S0460: Get2
Get2 is a downloader written in C++ that has been used by TA505 to deliver FlawedGrace, FlawedAmmyy, Snatch and SDBbot.[1]
Analyst context for executives and security teams
Get2 matters because ATT&CK describes it as a Windows downloader used to deliver additional malware, including FlawedGrace, FlawedAmmyy, Snatch, and SDBbot. For leaders, the key risk is not just the downloader itself, but the possibility that an initial execution event becomes a staging point for follow-on tools. That makes endpoint visibility, web-traffic review, and rapid incident triage important decision points.
Executive priority
Prioritize validation of Windows endpoint and network controls that can show whether a downloader executed, performed discovery, communicated over web protocols, or led to secondary payload delivery. Because ATT&CK provides no official detection guidance for Get2, assurance should come from evidence: collected endpoint telemetry, proxy/DNS/web logs, process activity, and incident response playbooks that can quickly determine scope and whether additional malware was delivered.
Technical view
SOC and IR teams should treat Get2 as a Windows downloader with relationship-driven behaviors mapped to discovery, execution, process injection, and web-protocol command-and-control. Validate visibility for System Owner/User Discovery, Process Discovery, Command and Scripting Interpreter activity, Web Protocols, System Information Discovery, and Dynamic-link Library Injection. Detection engineering should focus on correlated behavior rather than a single malware name: suspicious Windows process execution followed by user/system/process discovery, web-based outbound communication, and evidence of DLL injection or follow-on payload activity.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Parent/child process relationships around command or script interpreter use
- Endpoint events for user, process, and system information discovery
- DLL load, remote thread, memory write, or process injection-related telemetry where available
- Proxy, web gateway, firewall, DNS, and TLS metadata for outbound web-protocol communications
Detection direction
- Because ATT&CK provides no official Get2 detection text, validate coverage against the related techniques rather than relying only on known indicators.
- Correlate Windows execution events with discovery behavior and outbound web traffic to identify downloader-like activity.
- Tune for false positives from legitimate administrative tools, software deployment agents, inventory scripts, and normal web-enabled applications.
- Review whether telemetry captures enough detail to distinguish ordinary HTTP/S traffic from unusual process-originated outbound communication.
- Confirm whether endpoint tooling can surface DLL injection behaviors associated with T1055.001, since process-based blind spots may reduce visibility.
Mitigation priorities
- Ensure Windows endpoints have prevention and monitoring controls capable of detecting suspicious execution, discovery, injection, and downloader behavior.
- Restrict unnecessary command and scripting interpreter use where operationally feasible, and monitor allowed use closely.
- Harden egress controls and logging for web-protocol traffic so unusual outbound communications can be investigated.
- Maintain incident response procedures for downloader cases, including scoping for secondary payloads named in the ATT&CK description and preserving endpoint/network evidence.
- Use application control, least privilege, and endpoint hardening to reduce the ability of a downloader to execute follow-on payloads or inject into processes.
Analyst notes and limits
The most decision-useful context is that Get2 is a downloader associated in ATT&CK with TA505 and with delivery of other malware. The supplied relationships indicate use of discovery, execution, web-protocol communication, and DLL injection techniques. Defensive planning should therefore emphasize telemetry correlation and response readiness for secondary payload delivery.
Official ATT&CK detection guidance is not provided for this object. Tactics are not specified on the malware object itself, and the platform support supplied is Windows. Local conclusions require environment-specific evidence such as endpoint logs, network logs, detections, malware analysis results, or incident artifacts.
Get2
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1055.001 | Dynamic-link Library Injection (sub-technique) | |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1082 | System Information Discovery | |
| Enterprise | T1059 | Command and Scripting Interpreter | |
| Enterprise | T1033 | System Owner/User Discovery | |
| Enterprise | T1071.001 | Web Protocols (sub-technique) | |
Groups, software, and campaigns
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | cc54d060c5cc… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Proofpoint. Retrieved May 29, 2020.
[2] MITRE ATT&CK. S0460: Get2 (mirrored source object).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.