win.clop

Clop

Actor(s): TA505


Clop is a ransomware that appends the .clop extension to the victim's files after encrypting them. Another distinguishing characteristic of Clop is the string "Dont Worry C|0P" included in its ransom notes. It is a variant of the CryptoMix ransomware, but it additionally attempts to disable Windows Defender and to remove Microsoft Security Essentials in order to evade user-space detection.

References
2020-08-20CERT-FRCERT-FR
@techreport{certfr:20200820:development:d518522, author = {CERT-FR}, title = {{Development of the Activity of the TA505 Cybercriminal Group}}, date = {2020-08-20}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf}, language = {English}, urldate = {2020-08-28} } Development of the Activity of the TA505 Cybercriminal Group
AndroMut Bart Clop Dridex FlawedAmmyy FlawedGrace Get2 Locky Marap QuantLoader SDBbot ServHelper tRat TrickBot
2020-07-07HornetsecurityHornetsecurity Security Lab
@online{lab:20200707:clop:12bb60d, author = {Hornetsecurity Security Lab}, title = {{Clop, Clop! It’s a TA505 HTML malspam analysis}}, date = {2020-07-07}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-information/clop-clop-ta505-html-malspam-analysis/}, language = {English}, urldate = {2020-07-30} } Clop, Clop! It’s a TA505 HTML malspam analysis
Clop Get2
2020-06-22CERT-FRCERT-FR
@techreport{certfr:20200622:volution:fba1cfa, author = {CERT-FR}, title = {{Évolution De Lactivité du Groupe Cybercriminel TA505}}, date = {2020-06-22}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf}, language = {French}, urldate = {2020-06-24} } Évolution De Lactivité du Groupe Cybercriminel TA505
Amadey AndroMut Bart Clop Dridex FlawedGrace Gandcrab Get2 GlobeImposter Jaff Locky Marap Philadephia Ransom QuantLoader Scarab Ransomware SDBbot ServHelper Silence tRat TrickBot
2020-06-22BleepingComputerLawrence Abrams
@online{abrams:20200622:indiabulls:ce0fcdb, author = {Lawrence Abrams}, title = {{Indiabulls Group hit by CLOP Ransomware, gets 24h leak deadline}}, date = {2020-06-22}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/indiabulls-group-hit-by-clop-ransomware-gets-24h-leak-deadline/}, language = {English}, urldate = {2020-06-23} } Indiabulls Group hit by CLOP Ransomware, gets 24h leak deadline
Clop
2020-06-16TelekomThomas Barabosch
@online{barabosch:20200616:ta505:619f2c6, author = {Thomas Barabosch}, title = {{TA505 returns with a new bag of tricks}}, date = {2020-06-16}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104}, language = {English}, urldate = {2020-06-18} } TA505 returns with a new bag of tricks
Clop Get2 SDBbot TA505
2020-03-26TelekomThomas Barabosch
@online{barabosch:20200326:ta505s:24d9805, author = {Thomas Barabosch}, title = {{TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer}}, date = {2020-03-26}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672}, language = {English}, urldate = {2020-03-27} } TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer
Amadey Azorult Clop FlawedGrace Get2 SDBbot Silence TinyMet TA505
2020-03-24Bleeping ComputerLawrence Abrams
@online{abrams:20200324:three:fb92d03, author = {Lawrence Abrams}, title = {{Three More Ransomware Families Create Sites to Leak Stolen Data}}, date = {2020-03-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/}, language = {English}, urldate = {2020-03-26} } Three More Ransomware Families Create Sites to Leak Stolen Data
Clop DoppelPaymer Maze Nefilim Ransomware Nemty REvil
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-03-04SentinelOneJason Reaves
@online{reaves:20200304:breaking:8262e7e, author = {Jason Reaves}, title = {{Breaking TA505’s Crypter with an SMT Solver}}, date = {2020-03-04}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/breaking-ta505s-crypter-with-an-smt-solver/}, language = {English}, urldate = {2020-03-04} } Breaking TA505’s Crypter with an SMT Solver
Clop CryptoMix MINEBIDGE
2020-02-28Financial Security InstituteFinancial Security Institute
@online{institute:20200228:profiling:ebaa39b, author = {Financial Security Institute}, title = {{Profiling of TA505 Threat Group That Continues to Attack the Financial Sector}}, date = {2020-02-28}, organization = {Financial Security Institute}, url = {https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do}, language = {English}, urldate = {2020-02-28} } Profiling of TA505 Threat Group That Continues to Attack the Financial Sector
Amadey Clop FlawedAmmyy Rapid Ransom SDBbot TinyMet
2020-02-20ZDNetCatalin Cimpanu
@online{cimpanu:20200220:croatias:ac07fa3, author = {Catalin Cimpanu}, title = {{Croatia's largest petrol station chain impacted by cyber-attack}}, date = {2020-02-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/croatias-largest-petrol-station-chain-impacted-by-cyber-attack/}, language = {English}, urldate = {2020-02-26} } Croatia's largest petrol station chain impacted by cyber-attack
Clop
2020-02-07Bleeping ComputerSergiu Gatlan
@online{gatlan:20200207:ta505:7a8e5a2, author = {Sergiu Gatlan}, title = {{TA505 Hackers Behind Maastricht University Ransomware Attack}}, date = {2020-02-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ta505-hackers-behind-maastricht-university-ransomware-attack/}, language = {English}, urldate = {2020-02-13} } TA505 Hackers Behind Maastricht University Ransomware Attack
Clop
2020-01-29ANSSIANSSI
@techreport{anssi:20200129:tat:3d59e6e, author = {ANSSI}, title = {{État de la menace rançongiciel}}, date = {2020-01-29}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf}, language = {English}, urldate = {2020-02-03} } État de la menace rançongiciel
Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam
2020-01-13Github (Tera0017)Tera0017
@online{tera0017:20200113:tafof:d939bc6, author = {Tera0017}, title = {{TAFOF Unpacker}}, date = {2020-01-13}, organization = {Github (Tera0017)}, url = {https://github.com/Tera0017/TAFOF-Unpacker}, language = {English}, urldate = {2020-03-30} } TAFOF Unpacker
Clop Get2 Silence
2020-01-07Github (albertzsigovits)Albert Zsigovits
@online{zsigovits:20200107:clop:3e7202e, author = {Albert Zsigovits}, title = {{Clop ransomware Notes}}, date = {2020-01-07}, organization = {Github (albertzsigovits)}, url = {https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Clop.md}, language = {English}, urldate = {2020-02-01} } Clop ransomware Notes
Clop
2020-01-07Github (albertzsigovits)Albert Zsigovits
@online{zsigovits:20200107:clop:07d2a90, author = {Albert Zsigovits}, title = {{Clop ransomware Notes}}, date = {2020-01-07}, organization = {Github (albertzsigovits)}, url = {https://github.com/albertzsigovits/malware-notes/blob/master/Clop.md}, language = {English}, urldate = {2020-01-09} } Clop ransomware Notes
Clop
2020SecureworksSecureWorks
@online{secureworks:2020:gold:f38f910, author = {SecureWorks}, title = {{GOLD TAHOE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-tahoe}, language = {English}, urldate = {2020-05-23} } GOLD TAHOE
Clop FlawedAmmyy FlawedGrace Get2 SDBbot ServHelper TA505
2019-11-22CERT-FRCERT-FR
@online{certfr:20191122:rapport:c457ee8, author = {CERT-FR}, title = {{RAPPORT MENACES ET INCIDENTS DU CERT-FR}}, date = {2019-11-22}, organization = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/cti/CERTFR-2019-CTI-009/}, language = {French}, urldate = {2020-01-07} } RAPPORT MENACES ET INCIDENTS DU CERT-FR
Clop
2019-11-19ACTURédaction Normandie
@online{normandie:20191119:une:d09ec98, author = {Rédaction Normandie}, title = {{Une rançon après la cyberattaque au CHU de Rouen ? Ce que réclament les pirates}}, date = {2019-11-19}, organization = {ACTU}, url = {https://actu.fr/normandie/rouen_76540/une-rancon-apres-cyberattaque-chu-rouen-ce-reclament-pirates_29475649.html}, language = {French}, urldate = {2019-12-05} } Une rançon après la cyberattaque au CHU de Rouen ? Ce que réclament les pirates
Clop
2019-08-01McAfeeAlexandre Mundo, Marc Rivero López
@online{mundo:20190801:clop:fa3429f, author = {Alexandre Mundo and Marc Rivero López}, title = {{Clop Ransomware}}, date = {2019-08-01}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/clop-ransomware/}, language = {English}, urldate = {2020-01-06} } Clop Ransomware
Clop
2019-03-05Bleeping ComputerLawrence Abrams
@online{abrams:20190305:cryptomix:33e7eac, author = {Lawrence Abrams}, title = {{CryptoMix Clop Ransomware Says It's Targeting Networks, Not Computers}}, date = {2019-03-05}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/cryptomix-clop-ransomware-says-its-targeting-networks-not-computers/}, language = {English}, urldate = {2020-01-13} } CryptoMix Clop Ransomware Says It's Targeting Networks, Not Computers
Clop
2019-02-02Medium SebdravenSébastien Larinier
@online{larinier:20190202:unpacking:894335d, author = {Sébastien Larinier}, title = {{Unpacking Clop}}, date = {2019-02-02}, organization = {Medium Sebdraven}, url = {https://medium.com/@Sebdraven/unpacking-clop-416b83718e0f}, language = {English}, urldate = {2020-01-06} } Unpacking Clop
Clop
Yara Rules
[TLP:WHITE] win_clop_auto (20200817 | autogenerated rule brought to you by yara-signator)
// Malpedia auto-generated YARA rule for win.clop (Clop ransomware). Read the
// DISCLAIMER block inside the rule before assigning it a confidence level.
rule win_clop_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-08-17"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.clop"
        malpedia_rule_date = "20200817"
        malpedia_hash = "8c895fd01eccb47a6225bcb1a3ba53cbb98644c5"
        malpedia_version = "20200817"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of x86 opcode bytes; the comment beneath it
        // gives the disassembly the bytes were taken from ("n" = instruction
        // count, "score" = the generator's ranking value). "??" bytes are YARA
        // wildcards; here they appear to mask the operands of call/jmp
        // instructions and data references (cf. tool_config
        // "callsandjumps;datarefs"), so a match does not depend on those
        // addresses — presumably to tolerate relocation; confirm against the
        // yara-signator documentation.
        $sequence_0 = { 7402 eb52 833d????????04 7402 eb47 }
            // n = 5, score = 200
            //   7402                 | je                  4
            //   eb52                 | jmp                 0x54
            //   833d????????04       |                     
            //   7402                 | je                  4
            //   eb47                 | jmp                 0x49

        $sequence_1 = { 53 33db 56 3bfb 751b e8???????? 6a16 }
            // n = 7, score = 200
            //   53                   | push                ebx
            //   33db                 | xor                 ebx, ebx
            //   56                   | push                esi
            //   3bfb                 | cmp                 edi, ebx
            //   751b                 | jne                 0x1d
            //   e8????????           |                     
            //   6a16                 | push                0x16

        $sequence_2 = { 8d8598e5ffff 50 8b8d68e5ffff 81c13c050000 51 ff15???????? }
            // n = 6, score = 200
            //   8d8598e5ffff         | lea                 eax, [ebp - 0x1a68]
            //   50                   | push                eax
            //   8b8d68e5ffff         | mov                 ecx, dword ptr [ebp - 0x1a98]
            //   81c13c050000         | add                 ecx, 0x53c
            //   51                   | push                ecx
            //   ff15????????         |                     

        $sequence_3 = { 8b7d08 3bfb 751f e8???????? }
            // n = 4, score = 200
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   3bfb                 | cmp                 edi, ebx
            //   751f                 | jne                 0x21
            //   e8????????           |                     

        $sequence_4 = { 3dc8000000 732d 68???????? 8d8424dc0b0000 }
            // n = 4, score = 200
            //   3dc8000000           | cmp                 eax, 0xc8
            //   732d                 | jae                 0x2f
            //   68????????           |                     
            //   8d8424dc0b0000       | lea                 eax, [esp + 0xbdc]

        $sequence_5 = { 752f 395dfc 772a e8???????? }
            // n = 4, score = 200
            //   752f                 | jne                 0x31
            //   395dfc               | cmp                 dword ptr [ebp - 4], ebx
            //   772a                 | ja                  0x2c
            //   e8????????           |                     

        $sequence_6 = { 50 ff15???????? e9???????? 8bb59ce9ffff 33ff 33d2 }
            // n = 6, score = 200
            //   50                   | push                eax
            //   ff15????????         |                     
            //   e9????????           |                     
            //   8bb59ce9ffff         | mov                 esi, dword ptr [ebp - 0x1664]
            //   33ff                 | xor                 edi, edi
            //   33d2                 | xor                 edx, edx

        $sequence_7 = { 7514 837de800 740a 8b45e8 50 ff15???????? }
            // n = 6, score = 200
            //   7514                 | jne                 0x16
            //   837de800             | cmp                 dword ptr [ebp - 0x18], 0
            //   740a                 | je                  0xc
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_8 = { 8d95dcf7ffff 52 68???????? 8d85ecfbffff 50 ff15???????? 83c40c }
            // n = 7, score = 200
            //   8d95dcf7ffff         | lea                 edx, [ebp - 0x824]
            //   52                   | push                edx
            //   68????????           |                     
            //   8d85ecfbffff         | lea                 eax, [ebp - 0x414]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   83c40c               | add                 esp, 0xc

        $sequence_9 = { 8b8d70e9ffff 8b9528e9ffff 899148070000 8b852ce9ffff 89814c070000 8b8d70e9ffff 8b5520 }
            // n = 7, score = 200
            //   8b8d70e9ffff         | mov                 ecx, dword ptr [ebp - 0x1690]
            //   8b9528e9ffff         | mov                 edx, dword ptr [ebp - 0x16d8]
            //   899148070000         | mov                 dword ptr [ecx + 0x748], edx
            //   8b852ce9ffff         | mov                 eax, dword ptr [ebp - 0x16d4]
            //   89814c070000         | mov                 dword ptr [ecx + 0x74c], eax
            //   8b8d70e9ffff         | mov                 ecx, dword ptr [ebp - 0x1690]
            //   8b5520               | mov                 edx, dword ptr [ebp + 0x20]

        $sequence_10 = { eb06 8b9ea0000000 83beb000000001 8b4510 0f84f8000000 }
            // n = 5, score = 200
            //   eb06                 | jmp                 8
            //   8b9ea0000000         | mov                 ebx, dword ptr [esi + 0xa0]
            //   83beb000000001       | cmp                 dword ptr [esi + 0xb0], 1
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   0f84f8000000         | je                  0xfe

        $sequence_11 = { c7451801000000 6a00 6a00 8b8564e5ffff 50 68???????? 6a00 }
            // n = 7, score = 200
            //   c7451801000000       | mov                 dword ptr [ebp + 0x18], 1
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   8b8564e5ffff         | mov                 eax, dword ptr [ebp - 0x1a9c]
            //   50                   | push                eax
            //   68????????           |                     
            //   6a00                 | push                0

        $sequence_12 = { 8d5c0301 8b45fc 8918 ff7730 }
            // n = 4, score = 200
            //   8d5c0301             | lea                 ebx, [ebx + eax + 1]
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8918                 | mov                 dword ptr [eax], ebx
            //   ff7730               | push                dword ptr [edi + 0x30]

        $sequence_13 = { 8b55f4 52 e8???????? 83c404 8945ec 8b45f0 50 }
            // n = 7, score = 200
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]
            //   52                   | push                edx
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   50                   | push                eax

        $sequence_14 = { 8d4e01 33db 3bce 7205 83f901 7303 }
            // n = 6, score = 200
            //   8d4e01               | lea                 ecx, [esi + 1]
            //   33db                 | xor                 ebx, ebx
            //   3bce                 | cmp                 ecx, esi
            //   7205                 | jb                  7
            //   83f901               | cmp                 ecx, 1
            //   7303                 | jae                 5

        $sequence_15 = { ff15???????? 6808020000 8d8424ec0f0000 6a00 50 }
            // n = 5, score = 200
            //   ff15????????         |                     
            //   6808020000           | push                0x208
            //   8d8424ec0f0000       | lea                 eax, [esp + 0xfec]
            //   6a00                 | push                0
            //   50                   | push                eax

    condition:
        // Fires when at least 7 of the 16 sequences above are present AND the
        // scanned object is smaller than 630784 bytes (616 KiB). An object at or
        // above that size will not match even if every sequence is present, so
        // keep the bound in mind when triaging large or padded files. Because
        // the sequences were taken from memory dumps and unpacked files (see
        // DISCLAIMER), packed on-disk samples may not match; scanning process
        // memory or an unpacked payload is more likely to produce a hit.
        7 of them and filesize < 630784
}