A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #26180  by EP_X0FF
 Thu Jun 25, 2015 9:23 am
teddybear wrote:Recent sample distributed via German-language spam email:
154f102cc1c0ee63fe6681ab4f8ab8bccce726e96ad4ba78adfed7fb8913d22d
https://www.virustotal.com/en/file/154f ... /analysis/
Attached.
pass: infected
 #26181  by Blaze
 Thu Jun 25, 2015 10:45 am
Seems Andromeda is re-surfacing, I've seen an increase at least since the end of May.

More samples attached, reference: http://www.certego.net/en/news/andromed ... man-users/
 #26285  by uCares
 Tue Jul 14, 2015 2:04 pm
teddybear wrote:Italian campaign still ongoing, a sample from yesterday:
https://malwr.com/analysis/YzE1Y2QyNGZi ... JlMmQ4OGM/
Control Panel : h**p://paranormal-online-kino.ru/data/connect.php
Other Connections :
h**p://109.120.180.29/intro/data.php

Download Files :
h**p://109.120.180.29/intro/autocrypt/n/neuc.exe
h**p://109.120.180.29/intro/autocrypt/g/gc.exe
h**p://109.120.180.29/intro/autocrypt/3000/btc.exe
h**p://109.120.180.29/intro/autocrypt/bk/bkc.exe
 #26287  by comak
 Tue Jul 14, 2015 4:34 pm
I have these extracted from the binary:
rc4key	81e01c3a426ed5b6f37847a95ecb696c
urls	http://109.120.180.29/intro/data.php,http://a.nas.ru/intro/data.php,http://b.nas.ru/intro/data.php,http://c.nas.ru/intro/data.php,http://faumoussuperstars.ru/intro/data.php
 #26290  by uCares
 Tue Jul 14, 2015 7:52 pm
comak wrote: I have these extracted from the binary:
rc4key	81e01c3a426ed5b6f37847a95ecb696c
urls	http://109.120.180.29/intro/data.php,http://a.nas.ru/intro/data.php,http://b.nas.ru/intro/data.php,http://c.nas.ru/intro/data.php,http://faumoussuperstars.ru/intro/data.php
Well, on the live lab the connection was:
h**p://paranormal-online-kino.ru/data/connect.php?cmd=1&uid=25bd6ba3-2687-5873-n25z-852468v8sss4&os=Win%207%20(64-bit)&av=N%252FA&version=3.9.3&quality=9
 #26293  by sysopfb
 Tue Jul 14, 2015 9:29 pm
uCares wrote:
comak wrote: I have these extracted from the binary:
rc4key	81e01c3a426ed5b6f37847a95ecb696c
urls	http://109.120.180.29/intro/data.php,http://a.nas.ru/intro/data.php,http://b.nas.ru/intro/data.php,http://c.nas.ru/intro/data.php,http://faumoussuperstars.ru/intro/data.php
Well, on the live lab the connection was:
h**p://paranormal-online-kino.ru/data/connect.php?cmd=1&uid=25bd6ba3-2687-5873-n25z-852468v8sss4&os=Win%207%20(64-bit)&av=N%252FA&version=3.9.3&quality=9
That's a callout from one of the files downloaded by Andromeda, specifically from neuc.exe, which is Neutrino Bot (Win32/Kasidet).
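Added example, not code from the thread or from any of the posters: a small Python scanner that takes the indicators posted above (comak's extracted Andromeda C2 URLs, the 109.120.180.29/intro/autocrypt/ payload paths, and the Neutrino Bot connect.php check-in that uCares captured) and runs them over a proxy log. The log format (squid-style "epoch client method url status"), the client addresses and the timestamps are my assumptions; the URLs are the ones posted. One detail worth seeing in code: the bot double percent-encodes av=N%252FA, so a single decode still leaves N%2FA and a second pass is needed to recover N/A.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Andromeda C2 URLs as extracted from the binary by comak (scheme dropped).
ANDROMEDA_C2 = {
    "109.120.180.29/intro/data.php",
    "a.nas.ru/intro/data.php",
    "b.nas.ru/intro/data.php",
    "c.nas.ru/intro/data.php",
    "faumoussuperstars.ru/intro/data.php",
}

# Payload staging seen in uCares' post: 109.120.180.29/intro/autocrypt/<dir>/<name>.exe
ANDROMEDA_STAGING = re.compile(r"^109\.120\.180\.29/intro/autocrypt/[^/]+/[^/]+\.exe$")

# Query parameters of the Neutrino Bot check-in seen on the live lab connection.
NEUTRINO_FIELDS = ("cmd", "uid", "os", "av", "version", "quality")

# Constructed squid-style proxy log (assumed format: "epoch client method url status").
# The URLs are the ones from the thread; clients and timestamps are made up.
SAMPLE_LOG = """\
1436875200.001 10.0.0.5 GET http://109.120.180.29/intro/data.php 200
1436875201.120 10.0.0.5 GET http://109.120.180.29/intro/autocrypt/n/neuc.exe 200
1436875202.311 10.0.0.5 GET http://paranormal-online-kino.ru/data/connect.php?cmd=1&uid=25bd6ba3-2687-5873-n25z-852468v8sss4&os=Win%207%20(64-bit)&av=N%252FA&version=3.9.3&quality=9 200
1436875203.000 10.0.0.7 GET http://www.example.com/index.php?cmd=1&uid=abc 200
"""


def classify_url(url):
    """Return a dict describing the hit, or None if the URL matches nothing we know."""
    parts = urlsplit(url)
    hostpath = parts.netloc + parts.path
    if hostpath in ANDROMEDA_C2:
        return {"family": "andromeda", "kind": "c2", "target": hostpath}
    if ANDROMEDA_STAGING.match(hostpath):
        return {"family": "andromeda", "kind": "payload", "target": hostpath}
    if parts.path.endswith("/connect.php"):
        qs = parse_qs(parts.query, keep_blank_values=True)
        if all(k in qs for k in NEUTRINO_FIELDS):
            hit = {"family": "neutrino", "kind": "checkin", "target": hostpath}
            for k in NEUTRINO_FIELDS:
                # parse_qs already decoded once; the bot double-encodes
                # (av=N%252FA on the wire), so decode a second time.
                hit[k] = unquote(qs[k][0])
            return hit
    return None


def scan(log_text):
    """Walk the log and return one dict per matching request, in log order."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line, skip
        ts, client, method, url, status = fields[:5]
        hit = classify_url(url)
        if hit:
            hit.update({"ts": ts, "client": client, "method": method, "status": status})
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h)
```

Running it against the constructed log gives three hits for 10.0.0.5 (Andromeda C2 poll, neuc.exe download, then the Neutrino check-in with av decoded to N/A) and nothing for the unrelated example.com request; matching on host plus path rather than on the bare query parameter names is what keeps the last line out.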