win.andromut

AndroMut

aka: Gelup

Actor(s): TA505


According to Proofpoint, AndroMut is a downloader written in C++ that Proofpoint researchers began observing in the wild in June 2019. The "Andro" part of the name comes from parts of the code that resemble another downloader, Andromeda [1]; "Mut" is based on a mutex created by the analyzed sample: "mutshellmy777".

References

2020-12-14 | Blueliv | Alberto Marín, Carlos Rubio, Blueliv Labs Team
Using Qiling Framework to Unpack TA505 packed samples
@online{marn:20201214:using:e81621e, author = {Alberto Marín and Carlos Rubio and Blueliv Labs Team}, title = {{Using Qiling Framework to Unpack TA505 packed samples}}, date = {2020-12-14}, organization = {Blueliv}, url = {https://outpost24.com/blog/using-qiling-framework-to-unpack-ta505-packed-samples/}, language = {English}, urldate = {2023-08-03} }
Families: AndroMut, Azorult, Silence, TinyMet

2020-08-20 | CERT-FR | CERT-FR
Development of the Activity of the TA505 Cybercriminal Group
@techreport{certfr:20200820:development:d518522, author = {CERT-FR}, title = {{Development of the Activity of the TA505 Cybercriminal Group}}, date = {2020-08-20}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf}, language = {English}, urldate = {2020-08-28} }
Families: AndroMut, Bart, Clop, Dridex, FlawedAmmyy, FlawedGrace, Get2, Locky, Marap, QuantLoader, SDBbot, ServHelper, tRat, TrickBot

2020-06-22 | CERT-FR | CERT-FR
Évolution De L'activité du Groupe Cybercriminel TA505 (French-language version of the report above)
@techreport{certfr:20200622:volution:fba1cfa, author = {CERT-FR}, title = {{Évolution De L'activité du Groupe Cybercriminel TA505}}, date = {2020-06-22}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf}, language = {French}, urldate = {2020-06-24} }
Families: Amadey, AndroMut, Bart, Clop, Dridex, FlawedGrace, Gandcrab, Get2, GlobeImposter, Jaff, Locky, Marap, Philadephia Ransom, QuantLoader, Scarab Ransomware, SDBbot, ServHelper, Silence, tRat, TrickBot

2020-05-24 | Positive Technologies | PT ESC Threat Intelligence
Operation TA505: network infrastructure. Part 3.
@online{intelligence:20200524:operation:2ce432b, author = {PT ESC Threat Intelligence}, title = {{Operation TA505: network infrastructure. Part 3.}}, date = {2020-05-24}, organization = {Positive Technologies}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part3/}, language = {English}, urldate = {2020-11-23} }
Families: AndroMut, Buhtrap, SmokeLoader

2020-05-21 | Intel 471 | Intel 471
A brief history of TA505
@online{471:20200521:brief:048d164, author = {Intel 471}, title = {{A brief history of TA505}}, date = {2020-05-21}, organization = {Intel 471}, url = {https://intel471.com/blog/a-brief-history-of-ta505}, language = {English}, urldate = {2022-02-14} }
Families: AndroMut, Bart, Dridex, FlawedAmmyy, FlawedGrace, Gandcrab, Get2, GlobeImposter, Jaff, Kegotip, Locky, Necurs, Philadephia Ransom, Pony, QuantLoader, Rockloader, SDBbot, ServHelper, Shifu, Snatch, TrickBot

2020-03-03 | PWC UK | PWC UK
Cyber Threats 2019: A Year in Retrospect
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019: A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} }
Families: KevDroid, MESSAGETAP, magecart, AndroMut, Cobalt Strike, CobInt, Crimson RAT, DNSpionage, Dridex, Dtrack, Emotet, FlawedAmmyy, FlawedGrace, FriedEx, Gandcrab, Get2, GlobeImposter, Grateful POS, ISFB, Kazuar, LockerGoga, Nokki, QakBot, Ramnit, REvil, Rifdoor, RokRAT, Ryuk, shadowhammer, ShadowPad, Shifu, Skipper, StoneDrill, Stuxnet, TrickBot, Winnti, ZeroCleare, APT41, MUSTANG PANDA, Sea Turtle

2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
APT Report 2019
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} }
Families: Chrysaor, Exodus, Dacls, VPNFilter, DNSRat, Griffon, KopiLuwak, More_eggs, SQLRat, AppleJeus, BONDUPDATER, Agent.BTZ, Anchor, AndroMut, AppleJeus, BOOSTWRITE, Brambul, Carbanak, Cobalt Strike, Dacls, DistTrack, DNSpionage, Dtrack, ELECTRICFISH, FlawedAmmyy, FlawedGrace, Get2, Grateful POS, HOPLIGHT, Imminent Monitor RAT, jason, Joanap, KerrDown, KEYMARBLE, Lambert, LightNeuron, LoJax, MiniDuke, PolyglotDuke, PowerRatankba, Rising Sun, SDBbot, ServHelper, Snatch, Stuxnet, TinyMet, tRat, TrickBot, Volgmer, X-Agent, Zebrocy

2019-07-04 | Trend Micro | Trend Micro
Latest Spam Campaigns from TA505 Now Using New Malware Tools Gelup and FlowerPippi
@techreport{micro:20190704:latest:dd6099a, author = {Trend Micro}, title = {{Latest Spam Campaigns from TA505 Now Using New Malware Tools Gelup and FlowerPippi}}, date = {2019-07-04}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/Tech-Brief-Latest-Spam-Campaigns-from-TA505-Now-Using-New-Malware-Tools-Gelup-and-FlowerPippi.pdf}, language = {English}, urldate = {2020-01-13} }
Families: AndroMut

2019-07-02 | Proofpoint | Matthew Mesa, Dennis Schwarz, Proofpoint Threat Insight Team
TA505 begins summer campaigns with a new pet malware downloader, AndroMut, in the UAE, South Korea, Singapore, and the United States
@online{mesa:20190702:ta505:7f99961, author = {Matthew Mesa and Dennis Schwarz and Proofpoint Threat Insight Team}, title = {{TA505 begins summer campaigns with a new pet malware downloader, AndroMut, in the UAE, South Korea, Singapore, and the United States}}, date = {2019-07-02}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/ta505-begins-summer-campaigns-new-pet-malware-downloader-andromut-uae-south}, language = {English}, urldate = {2019-11-26} }
Families: AndroMut, FlawedAmmyy

Yara Rules

[TLP:WHITE] win_andromut_auto (20230715 | Detects win.andromut.)
rule win_andromut_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.andromut."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.andromut"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 33c0 eb02 8bc7 8b4dfc 5f 33cd 5e }
            // n = 7, score = 200
            //   33c0                 | xor                 eax, eax
            //   eb02                 | jmp                 4
            //   8bc7                 | mov                 eax, edi
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   5f                   | pop                 edi
            //   33cd                 | xor                 ecx, ebp
            //   5e                   | pop                 esi

        $sequence_1 = { 8b8568e0ffff 3c02 0f85a2080000 c1e808 }
            // n = 4, score = 200
            //   8b8568e0ffff         | mov                 eax, dword ptr [ebp - 0x1f98]
            //   3c02                 | cmp                 al, 2
            //   0f85a2080000         | jne                 0x8a8
            //   c1e808               | shr                 eax, 8

        $sequence_2 = { 56 50 6a01 e8???????? 83c40c 68ff000000 }
            // n = 6, score = 200
            //   56                   | push                esi
            //   50                   | push                eax
            //   6a01                 | push                1
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   68ff000000           | push                0xff

        $sequence_3 = { 8bcf e8???????? 8d850cffffff 50 8d8574ffffff 50 8d95fcfcffff }
            // n = 7, score = 200
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     
            //   8d850cffffff         | lea                 eax, [ebp - 0xf4]
            //   50                   | push                eax
            //   8d8574ffffff         | lea                 eax, [ebp - 0x8c]
            //   50                   | push                eax
            //   8d95fcfcffff         | lea                 edx, [ebp - 0x304]

        $sequence_4 = { ffd0 b974723dc5 e8???????? 68???????? 8d8d00f8ffff 51 ffd0 }
            // n = 7, score = 200
            //   ffd0                 | call                eax
            //   b974723dc5           | mov                 ecx, 0xc53d7274
            //   e8????????           |                     
            //   68????????           |                     
            //   8d8d00f8ffff         | lea                 ecx, [ebp - 0x800]
            //   51                   | push                ecx
            //   ffd0                 | call                eax

        $sequence_5 = { c745e43083c081 c745e840f890f6 c745ec30f3b0ee c745f0c0f950f8 c745f4e0e250df c745f8d0e200fe 0fb74455a4 }
            // n = 7, score = 200
            //   c745e43083c081       | mov                 dword ptr [ebp - 0x1c], 0x81c08330
            //   c745e840f890f6       | mov                 dword ptr [ebp - 0x18], 0xf690f840
            //   c745ec30f3b0ee       | mov                 dword ptr [ebp - 0x14], 0xeeb0f330
            //   c745f0c0f950f8       | mov                 dword ptr [ebp - 0x10], 0xf850f9c0
            //   c745f4e0e250df       | mov                 dword ptr [ebp - 0xc], 0xdf50e2e0
            //   c745f8d0e200fe       | mov                 dword ptr [ebp - 8], 0xfe00e2d0
            //   0fb74455a4           | movzx               eax, word ptr [ebp + edx*2 - 0x5c]

        $sequence_6 = { c745d4cc4fb44d c745d86c42e83e 8bde c745dc2c446642 c745e0a03bd524 c745e4d75ad51a c745e8d9dada1a }
            // n = 7, score = 200
            //   c745d4cc4fb44d       | mov                 dword ptr [ebp - 0x2c], 0x4db44fcc
            //   c745d86c42e83e       | mov                 dword ptr [ebp - 0x28], 0x3ee8426c
            //   8bde                 | mov                 ebx, esi
            //   c745dc2c446642       | mov                 dword ptr [ebp - 0x24], 0x4266442c
            //   c745e0a03bd524       | mov                 dword ptr [ebp - 0x20], 0x24d53ba0
            //   c745e4d75ad51a       | mov                 dword ptr [ebp - 0x1c], 0x1ad55ad7
            //   c745e8d9dada1a       | mov                 dword ptr [ebp - 0x18], 0x1adadad9

        $sequence_7 = { b94c77d607 50 e8???????? ffd0 8d4da4 8d5102 668b01 }
            // n = 7, score = 200
            //   b94c77d607           | mov                 ecx, 0x7d6774c
            //   50                   | push                eax
            //   e8????????           |                     
            //   ffd0                 | call                eax
            //   8d4da4               | lea                 ecx, [ebp - 0x5c]
            //   8d5102               | lea                 edx, [ecx + 2]
            //   668b01               | mov                 ax, word ptr [ecx]

        $sequence_8 = { e8???????? 83c40c 8d44246c b974723dc5 50 8d84247c030000 50 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8d44246c             | lea                 eax, [esp + 0x6c]
            //   b974723dc5           | mov                 ecx, 0xc53d7274
            //   50                   | push                eax
            //   8d84247c030000       | lea                 eax, [esp + 0x37c]
            //   50                   | push                eax

        $sequence_9 = { 83c40c 50 57 57 e8???????? 8b15???????? 8d442418 }
            // n = 7, score = 200
            //   83c40c               | add                 esp, 0xc
            //   50                   | push                eax
            //   57                   | push                edi
            //   57                   | push                edi
            //   e8????????           |                     
            //   8b15????????         |                     
            //   8d442418             | lea                 eax, [esp + 0x18]

    condition:
        7 of them and filesize < 368640
}