SDBbot

Malware Profile Updated 3 months ago
Download STIX
Preview STIX
SDBbot is a malicious software (malware) that infiltrates computer systems typically through deceptive downloads, emails, or websites. In the context of cyber threats, it falls under the category of custom malware, used by threat groups such as GOLD TAHOE. Other common offensive security tools and commodity malware include Cobalt Strike, PowerShell Empire, and SystemBC. Once inside a system, SDBbot can steal personal information, disrupt operations, or hold data hostage for ransom. It moves laterally within the compromised network, exfiltrates data, and deploys the Cl0p ransomware on as many systems as possible. The cybercriminal group Graceful Spider (also known as TA505, Gold Evergreen, TEMP.Warlock, Hive0065, Chimborazo, FIN11) distributed spearphishing emails impersonating Onehub in 2019 to trick users into downloading the SDBbot remote access trojan (RAT). This RAT has typical functionalities such as command shell, video recording of the screen, remote desktop, port forwarding, and file system access. The SDBbot RAT installers are x64-packed and decrypt parts of SDBbot’s code and strings upon execution. Using the domain admin, the actor was able to compromise several other accounts and execute malicious services and persistence mechanisms, namely SDBbot RAT Loaders. The email was designed to extract Active Directory (AD) discovery data and user credentials and to infect the environment with the SDBbot RAT. Proofpoint researchers speculate that the reboot functionality in the Get2 downloader is used to continue SDBbot’s execution after installation in the TA505 campaigns. The RAT component, named “BotDLL[.]dll”, stores its Command and Control servers (C&Cs) in a plaintext string or file (“ip.txt”).
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Rat
Malware
Cobalt Strike
Ransomware
Loader
Proofpoint
Trojan
Spearphishing
Payload
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
FlawedGraceUnspecified
1
FlawedGrace is a notorious malware, a remote access trojan (RAT), that has been used extensively in cyberattacks. It was first brought to light in June 2023 when The DFIR Report revealed its use in Truebot operations. In these operations, following the successful download of a malicious file, Truebo
Get2Unspecified
1
Get2 is a type of malware, harmful software designed to infiltrate and damage computer systems or devices. It can be unknowingly downloaded through suspicious emails, downloads, or websites, enabling it to steal personal information, disrupt operations, or hold data hostage for ransom. Among the mos
FlawedAmmyyUnspecified
1
FlawedAmmyy is a notable malware, specifically a Remote Access Trojan (RAT), that has been leveraged by threat actors for malicious purposes. The malware is designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites unbeknownst to the user.
HiveUnspecified
1
Hive is a malicious software, or malware, that infiltrates systems to exploit and damage them. This malware has been associated with Volt Typhoon, who exfiltrated NTDS.dit and SYSTEM registry hive to crack passwords offline. The Hive operation was primarily involved in port scanning, credential thef
ClopUnspecified
1
Clop is a notorious malware, short for malicious software, known for its disruptive and damaging effects on computer systems. It primarily infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Clop can steal personal information, disrupt o
SnatchUnspecified
1
Snatch is a type of malware, specifically ransomware, designed to infiltrate systems undetected, often through suspicious downloads, emails, or websites. Once inside the system, it can wreak havoc by stealing personal information, disrupting operations, or holding data hostage for ransom. The Snatch
Get2 DownloaderUnspecified
1
The Get2 downloader is a type of malware that has been recently used by the threat actor TA505 in its campaigns. The malicious software, which can infiltrate systems through suspicious downloads, emails, or websites, has been incorporated into new Microsoft Office macros. These macros are embedded w
SystembcUnspecified
1
SystemBC is a malicious software (malware) that has been used in various cyber attacks to exploit and damage computer systems. This malware was observed in 2023, being heavily used with BlackBasta and Quicksand. It has been deployed by teams using BlackBasta during their attacks. Play ransomware act
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
cl0pUnspecified
1
Cl0p is a threat actor group that has emerged as the most used ransomware in March 2023, dethroning LockBit. The group has successfully exploited zero-day vulnerabilities in the past, but such attacks are relatively rare. Recent research by Malwarebytes highlights the bias of ransomware gangs for at
TA505Unspecified
1
TA505, also known as Cl0p Ransomware Gang and Lace Tempest, is a highly active and sophisticated cybercriminal group. The group has been associated with various high-profile cyber-attacks, demonstrating adaptability through a multi-vector approach to their operations. In June 2023, the U.S. Cybersec
Hive0065Unspecified
1
Hive0065, also known as Graceful Spider, TA505, Gold Evergreen, TEMP.Warlock, Chimborazo, or FIN11, is a financially motivated cybercrime group that has been actively targeting various industries such as finance, retail and restaurants since at least 2014. The group has been notorious for distributi
fin11Unspecified
1
FIN11, a threat actor group also known as Lace Tempest or TA505, has been linked to the development and deployment of Cl0p ransomware. This malicious software is believed to be a variant of another ransomware, CryptoMix, and is typically used by FIN11 to encrypt files on a victim's network after ste
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
Graceful Spider Ta505Unspecified
1
None
ChimborazoUnspecified
1
None
Source Document References
Information about the SDBbot Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
MITRE
a year ago
Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies
MITRE
a year ago
TA505: A Brief History Of Their Time
MITRE
a year ago
TA505 Continues to Infect Networks With SDBbot RAT
MITRE
a year ago
TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader | Proofpoint US
MITRE
a year ago
Cybereason vs. Cl0p Ransomware
Secureworks
a year ago
Phases of a Post-Intrusion Ransomware Attack