From b007d5d3ce56b526567291953f7ca287ce4d2b86 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 6 Mar 2020 14:33:19 +0100
Subject: [PATCH] add SdBbot
---
 clusters/rat.json | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/clusters/rat.json b/clusters/rat.json
index 91baed8..5bc8f76 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
@@ -3426,7 +3426,20 @@
 },
 "uuid": "bbff39cb-a12b-4b18-be20-aa9e6d378fa6",
 "value": "Warzone"
+ },
+ {
+ "description": "SDBbot is a new remote access Trojan (RAT) written in C++ that has been delivered by the Get2 downloader in recent TA505 campaigns. Its name is derived from the debugging log file (sdb.log.txt) and DLL name (BotDLL[.]dll) used in the initial analyzed sample. It also makes use of application shimming [1] for persistence. SDBbot is composed of three pieces: an installer, a loader, and a RAT component.",
+ "meta": {
+ "refs": [
+ "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader"
+ ],
+ "synonyms": [
+ "SDB bot"
+ ]
+ },
+ "uuid": "9d36db93-7d60-4da6-a611-1a32e02a054f",
+ "value": "SDBbot"
 }
 ],
- "version": 33
+ "version": 34
 }
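Review bot: The added `description` carries a dangling footnote marker, `[1]`, after "application shimming", and nothing in `meta.refs` corresponds to it. Either drop the marker so the sentence reads `It also makes use of application shimming for persistence.`, or add the document that footnote cited as a second `refs` entry. The DLL name is also stored defanged as `BotDLL[.]dll`; a file name needs no defanging, and an analyst searching the cluster for the literal name will not match it, so `BotDLL.dll` would serve better. The array holding these entries starts outside the hunk, so consistency with sibling entries cannot be checked from here.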