Get2

Malware updated 7 months ago (2024-05-04T16:11:17.982Z)

Download STIX

Preview STIX

Get2 is a type of malware, harmful software designed to infiltrate and damage computer systems or devices. It can be unknowingly downloaded through suspicious emails, downloads, or websites, enabling it to steal personal information, disrupt operations, or hold data hostage for ransom. Among the most frequently observed loaders of such malware are Bazar, Buer, Dridex, Get2, IcedID, and Qakbot. In particular, Get2 has been used as a dropper to download other types of malware such as SDBot and FlawedGrace. In 2019, threat actors known as TA505 leveraged a type of ransomware called CL0P as the final payload of a phishing campaign. This campaign involved the use of a macro-enabled document that utilized Get2 as a malware dropper for downloading SDBot and FlawedGrace. Serving the Get2 payload was particularly noticeable in October 2019, with TA505 targeting a wide range of verticals and regions, indicating their consistent behavioral pattern of "following the money." The Get2 downloader, combined with SDBbot as its payload, appears to be TA505's latest strategy during the Fall of 2019. Proofpoint researchers speculate that the reboot functionality in the Get2 downloader is used to continue SDBbot’s execution after installation in the TA505 campaigns. SDBbot is a new remote access Trojan (RAT) written in C++ that has been delivered by the Get2 downloader in recent TA505 campaigns.

Description last updated: 2024-05-04T16:08:33.743Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Aliases We are not currently tracking any aliases

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Payload

Phishing

Malware

Loader

Ransomware

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The FlawedGrace Malware is associated with Get2. FlawedGrace is a notorious malware, a remote access trojan (RAT), that has been used extensively in cyberattacks. It was first brought to light in June 2023 when The DFIR Report revealed its use in Truebot operations. In these operations, following the successful download of a malicious file, Truebo	Unspecified	4
The Clop Malware is associated with Get2. Clop, a malicious software (malware), is linked to a Russian-speaking cybercriminal group also known as Cl0p. It is designed to exploit and damage computer systems by stealing personal information, disrupting operations, or holding data hostage for ransom. In May 2023, the Clop group began exploitin	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The TA505 Threat Actor is associated with Get2. TA505, also known as Cl0p Ransomware Gang and Lace Tempest, is a highly active and sophisticated cybercriminal group. The group has been associated with various high-profile cyber-attacks, demonstrating adaptability through a multi-vector approach to their operations. In June 2023, the U.S. Cybersec	Unspecified	4
The cl0p Threat Actor is associated with Get2. Cl0p is a threat actor group that has emerged as the most used ransomware in March 2023, dethroning LockBit. The group has successfully exploited zero-day vulnerabilities in the past, but such attacks are relatively rare. Recent research by Malwarebytes highlights the bias of ransomware gangs for at	Unspecified	2

Source Document References

Information about the Get2 Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Flashpoint	2 years ago	No title
CISA	a year ago	#StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability \| CISA
CERT-EU	a year ago	#StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability – Cyber Safe NV
MITRE	2 years ago	Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies
MITRE	2 years ago	TA505: A Brief History Of Their Time
MITRE	2 years ago	TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader \| Proofpoint US
MITRE	2 years ago	Threat Assessment: Clop Ransomware
MITRE	2 years ago	Cybereason vs. Cl0p Ransomware
Secureworks	2 years ago	Phases of a Post-Intrusion Ransomware Attack
CERT-EU	2 years ago	New Malware Granting Threat Actors Hidden VNC Access