win.andromut

AndroMut

aka: Gelup

Actor(s): TA505


According to Proofpoint, AndroMut is a downloader written in C++ that Proofpoint researchers first observed in the wild in June 2019. The "Andro" part of the name comes from parts of the code that resemble the Andromeda downloader [1]; "Mut" is derived from the mutex that the analyzed sample creates: "mutshellmy777".

References
2020-12-14 | Blueliv | Alberto Marín, Blueliv Labs Team, Carlos Rubio
Using Qiling Framework to Unpack TA505 packed samples
AndroMut Azorult Silence TinyMet
2020-08-20 | CERT-FR | CERT-FR
Development of the Activity of the TA505 Cybercriminal Group
AndroMut Bart Clop Dridex FlawedAmmyy FlawedGrace Get2 Locky Marap QuantLoader SDBbot ServHelper tRat TrickBot
2020-06-22 | CERT-FR | CERT-FR
Évolution de l'activité du groupe cybercriminel TA505 (French; in English: Evolution of the Activity of the TA505 Cybercriminal Group)
Amadey AndroMut Bart Clop Dridex FlawedGrace Gandcrab Get2 GlobeImposter Jaff Locky Marap Philadephia Ransom QuantLoader Scarab Ransomware SDBbot ServHelper Silence tRat TrickBot
2020-05-24 | Positive Technologies | PT ESC Threat Intelligence
Operation TA505: network infrastructure. Part 3.
AndroMut Buhtrap SmokeLoader
2020-05-21 | Intel 471 | Intel 471
A brief history of TA505
AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot
2020-03-03 | PWC UK | PWC UK
Cyber Threats 2019: A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle
2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2019-07-04 | Trend Micro | Trend Micro
Latest Spam Campaigns from TA505 Now Using New Malware Tools Gelup and FlowerPippi
AndroMut
2019-07-02 | Proofpoint | Dennis Schwarz, Matthew Mesa, Proofpoint Threat Insight Team
TA505 begins summer campaigns with a new pet malware downloader, AndroMut, in the UAE, South Korea, Singapore, and the United States
AndroMut FlawedAmmyy
Yara Rules
[TLP:WHITE] win_andromut_auto (20230808 | Detects win.andromut.)
rule win_andromut_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.andromut."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.andromut"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b75f8 6bc828 8b441914 03441910 b9aacd12d8 50 56 }
            // n = 7, score = 200
            //   8b75f8               | mov                 esi, dword ptr [ebp - 8]
            //   6bc828               | imul                ecx, eax, 0x28
            //   8b441914             | mov                 eax, dword ptr [ecx + ebx + 0x14]
            //   03441910             | add                 eax, dword ptr [ecx + ebx + 0x10]
            //   b9aacd12d8           | mov                 ecx, 0xd812cdaa
            //   50                   | push                eax
            //   56                   | push                esi

        $sequence_1 = { e8???????? 8d850cffffff 50 8d8574ffffff 50 8d95fcfcffff 8d8d74fcffff }
            // n = 7, score = 200
            //   e8????????           |                     
            //   8d850cffffff         | lea                 eax, [ebp - 0xf4]
            //   50                   | push                eax
            //   8d8574ffffff         | lea                 eax, [ebp - 0x8c]
            //   50                   | push                eax
            //   8d95fcfcffff         | lea                 edx, [ebp - 0x304]
            //   8d8d74fcffff         | lea                 ecx, [ebp - 0x38c]

        $sequence_2 = { c785fcfeffff84408441 c78500ffffff842c8415 c78504ffffff843c840d c78508ffffff841c8423 }
            // n = 4, score = 200
            //   c785fcfeffff84408441     | mov    dword ptr [ebp - 0x104], 0x41844084
            //   c78500ffffff842c8415     | mov    dword ptr [ebp - 0x100], 0x15842c84
            //   c78504ffffff843c840d     | mov    dword ptr [ebp - 0xfc], 0xd843c84
            //   c78508ffffff841c8423     | mov    dword ptr [ebp - 0xf8], 0x23841c84

        $sequence_3 = { e8???????? 8d8de8fcffff 51 8d8dd8faffff 51 ffd0 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   8d8de8fcffff         | lea                 ecx, [ebp - 0x318]
            //   51                   | push                ecx
            //   8d8dd8faffff         | lea                 ecx, [ebp - 0x528]
            //   51                   | push                ecx
            //   ffd0                 | call                eax

        $sequence_4 = { 83c40c c745d4e278e238 c745d8de58e218 c745dcdef8dcb8 c745e0e498e0f8 }
            // n = 5, score = 200
            //   83c40c               | add                 esp, 0xc
            //   c745d4e278e238       | mov                 dword ptr [ebp - 0x2c], 0x38e278e2
            //   c745d8de58e218       | mov                 dword ptr [ebp - 0x28], 0x18e258de
            //   c745dcdef8dcb8       | mov                 dword ptr [ebp - 0x24], 0xb8dcf8de
            //   c745e0e498e0f8       | mov                 dword ptr [ebp - 0x20], 0xf8e098e4

        $sequence_5 = { e9???????? 83bde4feffff06 0f85cf000000 8b85e8feffff 83f803 7524 83ef02 }
            // n = 7, score = 200
            //   e9????????           |                     
            //   83bde4feffff06       | cmp                 dword ptr [ebp - 0x11c], 6
            //   0f85cf000000         | jne                 0xd5
            //   8b85e8feffff         | mov                 eax, dword ptr [ebp - 0x118]
            //   83f803               | cmp                 eax, 3
            //   7524                 | jne                 0x26
            //   83ef02               | sub                 edi, 2

        $sequence_6 = { 8bd0 51 ffb5fcfcffff 8d4dcc e8???????? 59 }
            // n = 6, score = 200
            //   8bd0                 | mov                 edx, eax
            //   51                   | push                ecx
            //   ffb5fcfcffff         | push                dword ptr [ebp - 0x304]
            //   8d4dcc               | lea                 ecx, [ebp - 0x34]
            //   e8????????           |                     
            //   59                   | pop                 ecx

        $sequence_7 = { f3ab 8b7dfc b802210000 6689443e16 0fb7443e06 }
            // n = 5, score = 200
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   8b7dfc               | mov                 edi, dword ptr [ebp - 4]
            //   b802210000           | mov                 eax, 0x2102
            //   6689443e16           | mov                 word ptr [esi + edi + 0x16], ax
            //   0fb7443e06           | movzx               eax, word ptr [esi + edi + 6]

        $sequence_8 = { 53 6a0a 6a18 8d8510f4ffff c645fc02 50 e8???????? }
            // n = 7, score = 200
            //   53                   | push                ebx
            //   6a0a                 | push                0xa
            //   6a18                 | push                0x18
            //   8d8510f4ffff         | lea                 eax, [ebp - 0xbf0]
            //   c645fc02             | mov                 byte ptr [ebp - 4], 2
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_9 = { 5a 84c0 745c 8d4601 894588 f7e2 0f90c1 }
            // n = 7, score = 200
            //   5a                   | pop                 edx
            //   84c0                 | test                al, al
            //   745c                 | je                  0x5e
            //   8d4601               | lea                 eax, [esi + 1]
            //   894588               | mov                 dword ptr [ebp - 0x78], eax
            //   f7e2                 | mul                 edx
            //   0f90c1               | seto                cl

    condition:
        7 of them and filesize < 368640
}
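To see what the auto-generated rule above actually decides on, the following added example (written for this page; it is not Malpedia's or yara-signator's code) re-implements its ten hex strings and the condition `7 of them and filesize < 368640` in plain Python, treating `??` as a one-byte wildcard the way YARA does. The buffers it scans are constructed here with the helpers `build_sample` and `_fill_wildcards` (both this example's own) and are not real AndroMut bytes; they only show how the "7 of them" threshold and the size cap interact.

```python
import re
from typing import Dict, Iterable, List

# The ten hex strings from win_andromut_auto, copied verbatim.  In YARA hex
# strings "??" matches any single byte (the rule uses it for call/jmp targets).
ANDROMUT_SEQUENCES: Dict[str, str] = {
    "sequence_0": "8b75f8 6bc828 8b441914 03441910 b9aacd12d8 50 56",
    "sequence_1": "e8???????? 8d850cffffff 50 8d8574ffffff 50 8d95fcfcffff 8d8d74fcffff",
    "sequence_2": "c785fcfeffff84408441 c78500ffffff842c8415 c78504ffffff843c840d c78508ffffff841c8423",
    "sequence_3": "e8???????? 8d8de8fcffff 51 8d8dd8faffff 51 ffd0",
    "sequence_4": "83c40c c745d4e278e238 c745d8de58e218 c745dcdef8dcb8 c745e0e498e0f8",
    "sequence_5": "e9???????? 83bde4feffff06 0f85cf000000 8b85e8feffff 83f803 7524 83ef02",
    "sequence_6": "8bd0 51 ffb5fcfcffff 8d4dcc e8???????? 59",
    "sequence_7": "f3ab 8b7dfc b802210000 6689443e16 0fb7443e06",
    "sequence_8": "53 6a0a 6a18 8d8510f4ffff c645fc02 50 e8????????",
    "sequence_9": "5a 84c0 745c 8d4601 894588 f7e2 0f90c1",
}
MAX_FILESIZE = 368640   # condition: filesize < 368640
MIN_MATCHES = 7         # condition: 7 of them


def hex_pattern_to_regex(pattern: str) -> "re.Pattern[bytes]":
    """Compile a YARA-style hex string into a bytes regex ('??' -> any byte)."""
    hexdigits = pattern.replace(" ", "")
    if len(hexdigits) % 2:
        raise ValueError("odd-length hex pattern: %r" % pattern)
    parts: List[bytes] = []
    for i in range(0, len(hexdigits), 2):
        pair = hexdigits[i:i + 2]
        parts.append(b"." if pair == "??" else re.escape(bytes([int(pair, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: hex_pattern_to_regex(p) for name, p in ANDROMUT_SEQUENCES.items()}


def matching_sequences(data: bytes) -> List[str]:
    """Names of the rule's strings that occur anywhere in data."""
    return [name for name, rx in COMPILED.items() if rx.search(data)]


def win_andromut_auto(data: bytes) -> bool:
    """Evaluate the rule condition exactly: 7 of them and filesize < 368640."""
    if len(data) >= MAX_FILESIZE:
        return False
    return len(matching_sequences(data)) >= MIN_MATCHES


def _fill_wildcards(pattern: str, filler: str = "41") -> bytes:
    """Constructed-data helper: make concrete bytes from a pattern by
    replacing every '??' with 0x41.  Used only to build test buffers."""
    return bytes.fromhex(pattern.replace(" ", "").replace("??", filler))


def build_sample(names: Iterable[str]) -> bytes:
    """Constructed pseudo-sample (not real AndroMut code): a fake MZ header
    followed by the chosen sequences, each padded with a short NOP sled."""
    body = b"MZ" + b"\x00" * 62
    for name in names:
        body += _fill_wildcards(ANDROMUT_SEQUENCES[name]) + b"\x90" * 16
    return body


if __name__ == "__main__":
    names = list(ANDROMUT_SEQUENCES)
    print("7 sequences present  :", win_andromut_auto(build_sample(names[:7])))  # True
    print("6 sequences present  :", win_andromut_auto(build_sample(names[:6])))  # False
    oversized = build_sample(names) + b"\x00" * MAX_FILESIZE
    print("all present, too big :", win_andromut_auto(oversized))                # False
```

Two caveats follow directly from the rule's own disclaimer. The sequences were selected from disassembly of unpacked files and memory dumps, so the rule is meant for unpacked samples or process memory, not for the packed droppers TA505 distributes; the Blueliv reference above (Qiling-based unpacking) is one way to get there. And because the strings come from a single documented sample, a variant that recompiles with different stack offsets can fall below the "7 of them" threshold while still creating the "mutshellmy777" mutex, which this auto-generated rule does not look for at all; an analyst who wants that indicator has to add it (for example as a plain ASCII/wide string) as a separate, hand-written condition.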