win.andromut

AndroMut

aka: Gelup

Actor(s): TA505

There is no description at this point.

References
2020-08-20 | CERT-FR | Development of the Activity of the TA505 Cybercriminal Group
  https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf
  Families: AndroMut Bart Clop Dridex FlawedAmmyy FlawedGrace Get2 Locky Marap QuantLoader SDBbot ServHelper tRat TrickBot

2020-06-22 | CERT-FR | Évolution de l'activité du Groupe Cybercriminel TA505 (French-language version of the report above)
  https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf
  Families: Amadey AndroMut Bart Clop Dridex FlawedGrace Gandcrab Get2 GlobeImposter Jaff Locky Marap Philadephia Ransom QuantLoader Scarab Ransomware SDBbot ServHelper Silence tRat TrickBot

2020-05-24 | Positive Technologies (PT ESC Threat Intelligence) | Operation TA505: network infrastructure. Part 3.
  https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part3/
  Families: AndroMut Buhtrap SmokeLoader

2020-05-21 | Intel 471 | A brief history of TA505
  https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/
  Families: AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot

2020-03-03 | PWC UK | Cyber Threats 2019: A Year in Retrospect
  https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf
  Families: KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom

2020-02-13 | Qianxin (Qi Anxin Threat Intelligence Center) | APT Report 2019
  https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
  Families: Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy

2019-07-04 | Trend Micro | Latest Spam Campaigns from TA505 Now Using New Malware Tools Gelup and FlowerPippi
  https://documents.trendmicro.com/assets/Tech-Brief-Latest-Spam-Campaigns-from-TA505-Now-Using-New-Malware-Tools-Gelup-and-FlowerPippi.pdf
  Families: AndroMut

2019-07-02 | Proofpoint (Matthew Mesa, Dennis Schwarz, Proofpoint Threat Insight Team) | TA505 begins summer campaigns with a new pet malware downloader, AndroMut, in the UAE, South Korea, Singapore, and the United States
  https://www.proofpoint.com/us/threat-insight/post/ta505-begins-summer-campaigns-new-pet-malware-downloader-andromut-uae-south
  Families: AndroMut FlawedAmmyy
Yara Rules
[TLP:WHITE] win_andromut_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_andromut_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.andromut"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */
    strings:
        $sequence_0 = { 8bf3 6a10 e8???????? 59 }
            // n = 4, score = 200
            //   8bf3                 | mov                 esi, ebx
            //   6a10                 | push                0x10
            //   e8????????           |                     
            //   59                   | pop                 ecx

        $sequence_1 = { e8???????? 6a00 ebf7 56 ebf4 55 8bec }
            // n = 7, score = 200
            //   e8????????           |                     
            //   6a00                 | push                0
            //   ebf7                 | jmp                 0xfffffff9
            //   56                   | push                esi
            //   ebf4                 | jmp                 0xfffffff6
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp

        $sequence_2 = { 807d8700 742b ff34b7 8b5580 8bc6 8b8d70ffffff }
            // n = 6, score = 200
            //   807d8700             | cmp                 byte ptr [ebp - 0x79], 0
            //   742b                 | je                  0x2d
            //   ff34b7               | push                dword ptr [edi + esi*4]
            //   8b5580               | mov                 edx, dword ptr [ebp - 0x80]
            //   8bc6                 | mov                 eax, esi
            //   8b8d70ffffff         | mov                 ecx, dword ptr [ebp - 0x90]

        $sequence_3 = { 663bc3 75f5 2bca 8d45a0 d1f9 51 53 }
            // n = 7, score = 200
            //   663bc3               | cmp                 ax, bx
            //   75f5                 | jne                 0xfffffff7
            //   2bca                 | sub                 ecx, edx
            //   8d45a0               | lea                 eax, [ebp - 0x60]
            //   d1f9                 | sar                 ecx, 1
            //   51                   | push                ecx
            //   53                   | push                ebx

        $sequence_4 = { 2bca 8d85c8feffff d1f9 51 53 }
            // n = 5, score = 200
            //   2bca                 | sub                 ecx, edx
            //   8d85c8feffff         | lea                 eax, [ebp - 0x138]
            //   d1f9                 | sar                 ecx, 1
            //   51                   | push                ecx
            //   53                   | push                ebx

        $sequence_5 = { 6a02 8d5102 5e 668b01 03ce 663bc7 75f6 }
            // n = 7, score = 200
            //   6a02                 | push                2
            //   8d5102               | lea                 edx, [ecx + 2]
            //   5e                   | pop                 esi
            //   668b01               | mov                 ax, word ptr [ecx]
            //   03ce                 | add                 ecx, esi
            //   663bc7               | cmp                 ax, di
            //   75f6                 | jne                 0xfffffff8

        $sequence_6 = { 23c7 33c2 8bc8 c1e00f }
            // n = 4, score = 200
            //   23c7                 | and                 eax, edi
            //   33c2                 | xor                 eax, edx
            //   8bc8                 | mov                 ecx, eax
            //   c1e00f               | shl                 eax, 0xf

        $sequence_7 = { 51 57 ffd0 8bce e8???????? }
            // n = 5, score = 200
            //   51                   | push                ecx
            //   57                   | push                edi
            //   ffd0                 | call                eax
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     

        $sequence_8 = { 59 59 68e0930400 ffd6 ebb3 55 8bec }
            // n = 7, score = 200
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   68e0930400           | push                0x493e0
            //   ffd6                 | call                esi
            //   ebb3                 | jmp                 0xffffffb5
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp

        $sequence_9 = { 80e280 0fb6c0 0f45c8 324dfd 32cb }
            // n = 5, score = 200
            //   80e280               | and                 dl, 0x80
            //   0fb6c0               | movzx               eax, al
            //   0f45c8               | cmovne              ecx, eax
            //   324dfd               | xor                 cl, byte ptr [ebp - 3]
            //   32cb                 | xor                 cl, bl

    condition:
        7 of them and filesize < 368640
}