win.clop

Clop

Actor(s): TA505


Clop is ransomware that appends the .clop extension to files after encrypting them. Another distinguishing characteristic of Clop is the string "Dont Worry C|0P" included in its ransom notes. It is a variant of the CryptoMix ransomware, but it additionally attempts to disable Windows Defender and to remove Microsoft Security Essentials in order to avoid user-space detection.

References
2020-06-22CERT-FRCERT-FR
@techreport{certfr:20200622:volution:fba1cfa, author = {CERT-FR}, title = {{Évolution De L'activité du Groupe Cybercriminel TA505}}, date = {2020-06-22}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf}, language = {French}, urldate = {2020-06-24} } Évolution De L'activité du Groupe Cybercriminel TA505
Amadey AndroMut Bart Clop Dridex FlawedGrace Gandcrab Get2 GlobeImposter Jaff Locky Marap Philadephia Ransom QuantLoader Scarab Ransomware SDBbot ServHelper Silence tRat TrickBot
2020-06-22BleepingComputerLawrence Abrams
@online{abrams:20200622:indiabulls:ce0fcdb, author = {Lawrence Abrams}, title = {{Indiabulls Group hit by CLOP Ransomware, gets 24h leak deadline}}, date = {2020-06-22}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/indiabulls-group-hit-by-clop-ransomware-gets-24h-leak-deadline/}, language = {English}, urldate = {2020-06-23} } Indiabulls Group hit by CLOP Ransomware, gets 24h leak deadline
Clop
2020-06-16TelekomThomas Barabosch
@online{barabosch:20200616:ta505:619f2c6, author = {Thomas Barabosch}, title = {{TA505 returns with a new bag of tricks}}, date = {2020-06-16}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104}, language = {English}, urldate = {2020-06-18} } TA505 returns with a new bag of tricks
Clop Get2 SDBbot TA505
2020-03-26TelekomThomas Barabosch
@online{barabosch:20200326:ta505s:24d9805, author = {Thomas Barabosch}, title = {{TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer}}, date = {2020-03-26}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672}, language = {English}, urldate = {2020-03-27} } TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer
Amadey Azorult Clop FlawedGrace Get2 SDBbot Silence TinyMet TA505
2020-03-24Bleeping ComputerLawrence Abrams
@online{abrams:20200324:three:fb92d03, author = {Lawrence Abrams}, title = {{Three More Ransomware Families Create Sites to Leak Stolen Data}}, date = {2020-03-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/}, language = {English}, urldate = {2020-03-26} } Three More Ransomware Families Create Sites to Leak Stolen Data
Clop DoppelPaymer Maze Nefilim Ransomware Nemty REvil
2020-03-04SentinelOneJason Reaves
@online{reaves:20200304:breaking:8262e7e, author = {Jason Reaves}, title = {{Breaking TA505’s Crypter with an SMT Solver}}, date = {2020-03-04}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/breaking-ta505s-crypter-with-an-smt-solver/}, language = {English}, urldate = {2020-03-04} } Breaking TA505’s Crypter with an SMT Solver
Clop CryptoMix MINEBIDGE
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-03-04} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Judgment Panda Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-02-28Financial Security InstituteFinancial Security Institute
@online{institute:20200228:profiling:ebaa39b, author = {Financial Security Institute}, title = {{Profiling of TA505 Threat Group That Continues to Attack the Financial Sector}}, date = {2020-02-28}, organization = {Financial Security Institute}, url = {https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do}, language = {English}, urldate = {2020-02-28} } Profiling of TA505 Threat Group That Continues to Attack the Financial Sector
Amadey Clop FlawedAmmyy Rapid Ransom SDBbot TinyMet
2020-02-20ZDNetCatalin Cimpanu
@online{cimpanu:20200220:croatias:ac07fa3, author = {Catalin Cimpanu}, title = {{Croatia's largest petrol station chain impacted by cyber-attack}}, date = {2020-02-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/croatias-largest-petrol-station-chain-impacted-by-cyber-attack/}, language = {English}, urldate = {2020-02-26} } Croatia's largest petrol station chain impacted by cyber-attack
Clop
2020-02-07Bleeping ComputerSergiu Gatlan
@online{gatlan:20200207:ta505:7a8e5a2, author = {Sergiu Gatlan}, title = {{TA505 Hackers Behind Maastricht University Ransomware Attack}}, date = {2020-02-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ta505-hackers-behind-maastricht-university-ransomware-attack/}, language = {English}, urldate = {2020-02-13} } TA505 Hackers Behind Maastricht University Ransomware Attack
Clop
2020-01-29ANSSIANSSI
@techreport{anssi:20200129:tat:3d59e6e, author = {ANSSI}, title = {{État de la menace rançongiciel}}, date = {2020-01-29}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf}, language = {English}, urldate = {2020-02-03} } État de la menace rançongiciel
Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam
2020-01-13Github (Tera0017)Tera0017
@online{tera0017:20200113:tafof:d939bc6, author = {Tera0017}, title = {{TAFOF Unpacker}}, date = {2020-01-13}, organization = {Github (Tera0017)}, url = {https://github.com/Tera0017/TAFOF-Unpacker}, language = {English}, urldate = {2020-03-30} } TAFOF Unpacker
Clop Get2 Silence
2020-01-07Github (albertzsigovits)Albert Zsigovits
@online{zsigovits:20200107:clop:3e7202e, author = {Albert Zsigovits}, title = {{Clop ransomware Notes}}, date = {2020-01-07}, organization = {Github (albertzsigovits)}, url = {https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Clop.md}, language = {English}, urldate = {2020-02-01} } Clop ransomware Notes
Clop
2020-01-07Github (albertzsigovits)Albert Zsigovits
@online{zsigovits:20200107:clop:07d2a90, author = {Albert Zsigovits}, title = {{Clop ransomware Notes}}, date = {2020-01-07}, organization = {Github (albertzsigovits)}, url = {https://github.com/albertzsigovits/malware-notes/blob/master/Clop.md}, language = {English}, urldate = {2020-01-09} } Clop ransomware Notes
Clop
2020SecureworksSecureWorks
@online{secureworks:2020:gold:f38f910, author = {SecureWorks}, title = {{GOLD TAHOE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-tahoe}, language = {English}, urldate = {2020-05-23} } GOLD TAHOE
Clop FlawedAmmyy FlawedGrace Get2 SDBbot ServHelper TA505
2019-11-22CERT-FRCERT-FR
@online{certfr:20191122:rapport:c457ee8, author = {CERT-FR}, title = {{RAPPORT MENACES ET INCIDENTS DU CERT-FR}}, date = {2019-11-22}, organization = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/cti/CERTFR-2019-CTI-009/}, language = {French}, urldate = {2020-01-07} } RAPPORT MENACES ET INCIDENTS DU CERT-FR
Clop
2019-11-19ACTURédaction Normandie
@online{normandie:20191119:une:d09ec98, author = {Rédaction Normandie}, title = {{Une rançon après la cyberattaque au CHU de Rouen ? Ce que réclament les pirates}}, date = {2019-11-19}, organization = {ACTU}, url = {https://actu.fr/normandie/rouen_76540/une-rancon-apres-cyberattaque-chu-rouen-ce-reclament-pirates_29475649.html}, language = {French}, urldate = {2019-12-05} } Une rançon après la cyberattaque au CHU de Rouen ? Ce que réclament les pirates
Clop
2019-08-01McAfeeAlexandre Mundo, Marc Rivero López
@online{mundo:20190801:clop:fa3429f, author = {Alexandre Mundo and Marc Rivero López}, title = {{Clop Ransomware}}, date = {2019-08-01}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/clop-ransomware/}, language = {English}, urldate = {2020-01-06} } Clop Ransomware
Clop
2019-03-05Bleeping ComputerLawrence Abrams
@online{abrams:20190305:cryptomix:33e7eac, author = {Lawrence Abrams}, title = {{CryptoMix Clop Ransomware Says It's Targeting Networks, Not Computers}}, date = {2019-03-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/cryptomix-clop-ransomware-says-its-targeting-networks-not-computers/}, language = {English}, urldate = {2020-01-13} } CryptoMix Clop Ransomware Says It's Targeting Networks, Not Computers
Clop
2019-02-02Medium SebdravenSébastien Larinier
@online{larinier:20190202:unpacking:894335d, author = {Sébastien Larinier}, title = {{Unpacking Clop}}, date = {2019-02-02}, organization = {Medium Sebdraven}, url = {https://medium.com/@Sebdraven/unpacking-clop-416b83718e0f}, language = {English}, urldate = {2020-01-06} } Unpacking Clop
Clop
Yara Rules
[TLP:WHITE] win_clop_auto (20200529 | autogenerated rule brought to you by yara-signator)
// Detection rule for Clop (win.clop): 16 wildcarded x86 code byte sequences
// selected automatically by yara-signator. See the DISCLAIMER block below for
// how the sequences were derived and the resulting caveat on generalization.
rule win_clop_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // NOTE(review): `date` (2020-05-30) and malpedia_rule_date (20200529)
        // differ by one day; both values are kept exactly as published.
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.clop"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each hex string is a short run of x86 instruction bytes; "??" wildcards
        // mask relative call targets / absolute addresses (e8 / ff15 / 68 / 8b1d
        // operands) that differ between builds. The per-line comments give the
        // disassembly of each opcode as emitted by the generator.
        $sequence_0 = { 75f9 2bc6 8d7001 6a01 56 e8???????? }
            // n = 6, score = 200
            //   75f9                 | jne                 0xfffffffb
            //   2bc6                 | sub                 eax, esi
            //   8d7001               | lea                 esi, [eax + 1]
            //   6a01                 | push                1
            //   56                   | push                esi
            //   e8????????           |                     

        $sequence_1 = { 894dd0 0fb60e 394de4 7ee5 46 46 807eff00 }
            // n = 7, score = 200
            //   894dd0               | mov                 dword ptr [ebp - 0x30], ecx
            //   0fb60e               | movzx               ecx, byte ptr [esi]
            //   394de4               | cmp                 dword ptr [ebp - 0x1c], ecx
            //   7ee5                 | jle                 0xffffffe7
            //   46                   | inc                 esi
            //   46                   | inc                 esi
            //   807eff00             | cmp                 byte ptr [esi - 1], 0

        $sequence_2 = { 8b45f4 3bc3 7467 395d20 750b }
            // n = 5, score = 200
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   3bc3                 | cmp                 eax, ebx
            //   7467                 | je                  0x69
            //   395d20               | cmp                 dword ptr [ebp + 0x20], ebx
            //   750b                 | jne                 0xd

        $sequence_3 = { e8???????? 83c404 47 83c620 3b7c2410 72aa }
            // n = 6, score = 200
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   47                   | inc                 edi
            //   83c620               | add                 esi, 0x20
            //   3b7c2410             | cmp                 edi, dword ptr [esp + 0x10]
            //   72aa                 | jb                  0xffffffac

        $sequence_4 = { e8???????? 59 ebcf 6a01 6820020000 }
            // n = 5, score = 200
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   ebcf                 | jmp                 0xffffffd1
            //   6a01                 | push                1
            //   6820020000           | push                0x220

        $sequence_5 = { 52 ff15???????? 8b4518 3b4514 7254 c7451801000000 6a00 }
            // n = 7, score = 200
            //   52                   | push                edx
            //   ff15????????         |                     
            //   8b4518               | mov                 eax, dword ptr [ebp + 0x18]
            //   3b4514               | cmp                 eax, dword ptr [ebp + 0x14]
            //   7254                 | jb                  0x56
            //   c7451801000000       | mov                 dword ptr [ebp + 0x18], 1
            //   6a00                 | push                0

        $sequence_6 = { 51 8d95dcf7ffff 52 ff15???????? 68???????? 8d85dcf7ffff 50 }
            // n = 7, score = 200
            //   51                   | push                ecx
            //   8d95dcf7ffff         | lea                 edx, [ebp - 0x824]
            //   52                   | push                edx
            //   ff15????????         |                     
            //   68????????           |                     
            //   8d85dcf7ffff         | lea                 eax, [ebp - 0x824]
            //   50                   | push                eax

        $sequence_7 = { 8d9598e5ffff 52 8d85bcefffff 50 ff15???????? }
            // n = 5, score = 200
            //   8d9598e5ffff         | lea                 edx, [ebp - 0x1a68]
            //   52                   | push                edx
            //   8d85bcefffff         | lea                 eax, [ebp - 0x1044]
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_8 = { 8b4d24 898854070000 8b9564e5ffff 8b4528 898258070000 8b8d64e5ffff }
            // n = 6, score = 200
            //   8b4d24               | mov                 ecx, dword ptr [ebp + 0x24]
            //   898854070000         | mov                 dword ptr [eax + 0x754], ecx
            //   8b9564e5ffff         | mov                 edx, dword ptr [ebp - 0x1a9c]
            //   8b4528               | mov                 eax, dword ptr [ebp + 0x28]
            //   898258070000         | mov                 dword ptr [edx + 0x758], eax
            //   8b8d64e5ffff         | mov                 ecx, dword ptr [ebp - 0x1a9c]

        // sequences 9, 10 and 12 store small immediates as 16-bit words on the
        // stack; the values (0x2e '.', 0x43 'C', 0x49 'I', 0x4f 'O', 0x4e 'N',
        // 0x4b 'K') are printable ASCII, which looks like a wide string being
        // assembled in place — confirm against the sample before relying on it.
        $sequence_9 = { 89559e 668955a2 b82e000000 668945d0 b943000000 }
            // n = 5, score = 200
            //   89559e               | mov                 dword ptr [ebp - 0x62], edx
            //   668955a2             | mov                 word ptr [ebp - 0x5e], dx
            //   b82e000000           | mov                 eax, 0x2e
            //   668945d0             | mov                 word ptr [ebp - 0x30], ax
            //   b943000000           | mov                 ecx, 0x43

        $sequence_10 = { ba49000000 668955d4 b84f000000 668945d6 }
            // n = 4, score = 200
            //   ba49000000           | mov                 edx, 0x49
            //   668955d4             | mov                 word ptr [ebp - 0x2c], dx
            //   b84f000000           | mov                 eax, 0x4f
            //   668945d6             | mov                 word ptr [ebp - 0x2a], ax

        $sequence_11 = { 8d856ce2ffff 50 ffd6 8b1d???????? }
            // n = 4, score = 200
            //   8d856ce2ffff         | lea                 eax, [ebp - 0x1d94]
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   8b1d????????         |                     

        $sequence_12 = { ba4e000000 668995f8feffff b84b000000 668985fafeffff 33c9 }
            // n = 5, score = 200
            //   ba4e000000           | mov                 edx, 0x4e
            //   668995f8feffff       | mov                 word ptr [ebp - 0x108], dx
            //   b84b000000           | mov                 eax, 0x4b
            //   668985fafeffff       | mov                 word ptr [ebp - 0x106], ax
            //   33c9                 | xor                 ecx, ecx

        $sequence_13 = { ff45fc 837dfc07 8d740602 72ca 8d7968 c745ec0c000000 }
            // n = 6, score = 200
            //   ff45fc               | inc                 dword ptr [ebp - 4]
            //   837dfc07             | cmp                 dword ptr [ebp - 4], 7
            //   8d740602             | lea                 esi, [esi + eax + 2]
            //   72ca                 | jb                  0xffffffcc
            //   8d7968               | lea                 edi, [ecx + 0x68]
            //   c745ec0c000000       | mov                 dword ptr [ebp - 0x14], 0xc

        $sequence_14 = { 894520 395d1c 750b 8b4508 8b00 8b4004 89451c }
            // n = 7, score = 200
            //   894520               | mov                 dword ptr [ebp + 0x20], eax
            //   395d1c               | cmp                 dword ptr [ebp + 0x1c], ebx
            //   750b                 | jne                 0xd
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   8b4004               | mov                 eax, dword ptr [eax + 4]
            //   89451c               | mov                 dword ptr [ebp + 0x1c], eax

        $sequence_15 = { ff15???????? 8b8550e5ffff 50 ff15???????? eb36 8b4d18 }
            // n = 6, score = 200
            //   ff15????????         |                     
            //   8b8550e5ffff         | mov                 eax, dword ptr [ebp - 0x1ab0]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   eb36                 | jmp                 0x38
            //   8b4d18               | mov                 ecx, dword ptr [ebp + 0x18]

    condition:
        // At least 7 of the 16 sequences must be present, and the scanned object
        // must be smaller than 630784 bytes (616 KiB). NOTE(review): YARA leaves
        // filesize undefined when the target is a process rather than a file, so
        // this condition is intended for files and dumps on disk — confirm the
        // behaviour for your YARA version before using it for memory scanning.
        7 of them and filesize < 630784
}