d1 DeactivateDefender\r\nd3604c779b7decc195cee43251289568a957c0712c520868ddd0f3d0e0ca596f TinyMet\r\nd3b2385aee12637d932654552200dd63b5b34ab81b850f4f901a029f7e22d66e Get2\r\ne4eb1a831a8cc7402c8e0a898effd3fb966a9ee1a22bce9ddc3e44e574fe8c5e Azorult\r\ne8fa1317e21034a4279d49364182560783ff4ad903078c18edc6bd97d75d86e6 DeactivateDefender\r\necc871318a482b1db40233db2ca9525c0131bd011db5de80191d9b5953b7976d FlawedGrace\r\nef571b7ff5db8ea20ee42474c626cff52b83963fcd39bc5238cb84d070887882 Clop\r\nHashes (x64)\r\n02e4e13a4471879c5b3943e1790af545099d8ac34a1e6bb50095dcb480f3376c Get2\r\n05eaf9287fbca272bdd08fd474983d898da496f48e023ca19ee26acab0102e72 SDBBot\r\n078db073259af3d431e72d4f35befe3aef681fb140dd80d853ac5b29e064f596 Get2\r\n07be5d876aa45fd4d6f68a7c3ffa9e0a67f4d3d5f557309e5621334ffea74b84 Get2\r\n0dc28068279678cebc5a885cb56edab4fcf930d68a668f39a4e2de1e0d75a082 Get2\r\n0e14d32b91cdd0e21c43c90924d93d5dd7f19596b2d771ae9ea4ab991c1d8a0a Get2\r\n0e2be7d0909f863d81986430084e4d64da6390c43c1846752c5dd8ac15e4aa99 
SDBBot\r\n0ec3608921fb357ad48365185edc71e8d40b2e8052ffcc48809e5a5a7f0cc1eb Get2\r\n121e581e1d1c553d3976a8b054fc42818025955093214a3233831db5a7905b08 Get2\r\n141d71d86cd25b210b67fe8e49d2abf63324b7ce36736b95b51c9258c4b1ddbb Get2\r\n14341f74443e6d0dfde80fadb6dc48fa928e3ef31af2e05e357d5ed4d20f28d9 Get2\r\n1597b0f644a89509472cae64a63c79aaf545c9712cde453849e79178a4be1519 Get2\r\n1ac115a67bff6cd95a7150651807e8ffe5b67c3ada7897138ee2d01a4c7dd3b9 Get2\r\n1d53b599a7059d476c1f4f7bd8b32979676f0d7c3953cac2cedf01ec25fb69cd Get2\r\n22aa6a954d6cc074e6ae159766c2e94d0b08b6cef6c635ea65c585bb4798b576 Get2\r\n276ac3d7f9593b7f6bc1c282e27763581abf0571342ff446a9f81b9b58a41dcd Get2\r\n288756991e3cf5ee1296dd4b699b22140b8acc2d2460942e524175a9b0e30784 Get2\r\n309c15c52e4d61e15901051428ea00e1b9c916ac6bc69449c03239e110864343 Get2\r\n34b1f39453d2340cb78d2731ac4e5b85ec1dfa38fc60f49c40b66fcf8819e3d9 Get2\r\n3b409268a8cfb58052e1e93ec38d94f260ea5bd64a1ebdcb7c69feba8fcc6995 Get2\r\n4264e428e96376609462b8339b93c829b0b506784ab20c8561416aff2ca1f0c3 Get2\r\n47fcafa29d3610f5ec276d7b6cdb3e4a7ae1f8a24762a56acc080be69a8667c1 Get2\r\n4a3faf2bccb773086fb34e7c486ada09f0d2ec47e5a06c684130c153d4392ddd Get2\r\n4bda777159fcaf021cb5ac98dc6f427fc0dc4725abb6a3d6521d7a0f89897063 Get2\r\n4c6a15b0efb1b3ac86869b7771cf57b75d4f6f6150c9e47655bcdf8ef387d18f Get2\r\n4e3afee4db687d1609541302b5b80d9c01cdc2b30f4f8d6481243b2b7217b97d Get2\r\n4fafcbd5009694e420fe85fa39c6c3f85fbb6c3ef871f6e9e1a232453742e475 Get2\r\n511ecf63f0bce7287c1ed6c931a94761b9425f3def1aea3398cb1765cd472166 Get2\r\n51730c6f705071b2ca031e2cd65a365dddcb07728f3e2c94715e8160ad37ab68 Get2\r\n53a290caf81d44d56f57e7a9c7fefadca0a18fac73fdeba97c7dcf5989150702 Get2\r\n5438272df636e70bf68dbaabc55a4f60452a0eb56c5e17e426c74ce179908211 
Get2\r\n5b07369ada0a27d3259fd9523752b0a64fd4ebf21453ed7a2c442e57e5806445 Get2\r\n5ccfede2af0fd43d36d2d8f48787dc93d80dfb6e9655af367d406dc01994442e Get2\r\n5eeabd672965a671d7e75b40415a9c3502ba1987627122fdfe9f5064fc180ca6 Get2\r\n5ff0b9b14305683b9d7a14e71390ce5c7a7b29a5da4410d3df3b35268e09d9be Get2\r\n64f9c5dfda76fa986efcc6bcc22d5d052a9ca06e165f7bcf5fac8dcc10339f49 Get2\r\n66b35a54537946e23f17ef11ec217c88952f56849eb0ff535b324cd48ff109b5 Get2\r\n679bdcf3c369a90e82cfa5f5467e42c5c288bcc5264a4400d455e4568bf1d525 Get2\r\n6d5c207c998990f1e7c527971dfe0eb6d2b21fca136d616e6e211019d1c77698 Get2\r\n7327b04cf529f21f8d12f353ca5135e5a81f862d6ab8056dfbcedfcf8caa3666 Get2\r\n77329d82a96dfd81ec55c3e2ad8c4cef210d6d3dcdd7518f54aebe7f5606a6cd Get2\r\n7f4f69a2133ed3882bac7675c9aba77296bdeb3b4d624ca281de5032500b4f7f SDBBot\r\n80d72b63347f9fa70ac03fafcc46247b400ef2cbbb258f1bb55aa4981faf03fd Get2\r\n80e806c1c9a5a96ae46ca01c9a5748ceb89bd9e51405e88c0d90e6bfad713440 Get2\r\n81b6fe266fba724d6e37b751424d98111669971d8e8393bd5363c8b95d130dc6 Get2\r\n89257472a6a65659a98245ea9ddbf01081a2e0ebc51d9c946d4c3d64d240f99c Get2\r\n8978e1825ddd5a175c27ea8e75f878dd68aa59c64fb393cce5bfd2692c3161ea Get2\r\n8e8a8d06f72f2a5ed79e478e644dea55062fc2b79535655089fd22c551922bb9 Get2\r\n8f36df0c4f23d758cfa72aa706d28b7ce15513ba2c3354d7df0ee5335a5079c4 Get2\r\n97528075acc198ebeecb18a66de53206808b5a9d791463af36b9b1c7a402bcb7 Get2\r\n99eeb9b8ee908f6faf66982a5cef0098e261fcafdb558b56f6659f92510d4b4b Get2\r\na04d0cb7362e3650239230b40fac1d2d42357cec1ded2e78456e49dd6713b470 Get2\r\na0c4d66ccb7d0a5aaa52a9d06f797bbb9be127d22f705a5c0472cac52f0f0ddd Get2\r\na0e349afc168d890831e1353ce44abdd069b79d13f4170676ac2ffea3761bf01 Get2\r\na94a316ed134c43010709454d54f13327123f57a133d02351d2e19cf167b1e75 Get2\r\nac25d77a2091a5665d37b0a91be9b154ff61c16b35b5575c907ef4e6d8bbcc23 
Get2\r\nafd1c04e11ebfc8d3eed2e011c26be25d133c30de9bd80eaa2605573a0d49db3 Get2\r\nb5c4b39ebf181b7bcb52176934fc46c608d0d4d1881d2fbe909d9d3889155930 Get2\r\nb8b6a4ebe98146616012ffecee9651c51be7ce9fca10cda4b6bf17d66d71594d Get2\r\nbc62e6e52027724be2e3e78ab25c11dbcdd258f394014b6b1d637da6eee60217 SDBBot\r\nbccf6ecd6987bac361df1eb0fb2e9324dcf41ed30a3b5c6a8ee075794a6a0713 Get2\r\nc2a60385f73dcf2941ffd9fab11872f760cee6ef83b678696b16a179c079a870 Get2\r\nc2f99a2bba225fe3ab49cb952e418b2ab29ba7f2e34db6cf9bc51b0349d0acd8 Get2\r\nc530b2c85ba3b58e7174e754c73369a39e1e568f40d5cf777ea6f0f162bbe09a Get2\r\ncb855b21356e6562e5657bcf08a400b7eef69154f80e63616b1693a916902e94 SDBBot\r\nd0a6f9cbd6b078ecb90b0dfba541dc52377e04cee4b7885ea12967c7a26547aa Get2\r\nd1e1b4d3a323692bd12e81e3d7581f6754c85e748a83bc1489f105a62f203687 Get2\r\nd316684974989cdab30c4c4dd85d9f326ec5a57cff407a92bf202d3be5906e59 Get2\r\ndbb8abdbb80f8e8eadd339fc4e4680a082ba988034abd5d72824600d0a4b002a Get2\r\ndf9947332481ffbd90baf6939ae5bd5b62ff2305739ef91903803ae4d88d0f57 Get2\r\ne49953079c9f18adc26bfdd01d17add9b50f145936457ce01abc1489b143a25b SDBBot\r\ne7bdf82ccbc1c0da78b5747e044e77c2610cc29bc251218810ba43593fd80cfe Get2\r\ne88e116e8ab8c20db727a548cea792c8db45393b4f77653feb8bc13b36f02bf2 Get2\r\nfa6141e231b320d6ed94c1bdd2ab097474aea23eca7f511ebd895d80a2fc1eea Get2\r\nfc6f0f8a4ff16f1e3d04f4008a0cebef168517f1b80282422e2f537473d18f82 Get2\r\nfe97f76dd2b0c461020968f84b4399cdebb3fc2e4934f0491377ccaee568d8c5 Get2\r\nSource: https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672"
	],
	"report_names": [
		"cybersecurity-ta505-s-box-of-chocolate-597672"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e8e18067-f64b-4e54-9493-6d450b7d40df",
			"created_at": "2022-10-25T16:07:24.515213Z",
			"updated_at": "2026-04-10T02:00:05.018868Z",
			"deleted_at": null,
			"main_name": "Mummy Spider",
			"aliases": [
				"ATK 104",
				"Gold Crestwood",
				"Mummy Spider",
				"TA542"
			],
			"source_name": "ETDA:Mummy Spider",
			"tools": [
				"Emotet",
				"Geodo",
				"Heodo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "506404b2-82fb-4b7e-b40d-57c2e9b59f40",
			"created_at": "2023-01-06T13:46:38.870883Z",
			"updated_at": "2026-04-10T02:00:03.128317Z",
			"deleted_at": null,
			"main_name": "MUMMY SPIDER",
			"aliases": [
				"TA542",
				"GOLD CRESTWOOD"
			],
			"source_name": "MISPGALAXY:MUMMY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e8ebcbda-e8df-4a38-a2a6-63b2608ee6f3",
			"created_at": "2023-01-06T13:46:38.88051Z",
			"updated_at": "2026-04-10T02:00:03.131218Z",
			"deleted_at": null,
			"main_name": "Silence group",
			"aliases": [
				"WHISPER SPIDER"
			],
			"source_name": "MISPGALAXY:Silence group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ac83159-1d9d-4db4-a176-97be6b7b07c9",
			"created_at": "2024-06-19T02:03:08.024653Z",
			"updated_at": "2026-04-10T02:00:03.672512Z",
			"deleted_at": null,
			"main_name": "GOLD CRESTWOOD",
			"aliases": [
				"Mummy Spider ",
				"TA542 "
			],
			"source_name": "Secureworks:GOLD CRESTWOOD",
			"tools": [
				"Emotet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434598,
	"ts_updated_at": 1775792196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/71d071d0d47356e26ed72eeb51ad906b70fd46c3.pdf",
		"text": "https://archive.orkl.eu/71d071d0d47356e26ed72eeb51ad906b70fd46c3.txt",
		"img": "https://archive.orkl.eu/71d071d0d47356e26ed72eeb51ad906b70fd46c3.jpg"
	}
}