{
	"id": "6f3810fe-984c-4898-82ea-fd205db2eefe",
	"created_at": "2026-04-06T00:17:17.480408Z",
	"updated_at": "2026-04-10T03:36:36.63106Z",
	"deleted_at": null,
	"sha1_hash": "a8e18ffad4653ce7f46ee9e42e7440a3890caab5",
	"title": "Get2 Downloader \u0026 SDBbot RAT Analysis | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2339353,
	"plain_text": "Get2 Downloader \u0026 SDBbot RAT Analysis | Proofpoint US\r\nBy Dennis Schwarz | Kafeine | Matthew Mesa | Axel F and The Proofpoint Threat Insight Team\r\nPublished: 2019-10-15 · Archived: 2026-04-05 16:20:16 UTC\r\nEditor’s note: Following publication of this blog, it came to our attention that AhnLab encountered what appears\r\nto be an earlier version of SDBbot, described in their recent Q3 ASEC Report as a “malicious SDB file.” AhnLab\r\ndescribes delivery of the malware in South Korean campaigns as a secondary payload to the FlawedAmmyy RAT.\r\nTA505 has been active in South Korea in 2019 and frequently distributes the FlawedAmmyy RAT, but we cannot\r\nverify the connection at this time.\r\nOverview\r\nIn September 2019, Proofpoint researchers observed a prolific threat actor, TA505, sending email campaigns that\r\nattempt to deliver and install Get2, a new downloader. Get2 was, in turn, observed downloading FlawedGrace,\r\nFlawedAmmyy, Snatch, and SDBbot (a new RAT) as secondary payloads.\r\nIn this blog post, Proofpoint will detail the tactics, techniques, and procedures (TTPs) associated with these latest\r\ncampaigns and provide a detailed analysis of the Get2 downloader and the SDBbot RAT.\r\nThese new developments are a continuation of a pattern where, since 2018, Proofpoint researchers have observed\r\nnumerous threat actors increasingly distributing downloaders, backdoors, information stealers, remote access\r\nTrojans (RATs), and more as they abandoned ransomware as their primary payloads.\r\nTA505 has been at the forefront of this trend, which began with the distribution of a new backdoor, “ServHelper”,\r\nin November 2018, and a new downloader, AndroMut, earlier this year.\r\nCampaigns\r\nBeginning September 9, 2019, Proofpoint researchers observed TA505 using Get2 as their initial downloader\r\n(and were still observing it at the time of this publication). At first, it downloaded traditional payloads including FlawedAmmyy and\r\nFlawedGrace. 
However, on October 7 Proofpoint researchers observed Get2 downloading the new RAT, SDBbot.\r\nIn addition to the new malware, these campaigns have continued to innovate in other aspects:\r\nTA505 remains a serious contender for the top positions in the volumes of emails distributed (most days\r\ntens or hundreds of thousands of messages, but sometimes pushing into millions).\r\nTA505 continues to focus on targeting financial institutions alternating with more widely-targeted\r\ncampaigns going after other verticals.\r\nA recent focus on Greece, Germany, and Georgia as targeted geographies.\r\nNew Microsoft Office macros are used specifically with the Get2 downloader.\r\nhttps://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader\r\nPage 1 of 20\n\nFigure 1: A selected chronology of TA505 malspam campaigns culminating with Get2 and SDBbot in September\r\nand October of 2019.\r\nBelow are the details of several notable malicious email campaigns.\r\nSeptember 9, 2019\r\nOn September 9 Proofpoint researchers observed tens of thousands of emails attempting to deliver Microsoft\r\nExcel attachments with English and Greek lures. 
These emails targeted financial institutions in Greece, Singapore,\r\nUnited Arab Emirates, Georgia, Sweden, Lithuania, and a few other countries.\r\nThe emails used the following example subjects and attachment names:\r\nSubject “HPE INV-02 - Invoice and documents” and attachment “hpe_s_hp-inv_02[.]xls”\r\nSubject “Need to Apply” and attachment “dc123456[.]xls”\r\nSubject “Παραστατικό” (translated from Greek: “Document”) and attachment “business cloud invoice\r\nno142 09-09-2019[.]xls”\r\nSubject “ΣΤΕΛΙΟΣ ΠΡΟΤΙΜΟΛΟΓΙΟ” (translated from Greek: “EXECUTIVE SUMMARY”) and\r\nattachment “προτιμολογιο[.]xls”\r\nThis was the first campaign where the new downloader Get2 was observed. However, in Proofpoint’s testing, the\r\nlater-stage payloads were not observed at the time.\r\nFigure 2: Example email delivering a malicious Microsoft Excel spreadsheet with an embedded Get2 payload.\r\nFigure 3: Example Microsoft Excel attachment using the Greek language and targeting Greece.\r\nSeptember 20, 2019\r\nOn September 20, we observed hundreds of thousands of emails attempting to deliver Microsoft Excel and .ISO\r\nattachments with English and French lures. 
These emails targeted companies from different verticals in the United\r\nStates and Canada.\r\nThe emails used the following example subjects and attachment names:\r\nSubject \"Reçu de paiement (facture 12345)\" and attachment \"facture_no_432478_v2[.]xls\"\r\nSubject \"Account opening form\" and attachment \"formulaire_01234.iso\" (the ISO contains an Excel file such\r\nas \"0920_0123456[.]xls\")\r\nIn this campaign, Proofpoint researchers again observed the installation and execution of Get2, which in turn\r\ndownloaded FlawedGrace.\r\nFigure 4: Email delivering an ISO attachment in a French-language email targeting Canada.\r\nFigure 5: Microsoft Excel attachment using the French language and targeting Canada.\r\nOctober 7, 2019\r\nOn October 7, instead of directly attached malicious Microsoft Excel files, Proofpoint researchers observed\r\nthousands of emails containing URL shortener links redirecting to a landing page that in turn links to an Excel\r\nsheet “request[.]xls”. 
This campaign only used the English language and targeted companies from various\r\nindustries, primarily in the United States.\r\nThe emails used the following example subject:\r\nSubject ‘Admin shared \"request[.]xls\" with you’ where the email contained a Bit.ly URL\r\nIn this campaign, Proofpoint researchers observed the execution of Get2, which downloaded SDBbot for the first\r\ntime.\r\nFigure 6: Example email with a Bit.ly URL leading to a landing page that links to the download of a malicious\r\ndocument; this uses stolen branding to increase the legitimacy of the shared file lure.\r\nFigure 7: Dropbox-themed landing page with a lure asking users to click a button that links to the malicious\r\ndocument.\r\nFigure 8: Microsoft Excel spreadsheet with an embedded Get2 downloader luring the user to open the document and\r\nenable macros.\r\nMicrosoft Excel Document Analysis\r\nIn addition to TA505’s use of new malware, it should be noted that the new Get2 loader works in conjunction with\r\na new Microsoft Excel macro. Get2 is embedded into the Microsoft Excel file as an object, which can be found as\r\nan image icon by scrolling through the document. 
It is extracted by the macro using the following logic (note that\r\nthis is an analysis of the September 9 macro and incremental changes have been introduced since):\r\nThe original Microsoft Excel spreadsheet is copied into the %TEMP% directory\r\nThe embedded object “xl\\embeddings\\oleObject1[.]bin” inside the Microsoft Excel spreadsheet is copied\r\ninto the %TEMP% directory\r\nThe DLL inside oleObject1.bin is extracted and copied into %APPDATA% by the\r\n“ReadAndWriteExtractedBinFile” function\r\nThe DLL is loaded with LoadLibraryA\r\nThe DLL’s exported function, such as “Get2”, is run by the macro\r\nAn excerpt from the VBA code from the Microsoft Excel file that performs some of this is shown below. This\r\ncode appears to be in part borrowed from a Stack Overflow article (except that it extracts a file starting with\r\nthe “MZ” header instead of “PDF”).\r\nFigure 9: Visual Basic macro code sample from the malicious Microsoft Excel spreadsheet used in conjunction\r\nwith the Get2 downloader.\r\nGet2 is a new downloader malware written in C++ and used in recent TA505 campaigns. The name is derived\r\nfrom the DLL export name used in the initial sample that was analyzed. 
Successive campaigns used different\r\nexport names such as Amway, Hadno, Seven, and Wakeup.\r\nThe downloader collects basic system information and sends it via an HTTP POST request to a hardcoded\r\ncommand and control (C\u0026C) server (Figure 10):\r\nFigure 10: Example Get2 C\u0026C request\r\nThe POST data contains the following URL-encoded parameters:\r\nD - Computer name\r\nU - Username\r\nOS - Windows version\r\nPR - Pipe-delimited process list\r\nFigures 11 and 12 depict some example responses from the C\u0026C server:\r\nFigure 11: Example Get2 C\u0026C response\r\nFigure 12: Example Get2 C\u0026C response\r\nThe C\u0026C response data is pipe-delimited and each section contains a payload URL and an optional argument\r\ndelimited by a semicolon.\r\nIn earlier observed versions of Get2, its payloads were executables run with the argument passed on the command\r\nline. In later samples, the authors included additional code to check the argument for “RD86” and “RD64” (possibly\r\nshort for “run DLL”). RD86 indicated the payload was a DLL to be injected and loaded. The system was also\r\nscheduled to reboot a random amount of time later (more on the reboot in the SDBbot section below). At the time\r\nof research, the RD64 code path had not been implemented, but it will likely be similar to RD86 for 64-bit DLLs.\r\nSDBbot Remote Access Trojan\r\nSDBbot is a new remote access Trojan (RAT) written in C++ that has been delivered by the Get2 downloader in\r\nrecent TA505 campaigns. Its name is derived from the debugging log file (sdb.log.txt) and DLL name\r\n(BotDLL[.]dll) used in the initial analyzed sample. 
It also makes use of application shimming [1] for persistence.\r\nSDBbot is composed of three pieces: an installer, a loader, and a RAT component.\r\nInstaller Component\r\nThe installer stores the RAT component in the registry and establishes persistence for the loader component. In the\r\nanalyzed sample, the installer was named “SdbInstallerDll[.]dll”. Most of its important strings and data were\r\nXOR-encoded with a hardcoded 128-byte key.\r\nA registry value is created at “\\SOFTWARE\\Microsoft\\\u003crandom 3 characters subkey\u003e[random 1 character\r\nvalue name]” in HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER depending on user privileges. A\r\nbinary blob is stored at the value and has the following structure:\r\nCopyright notice (“Copyright (C) Microsoft Corporation.”)\r\nLoader shellcode (stored as a function in the installer)\r\nString consisting of “\u003crandom 3 characters from registry subkey\u003e0INIT”\r\nCompressed RAT payload (stored in the “.data1” PE section of the installer)\r\nIf the bot is running with regular user privileges, persistence is established using the registry “Run” key method [2]. The\r\nloader DLL component is written to “%APPDATA%\\mswinload[.]dll” and a “mswinload” value is added to the\r\n“Run” key to execute ordinal #1 of the DLL with rundll32[.]exe.\r\nIf the bot is running with admin privileges on a Windows version newer than Windows 7, persistence is\r\nestablished using the registry “image file execution options” method. The loader DLL component is written to\r\n“%SYSTEM%\\mswinload0[.]dll” and added to the “VerifierDlls” value for “winlogon[.]exe”.\r\nIf the bot is running as admin on Windows XP or 7, persistence is established using application shimming [1]. 
It\r\nuses a method very similar to the one described by FireEye in their blog post “To SDB, Or Not To SDB: FIN7\r\nLeveraging Shim Databases for Persistence” [3]. A shim database (SDB) is created (Figure 13) to patch\r\nservices[.]exe with the loader code and then installed with sdbinst[.]exe:\r\nFigure 13: Example shim database (SDB) created by SDBbot\r\nAll three of the persistence mechanisms require a reboot to take effect, and there is no additional code to continue\r\nexecuting the loader and RAT components from the installer. Proofpoint researchers speculate that the reboot\r\nfunctionality in the Get2 downloader (described above) is used to continue SDBbot’s execution after installation\r\nin the TA505 campaigns.\r\nLoader Component\r\nIn the registry-based persistence mechanisms, a separate loader DLL is used to execute the RAT payload. In the\r\nanalyzed sample, the loader was named “RegCodeLoader[.]dll” and saved to disk as “mswinload[.]dll” or\r\n“mswinload0[.]dll”. The application shimming-based persistence doesn’t use a separate DLL, but the code it\r\npatches into services[.]exe is similar in functionality. In both cases the random registry key and value name are\r\npatched into the loader code.\r\nThe loader component reads the binary blob stored in the registry and starts executing the loader shellcode stored\r\nthere. The shellcode decompresses the RAT payload, then loads and executes the DLL.\r\nRAT Component\r\nIn the analyzed sample the RAT component was named “BotDLL[.]dll”. It has some typical RAT functionality\r\nsuch as command shell, video recording of the screen, remote desktop, port forwarding, and file system access.\r\nSDBbot stores its C\u0026Cs in a plaintext string or file (“ip.txt”). 
It uses a plaintext protocol over TCP port 443; an\r\nexample session is shown in Figure 14:\r\nFigure 14: Example SDBbot C\u0026C protocol\r\nThe bot starts the communication by sending and receiving an acknowledgment DWORD: 0xC0DE0000. It then\r\ncontinues by sending basic system information:\r\nver - Likely malware version\r\ndomain - Domain name\r\npc - Computer name\r\ngeo - Country code\r\nos - Windows version\r\nrights - User rights\r\nproxyenabled - Whether a proxy is configured\r\nAfter the malware sends system information, the C\u0026C server responds with a command DWORD. Depending on\r\nthe command, the C\u0026C server then sends additional arguments. Some of the commands (mostly the shell and\r\nvideo-related ones) make use of 48-byte data structures to store various data. There are other commands which\r\ncreate, delete, and query the status of these data structures, so the structure is defined in Figure 15:\r\nFigure 15: 48-byte data structure used by some of the commands\r\nThe available commands are:\r\n2 - Get subcommand from C\u0026C:\r\n“cmd” - Start a cmd[.]exe shell\r\n“shutdown_pc” - Shutdown\r\n“reboot” - Reboot\r\n“sleep utc” - Set sleep time\r\n“video online” - Get existing or create new video data structure\r\n“video stop” - Set a “stop” event in video data structure\r\n“rdpwrap install” - This command enables RDP in the registry, but despite its name does not\r\ninstall the RDP Wrapper [4]\r\n“rdpwrap uninstall” - If RDP Wrapper [4] was installed, uninstall it\r\n“portforward” - Set up a proxy between a target host and port and the C\u0026C\r\n“run” - Execute command via cmd[.]exe, but don’t send output to the C\u0026C\r\n“runreflective” - Download DLL from C\u0026C, inject it into a freshly created rundll32[.]exe, and\r\nreflectively load it\r\n“keep_bot_online on” - Sets a flag and a sleep timeout\r\n“keep_bot_online off” - Turns off a flag and sets the sleep timeout to zero\r\n4 - Send number, type, and index of data structures\r\n5 - If shell or video recording is enabled, send shell output or screenshots to the C\u0026C\r\n11 - Send number, index, and tag of command shell data structures\r\n12 - Write a command to a shell\r\n13 / 32 - Create a new, empty data structure and send its index to the C\u0026C\r\n14 - Clean up and remove existing data structure\r\n15 - Write file\r\n23 - Get drive information or directory listing\r\n24 - Read file\r\n25 - Create directory\r\n26 - Delete file\r\n27 - Clean up and remove all data structures\r\n31 - Exact functionality is unclear. It writes a file using two data structures: one associated with the file and\r\nthe other used for reading data from the C\u0026C\r\nConclusion\r\nTA505 has helped shape the threat landscape for years, largely because of the massive volumes associated with\r\ntheir campaigns through the end of 2017 and 2018. Over the last two years, Proofpoint researchers have observed\r\nTA505 and a number of other actors focus on downloaders, RATs, information stealers, and banking Trojans. With\r\nthis recently observed October 2019 push by TA505 with attacks on a wide range of verticals and regions, the\r\nactor’s usual “follow the money” behavioral pattern remains consistent. 
The new Get2 downloader, when\r\ncombined with the SDBbot as its payload, appears to be TA505’s latest trick (or treat) for the Fall of 2019.\r\nReferences\r\n[1] https://attack.mitre.org/techniques/T1138/\r\n[2] https://attack.mitre.org/techniques/T1060/\r\n[3] https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html\r\n[4] https://github.com/stascorp/rdpwrap\r\nIndicators of Compromise (IOCs)\r\nET and ETPRO Suricata/Snort Signatures\r\n2028642 || ET TROJAN Possible Win32/Get2 Downloader Activity\r\n2838412 || ETPRO TROJAN Win32/Get2 Downloader C\u0026C Checkin\r\n2025408 || ET TROJAN Win32/FlawedAmmyy RAT C\u0026C Checkin\r\n2026773 || ET TROJAN FlawedGrace CnC Activity\r\n2838808 || ETPRO TROJAN Win32/SDBbot C\u0026C Checkin\r\nSource: https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader"
	],
	"report_names": [
		"ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434637,
	"ts_updated_at": 1775792196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a8e18ffad4653ce7f46ee9e42e7440a3890caab5.pdf",
		"text": "https://archive.orkl.eu/a8e18ffad4653ce7f46ee9e42e7440a3890caab5.txt",
		"img": "https://archive.orkl.eu/a8e18ffad4653ce7f46ee9e42e7440a3890caab5.jpg"
	}
}