win.andromut

AndroMut

aka: Gelup

Actor(s): TA505


According to Proofpoint, AndroMut is a downloader written in C++ that Proofpoint researchers began observing in the wild in June 2019. The "Andro" part of the name comes from parts of the code that resemble another downloader, Andromeda [1]; "Mut" is based on the mutex that the analyzed sample creates: "mutshellmy777".

References

2020-12-14 | Blueliv | Alberto Marín, Carlos Rubio, Blueliv Labs Team | Using Qiling Framework to Unpack TA505 packed samples
@online{marn:20201214:using:e81621e, author = {Alberto Marín and Carlos Rubio and Blueliv Labs Team}, title = {{Using Qiling Framework to Unpack TA505 packed samples}}, date = {2020-12-14}, organization = {Blueliv}, url = {https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/}, language = {English}, urldate = {2020-12-15} }
Families: AndroMut, Azorult, Silence, TinyMet

2020-08-20 | CERT-FR | CERT-FR | Development of the Activity of the TA505 Cybercriminal Group
@techreport{certfr:20200820:development:d518522, author = {CERT-FR}, title = {{Development of the Activity of the TA505 Cybercriminal Group}}, date = {2020-08-20}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf}, language = {English}, urldate = {2020-08-28} }
Families: AndroMut, Bart, Clop, Dridex, FlawedAmmyy, FlawedGrace, Get2, Locky, Marap, QuantLoader, SDBbot, ServHelper, tRat, TrickBot

2020-06-22 | CERT-FR | CERT-FR | Évolution de l'activité du groupe cybercriminel TA505 (Evolution of the activity of the TA505 cybercriminal group; French-language original of the report above)
@techreport{certfr:20200622:volution:fba1cfa, author = {CERT-FR}, title = {{Évolution de l'activité du groupe cybercriminel TA505}}, date = {2020-06-22}, institution = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf}, language = {French}, urldate = {2020-06-24} }
Families: Amadey, AndroMut, Bart, Clop, Dridex, FlawedGrace, Gandcrab, Get2, GlobeImposter, Jaff, Locky, Marap, Philadephia Ransom, QuantLoader, Scarab Ransomware, SDBbot, ServHelper, Silence, tRat, TrickBot

2020-05-24 | Positive Technologies | PT ESC Threat Intelligence | Operation TA505: network infrastructure. Part 3.
@online{intelligence:20200524:operation:2ce432b, author = {PT ESC Threat Intelligence}, title = {{Operation TA505: network infrastructure. Part 3.}}, date = {2020-05-24}, organization = {Positive Technologies}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part3/}, language = {English}, urldate = {2020-11-23} }
Families: AndroMut, Buhtrap, SmokeLoader

2020-05-21 | Intel 471 | Intel 471 | A brief history of TA505
@online{471:20200521:brief:048d164, author = {Intel 471}, title = {{A brief history of TA505}}, date = {2020-05-21}, organization = {Intel 471}, url = {https://intel471.com/blog/a-brief-history-of-ta505}, language = {English}, urldate = {2022-02-14} }
Families: AndroMut, Bart, Dridex, FlawedAmmyy, FlawedGrace, Gandcrab, Get2, GlobeImposter, Jaff, Kegotip, Locky, Necurs, Philadephia Ransom, Pony, QuantLoader, Rockloader, SDBbot, ServHelper, Shifu, Snatch, TrickBot

2020-03-03 | PWC UK | PWC UK | Cyber Threats 2019: A Year in Retrospect
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019: A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} }
Families and actors: KevDroid, MESSAGETAP, magecart, AndroMut, Cobalt Strike, CobInt, Crimson RAT, DNSpionage, Dridex, Dtrack, Emotet, FlawedAmmyy, FlawedGrace, FriedEx, Gandcrab, Get2, GlobeImposter, Grateful POS, ISFB, Kazuar, LockerGoga, Nokki, QakBot, Ramnit, REvil, Rifdoor, RokRAT, Ryuk, shadowhammer, ShadowPad, Shifu, Skipper, StoneDrill, Stuxnet, TrickBot, Winnti, ZeroCleare, APT41, MUSTANG PANDA

2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center | APT Report 2019
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} }
Families: Chrysaor, Exodus, Dacls, VPNFilter, DNSRat, Griffon, KopiLuwak, More_eggs, SQLRat, AppleJeus, BONDUPDATER, Agent.BTZ, Anchor, AndroMut, AppleJeus, BOOSTWRITE, Brambul, Carbanak, Cobalt Strike, Dacls, DistTrack, DNSpionage, Dtrack, ELECTRICFISH, FlawedAmmyy, FlawedGrace, Get2, Grateful POS, HOPLIGHT, Imminent Monitor RAT, jason, Joanap, KerrDown, KEYMARBLE, Lambert, LightNeuron, LoJax, MiniDuke, PolyglotDuke, PowerRatankba, Rising Sun, SDBbot, ServHelper, Snatch, Stuxnet, TinyMet, tRat, TrickBot, Volgmer, X-Agent, Zebrocy

2019-07-04 | Trend Micro | Trend Micro | Latest Spam Campaigns from TA505 Now Using New Malware Tools Gelup and FlowerPippi
@techreport{micro:20190704:latest:dd6099a, author = {Trend Micro}, title = {{Latest Spam Campaigns from TA505 Now Using New Malware Tools Gelup and FlowerPippi}}, date = {2019-07-04}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/Tech-Brief-Latest-Spam-Campaigns-from-TA505-Now-Using-New-Malware-Tools-Gelup-and-FlowerPippi.pdf}, language = {English}, urldate = {2020-01-13} }
Families: AndroMut

2019-07-02 | Proofpoint | Matthew Mesa, Dennis Schwarz, Proofpoint Threat Insight Team | TA505 begins summer campaigns with a new pet malware downloader, AndroMut, in the UAE, South Korea, Singapore, and the United States
@online{mesa:20190702:ta505:7f99961, author = {Matthew Mesa and Dennis Schwarz and Proofpoint Threat Insight Team}, title = {{TA505 begins summer campaigns with a new pet malware downloader, AndroMut, in the UAE, South Korea, Singapore, and the United States}}, date = {2019-07-02}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/ta505-begins-summer-campaigns-new-pet-malware-downloader-andromut-uae-south}, language = {English}, urldate = {2019-11-26} }
Families: AndroMut, FlawedAmmyy
Yara Rules
[TLP:WHITE] win_andromut_auto (20230407 | Detects win.andromut.)
rule win_andromut_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.andromut."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.andromut"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 66ab e8???????? 56 6880000000 6a03 56 6a01 }
            // n = 7, score = 200
            //   66ab                 | stosw               word ptr es:[edi], ax
            //   e8????????           |                     
            //   56                   | push                esi
            //   6880000000           | push                0x80
            //   6a03                 | push                3
            //   56                   | push                esi
            //   6a01                 | push                1

        $sequence_1 = { e8???????? 8b15???????? 8d45e8 8b0d???????? }
            // n = 4, score = 200
            //   e8????????           |                     
            //   8b15????????         |                     
            //   8d45e8               | lea                 eax, [ebp - 0x18]
            //   8b0d????????         |                     

        $sequence_2 = { 57 50 e8???????? 83c40c 8d45c4 8bcb 50 }
            // n = 7, score = 200
            //   57                   | push                edi
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8d45c4               | lea                 eax, [ebp - 0x3c]
            //   8bcb                 | mov                 ecx, ebx
            //   50                   | push                eax

        $sequence_3 = { 50 e8???????? 8b857cf0ffff 83c40c 3d2c010000 0f85ca030000 }
            // n = 6, score = 200
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b857cf0ffff         | mov                 eax, dword ptr [ebp - 0xf84]
            //   83c40c               | add                 esp, 0xc
            //   3d2c010000           | cmp                 eax, 0x12c
            //   0f85ca030000         | jne                 0x3d0

        $sequence_4 = { 50 e8???????? 83c40c 8d8564faffff 6805010000 56 50 }
            // n = 7, score = 200
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8d8564faffff         | lea                 eax, [ebp - 0x59c]
            //   6805010000           | push                0x105
            //   56                   | push                esi
            //   50                   | push                eax

        $sequence_5 = { c745d0c3191318 c745d4f3164316 c745d863145314 c745dc7314c314 c745e083168316 c745e4b318b314 c745e8c3132311 }
            // n = 7, score = 200
            //   c745d0c3191318       | mov                 dword ptr [ebp - 0x30], 0x181319c3
            //   c745d4f3164316       | mov                 dword ptr [ebp - 0x2c], 0x164316f3
            //   c745d863145314       | mov                 dword ptr [ebp - 0x28], 0x14531463
            //   c745dc7314c314       | mov                 dword ptr [ebp - 0x24], 0x14c31473
            //   c745e083168316       | mov                 dword ptr [ebp - 0x20], 0x16831683
            //   c745e4b318b314       | mov                 dword ptr [ebp - 0x1c], 0x14b318b3
            //   c745e8c3132311       | mov                 dword ptr [ebp - 0x18], 0x112313c3

        $sequence_6 = { 50 e8???????? 83c40c b979ccef86 e8???????? 8d8d3cf0ffff 33d2 }
            // n = 7, score = 200
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   b979ccef86           | mov                 ecx, 0x86efcc79
            //   e8????????           |                     
            //   8d8d3cf0ffff         | lea                 ecx, [ebp - 0xfc4]
            //   33d2                 | xor                 edx, edx

        $sequence_7 = { 72c1 8d45d0 b9b4733de3 50 57 e8???????? }
            // n = 6, score = 200
            //   72c1                 | jb                  0xffffffc3
            //   8d45d0               | lea                 eax, [ebp - 0x30]
            //   b9b4733de3           | mov                 ecx, 0xe33d73b4
            //   50                   | push                eax
            //   57                   | push                edi
            //   e8????????           |                     

        $sequence_8 = { 51 ffd0 8b15???????? 8d8574fcffff 8b0d???????? 33f6 56 }
            // n = 7, score = 200
            //   51                   | push                ecx
            //   ffd0                 | call                eax
            //   8b15????????         |                     
            //   8d8574fcffff         | lea                 eax, [ebp - 0x38c]
            //   8b0d????????         |                     
            //   33f6                 | xor                 esi, esi
            //   56                   | push                esi

        $sequence_9 = { 8d8570f9ffff b9c6968752 50 e8???????? ffd0 6a04 8d85d8fbffff }
            // n = 7, score = 200
            //   8d8570f9ffff         | lea                 eax, [ebp - 0x690]
            //   b9c6968752           | mov                 ecx, 0x528796c6
            //   50                   | push                eax
            //   e8????????           |                     
            //   ffd0                 | call                eax
            //   6a04                 | push                4
            //   8d85d8fbffff         | lea                 eax, [ebp - 0x428]

    condition:
        7 of them and filesize < 368640
}
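The rule above is evaluated by YARA as "at least 7 of the 10 hex sequences present, and the file smaller than 368640 bytes", where each `??` is a single wildcard byte (yara-signator masks the rel32 operands of `call` and the absolute addresses in `mov reg, [addr]`, since those differ between builds). The following Python script is an added example, not code from Malpedia, yara-signator or any of the referenced vendors: it translates the rule's hex strings into byte regexes, evaluates the rule's condition, and additionally looks for the "mutshellmy777" mutex name from the description above in both the ASCII and the UTF-16LE encoding (the latter is what a `CreateMutexW` call would reference). Because no real sample can be shipped here, the buffer it scans is constructed from the rule's own sequences with the wildcards filled in; the `build_constructed_sample` helper, the NOP padding and the mutex placement are assumptions made for the example and say nothing about how a real AndroMut binary is laid out.

```python
import re

# Hex sequences copied verbatim from win_andromut_auto above. "??" is a YARA
# single-byte wildcard, used by yara-signator for relocation-dependent operands.
ANDROMUT_SEQUENCES = {
    "sequence_0": "66ab e8???????? 56 6880000000 6a03 56 6a01",
    "sequence_1": "e8???????? 8b15???????? 8d45e8 8b0d????????",
    "sequence_2": "57 50 e8???????? 83c40c 8d45c4 8bcb 50",
    "sequence_3": "50 e8???????? 8b857cf0ffff 83c40c 3d2c010000 0f85ca030000",
    "sequence_4": "50 e8???????? 83c40c 8d8564faffff 6805010000 56 50",
    "sequence_5": "c745d0c3191318 c745d4f3164316 c745d863145314 c745dc7314c314 "
                  "c745e083168316 c745e4b318b314 c745e8c3132311",
    "sequence_6": "50 e8???????? 83c40c b979ccef86 e8???????? 8d8d3cf0ffff 33d2",
    "sequence_7": "72c1 8d45d0 b9b4733de3 50 57 e8????????",
    "sequence_8": "51 ffd0 8b15???????? 8d8574fcffff 8b0d???????? 33f6 56",
    "sequence_9": "8d8570f9ffff b9c6968752 50 e8???????? ffd0 6a04 8d85d8fbffff",
}
MAX_FILESIZE = 368640          # rule condition: filesize < 368640
MIN_SEQUENCES = 7              # rule condition: 7 of them
MUTEX_NAME = "mutshellmy777"   # mutex reported by Proofpoint for the analyzed sample


def hex_sequence_to_regex(seq):
    """Translate a YARA hex string (full-byte ?? wildcards only) into a bytes regex."""
    parts = []
    for token in seq.split():
        if len(token) % 2:
            raise ValueError(f"odd-length hex token: {token}")
        for i in range(0, len(token), 2):
            pair = token[i:i + 2]
            if pair == "??":
                parts.append(b".")                       # any single byte
            elif "?" in pair:
                raise ValueError(f"nibble wildcard not supported here: {pair}")
            else:
                parts.append(b"\\x%02x" % int(pair, 16))  # literal byte
    # DOTALL so that "." also matches 0x0a, which is just another byte in code
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: hex_sequence_to_regex(seq) for name, seq in ANDROMUT_SEQUENCES.items()}


def match_sequences(data):
    """Per-sequence hit map, the equivalent of YARA's per-string match status."""
    return {name: rx.search(data) is not None for name, rx in COMPILED.items()}


def rule_matches(data):
    """Evaluate the rule condition: 7 of them and filesize < 368640."""
    hits = sum(match_sequences(data).values())
    return hits >= MIN_SEQUENCES and len(data) < MAX_FILESIZE


def find_mutex(data):
    """The mutex name may be stored narrow (CreateMutexA) or wide (CreateMutexW)."""
    return {
        "ascii": MUTEX_NAME.encode("ascii") in data,
        "wide": MUTEX_NAME.encode("utf-16-le") in data,
    }


def materialize(seq, wildcard=b"\x00"):
    """Turn a hex sequence into concrete bytes, filling every ?? with `wildcard`."""
    out = bytearray()
    for token in seq.split():
        for i in range(0, len(token), 2):
            pair = token[i:i + 2]
            out += wildcard if pair == "??" else bytes.fromhex(pair)
    return bytes(out)


def build_constructed_sample(names, mutex_wide=True):
    """Constructed test buffer (NOT a real AndroMut sample): the chosen sequences
    separated by NOP padding, optionally followed by the mutex name as a wide string."""
    body = b"\x90" * 16
    for name in names:
        body += materialize(ANDROMUT_SEQUENCES[name]) + b"\x90" * 16
    if mutex_wide:
        body += MUTEX_NAME.encode("utf-16-le") + b"\x00\x00"
    return body


if __name__ == "__main__":
    sample = build_constructed_sample(ANDROMUT_SEQUENCES)
    print("sequences hit:", sum(match_sequences(sample).values()))
    print("rule matches:", rule_matches(sample))
    print("mutex:", find_mutex(sample))
```

Two caveats when using the rule itself. First, as the rule's own disclaimer says, the sequences were selected from disassembly of memory dumps and unpacked files, so they are meant for unpacked code; the packed droppers TA505 distributes (see the Blueliv reference on unpacking them with Qiling) will generally not trigger it until unpacked or dumped from memory. Second, this script handles only whole-byte `??` wildcards and none of YARA's other hex-string features (nibble wildcards, jumps, alternatives), so it illustrates the condition logic and is not a substitute for running `yara` against the real rule.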