A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #19272  by EP_X0FF
 Wed May 15, 2013 3:54 am
SHA1
Code: Select all
2b15d7f5195f766e5151c4da772c5965c6d6eccb
b6e6850bca9ae2440c9a6f3fc19c999f2b81fec3
f6c60be8656242d4024d6f93dfc992d681e0442c
1925a0119584288d48bd54bd5b5a992788705f86
388c37ecbd40d531dd03afce462ccfc563924a8b
9a2192f413ac99127f14e9da708a49c97261a078
c6a5c476d0f662adf4d74e26b6bdbb592c57d7d6
d196982db154ef8ab98ce96a0e5053808983c51e
e69054e9f00af5fff867dc1ad95946c0aae3a6b8
f6c60be8656242d4024d6f93dfc992d681e0442c
8a262d6e513c60f10ef0b117de92b3db79885088
You do not have the required permissions to view the files attached to this post.
 #19277  by bsteo
 Wed May 15, 2013 3:38 pm
EP_X0FF wrote:SHA1
Code: Select all
2b15d7f5195f766e5151c4da772c5965c6d6eccb
b6e6850bca9ae2440c9a6f3fc19c999f2b81fec3
f6c60be8656242d4024d6f93dfc992d681e0442c
1925a0119584288d48bd54bd5b5a992788705f86
388c37ecbd40d531dd03afce462ccfc563924a8b
9a2192f413ac99127f14e9da708a49c97261a078
c6a5c476d0f662adf4d74e26b6bdbb592c57d7d6
d196982db154ef8ab98ce96a0e5053808983c51e
e69054e9f00af5fff867dc1ad95946c0aae3a6b8
f6c60be8656242d4024d6f93dfc992d681e0442c
8a262d6e513c60f10ef0b117de92b3db79885088
Any idea if they/some are the "reloaded" version namely "Andromeda 2.7" or the old version?
 #19282  by EP_X0FF
 Wed May 15, 2013 4:24 pm
@exitthematrix
exitthematrix wrote:Any idea if they/some are the "reloaded" version namely "Andromeda 2.7" or the old version?
Check all that detected as Gamarue.I, maybe that is what you are looking for.

And check this one. This sample is described in blogpost linked above.
Can be problematic to launch this sample, so when you are in debugger, take a look on @00405764 (easy to find, multiple combinations of cpuid/rdtsc), there all the magic of first stage take place -> set IP to
Code: Select all
mov eax, main
call eax
dropper will continue to runpe part. In attach dropper (courtesy of markusg), decrypted 2stage dropper. Payload - TCP bind shell position independed code can be easily retrieved after NtAllocateVirtualMemory call. @00401247 in 2stage is decrypt procedure

https://www.virustotal.com/en/file/29a5 ... /analysis/
https://www.virustotal.com/en/file/87a4 ... /analysis/
You do not have the required permissions to view the files attached to this post.
 #19469  by EP_X0FF
 Thu May 30, 2013 2:05 am
11 Andromeda droppers.

SHA1
Code: Select all
298097a499a1e45314c7eaabb109ba7da70f4bf0
e3dcbd78ff5959e30f5645613474beac45f5554a
0e6f901a8193bac8ff5ca70325aceb63ed0c2476
19c1effb5294eb1d59ec530b73a4526d8a882107
19f8e7ac332db4d1508e7ac25f1f5591834f31cb
36129292066f264d46fdbe7ab67b976aa79421a6
4756a1687d8027ddab4a5efa034dbb1de2cc017d
ba09891a52d71d2ad2cc1acc76c8b774c34f1491
c9ca537a994bc4ec79128bbc5771252c08ca8fa6
e080a9a86da2ec9a20938d82c9ee983989414847
e3dcbd78ff5959e30f5645613474beac45f5554a
f881727c18fdb1a9fdf65f2dc6e18ceced6be226
You do not have the required permissions to view the files attached to this post.
 #19698  by Blaze
 Wed Jun 19, 2013 12:59 pm
Possible Gamarue attached. Received in spammail.

Subject:
SMS-MMS Id505044
You do not have the required permissions to view the files attached to this post.
 #19876  by TwinHeadedEagle
 Sun Jun 30, 2013 5:59 am
Gamarue has code Anti-Emulation and Anti-VM to detect the presence of Virtual machine, I was able to execute it on patched VM, but can you tell me does it have technique to disable USB spreading when it detects VM...
  • 1
  • 6
  • 7
  • 8
  • 9
  • 10
  • 13