win.andromut

AndroMut

aka: Gelup

Actor(s): TA505


There is no description at this point.

References
2020-08-20 | CERT-FR | CERT-FR
@techreport{certfr:20200820:development:d518522, author = {CERT-FR}, title = {{Development of the Activity of the TA505 Cybercriminal Group}}, date = {2020-08-20}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf}, language = {English}, urldate = {2020-08-28} } Development of the Activity of the TA505 Cybercriminal Group
AndroMut Bart Clop Dridex FlawedAmmyy FlawedGrace Get2 Locky Marap QuantLoader SDBbot ServHelper tRat TrickBot
2020-06-22 | CERT-FR | CERT-FR
@techreport{certfr:20200622:volution:fba1cfa, author = {CERT-FR}, title = {{Évolution de l'activité du groupe cybercriminel TA505}}, date = {2020-06-22}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf}, language = {French}, urldate = {2020-06-24} } Évolution de l'activité du groupe cybercriminel TA505
Amadey AndroMut Bart Clop Dridex FlawedGrace Gandcrab Get2 GlobeImposter Jaff Locky Marap Philadephia Ransom QuantLoader Scarab Ransomware SDBbot ServHelper Silence tRat TrickBot
2020-05-21 | Intel 471 | Intel 471
@online{471:20200521:brief:048d164, author = {Intel 471}, title = {{A brief history of TA505}}, date = {2020-05-21}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/}, language = {English}, urldate = {2020-05-23} } A brief history of TA505
AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot
2020-03-03 | PWC UK | PWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019: A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019: A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom
2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2019-07-04 | Trend Micro | Trend Micro
@techreport{micro:20190704:latest:dd6099a, author = {Trend Micro}, title = {{Latest Spam Campaigns from TA505 Now Using New Malware Tools Gelup and FlowerPippi}}, date = {2019-07-04}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/Tech-Brief-Latest-Spam-Campaigns-from-TA505-Now-Using-New-Malware-Tools-Gelup-and-FlowerPippi.pdf}, language = {English}, urldate = {2020-01-13} } Latest Spam Campaigns from TA505 Now Using New Malware Tools Gelup and FlowerPippi
AndroMut
2019-07-02 | Proofpoint | Matthew Mesa, Dennis Schwarz, Proofpoint Threat Insight Team
@online{mesa:20190702:ta505:7f99961, author = {Matthew Mesa and Dennis Schwarz and Proofpoint Threat Insight Team}, title = {{TA505 begins summer campaigns with a new pet malware downloader, AndroMut, in the UAE, South Korea, Singapore, and the United States}}, date = {2019-07-02}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/ta505-begins-summer-campaigns-new-pet-malware-downloader-andromut-uae-south}, language = {English}, urldate = {2019-11-26} } TA505 begins summer campaigns with a new pet malware downloader, AndroMut, in the UAE, South Korea, Singapore, and the United States
AndroMut FlawedAmmyy
Yara Rules
[TLP:WHITE] win_andromut_auto (20200817 | autogenerated rule brought to you by yara-signator)
rule win_andromut_auto {
    /* Detection rule for the AndroMut (aka Gelup) downloader attributed to TA505;
     * the Malpedia entry it was generated for is given in meta below.
     * Each $sequence_N is a short run of 32-bit x86 instruction bytes taken from
     * the disassembly of unpacked / memory-dumped samples (see DISCLAIMER). The
     * "n = ..., score = ..." comments are yara-signator statistics for the
     * sequence: n is the number of instructions it covers; the exact meaning of
     * score is documented in the yara-signator project, not here.
     * Bytes written as "??" are wildcards masking operands that vary between
     * builds or load addresses (e.g. the rel32 target of an e8 call, or the
     * imm32 of a "be" mov esi). NOTE(review): since the patterns come from
     * unpacked code, a packed on-disk sample will generally not match; scan
     * memory or unpacked artefacts. */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-08-17"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        // which sequence classes the generator was allowed to select from
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.andromut"
        malpedia_rule_date = "20200817"
        // NOTE(review): presumably identifies the Malpedia data-set revision the
        // rule was generated from, not a sample hash - do not use it as an IoC;
        // confirm against Malpedia's documentation.
        malpedia_hash = "8c895fd01eccb47a6225bcb1a3ba53cbb98644c5"
        malpedia_version = "20200817"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // NOTE(review): the "cmp [ecx+0x14], 0x10 / pick pointer or inline buffer"
        // shape looks like the MSVC std::basic_string small-buffer check. If so,
        // this sequence is compiler/library code rather than family-specific and
        // is weak on its own - which is why the condition requires several
        // sequences together. Unconfirmed.
        $sequence_0 = { 8bc6 83791410 7204 8b11 eb02 8bd1 }
            // n = 6, score = 200
            //   8bc6                 | mov                 eax, esi
            //   83791410             | cmp                 dword ptr [ecx + 0x14], 0x10
            //   7204                 | jb                  6
            //   8b11                 | mov                 edx, dword ptr [ecx]
            //   eb02                 | jmp                 4
            //   8bd1                 | mov                 edx, ecx

        // indirect call through eax with a stack-buffer argument, followed by a
        // result check
        $sequence_1 = { 8d8d40f9ffff 51 ffd0 85c0 7512 8b4dfc }
            // n = 6, score = 200
            //   8d8d40f9ffff         | lea                 ecx, [ebp - 0x6c0]
            //   51                   | push                ecx
            //   ffd0                 | call                eax
            //   85c0                 | test                eax, eax
            //   7512                 | jne                 0x14
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]

        // five 32-bit constants written to consecutive stack slots [ebp-0x48..-0x38].
        // NOTE(review): looks like a constant table built on the stack (possibly an
        // obfuscated string or key material) - unconfirmed.
        $sequence_2 = { 83c40c c745b8029f02ae c745bc0696068f 8bfb c745c00297029e c745c40e880e8e c745c802db02a1 }
            // n = 7, score = 200
            //   83c40c               | add                 esp, 0xc
            //   c745b8029f02ae       | mov                 dword ptr [ebp - 0x48], 0xae029f02
            //   c745bc0696068f       | mov                 dword ptr [ebp - 0x44], 0x8f069606
            //   8bfb                 | mov                 edi, ebx
            //   c745c00297029e       | mov                 dword ptr [ebp - 0x40], 0x9e029702
            //   c745c40e880e8e       | mov                 dword ptr [ebp - 0x3c], 0x8e0e880e
            //   c745c802db02a1       | mov                 dword ptr [ebp - 0x38], 0xa102db02

        // two stack buffers pushed to an indirect call, then a 32-bit constant is
        // loaded into ecx and a (masked) direct call made. NOTE(review): the
        // constant may be a hash or identifier passed to a resolver - unconfirmed.
        $sequence_3 = { 8d8dd4f8ffff 51 8d8dfcfcffff 51 ffd0 b974723dc5 e8???????? }
            // n = 7, score = 200
            //   8d8dd4f8ffff         | lea                 ecx, [ebp - 0x72c]
            //   51                   | push                ecx
            //   8d8dfcfcffff         | lea                 ecx, [ebp - 0x304]
            //   51                   | push                ecx
            //   ffd0                 | call                eax
            //   b974723dc5           | mov                 ecx, 0xc53d7274
            //   e8????????           |                     

        // tail of a 7-iteration loop (esi counts 0..6) that masks eax to 14 bits,
        // ORs in ecx and stores 16-bit words into the stack buffer at [ebp-0x14].
        // NOTE(review): reads like a small decode/unpack loop - unconfirmed.
        $sequence_4 = { 25ff3f0000 0bc1 66894475ec 46 83fe07 72bb 8d45ec }
            // n = 7, score = 200
            //   25ff3f0000           | and                 eax, 0x3fff
            //   0bc1                 | or                  eax, ecx
            //   66894475ec           | mov                 word ptr [ebp + esi*2 - 0x14], ax
            //   46                   | inc                 esi
            //   83fe07               | cmp                 esi, 7
            //   72bb                 | jb                  0xffffffbd
            //   8d45ec               | lea                 eax, [ebp - 0x14]

        // NOTE(review): [ebp-0x1cac] is +0x14 from the object at [ebp-0x1cc0],
        // compared against 0x10 - the same small-buffer check shape as $sequence_0,
        // so the same "generic library code" caveat applies. Unconfirmed.
        $sequence_5 = { 50 8d85b8ebffff 50 8d8d40e3ffff e8???????? 83bd54e3ffff10 8db540e3ffff }
            // n = 7, score = 200
            //   50                   | push                eax
            //   8d85b8ebffff         | lea                 eax, [ebp - 0x1448]
            //   50                   | push                eax
            //   8d8d40e3ffff         | lea                 ecx, [ebp - 0x1cc0]
            //   e8????????           |                     
            //   83bd54e3ffff10       | cmp                 dword ptr [ebp - 0x1cac], 0x10
            //   8db540e3ffff         | lea                 esi, [ebp - 0x1cc0]

        // search loop: step edi by ebx until the 16-bit value in ax equals cx, then
        // copy 8 bytes with two movsd. Overlaps with $sequence_9 (shared middle).
        $sequence_6 = { 03fb 663bc1 75f5 be???????? a5 a5 }
            // n = 6, score = 200
            //   03fb                 | add                 edi, ebx
            //   663bc1               | cmp                 ax, cx
            //   75f5                 | jne                 0xfffffff7
            //   be????????           |                     
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]

        // loop back-edge: restore ecx from the stack, compare esi/edi and jump back
        $sequence_7 = { 59 8b4d88 3bf7 7ce2 }
            // n = 4, score = 200
            //   59                   | pop                 ecx
            //   8b4d88               | mov                 ecx, dword ptr [ebp - 0x78]
            //   3bf7                 | cmp                 esi, edi
            //   7ce2                 | jl                  0xffffffe4

        // byte flag at [ebp+8] (first stack argument) compared with 1 to select a
        // branch before another (masked) call
        $sequence_8 = { e8???????? 83c40c 807d0801 7533 8bd3 8d8d58fdffff e8???????? }
            // n = 7, score = 200
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   807d0801             | cmp                 byte ptr [ebp + 8], 1
            //   7533                 | jne                 0x35
            //   8bd3                 | mov                 edx, ebx
            //   8d8d58fdffff         | lea                 ecx, [ebp - 0x2a8]
            //   e8????????           |                     

        // same 16-bit search loop as $sequence_6, captured from its load of
        // ax = [edi+2] through the following jump and result test
        $sequence_9 = { 668b4702 03fb 663bc1 75f5 be???????? ebba 85c0 }
            // n = 7, score = 200
            //   668b4702             | mov                 ax, word ptr [edi + 2]
            //   03fb                 | add                 edi, ebx
            //   663bc1               | cmp                 ax, cx
            //   75f5                 | jne                 0xfffffff7
            //   be????????           |                     
            //   ebba                 | jmp                 0xffffffbc
            //   85c0                 | test                eax, eax

    condition:
        // At least 7 of the 10 sequences must be present. The size bound
        // (368640 bytes = 360 KiB) presumably derives from the analysed
        // sample(s); it trims false positives on large files but will also
        // exclude any larger variant, so revisit it if coverage matters more
        // than precision.
        7 of them and filesize < 368640
}