AndroMut (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.andromut (Back to overview)

AndroMut

aka: Gelup

Actor(s): TA505

VTCollection

According to Proofpoint, AndroMut is a new downloader malware written in C++ that Proofpoint researchers began observing in the wild in June 2019. The “Andro” part of the name comes from some of the pieces which bear resemblance to another downloader malware known as Andromeda [1] and “Mut” is based off a mutex that the analyzed sample creates: “mutshellmy777”.

References

2020-12-14 ⋅ Blueliv ⋅ Alberto Marín, Blueliv Labs Team, Carlos Rubio
Using Qiling Framework to Unpack TA505 packed samples
AndroMut Azorult Silence TinyMet

2020-08-20 ⋅ CERT-FR ⋅ CERT-FR
Development of the Activity of the TA505 Cybercriminal Group
AndroMut Bart Clop Dridex FlawedAmmyy FlawedGrace Get2 Locky Marap QuantLoader SDBbot ServHelper tRat TrickBot

2020-06-22 ⋅ ⋅ CERT-FR ⋅ CERT-FR
Évolution De Lactivité du Groupe Cybercriminel TA505
Amadey AndroMut Bart Clop Dridex FlawedGrace Gandcrab Get2 GlobeImposter Jaff Locky Marap Philadephia Ransom QuantLoader Scarab Ransomware SDBbot ServHelper Silence tRat TrickBot

2020-05-24 ⋅ Positive Technologies ⋅ PT ESC Threat Intelligence
Operation TA505: network infrastructure. Part 3.
AndroMut Buhtrap SmokeLoader

2020-05-21 ⋅ Intel 471 ⋅ Intel 471
A brief history of TA505
AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot

2020-03-03 ⋅ PWC UK ⋅ PWC UK
Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle

2020-02-13 ⋅ Qianxin ⋅ Qi Anxin Threat Intelligence Center
APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy

2019-07-04 ⋅ Trend Micro ⋅ Trend Micro
Latest Spam Campaigns from TA505 Now Using New Malware Tools Gelup and FlowerPippi
AndroMut

2019-07-02 ⋅ Proofpoint ⋅ Dennis Schwarz, Matthew Mesa, Proofpoint Threat Insight Team
TA505 begins summer campaigns with a new pet malware downloader, AndroMut, in the UAE, South Korea, Singapore, and the United States
AndroMut FlawedAmmyy

Yara Rules

[TLP:WHITE] win_andromut_auto (20260504 | Detects win.andromut.)

rule win_andromut_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.andromut."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.andromut"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 83c418 8d8d04ffffff e8???????? 8d8504ffffff b9b4733de3 50 8d85b8fbffff }
            // n = 7, score = 200
            //   83c418               | add                 esp, 0x18
            //   8d8d04ffffff         | lea                 ecx, [ebp - 0xfc]
            //   e8????????           |                     
            //   8d8504ffffff         | lea                 eax, [ebp - 0xfc]
            //   b9b4733de3           | mov                 ecx, 0xe33d73b4
            //   50                   | push                eax
            //   8d85b8fbffff         | lea                 eax, [ebp - 0x448]

        $sequence_1 = { 8a4e01 8a46ff 8a7efe 884dfc 32cb 8ae9 8845fe }
            // n = 7, score = 200
            //   8a4e01               | mov                 cl, byte ptr [esi + 1]
            //   8a46ff               | mov                 al, byte ptr [esi - 1]
            //   8a7efe               | mov                 bh, byte ptr [esi - 2]
            //   884dfc               | mov                 byte ptr [ebp - 4], cl
            //   32cb                 | xor                 cl, bl
            //   8ae9                 | mov                 ch, cl
            //   8845fe               | mov                 byte ptr [ebp - 2], al

        $sequence_2 = { e8???????? 6810270000 ff15???????? 8b15???????? 8d45d4 8b0d???????? 33f6 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   6810270000           | push                0x2710
            //   ff15????????         |                     
            //   8b15????????         |                     
            //   8d45d4               | lea                 eax, [ebp - 0x2c]
            //   8b0d????????         |                     
            //   33f6                 | xor                 esi, esi

        $sequence_3 = { 6a00 8d8d70f0ffff 51 ffb500f3ffff 56 }
            // n = 5, score = 200
            //   6a00                 | push                0
            //   8d8d70f0ffff         | lea                 ecx, [ebp - 0xf90]
            //   51                   | push                ecx
            //   ffb500f3ffff         | push                dword ptr [ebp - 0xd00]
            //   56                   | push                esi

        $sequence_4 = { 57 0f438538f3ffff 50 e8???????? 8bf8 8d8de0f3ffff }
            // n = 6, score = 200
            //   57                   | push                edi
            //   0f438538f3ffff       | cmovae              eax, dword ptr [ebp - 0xcc8]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   8d8de0f3ffff         | lea                 ecx, [ebp - 0xc20]

        $sequence_5 = { 8bce e8???????? fec3 6a10 58 80fb0e }
            // n = 6, score = 200
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   fec3                 | inc                 bl
            //   6a10                 | push                0x10
            //   58                   | pop                 eax
            //   80fb0e               | cmp                 bl, 0xe

        $sequence_6 = { e8???????? 59 8945e0 3818 755d 837f1410 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   3818                 | cmp                 byte ptr [eax], bl
            //   755d                 | jne                 0x5f
            //   837f1410             | cmp                 dword ptr [edi + 0x14], 0x10

        $sequence_7 = { 8bf0 8d458c 2bf3 56 53 }
            // n = 5, score = 200
            //   8bf0                 | mov                 esi, eax
            //   8d458c               | lea                 eax, [ebp - 0x74]
            //   2bf3                 | sub                 esi, ebx
            //   56                   | push                esi
            //   53                   | push                ebx

        $sequence_8 = { 83ec18 8b5d10 8bcc 50 }
            // n = 4, score = 200
            //   83ec18               | sub                 esp, 0x18
            //   8b5d10               | mov                 ebx, dword ptr [ebp + 0x10]
            //   8bcc                 | mov                 ecx, esp
            //   50                   | push                eax

        $sequence_9 = { 663bc3 75f6 2bca 8d856cffffff d1f9 51 }
            // n = 6, score = 200
            //   663bc3               | cmp                 ax, bx
            //   75f6                 | jne                 0xfffffff8
            //   2bca                 | sub                 ecx, edx
            //   8d856cffffff         | lea                 eax, [ebp - 0x94]
            //   d1f9                 | sar                 ecx, 1
            //   51                   | push                ecx

    condition:
        7 of them and filesize < 368640
}

Download all Yara Rules

AndroMut Propose Change

References

Yara Rules

AndroMut