From 796382d4ab2eb5e3795193a4c5da4b5841d65f87 Mon Sep 17 00:00:00 2001
From: Thanat0s
Date: Fri, 24 Feb 2017 13:39:53 +0100
Subject: [PATCH] Remove Lstudio (group using elise) , add info to PWOBOT
---
 clusters/tool.json | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 2539cee..fa69da7 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -177,13 +177,23 @@
 "description": "We have discovered a malware family named ‘PWOBot’ that is fairly unique because it is written entirely in Python, and compiled via PyInstaller to generate a Microsoft Windows executable. The malware has been witnessed affecting a number of Europe-based organizations, particularly in Poland. Additionally, the malware is delivered via a popular Polish file-sharing web service.",
 "meta": {
 "refs": [
- "http://researchcenter.paloaltonetworks.com/2016/04/unit42-python-based-pwobot-targets-european-organizations/"
+ "http://researchcenter.paloaltonetworks.com/2016/04/unit42-python-based-pwobot-targets-european-organizations/"
+ ],
+ "synonyms" : [
+ "PWOLauncher",
+ "PWOHTTPD",
+ "PWOKeyLogger",
+ "PWOMiner",
+ "PWOPyExec",
+ "PWOQuery"
+ ],
+ "category" : [
+ "dropper",
+ "coinminer",
+ "spyware"
 ]
 }
 },
- {
- "value": "Lstudio"
- },
 {
 "value": "Joy RAT"
 },
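Review bot: The six names added under `"synonyms"` in the PWOBot entry (`PWOLauncher` through `PWOQuery`) read like names of individual components rather than alternate names for the family; this is inferred from the naming, since the visible description does not mention them. If consumers of this cluster match on synonyms to correlate reports or tag events, a hit on a single component name would resolve to the whole family entry and inherit all three `"category"` values. Consider keeping `"synonyms"` for true aliases and naming the components in `"description"` instead. On style, the new keys are written `"synonyms" : [` and `"category" : [` while the neighbouring context line uses `"refs": [`; dropping the space before the colon keeps the file uniform. The removed and re-added `refs` URL is textually identical as shown, so that pair is presumably a whitespace-only change.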