win.andromut

AndroMut

aka: Gelup

Actor(s): TA505


There is no description at this point.

References
2020-06-22 | CERT-FR | CERT-FR
Évolution de l'activité du groupe cybercriminel TA505 (English: Evolution of the Activity of the Cybercriminal Group TA505)
@techreport{certfr:20200622:volution:fba1cfa, author = {CERT-FR}, title = {{Évolution De L'activité du Groupe Cybercriminel TA505}}, date = {2020-06-22}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf}, language = {French}, urldate = {2020-06-24} }
Families covered: Amadey AndroMut Bart Clop Dridex FlawedGrace Gandcrab Get2 GlobeImposter Jaff Locky Marap Philadephia Ransom QuantLoader Scarab Ransomware SDBbot ServHelper Silence tRat TrickBot
2020-05-21 | Intel 471 | Intel 471
A brief history of TA505
@online{471:20200521:brief:048d164, author = {Intel 471}, title = {{A brief history of TA505}}, date = {2020-05-21}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/}, language = {English}, urldate = {2020-05-23} }
Families covered: AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot
2020-03-03 | PWC UK | PWC UK
Cyber Threats 2019: A Year in Retrospect
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019: A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} }
Families covered: KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare
2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
APT Report 2019
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} }
Families covered: Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2019-07-04 | Trend Micro | Trend Micro
Latest Spam Campaigns from TA505 Now Using New Malware Tools Gelup and FlowerPippi
@techreport{micro:20190704:latest:dd6099a, author = {Trend Micro}, title = {{Latest Spam Campaigns from TA505 Now Using New Malware Tools Gelup and FlowerPippi}}, date = {2019-07-04}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/Tech-Brief-Latest-Spam-Campaigns-from-TA505-Now-Using-New-Malware-Tools-Gelup-and-FlowerPippi.pdf}, language = {English}, urldate = {2020-01-13} }
Families covered: AndroMut
2019-07-02 | Proofpoint | Matthew Mesa, Dennis Schwarz, Proofpoint Threat Insight Team
TA505 begins summer campaigns with a new pet malware downloader, AndroMut, in the UAE, South Korea, Singapore, and the United States
@online{mesa:20190702:ta505:7f99961, author = {Matthew Mesa and Dennis Schwarz and Proofpoint Threat Insight Team}, title = {{TA505 begins summer campaigns with a new pet malware downloader, AndroMut, in the UAE, South Korea, Singapore, and the United States}}, date = {2019-07-02}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/ta505-begins-summer-campaigns-new-pet-malware-downloader-andromut-uae-south}, language = {English}, urldate = {2019-11-26} }
Families covered: AndroMut FlawedAmmyy
Yara Rules
[TLP:WHITE] win_andromut_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_andromut_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.andromut"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { b949f70278 8bf0 e8???????? 68???????? 56 ffd0 57 }
            // n = 7, score = 200
            //   b949f70278           | mov                 ecx, 0x7802f749
            //   8bf0                 | mov                 esi, eax
            //   e8????????           |                     
            //   68????????           |                     
            //   56                   | push                esi
            //   ffd0                 | call                eax
            //   57                   | push                edi

        $sequence_1 = { e8???????? 8d850cffffff 50 8d8574ffffff 50 8d95fcfcffff 8d8d74fcffff }
            // n = 7, score = 200
            //   e8????????           |                     
            //   8d850cffffff         | lea                 eax, [ebp - 0xf4]
            //   50                   | push                eax
            //   8d8574ffffff         | lea                 eax, [ebp - 0x8c]
            //   50                   | push                eax
            //   8d95fcfcffff         | lea                 edx, [ebp - 0x304]
            //   8d8d74fcffff         | lea                 ecx, [ebp - 0x38c]

        $sequence_2 = { 83c40c c745b8029f02ae c745bc0696068f 8bfb c745c00297029e c745c40e880e8e c745c802db02a1 }
            // n = 7, score = 200
            //   83c40c               | add                 esp, 0xc
            //   c745b8029f02ae       | mov                 dword ptr [ebp - 0x48], 0xae029f02
            //   c745bc0696068f       | mov                 dword ptr [ebp - 0x44], 0x8f069606
            //   8bfb                 | mov                 edi, ebx
            //   c745c00297029e       | mov                 dword ptr [ebp - 0x40], 0x9e029702
            //   c745c40e880e8e       | mov                 dword ptr [ebp - 0x3c], 0x8e0e880e
            //   c745c802db02a1       | mov                 dword ptr [ebp - 0x38], 0xa102db02

        $sequence_3 = { 48 7416 48 48 7412 83e806 7410 }
            // n = 7, score = 200
            //   48                   | dec                 eax
            //   7416                 | je                  0x18
            //   48                   | dec                 eax
            //   48                   | dec                 eax
            //   7412                 | je                  0x14
            //   83e806               | sub                 eax, 6
            //   7410                 | je                  0x12

        $sequence_4 = { ffd0 33c0 8d7de0 ab b9daf68a50 ab 66ab }
            // n = 7, score = 200
            //   ffd0                 | call                eax
            //   33c0                 | xor                 eax, eax
            //   8d7de0               | lea                 edi, [ebp - 0x20]
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   b9daf68a50           | mov                 ecx, 0x508af6da
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   66ab                 | stosw               word ptr es:[edi], ax

        $sequence_5 = { 56 ffd0 5e c3 56 8bf1 }
            // n = 6, score = 200
            //   56                   | push                esi
            //   ffd0                 | call                eax
            //   5e                   | pop                 esi
            //   c3                   | ret                 
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx

        $sequence_6 = { 7e20 ff349f 8b8d70ffffff 8bc3 c1e004 50 6a10 }
            // n = 7, score = 200
            //   7e20                 | jle                 0x22
            //   ff349f               | push                dword ptr [edi + ebx*4]
            //   8b8d70ffffff         | mov                 ecx, dword ptr [ebp - 0x90]
            //   8bc3                 | mov                 eax, ebx
            //   c1e004               | shl                 eax, 4
            //   50                   | push                eax
            //   6a10                 | push                0x10

        $sequence_7 = { 8d85f8feffff b9ec3daf46 6a00 50 }
            // n = 4, score = 200
            //   8d85f8feffff         | lea                 eax, [ebp - 0x108]
            //   b9ec3daf46           | mov                 ecx, 0x46af3dec
            //   6a00                 | push                0
            //   50                   | push                eax

        $sequence_8 = { e8???????? 6805010000 8d85d8fbffff b95d4411ff 50 57 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   6805010000           | push                0x105
            //   8d85d8fbffff         | lea                 eax, [ebp - 0x428]
            //   b95d4411ff           | mov                 ecx, 0xff11445d
            //   50                   | push                eax
            //   57                   | push                edi

        $sequence_9 = { 53 50 e8???????? ffd0 }
            // n = 4, score = 200
            //   53                   | push                ebx
            //   50                   | push                eax
            //   e8????????           |                     
            //   ffd0                 | call                eax

    condition:
        7 of them and filesize < 368640
}