{
	"id": "524753bb-efce-41d8-8c97-5f9e3e1e5afa",
	"created_at": "2026-04-06T00:14:44.956759Z",
	"updated_at": "2026-04-10T03:21:26.062799Z",
	"deleted_at": null,
	"sha1_hash": "dd94e8489de566b94134b310206b1fee6ca1836f",
	"title": "A review of the evolution of Andromeda over the years before we say goodbye",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1071187,
	"plain_text": "A review of the evolution of Andromeda over the years before we say\r\ngoodbye\r\nBahare Sabouri \u0026 He Xu\r\nFortinet, Canada\r\nCopyright © 2018 Virus Bulletin\r\nIntroduction\r\nAndromeda, also known as Gamaru and Wauchos, is a modular, HTTP-based botnet that was discovered in late\r\n2011. From that point on it survived and kept hardening itself in several ways: the complexity of its loader and of its\r\nAV-evasion methods increased with each release, and the C\u0026C communication changed between versions as well.\r\nWe deal with versions of this threat on a daily basis and have collected a number of different variants. The botnet\r\nfirst came onto our tracking radar at version 2.06, and we have tracked every version since. In this paper we\r\ndescribe the evolution of Andromeda from version 2.06 to 2.10 and show both how its loader improved at evading\r\nautomatic analysis and detection and how the payload varies between versions.\r\nThis article can also be read as a way of saying 'goodbye' to the botnet: a takedown effort, followed by the arrest of the\r\nsuspected botnet owner in December 2017, may mean we have seen the last of a botnet that has plagued Internet users\r\nfor more than half a decade.\r\nOverview of Andromeda\r\nThe first Andromeda to be discovered was spotted in the wild in 2011, and version 2.06 followed quickly\r\nafterwards in early 2012. Not much is known about any earlier versions, and it is possible they were never released into\r\nthe wild.\r\nThe campaign continued to develop with versions 2.07, 2.08, 2.09 and 2.10. The latest known version, 2.10, was first\r\nseen in 2015 and may be the final version released: according to posts on underground forums, development of the\r\nthreat stopped around a year ago. 
Figure 1 shows a brief history of Andromeda.\r\nhttps://www.virusbulletin.com/virusbulletin/2018/02/review-evolution-andromeda-over-years-we-say-goodbye/\r\nPage 1 of 16\n\nFigure 1: A brief history of Andromeda.\r\nRegardless of the version, Andromeda arrives on the target machine as a packed sample. Various packers have been\r\nused, from well-known packers such as UPX and SFX RAR to lesser-known and even custom ones, written in\r\nlanguages such as AutoIt, .NET and C++.\r\nUnpacking the first layer of the sample reveals the loader, which is small both in size (13KB to 20KB) and in\r\nthe number of function calls it contains.\r\nLoader\r\nIn all versions of Andromeda the loader avoids direct calls to APIs. Instead, it locates each API by a hash of its name\r\nand calls it indirectly through a general-purpose register. Versions 2.06, 2.07 and 2.08 pass the hash value as an\r\nimmediate operand to a resolver function, which walks the export names to find the matching API. Version 2.06 uses a\r\ncustom hash function, while versions 2.07 and 2.08 use CRC32. Versions 2.09 and 2.10 share the same trivial custom\r\nhash function. Figure 3 shows the loader in version 2.09 handling an array of hash values.\r\nFigure 2: Version 2.08 passes the hash as an immediate value to 'resolveAddress_byHash'.\r\nFigure 3: In version 2.09, the loader handles an array of hash values.\r\nVersion 2.10 also keeps an array of API hash values. 
The hash algorithm is a custom function and, in order to\r\ncomplicate static analysis further, the author incorporates opaque predicates, as shown in Figure 4.\r\nFigure 4: Opaque predicates in the version 2.10 loader make static analysis more difficult.\r\nMain structure\r\nThe section of the loader that is used to evade virtual machines and, more generally, analysis is similar in versions 2.06,\r\n2.07 and 2.08. In these variants the loader enumerates the processes running on the machine and compares them against\r\na list of unwanted processes. To do this, it converts the name of each process to lowercase and then\r\ncalculates its hash value. The hash values are then compared against a hard-coded list. The hash algorithm is the same\r\none used to hash API names, except that in version 2.08 it has an extra xor instruction (xor eax,\r\n0E17176Fh). 
As shown in Figure 5, the newer versions have longer lists of unwanted processes.\r\nFigure 5: From left to right: version 2.06, 2.07 and 2.08 hard-coded hash values correspond to the list of unwanted\r\nprocesses.\r\nVersion 2.06 (9 entries)\r\n0x4CE5FD07  vmwareuser.exe\r\n0x8181326C  vmwareservice.exe\r\n0x31E233AF  vboxservice.exe\r\n0x91D47DF6  vboxtray.exe\r\n0xE8CDDC54  sandboxiedcomlaunch.exe\r\n0x8C6D6C    sandboxierpcss.exe\r\n0xA8D0BA0E  procmon.exe\r\n0xA4EF3C0E  wireshark.exe\r\n0x5CD7BA5E  netmon.exe\r\nVersion 2.07 (11 entries)\r\n0x99DD4432  vmwareuser.exe\r\n0x2D859DB4  vmwareservice.exe\r\n0x64340DCE  vboxservice.exe\r\n0x63C54474  vboxtray.exe\r\n0x349C9C8B  sandboxiedcomlaunch.exe\r\n0x3446EBCE  sandboxierpcss.exe\r\n0x5BA9B1FE  procmon.exe\r\n0x3CE2BEF3  regmon.exe\r\n0x3D46F02B  filemon.exe\r\n0x77AE10F7  wireshark.exe\r\n0xF344E95D  netmon.exe\r\nVersion 2.08 (18 entries)\r\n0x97CA535D  vmwareuser.exe\r\n0x23928ADB  vmwareservice.exe\r\n0x6A231AA1  vboxservice.exe\r\n0x6DD2531B  vboxtray.exe\r\n0x3A8B8BE4  sandboxiedcomlaunch.exe\r\n0x3A51FCA1  sandboxierpcss.exe\r\n0x55BEA691  procmon.exe\r\n0x32F5A99C  regmon.exe\r\n0x3351E744  filemon.exe\r\n0x79B90798  wireshark.exe\r\n0xFD53FE32  netmon.exe\r\n0x23A97A00  prl_tools_service.exe\r\n0xADC6152B  prl_tools.exe\r\n0x1365FAFE  prl_cc.exe\r\n0x98847CD1  sharedintapp.exe\r\n0x299BC837  vmtoolsd.exe\r\n0x35E8EFEA  vmsrvc.exe\r\n0x632434B6  vmusrvc.exe\r\nTable 1: Corresponding process to each hash.\r\nNext, the bot takes advantage of registry artifacts and reads the following registry value:\r\nKey: HKLM\\system\\currentcontrolset\\services\\disk\\enum\r\nValueName: 0\r\nVersion 2.06 parses the data of this value for the presence of the substrings 'qemu', 'vbox' and 'wmwa'. 
Similarly,\r\nversions 2.07 and 2.08 check for 'qemu', 'vbox' and 'vmwa'. (It is likely that 'wmwa' was a bug in version 2.06 that was\r\npatched later; as written, the 2.06 check cannot match a VMware disk.) Upon finding any of these strings, each version\r\ntakes a different approach to redirecting the flow of the code.\r\nBefore redirecting the code, versions 2.06 and 2.07 run another snippet of code that uses a timing check (a 'time attack')\r\nin order to prevent further analysis. The malware reads the timestamp counter twice (by executing rdtsc) and calculates the\r\ndifference between the two readings. If the difference is below the hard-coded threshold (reported as 512ms, although rdtsc\r\nreturns a raw cycle count rather than elapsed time), it proceeds to resolve imports and decrypt the payload. Otherwise,\r\nexecution falls through to dummy code, where the loader drops a copy of itself in %ALLUSERSPROFILE% renamed to svchost.exe.\r\nFigure 6: Timestamp analysis to detect the debugger.\r\nIt then creates an autorun registry entry for the dropped file as follows:\r\nKey: HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\nValueName: SunJavaUpdateSched\r\nFinally, it listens on port 8000 in an infinite loop, waiting for a command; any command received is executed in a\r\ncommand window.\r\nAs part of its evolution, version 2.07 installs a custom exception handler with a call to\r\nSetUnhandledExceptionFilter. Similarly, version 2.08 calls RtlAddVectoredExceptionHandler and adds its custom\r\nhandler as the first handler in the vectored exception handler (VEH) chain, as shown in Figures 7 and 8.\r\nFigure 7: Bot creates a custom exception handler in version 2.07.\r\nFigure 8: Bot adds a custom exception handler into VEH in version 2.08.\r\nIf the malware finds any of the substrings in the retrieved registry value, it runs a function that deliberately causes an\r\naccess violation. 
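The loader checks described above (API resolution by name hash, the lower-cased process-name blacklist of Table 1 with the extra xor in 2.08, and the 'qemu'/'vbox'/'vmwa' substring test on the disk enum value, including the 2.06 'wmwa' typo), as an added Python example written for this review; it is not Andromeda's code. It assumes CRC32 as in 2.07/2.08 (the 2.06 custom hash is not shown here, so CRC32 stands in for it), that the 2.08 xor is applied to the finished CRC, and constructed process lists and registry data; the hash values it produces are therefore not the ones in Table 1, but the logic is the same, which is what matters when hardening a sandbox against it.

```python
import zlib

# Added example (not Andromeda's code): the loader's environment checks as the
# paper describes them, for testing a sandbox against the same logic.

# Process names from Table 1. 2.06 is the base list; 2.07 and 2.08 extend it.
_BASE_2_06 = ['vmwareuser.exe', 'vmwareservice.exe', 'vboxservice.exe', 'vboxtray.exe',
              'sandboxiedcomlaunch.exe', 'sandboxierpcss.exe', 'procmon.exe',
              'wireshark.exe', 'netmon.exe']
_ADDED_2_07 = ['regmon.exe', 'filemon.exe']
_ADDED_2_08 = ['prl_tools_service.exe', 'prl_tools.exe', 'prl_cc.exe', 'sharedintapp.exe',
               'vmtoolsd.exe', 'vmsrvc.exe', 'vmusrvc.exe']
UNWANTED_PROCESSES = {
    '2.06': _BASE_2_06,
    '2.07': _BASE_2_06 + _ADDED_2_07,
    '2.08': _BASE_2_06 + _ADDED_2_07 + _ADDED_2_08,
}

# Substrings searched for in value 0 of the disk enum registry key quoted above.
DISK_ENUM_MARKERS = {
    '2.06': ('qemu', 'vbox', 'wmwa'),  # 'wmwa' is the probable typo the paper notes
    '2.07': ('qemu', 'vbox', 'vmwa'),
    '2.08': ('qemu', 'vbox', 'vmwa'),
}


def name_hash(name, version='2.07'):
    # 2.07/2.08 hash the lower-cased name with CRC32. The 2.06 custom hash is not
    # shown in the paper, so CRC32 stands in for it here. Applying the 2.08
    # 'xor eax, 0E17176Fh' to the finished CRC is an assumption.
    h = zlib.crc32(name.lower().encode()) & 0xFFFFFFFF
    if version == '2.08':
        h ^= 0x0E17176F
    return h


def resolve_by_hash(exports, wanted, version='2.07'):
    # Loader-style API resolution: walk an export-name table and return the
    # address whose name hashes to the wanted value (None if nothing matches).
    # Lower-casing export names is a simplification so one hash serves both checks.
    for name, address in exports.items():
        if name_hash(name, version) == wanted:
            return address
    return None


def blacklist_table(version='2.07'):
    # The hard-coded hash list the loader compares running processes against.
    return {name_hash(n, version) for n in UNWANTED_PROCESSES[version]}


def unwanted_process_running(running, version='2.07'):
    table = blacklist_table(version)
    return any(name_hash(p, version) in table for p in running)


def disk_enum_is_virtual(enum_value, version='2.07'):
    value = enum_value.lower()
    return any(marker in value for marker in DISK_ENUM_MARKERS[version])


def loader_detects_analysis(running, enum_value, version='2.07'):
    # True when the loader would divert to its dummy path instead of unpacking.
    return unwanted_process_running(running, version) or disk_enum_is_virtual(enum_value, version)


if __name__ == '__main__':
    # Constructed sample data: a VMware guest with Process Monitor running.
    sep = chr(92)  # backslash, kept out of the string literals
    disk = 'SCSI' + sep + 'Disk&Ven_VMware&Prod_Virtual_disk'
    procs = ['explorer.exe', 'svchost.exe', 'Procmon.exe']
    for v in ('2.06', '2.07', '2.08'):
        print(v, loader_detects_analysis(procs, disk, v))
```

Run against a sandbox's real process list and disk enum value, the two functions tell you which of the three versions would refuse to unpack there; renaming tool processes and patching the disk enum string are the usual fixes, and the 2.06 'wmwa' case shows why a VMware guest slipped past that version's disk check.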
The access violation is triggered intentionally when the sample tries to overwrite the DLL characteristics field in its own\r\nPE header, which is mapped read-only, as shown in Figures 9 and 10.\r\nFigure 9: Overwriting the PE header raises an exception.\r\nFigure 10: The PE header only has read rights.\r\nIf the sample is not being debugged, control passes immediately to the custom handler. The custom\r\nexception handler decrypts a piece of code that will later be injected into another process (Figure 11). Under a debugger,\r\nthe debugger receives the exception first, and the analyst has to pass it on for the handler to run.\r\nFigure 11: Custom exception handler.\r\nVersions 2.07 and 2.08 share another feature that controls whether the loader skips its anti-VM and anti-debugging\r\nprocedures. The loader calls GetVolumeInformationA on the 'C:\\' drive and obtains the volume label. Next, it calculates\r\nthe CRC32 of the label and compares it against a hard-coded value, 0x20C7DD84 (Figure 12). If they match, it\r\nbypasses the anti-analysis checks and proceeds directly to raise the exception. The author probably used this\r\ntechnique to test the bot in his/her own virtual machine without having to go through the anti-VM/anti-analysis features.\r\nFigure 12: Drive C checksum is calculated and compared to 0x20C7DD84.\r\nVersions 2.09 and 2.10 evade debugging and analysis using the same idea as previous versions, but this time\r\nin the payload. Eventually, in all versions, the loader injects the payload into a remote process using process hollowing\r\nand runs it in memory.\r\nPayload\r\nAs mentioned, the payloads of versions 2.09 and 2.10 start with some anti-VM tricks, despite the earlier versions having\r\ntaken care of this in the loader. 
Like the older versions, they check for a list of blacklisted processes to tell whether they are running in an analysis\r\nenvironment. The number of blacklisted processes in version 2.09 is exactly the same as in 2.08, whereas it increases\r\nto 21 processes in version 2.10 (see Figure 13). Like versions 2.07 and 2.08, versions 2.09 and 2.10 calculate the\r\nCRC32 of the process name. However, instead of implementing the algorithm themselves, they call RtlComputeCrc32\r\ndirectly. If the bot finds any of the target processes, it runs a snippet of code that sleeps for one minute in an infinite\r\nloop in order to evade detection.\r\nFigure 13: The number of blacklisted processes increases in version 2.10.\r\nVersion 2.10 bypasses these checks if the registry key HKLM\\software\\policies contains a value named 'is_not_vm' whose\r\ndata is the volume serial number of the machine (the same value the bot reports as 'id'). This behaviour is comparable to\r\nthat in versions 2.07 and 2.08, where the bot checked the\r\nchecksum of the root drive.\r\nEvolution of C\u0026C\r\nThe main aim of Andromeda's payload is to collect information about the infected system, talk to the command-and-control\r\n(C\u0026C) server, and download and install additional malware onto the system. To do this, it establishes a\r\nsophisticated command-and-control channel with the server. Each version of Andromeda uses a different format for the\r\nmessages and reports it sends to the server.\r\nAs shown in Table 2, each version has two message formats, both sent as HTTP POST requests: Action Request and\r\nTask Report. Action Request contains the information collected from the compromised system; the bot sends it to the\r\nserver after encryption. 
Task Report, as the name implies, reports on the completed task.\r\nVersion 2.06\r\nAction Request: id:%lu|bid:%lu|bv:%lu|sv:%lu|pa:%lu|la:%lu|ar:%lu\r\nTask Report: id:%lu|tid:%lu|result:%lu\r\nVersion 2.07\r\nAction Request: id:%lu|bid:%lu|bv:%lu|os:%lu|la:%lu|rg:%lu\r\nTask Report: id:%lu|tid:%lu|res:%lu\r\nVersion 2.08\r\nAction Request: id:%lu|bid:%lu|bv:%lu|os:%lu|la:%lu|rg:%lu\r\nTask Report: id:%lu|tid:%lu|res:%lu\r\nVersion 2.09\r\nAction Request: id:%lu|bid:%lu|os:%lu|la:%lu|rg:%lu\r\nTask Report: id:%lu|tid:%lu|err:%lu|w32:%lu\r\nVersion 2.10\r\nAction Request: {\"id\":%lu,\"bid\":%lu,\"os\":%lu,\"la\":%lu,\"rg\":%lu}\r\nAction Request (with keyboard flag): {\"id\":%lu,\"bid\":%lu,\"os\":%lu,\"la\":%lu,\"rg\":%lu,\"bb\":%lu}\r\nTask Report: {\"id\":%lu,\"tid\":%lu,\"err\":%lu,\"w32\":%lu}\r\nTable 2: Evolution of the message formats.\r\nThe Action Request format shares some essential tags among all versions, such as 'id' and 'bid', while other tags\r\nare version-specific, such as 'ar' in version 2.06 and 'bb' in version 2.10. Only the last version of the bot uses\r\nJSON to communicate with the C\u0026C server.\r\nTable 3 describes the role of each tag.\r\nAction Request tags\r\nid: Volume serial number of the victim machine\r\nbid: Bot ID, a hard-coded DWORD in the payload\r\nbv: Bot version\r\npa: Flag indicating whether the OS is 32-bit or 64-bit\r\nla: Local IP address, taken from a sockaddr structure\r\nar/rg: Flag indicating whether the process runs in the administrator group\r\nsv/os: Version of the victim operating system\r\nbb: Flag indicating whether the victim system uses a Russian, Ukrainian, Belarusian or Kazakh keyboard layout\r\nTask Report tags\r\nid: Volume serial number of the victim machine\r\ntid: Task ID provided by the server\r\nres/result/err: Flag indicating whether the task succeeded\r\nw32: System error code, returned by RtlGetLastWin32Error\r\nTable 3: Definition of tags.\r\nWe believe that 'bid' is used to represent the build ID and, interestingly, in some versions, like 2.06 
and 2.10, it indicates a\r\ndate in the format YYYYMMDD, as can be seen in Figure 14. In other instances this tag is a hard-coded\r\nrandom number. The latest 'bid' observed in version 2.10 is 22 May 2017, which suggests that development stopped\r\nthen.\r\nFigure 14: 'bid' value in version 2.10.\r\nAfter version 2.08, 'bv', which indicates the bot version, is removed from the request message. However, the two\r\nlatest versions still carry a clue to the bot version: a hard-coded xor key. This xor key is used in five\r\ndifferent places in version 2.09 and twice in version 2.10. In all cases it is xored with the 'id', and the result is further\r\nmanipulated to produce a file name or a registry value name (see Figures 15 and 16).\r\nFigure 15: The bot version is represented as a hard-coded xor key and used as a file name.\r\nFigure 16: The bot version is represented as a hard-coded xor key and used in registries.\r\nOnce the message has been populated with the required information, in all versions except the most recent one the string\r\nis encrypted in two steps: RC4 with a 20-byte hard-coded key, followed by base64 encoding.\r\nVersion 2.10 encrypts the message with RC4 only. After posting the message to the server, the bot\r\nreceives a reply. It validates the reply by calculating the CRC32 of everything after the first\r\nDWORD, which serves as the checksum. If the CRC32 equals that DWORD, it proceeds to decrypt the remainder\r\nusing the 'id' value as the RC4 key.\r\nNext, it decodes the base64 string and obtains the plaintext message. 
Received messages have the following structure:\r\n#include <stdint.h>\r\nstruct RecvBlock {\r\n    uint8_t  cmd_id;       /* command identifier: 1, 2, 3, 4, 5, 6 or 9 */\r\n    uint32_t tid;          /* task ID, echoed back in the Task Report */\r\n    char     cmd_param[];  /* command parameter, e.g. the download URL */\r\n};\r\nAccording to the received cmd_id, the bot carries out one of the following commands: 1, 2, 3, 4, 5, 6 or 9. In versions\r\nprior to 2.09 the bot is capable of performing all seven tasks, but in versions 2.09 and 2.10 it discards commands 4 and 5.\r\nIn Table 4 we take a look at each task and describe it further using static analysis of the code.\r\ncmd_id 1, Download EXE: using the domain provided in the command parameter, the bot downloads an executable, saves\r\nit in the temp folder under a random name, and executes it.\r\ncmd_id 2, Install plug-in: using the domain provided in the command parameter, the bot installs and loads plug-ins.\r\ncmd_id 3, Update bot: using the domain provided in the command parameter, the bot fetches the executable with which\r\nto update itself. If a registry entry named after the volume serial number exists, the bot drops\r\nthe update in the temp folder under a random name; otherwise, the file is dropped\r\nin the current directory. This task is followed by cmd_id 9, which kills the older bot.\r\ncmd_id 4, Install DLL: using the domain provided in the command parameter, the bot downloads a DLL into\r\nthe %ALLUSERSPROFILE% folder under a random name with a .dat extension.\r\ncmd_id 5, Delete DLLs: the DLL loaded by cmd_id 4 is uninstalled.\r\ncmd_id 6, Delete plug-ins: the plug-ins loaded by cmd_id 2 are uninstalled.\r\ncmd_id 9, Kill bot: all threads are suspended and the bot is uninstalled.\r\nTable 4: The seven command IDs and their tasks.\r\nThe handling of cmd_id changes slightly in versions 2.09 and 2.10. 
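The exchange described in this section and the previous one (the per-version Action Request and Task Report formats of Table 2, RC4 plus base64 on the way out, the CRC32-checked and 'id'-keyed reply, and the RecvBlock layout above), as an added Python example written for this review rather than code taken from Andromeda: both the bot side and a minimal server side are modelled so that the round trip can be run offline. The 20-byte RC4 key, the field values and the command URL are constructed; how the 'id' DWORD becomes RC4 key bytes is not stated here, so its decimal string is used as an assumption, and the reply framing is applied unchanged to 2.10 although the text only says that 2.10 drops base64 on the outbound message.

```python
import base64
import json
import struct
import zlib

# Added example (not Andromeda's code): the C2 message formats and framing as
# the paper describes them. All keys and values below are constructed.

# Field order of the Action Request per version (Table 2); 2.10 sends JSON instead.
ACTION_REQUEST_FIELDS = {
    '2.06': ('id', 'bid', 'bv', 'sv', 'pa', 'la', 'ar'),
    '2.07': ('id', 'bid', 'bv', 'os', 'la', 'rg'),
    '2.08': ('id', 'bid', 'bv', 'os', 'la', 'rg'),
    '2.09': ('id', 'bid', 'os', 'la', 'rg'),
}
TASK_REPORT_FIELDS = {
    '2.06': ('id', 'tid', 'result'),
    '2.07': ('id', 'tid', 'res'),
    '2.08': ('id', 'tid', 'res'),
    '2.09': ('id', 'tid', 'err', 'w32'),
}


def rc4(key, data):
    # Plain RC4 (KSA + PRGA); encryption and decryption are the same operation.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def format_message(version, fields, table):
    # 2.10 sends compact JSON; every earlier version sends 'tag:%lu|tag:%lu|...'.
    if version == '2.10':
        return json.dumps(fields, separators=(',', ':')).encode()
    return '|'.join(f'{tag}:{fields[tag]}' for tag in table[version]).encode()


def action_request(version, fields):
    return format_message(version, fields, ACTION_REQUEST_FIELDS)


def task_report(version, fields):
    return format_message(version, fields, TASK_REPORT_FIELDS)


def encrypt_outbound(version, plain, rc4_key):
    # RC4 with the hard-coded 20-byte key, then base64 for every version before 2.10.
    ciphertext = rc4(rc4_key, plain)
    return ciphertext if version == '2.10' else base64.b64encode(ciphertext)


def decrypt_outbound(version, data, rc4_key):
    # Server side of the same step (what a C2 emulator has to undo).
    ciphertext = data if version == '2.10' else base64.b64decode(data)
    return rc4(rc4_key, ciphertext)


def id_key(bot_id):
    # The reply is RC4-keyed with the 'id' value. How the DWORD is turned into
    # key bytes is not stated in the paper; the decimal string is an assumption.
    return str(bot_id).encode()


def build_response(bot_id, cmd_id, tid, cmd_param):
    # Server side: RecvBlock, base64, RC4(id), then a CRC32 of the body prepended.
    block = struct.pack('<BI', cmd_id, tid) + cmd_param
    body = rc4(id_key(bot_id), base64.b64encode(block))
    return struct.pack('<I', zlib.crc32(body) & 0xFFFFFFFF) + body


def parse_response(bot_id, message):
    # Bot side: check the CRC32 over everything after the first DWORD, then
    # decrypt, base64-decode and split the RecvBlock. None on a bad checksum.
    if len(message) < 4:
        return None
    checksum = struct.unpack('<I', message[:4])[0]
    body = message[4:]
    if zlib.crc32(body) & 0xFFFFFFFF != checksum:
        return None
    block = base64.b64decode(rc4(id_key(bot_id), body))
    if len(block) < 5:
        return None
    cmd_id, tid = struct.unpack('<BI', block[:5])
    return cmd_id, tid, block[5:]
```

A C2 emulator for sandboxing only needs decrypt_outbound and build_response with the key recovered from the sample; the checksum is a CRC32 and not a MAC, so parse_response will accept any reply an analyst constructs with the right 'id', which is what makes the tasking interface straightforward to drive in a lab.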
In versions 2.09 and 2.10 the bot first downloads the plug-in and then locates three plug-in exports, aStart, aUpdate\r\nand aReport, with calls to the GetProcAddress API (Figure 17).\r\nFigure 17: The payload also searches for plug-in exports aStart and aUpdate.\r\nTo summarize, Andromeda normally spreads via exploit kits hosted on compromised websites. The primary sample is\r\npacked and drops the loader after the unpacking stage. In the earlier versions of the bot the loader contains the anti-VM\r\nand anti-analysis tricks. In all versions, the loader decrypts the payload and resolves the APIs that the payload calls\r\nindirectly. In addition, as an anti-hooking trick, the loader saves the first instruction of each resolved API in its own\r\nmemory and, when calling the API, executes that saved copy and jumps to the API's second instruction, so that an inline\r\nhook placed at the API's entry point is never executed.\r\nIn the last two versions of the bot (2.09 and 2.10) the payload contains the anti-VM and anti-analysis features. In version\r\n2.07 and later, the payload itself uses inline hooking on selected APIs. For example, in\r\nversions 2.07 and 2.08 the bot hooks GetAddrInfoW, ZwMapViewOfSection and ZwUnmapViewOfSection; in version\r\n2.09 it hooks GetAddrInfoW and NtOpenSection; and in version 2.10 it hooks GetAddrInfoW and\r\nNtMapViewOfSection. In all versions, the bot collects information from the compromised system, sends it\r\nto the server (after encryption), and waits for a command from the server.\r\nUpon receiving a command from the server, the bot acts accordingly, installing plug-ins and downloading other\r\nmalware. Finally, the bot sends a report about its mission to the server.\r\nFigure 18: Andromeda at a glance.\r\nSide note\r\nIt has been a while since the last version of Andromeda was released. 
We have been waiting a long time for a new\r\nvariant to emerge, but Reuters reported recently:\r\n'National police in Belarus, working with the U.S. Federal Bureau of Investigation, said they had arrested a citizen of\r\nBelarus on suspicion of selling malicious software who they described as administrator of the Andromeda network.' [3]\r\nBased on that, we can tentatively call this the end of the Andromeda era, and conclude that there won't be any further\r\nreleases.\r\nConclusion\r\nFrom 2011 to 2015, Andromeda kept analysts busy with its compelling features and functionality, and it remains among\r\nthe most prevalent malware families today. Over the course of four years, five major versions were released, each new\r\nversion more complex than its predecessor, which ensured that Andromeda remained a sophisticated threat. A\r\nflexible C\u0026C provided a wide range of functionality and efficiency, increasing the power of the threat by installing\r\nvarious modules. Meanwhile, it used several RC4 keys to encrypt data for C\u0026C communications, making\r\ndetection a significantly more complex challenge. Fortunately, however, analysts have become sufficiently familiar with\r\nAndromeda's ecosystem over the years to learn how to navigate all of its challenges.\r\nReferences\r\n[1] Tan, N. Andromeda 2.7 features. Fortinet blog. 23 April 2014.\r\nhttps://blog.fortinet.com/2014/04/23/andromeda-2-7-features.\r\n[2] Xu, H. A good look at the Andromeda botnet. Virus Bulletin. May 2013.\r\nhttps://www.virusbulletin.com/virusbulletin/2013/05/good-look-andromeda-botnet.\r\n[3] Sterling, T.; Auchard, E. Belarus arrests suspected ringleader of global cyber crime network. Reuters. 5 December\r\n2017. https://ca.reuters.com/article/technologyNews/idCAKBN1DZ1VY-OCATC.\r\n[4] Xu, H. Cracked Andromeda 2.06 spreads bitcoin miner. 
Fortinet blog. 7 January 2015.\r\nhttps://blog.fortinet.com/2015/01/07/cracked-andromeda-2-06-spreads-bitcoin-miner.\r\nSample information\r\nVersion 2.06\r\nMD5: 73564f834fd0f61c8b5d67b1dae19209\r\nSHA256: 4ad4752a0dcaf3bb7dd3d03778a149ef1cf6a8237b21abcb525b9176c003ac3a\r\nFortinet detection name: W32/Kryptik.AFJS!tr\r\nVersion 2.07\r\nMD5: d7c00d17e7a36987a359d77db4568df0\r\nSHA256: 44950952892d394e5cbe9dcc7a0db0135a21027a0bf937ed371bb6b8565ff678\r\nFortinet detection name: W32/Injector.ZVR!tr\r\nVersion 2.08\r\nMD5: b4d37eff59a820d9be2db1ac23fe056e\r\nSHA256: 92d25f2feb6ca7b3e0d921ace8560160e1bfccb0beeb6b27f914a5930a33e316\r\nFortinet detection name: W32/Tepfer.ASYP!tr.pws\r\nVersion 2.09\r\nMD5: 3f2762d18c1abc67e21a7f9ad4fa67fd\r\nSHA256: 2f44d884c9d358130050a6d4f89248a314b6c02d40b5c3206e86ddb834e928f6\r\nFortinet detection name: W32/BLDZ!tr\r\nVersion 2.10\r\nMD5: fb0a6857c15a1f596494a28c3cf7379d\r\nSHA256: 73802eaa46b603575216fb212bcc18c895f4c03b47c9706cde85368c0334e0cd\r\nFortinet detection name: W32/Malicious_Behavior.VEX\r\nSource: https://www.virusbulletin.com/virusbulletin/2018/02/review-evolution-andromeda-over-years-we-say-goodbye/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.virusbulletin.com/virusbulletin/2018/02/review-evolution-andromeda-over-years-we-say-goodbye/"
	],
	"report_names": [
		"review-evolution-andromeda-over-years-we-say-goodbye"
	],
	"threat_actors": [],
	"ts_created_at": 1775434484,
	"ts_updated_at": 1775791286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dd94e8489de566b94134b310206b1fee6ca1836f.pdf",
		"text": "https://archive.orkl.eu/dd94e8489de566b94134b310206b1fee6ca1836f.txt",
		"img": "https://archive.orkl.eu/dd94e8489de566b94134b310206b1fee6ca1836f.jpg"
	}
}