From e98de5cb5eab6e404d5940d0e1ab8f1853381cc1 Mon Sep 17 00:00:00 2001
From: Thanat0s <Thanspam@trollprod.org>
Date: Sat, 25 Feb 2017 01:12:42 +0100
Subject: [PATCH] add derusbi

---
 clusters/tool.json | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/clusters/tool.json b/clusters/tool.json
index c636568..bfb4154 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -266,7 +266,19 @@
       }
     },
     {
-      "value": "Derusbi"
+      "value": "Derusbi",
+      "meta": {
+        "synonyms": [
+          "TROJ_DLLSERV.BE"
+          ],
+        "refs": [
+          "http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf",
+          "https://www.rsaconference.com/writable/presentations/file_upload/hta-w02-dissecting-derusbi.pdf"
+        ],
+        "type": [
+          "Backdoor"
+        ]
+      }
     },
     {
       "value": "EvilGrab"
@@ -498,6 +510,7 @@
           "IEChecker"
         ],
         "refs": [
+          "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_sasfis.tl",
           "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf"
         ],
         "type": [