{
	"id": "493cd3c7-ec51-4354-adbd-5a5bf6645548",
	"created_at": "2026-04-06T00:18:49.355058Z",
	"updated_at": "2026-04-10T13:12:20.854149Z",
	"deleted_at": null,
	"sha1_hash": "ad22c72890f173aa8ae0c8547ed4f5d78879b061",
	"title": "GitHub - Tera0017/SDBbot-Unpacker: SDBbot Unpacker Python 2.7",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 105649,
	"plain_text": "GitHub - Tera0017/SDBbot-Unpacker: SDBbot Unpacker Python\r\n2.7\r\nBy Tera0017\r\nArchived: 2026-04-02 11:05:50 UTC\r\nREADME\r\nMIT license\r\nSDBbot Unpacker is a python 2.7 script that is able to unpack/dump statically modules of x86 and x64 SDBbot\r\npacked samples.\r\nSDBbot Infection process\r\nMore information:\r\nProofpoint https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader\r\nUsage\r\n$ python sdbbot_unpacker.py --help\r\n ____ ____ ____ _ _ _ _ _\r\n / ___|| _ \\| __ )| |__ ___ | |_ | | | |_ __ _ __ ___| | ___ __\r\n \\___ \\| | | | _ \\| '_ \\ / _ \\| __| | | | | '_ \\| '_ \\ / __| |/ / '__|\r\n ___) | |_| | |_) | |_) | (_) | |_ | |_| | | | | |_) | (__| \u003c| |\r\n |____/|____/|____/|_.__/ \\___/ \\__| \\___/|_| |_| .__/ \\___|_|\\_\\_|\r\n |_|\r\nhttps://github.com/Tera0017/SDBbot-Unpacker\r\nPage 1 of 3\n\n|--\u003e SDBbot Unpacker\r\nusage: sdbbot_unpacker.py [-h] [-f FILE]\r\nSDBbot Modules Unpacker\r\noptional arguments:\r\n -h, --help show this help message and exit\r\n -f FILE, --file FILE File to unpack modules.\r\nExample x86\r\n$ python sdbbot_unpacker.py -f png1\r\n ____ ____ ____ _ _ _ _ _\r\n / ___|| _ \\| __ )| |__ ___ | |_ | | | |_ __ _ __ ___| | ___ __\r\n \\___ \\| | | | _ \\| '_ \\ / _ \\| __| | | | | '_ \\| '_ \\ / __| |/ / '__|\r\n ___) | |_| | |_) | |_) | (_) | |_ | |_| | | | | |_) | (__| \u003c| |\r\n |____/|____/|____/|_.__/ \\___/ \\__| \\___/|_| |_| .__/ \\___|_|\\_\\_|\r\n |_|\r\n|--\u003e SDBbot Unpacker\r\n|--\u003e Encoded code ROL 3\r\n|--\u003e Encoded code XOR Key: 0X1D24\r\n|--\u003e Encoded code Size: 0X270\r\n|--\u003e Encoded Binary ROL 3\r\n|--\u003e Encoded Binary XOR Key: 0X7178\r\n|--\u003e Encoded Binary Size: 0XF432\r\n|--\u003e SdbInstallerDll successfully dumped: SDBbot_SdbInstallerDll_png1\r\n|--\u003e RegCodeLoader successfully dumped: SDBbot_RegCodeLoader_png1\r\n|--\u003e RegBlob successfully dumped: SDBbot_RegBlob_png1\r\n|--\u003e BotDLL successfully dumped: SDBbot_RAT_BotDLL_png1\r\nhttps://github.com/Tera0017/SDBbot-Unpacker\r\nPage 2 of 3\n\nExample x64\r\n$ python sdbbot_unpacker.py -f png2\r\n ____ ____ ____ _ _ _ _ _\r\n / ___|| _ \\| __ )| |__ ___ | |_ | | | |_ __ _ __ ___| | ___ __\r\n \\___ \\| | | | _ \\| '_ \\ / _ \\| __| | | | | '_ \\| '_ \\ / __| |/ / '__|\r\n ___) | |_| | |_) | |_) | (_) | |_ | |_| | | | | |_) | (__| \u003c| |\r\n |____/|____/|____/|_.__/ \\___/ \\__| \\___/|_| |_| .__/ \\___|_|\\_\\_|\r\n |_|\r\n|--\u003e SDBbot Unpacker\r\n|--\u003e Encoded code ROL 7\r\n|--\u003e Encoded code XOR Key: 0XA82\r\n|--\u003e Encoded code Size: 0X375\r\n|--\u003e Encoded Binary ROL 7\r\n|--\u003e Encoded Binary XOR Key: 0X55EE\r\n|--\u003e Encoded Binary Size: 0X12786\r\n|--\u003e SdbInstallerDll successfully dumped: SDBbot_SdbInstallerDll_png2\r\n|--\u003e RegCodeLoader successfully dumped: SDBbot_RegCodeLoader_png2\r\n|--\u003e RegBlob successfully dumped: SDBbot_RegBlob_png2\r\n|--\u003e BotDLL successfully dumped: SDBbot_RAT_BotDLL_png2\r\nRequirements\r\nlznt1 (https://github.com/you0708/lznt1)\r\npefile\r\nyara-python\r\nSupport\r\nIn case some files are not working, please make sure it is a packed SDBbot, if yes please provide me the hash in a\r\nDM @Tera0017.\r\nRegards\r\nSource: https://github.com/Tera0017/SDBbot-Unpacker\r\nhttps://github.com/Tera0017/SDBbot-Unpacker\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/Tera0017/SDBbot-Unpacker"
	],
	"report_names": [
		"SDBbot-Unpacker"
	],
	"threat_actors": [
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434729,
	"ts_updated_at": 1775826740,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ad22c72890f173aa8ae0c8547ed4f5d78879b061.pdf",
		"text": "https://archive.orkl.eu/ad22c72890f173aa8ae0c8547ed4f5d78879b061.txt",
		"img": "https://archive.orkl.eu/ad22c72890f173aa8ae0c8547ed4f5d78879b061.jpg"
	}
}