Backdoor Andromeda (waahoo, alias Gamarue)

Forum for analysis and discussion about malware.
gritland
Posts: 31
Joined: Tue May 11, 2010 10:57 am

Re: Backdoor Andromeda (waahoo, alias Gamarue)

Post by gritland » Wed Jun 24, 2015 7:00 pm

Can anyone share the formgrab plugin of Andromeda?

teddybear
Posts: 16
Joined: Tue Sep 24, 2013 11:06 am

Re: Backdoor Andromeda (waahoo, alias Gamarue)

Post by teddybear » Wed Jun 24, 2015 7:18 pm

Recent sample distributed via German-language spam email:

Code:

154f102cc1c0ee63fe6681ab4f8ab8bccce726e96ad4ba78adfed7fb8913d22d
https://www.virustotal.com/en/file/154f ... /analysis/

EP_X0FF
Global Moderator
Posts: 4808
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Backdoor Andromeda (waahoo, alias Gamarue)

Post by EP_X0FF » Thu Jun 25, 2015 9:23 am

teddybear wrote:
Recent sample distributed via German-language spam email:

154f102cc1c0ee63fe6681ab4f8ab8bccce726e96ad4ba78adfed7fb8913d22d
https://www.virustotal.com/en/file/154f ... /analysis/

Attached.
Ring0 - the source of inspiration

Blaze
Posts: 198
Joined: Fri Aug 27, 2010 7:35 am

Re: Backdoor Andromeda (waahoo, alias Gamarue)

Post by Blaze » Thu Jun 25, 2015 10:45 am

Seems Andromeda is resurfacing; I've seen an increase at least since the end of May.

More samples attached; reference: http://www.certego.net/en/news/andromed ... man-users/


teddybear
Posts: 16
Joined: Tue Sep 24, 2013 11:06 am

Re: Backdoor Andromeda (waahoo, alias Gamarue)

Post by teddybear » Tue Jul 14, 2015 9:09 am

Italian campaign still ongoing, a sample from yesterday:
https://malwr.com/analysis/YzE1Y2QyNGZi ... JlMmQ4OGM/

uCares
Posts: 13
Joined: Sat Aug 20, 2011 12:13 am

Re: Backdoor Andromeda (waahoo, alias Gamarue)

Post by uCares » Tue Jul 14, 2015 2:04 pm

teddybear wrote:
Italian campaign still ongoing, a sample from yesterday:
https://malwr.com/analysis/YzE1Y2QyNGZi ... JlMmQ4OGM/

Control Panel: h**p://paranormal-online-kino.ru/data/connect.php
Other Connections:
h**p://109.120.180.29/intro/data.php

Download Files:
h**p://109.120.180.29/intro/autocrypt/n/neuc.exe
h**p://109.120.180.29/intro/autocrypt/g/gc.exe
h**p://109.120.180.29/intro/autocrypt/3000/btc.exe
h**p://109.120.180.29/intro/autocrypt/bk/bkc.exe

comak
Posts: 43
Joined: Mon Oct 14, 2013 8:25 am

Re: Backdoor Andromeda (waahoo, alias Gamarue)

Post by comak » Tue Jul 14, 2015 4:34 pm

I have those extracted from the binary

Code:

rc4key	81e01c3a426ed5b6f37847a95ecb696c
urls	http://109.120.180.29/intro/data.php,http://a.nas.ru/intro/data.php,http://b.nas.ru/intro/data.php,http://c.nas.ru/intro/data.php,http://faumoussuperstars.ru/intro/data.php

uCares
Posts: 13
Joined: Sat Aug 20, 2011 12:13 am

Re: Backdoor Andromeda (waahoo, alias Gamarue)

Post by uCares » Tue Jul 14, 2015 7:52 pm

comak wrote:
I have those extracted from the binary

rc4key	81e01c3a426ed5b6f37847a95ecb696c
urls	http://109.120.180.29/intro/data.php,http://a.nas.ru/intro/data.php,http://b.nas.ru/intro/data.php,http://c.nas.ru/intro/data.php,http://faumoussuperstars.ru/intro/data.php

Well, on the live lab the connection was:

Code:

h**p://paranormal-online-kino.ru/data/connect.php?cmd=1&uid=25bd6ba3-2687-5873-n25z-852468v8sss4&os=Win%207%20(64-bit)&av=N%252FA&version=3.9.3&quality=9

sysopfb
Posts: 96
Joined: Thu Oct 23, 2014 1:22 am

Re: Backdoor Andromeda (waahoo, alias Gamarue)

Post by sysopfb » Tue Jul 14, 2015 9:29 pm

uCares wrote:
comak wrote:
I have those extracted from the binary

rc4key	81e01c3a426ed5b6f37847a95ecb696c
urls	http://109.120.180.29/intro/data.php,http://a.nas.ru/intro/data.php,http://b.nas.ru/intro/data.php,http://c.nas.ru/intro/data.php,http://faumoussuperstars.ru/intro/data.php

Well, on the live lab the connection was:

h**p://paranormal-online-kino.ru/data/connect.php?cmd=1&uid=25bd6ba3-2687-5873-n25z-852468v8sss4&os=Win%207%20(64-bit)&av=N%252FA&version=3.9.3&quality=9

That's a callout from one of the downloaded files from Andromeda, specifically from neuc.exe, which is Neutrino Bot (Win32/Kasidet).
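Added example, not code from the thread or from any tool named in it: it takes the tab-separated config dump comak posted and the check-in URL uCares captured, turns the config URLs into a host watchlist, decodes the check-in query string (including the double-encoded av=N%252FA value), and runs both over a few constructed proxy-log lines in an assumed "timestamp client method URL" format. The uid anomaly check is an observation on the captured string (it contains letters outside 0-9a-f), not a documented feature of the bot.

```python
# Added example (not from the thread): parse the posted config dump and the
# captured check-in URL, then scan constructed proxy-log lines for requests to
# the extracted C2 hosts or requests whose query matches the check-in pattern.
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Copy of the tab-separated config dump posted above (key<TAB>value per line).
CONFIG_DUMP = (
    "rc4key\t81e01c3a426ed5b6f37847a95ecb696c\n"
    "urls\thttp://109.120.180.29/intro/data.php,http://a.nas.ru/intro/data.php,"
    "http://b.nas.ru/intro/data.php,http://c.nas.ru/intro/data.php,"
    "http://faumoussuperstars.ru/intro/data.php\n"
)

# The check-in request captured in the lab (defanging removed so urlsplit can parse it).
CAPTURED_CHECKIN = (
    "http://paranormal-online-kino.ru/data/connect.php?cmd=1"
    "&uid=25bd6ba3-2687-5873-n25z-852468v8sss4&os=Win%207%20(64-bit)"
    "&av=N%252FA&version=3.9.3&quality=9"
)

# Query parameters the captured check-in carries; all must be present to match.
CHECKIN_PARAMS = {"cmd", "uid", "os", "av", "version"}
HEX_GUID = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")

# Constructed proxy-log lines (assumed format: timestamp client method URL).
SAMPLE_PROXY_LOG = [
    "2015-07-14T13:58:01 10.0.0.5 GET http://a.nas.ru/intro/data.php",
    "2015-07-14T13:58:09 10.0.0.5 GET http://109.120.180.29/intro/autocrypt/n/neuc.exe",
    "2015-07-14T13:58:30 10.0.0.5 GET " + CAPTURED_CHECKIN,
    "2015-07-14T13:59:00 10.0.0.7 GET http://example.com/index.html",
]
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def parse_config(dump):
    """Parse 'key<TAB>value' lines; the urls value is a comma-separated list."""
    cfg = {}
    for line in dump.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition("\t")
        cfg[key] = value.split(",") if key == "urls" else value
    return cfg


def c2_hosts(cfg):
    """Hostnames (or IPs) of every C2 URL in the config, usable as a watchlist."""
    return {urlsplit(u).hostname for u in cfg.get("urls", [])}


def parse_checkin(url):
    """Return decoded check-in fields if the query matches the pattern, else None."""
    qs = parse_qs(urlsplit(url).query)
    if not CHECKIN_PARAMS <= set(qs):
        return None
    # parse_qs already percent-decodes once; av=N%252FA is double-encoded in the
    # capture, so a second unquote turns N%2FA into N/A (a no-op for the others).
    fields = {k: unquote(v[0]) for k, v in qs.items()}
    # The captured uid contains letters outside 0-9a-f, so it is not a
    # well-formed hex GUID; record that as an anomaly for the analyst.
    fields["uid_is_hex_guid"] = bool(HEX_GUID.fullmatch(fields["uid"]))
    return fields


def scan_log(lines, hosts):
    """Flag requests to a config C2 host, or requests whose query looks like a check-in."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        url = m.group("url")
        host = urlsplit(url).hostname
        if host in hosts:
            alerts.append({"src": m.group("src"), "host": host,
                           "reason": "host in extracted C2 config"})
            continue
        fields = parse_checkin(url)
        if fields is not None:
            alerts.append({"src": m.group("src"), "host": host,
                           "reason": "check-in query pattern", "fields": fields})
    return alerts


if __name__ == "__main__":
    cfg = parse_config(CONFIG_DUMP)
    for alert in scan_log(SAMPLE_PROXY_LOG, c2_hosts(cfg)):
        print(alert)
```

The host watchlist catches both the data.php check-in and the autocrypt payload downloads on the same IP, while the query-pattern match catches the connect.php callout to a host that is not in the extracted config, which is the case sysopfb points out: the check-in belongs to the downloaded Neutrino Bot, not to Andromeda itself.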

ikolor
Posts: 307
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Re: Malware collection

Post by ikolor » Sun Aug 16, 2015 9:30 am

