The androrat YARA rule flags Android APKs that reference one of a fixed list of command-and-control hostnames (mostly dynamic-DNS names), IP addresses and other identifiers tied to the AndroRAT family, using the url() function of the Koodous androguard module. Such references point to potential Android malware with remote command execution or data exfiltration capability. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage Android-based threats that could lead to persistent or stealthy adversary presence.
YARA Rule
import "androguard"

rule androrat : amtrckr
{
meta:
family = "androrat"
condition:
androguard.url(/toyman6699\.no-ip\.info/) or
androguard.url(/aerror\.no-ip\.biz/) or
androguard.url(/androrat\.servegame\.com/) or
androguard.url(/197\.35\.22\.37/) or
androguard.url(/androrat1\.no-ip\.biz/) or
androguard.url(/151\.72\.17\.61/) or
androguard.url(/qwerty1212\.ddns\.net/) or
androguard.url(/recycled\.no-ip\.org/) or
androguard.url(/gert44\.duckdns\.org/) or
androguard.url(/78\.169\.63\.163/) or
androguard.url(/hash0r\.no-ip\.biz/) or
androguard.url(/alpheron\.duckdns\.org/) or
androguard.url(/cricbot\.no-ip\.info/) or
androguard.url(/hazhar77\.no-ip\.biz/) or
androguard.url(/aleem\.top7@gmail\.com/) or
androguard.url(/murryapplicazione\.no-ip\.org/) or
androguard.url(/helloandroid\.no-ip\.org/) or
androguard.url(/79\.170\.54\.154/) or
androguard.url(/mohammad2002\.no-ip\.biz/) or
androguard.url(/1756mostacc\.ddns\.net/) or
androguard.url(/shakaky\.ddns\.net/) or
androguard.url(/asadhashmi\.ddns\.net/) or
androguard.url(/174\.127\.99\.232/) or
androguard.url(/109\.95\.56\.22/) or
androguard.url(/dagohack\.no-ip\.me/) or
androguard.url(/pruebasernesto\.ddns\.net/) or
androguard.url(/zola123\.no-ip\.biz/) or
androguard.url(/mikestar\.no-ip\.biz/) or
androguard.url(/132\.72\.81\.164/) or
androguard.url(/zongkahani\.no-ip\.biz/) or
androguard.url(/florian-pc\.ksueyuj0mtxpt6gn\.myfritz\.net/) or
androguard.url(/kontolanime\.no-ip\.biz/) or
androguard.url(/41\.143\.69\.230/) or
androguard.url(/gentel901\.no-ip\.org/) or
androguard.url(/anonimousdre180\.ddns\.net/) or
androguard.url(/sajadianh\.ddns\.net/) or
androguard.url(/195\.2\.239\.147/) or
androguard.url(/vipmustafa\.no-ip\.info/) or
androguard.url(/alihoseini\.no-ip\.biz/) or
androguard.url(/aymen1852\.ddns\.net/) or
androguard.url(/danialmostafaei\.no-ip\.biz/) or
androguard.url(/100\.1\.254\.38/) or
androguard.url(/sabbah\.duckdns\.org/) or
androguard.url(/89\.95\.11\.159/) or
androguard.url(/telegram-tools\.no-ip\.biz/) or
androguard.url(/myonline\.no-ip\.biz/) or
androguard.url(/84\.241\.6\.106/) or
androguard.url(/linonymousami\.no-ip\.org/) or
androguard.url(/alldebrid\.duckdns\.org/) or
androguard.url(/187\.180\.186\.181/) or
androguard.url(/411022356/) or
androguard.url(/93\.82\.129\.5/) or
androguard.url(/androjan\.ddns\.net/) or
androguard.url(/adelxxbx\.no-ip\.biz/) or
androguard.url(/r3cxw\.ddns\.net/) or
androguard.url(/matgio\.duckdns\.org/) or
androguard.url(/glaive24\.no-ip\.biz/) or
androguard.url(/redcode\.ddns\.net/) or
androguard.url(/151\.56\.227\.79/) or
androguard.url(/shahabhacker\.ddns\.net/) or
androguard.url(/186\.81\.50\.145/) or
androguard.url(/kasofe123123aa\.no-ip\.biz/) or
androguard.url(/tanha\.sit@gmail\.com/) or
androguard.url(/persir\.no-ip\.biz/) or
androguard.url(/moha55\.no-ip\.biz/) or
androguard.url(/androidupdate\.ddns\.net/) or
androguard.url(/charifo1310tok\.no-ip\.biz/) or
androguard.url(/securepurpose\.no-ip\.info/) or
androguard.url(/vpn0\.ddns\.net/) or
androguard.url(/usa20002015\.ddns\.net/) or
androguard.url(/duyguseliberkay\.no-ip\.biz/) or
androguard.url(/miltin2\.no-ip\.org/) or
androguard.url(/droidjack228\.ddns\.net/) or
androguard.url(/mjhooollltuuu\.no-ip\.biz/) or
androguard.url(/nexmopro830\.ddns\.net/) or
androguard.url(/rustyash\.no-ip\.biz/) or
androguard.url(/atsizinoglu\.duckdns\.org/) or
androguard.url(/goog2\.no-ip\.biz/) or
androguard.url(/testan\.ddns\.net/) or
androguard.url(/androrat\.zapto\.org/) or
androguard.url(/blackghostdc\.duckdns\.org/) or
androguard.url(/191\.239\.107\.56/) or
androguard.url(/kalinne\.ddns\.net/) or
androguard.url(/hackcam\.zapto\.org/) or
androguard.url(/andro0161\.no-ip\.info/) or
androguard.url(/replace\.duckdns\.org/) or
androguard.url(/46\.223\.99\.222/) or
androguard.url(/karasqlee9\.no-ip\.org/) or
androguard.url(/kalizinho\.no-ip\.org/) or
androguard.url(/141\.255\.144\.72/) or
androguard.url(/84\.101\.0\.49/) or
androguard.url(/msupdate\.myvnc\.com/) or
androguard.url(/zal75zk\.ddns\.net/) or
androguard.url(/nassahsliman\.ddns\.net/) or
androguard.url(/mohsenfaz\.ddns\.net/) or
androguard.url(/saiber-far68\.ddns\.net/) or
androguard.url(/106\.219\.57\.228/) or
androguard.url(/android\.no-ip\.org/) or
androguard.url(/161\.202\.108\.108/) or
androguard.url(/hamker\.ddns\.net/) or
androguard.url(/92\.243\.68\.167/) or
androguard.url(/vikas\.no-ip\.biz/) or
androguard.url(/68\.189\.1\.254/) or
androguard.url(/bmt96\.noip\.me/) or
androguard.url(/newxor2\.no-ip\.org/) or
androguard.url(/2\.190\.167\.83/) or
androguard.url(/hackme\.no-ip\.org/) or
androguard.url(/mohammedwasib\.ddns\.net/) or
androguard.url(/24\.172\.28\.155/) or
androguard.url(/120\.0\.0\.1/) or
androguard.url(/simbabweratte\.hopto\.org/) or
androguard.url(/androrat143\.no-ip\.biz/) or
androguard.url(/222\.168\.1\.2/) or
androguard.url(/189\.174\.125\.60/) or
androguard.url(/suckmordecock\.duckdns\.org/) or
androguard.url(/201\.124\.95\.7/) or
androguard.url(/svn-01\.ddns\.net/) or
androguard.url(/jNkey\.ddns\.net/) or
androguard.url(/131\.117\.235\.35/) or
androguard.url(/justarat\.noip\.me/) or
androguard.url(/dangerlove\.no-ip\.biz/) or
androguard.url(/bahoom\.no-ip\.biz/) or
androguard.url(/183\.82\.99\.133/) or
androguard.url(/hatam\.no-ip\.org/) or
androguard.url(/37\.239\.8\.89/) or
androguard.url(/c1\.no-ip\.biz/) or
androguard.url(/samy777\.no-ip\.biz/) or
androguard.url(/juanblackhak\.ddns\.net/) or
androguard.url(/sherlockholmes\.duckdns\.org/) or
androguard.url(/martin123456\.no-ip\.org/) or
androguard.url(/androratbtas\.no-ip\.info/) or
androguard.url(/servidor23\.ddns\.net/) or
androguard.url(/xyz2145\.ddns\.net/) or
androguard.url(/war10ck\.serveftp\.com/) or
androguard.url(/androrat1226\.ddns\.net/) or
androguard.url(/anonsa\.ddns\.net/) or
androguard.url(/dogecoinspeed\.zapto\.org/) or
androguard.url(/61\.131\.121\.195/) or
androguard.url(/invisibleghost\.no-ip\.biz/) or
androguard.url(/elgen1\.no-ip\.biz/) or
androguard.url(/habbo\.no-ip\.org/) or
androguard.url(/thekillers\.ddns\.net/) or
androguard.url(/94\.212\.118\.115/) or
androguard.url(/41\.38\.56\.81/) or
androguard.url(/misty255\.no-ip\.org/) or
androguard.url(/volnado\.sytes\.net/) or
androguard.url(/haiderhacer12\.no-ip\.biz/) or
androguard.url(/asosha4ed\.no-ip\.biz/) or
androguard.url(/losever2\.no-ip\.biz/) or
androguard.url(/80\.136\.103\.51/) or
androguard.url(/drrazikhan\.no-ip\.info/) or
androguard.url(/makarand\.no-ip\.org/) or
androguard.url(/isamdonita\.no-ip\.org/) or
androguard.url(/anagliz\.ddns\.net/)
}
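The androguard module behind androguard.url() is a Koodous extension to YARA; stock yara-python does not ship it. The Python below is an added example, not part of the rule above or of the amtrckr rule set: it reproduces the rule's matching logic outside YARA by pulling every url() regex out of the rule text and running them over strings extracted from an APK, and it goes one step further than the rule by also flagging hosts under the dynamic-DNS providers that dominate the indicator list. RULE_EXCERPT holds four terms copied from the rule; the APK strings and the provider suffix list are constructed for the example.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Excerpt of the androrat rule body from this page (four of its indicator
# terms), used here only as parser input. Point load_url_patterns() at the
# full rule file to get the complete list.
RULE_EXCERPT = r"""
rule androrat : amtrckr
{
condition:
androguard.url(/androrat\.servegame\.com/) or
androguard.url(/197\.35\.22\.37/) or
androguard.url(/qwerty1212\.ddns\.net/) or
androguard.url(/androrat\.zapto\.org/)
}
"""

# Captures the regex body of every androguard.url(/.../) term. A backslash
# escapes the next character, so an escaped slash inside the body is allowed.
URL_TERM = re.compile(r"androguard\.url\(/((?:[^/\\]|\\.)+)/\)")

# Dynamic-DNS providers that make up most of the rule's indicator list
# (constructed from the rule, not exhaustive). Contacting one is a
# supporting signal for triage, not a verdict by itself.
DYNDNS_SUFFIXES = (
    ".no-ip.biz", ".no-ip.org", ".no-ip.info", ".no-ip.me", ".noip.me",
    ".ddns.net", ".duckdns.org", ".zapto.org", ".hopto.org", ".sytes.net",
    ".myvnc.com", ".serveftp.com", ".servegame.com",
)

# Constructed sample of strings as they would come out of an APK's
# classes.dex (e.g. androguard's get_strings()); not from a real sample.
SAMPLE_APK_STRINGS = [
    "Lcom/example/notes/MainActivity;",
    "https://www.google.com/",
    "androrat.servegame.com",                    # listed indicator (hostname)
    "http://197.35.22.37:1337/",                  # listed indicator (IP)
    "socket://operator-test.duckdns.org:8080",    # unlisted, but dynamic DNS
    "Content-Type: application/json",
]


def load_url_patterns(rule_text: str) -> List[re.Pattern]:
    """Compile each androguard.url(/re/) term of a rule into a Python regex."""
    return [re.compile(body) for body in URL_TERM.findall(rule_text)]


def hostname_of(candidate: str) -> Optional[str]:
    """Best-effort hostname extraction; strings without a scheme are treated as a netloc."""
    target = candidate if "://" in candidate else "//" + candidate
    try:
        return urlsplit(target).hostname
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return None


def scan_strings(strings, patterns) -> Dict[str, List[str]]:
    """Classify strings as listed indicators, dynamic-DNS hosts, or neither."""
    result = {"ioc_hits": [], "dyndns_hits": []}
    for s in strings:
        if any(p.search(s) for p in patterns):
            result["ioc_hits"].append(s)
            continue
        host = hostname_of(s)
        if host and host.endswith(DYNDNS_SUFFIXES):
            result["dyndns_hits"].append(s)
    return result


if __name__ == "__main__":
    pats = load_url_patterns(RULE_EXCERPT)
    for category, hits in scan_strings(SAMPLE_APK_STRINGS, pats).items():
        print(category, hits)
```

The patterns are applied with search(), which mirrors the unanchored regex semantics of url(); note that the bare IP and numeric terms in the rule (for example `/411022356/` or `/120\.0\.0\.1/`) will match any string containing that digit run, so a dyndns_hits or ioc_hits entry should be read together with the string it came from before it is escalated.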
When alerts derived from this rule are triaged, the following scenarios commonly produce benign adb activity and are candidates for filtering or exclusion:
Scenario: Legitimate Android application using adb for debugging
Filter/Exclusion: Check for presence of adb in the command line and exclude if the process is associated with a known development tool (e.g., Android Studio).
Example Filter: process.name != "adb" OR process.parent.name == "Android Studio"
Scenario: System update or patching using adb to push system files
Filter/Exclusion: Exclude processes where the command line includes adb push and the destination path is a system directory (e.g., /system/bin/).
Example Filter: process.command_line contains "adb push" AND process.args contains "/system/bin/"
Scenario: Scheduled job using adb to collect logs or diagnostics
Filter/Exclusion: Exclude processes where the command line includes adb logcat and the job is scheduled via a known enterprise tool (e.g., Splunk, Datadog, or custom scripts).
Example Filter: process.command_line contains "adb logcat" AND (process.parent.name == "splunk" OR process.parent.name == "datadog")
Scenario: Admin task using adb to install a legitimate app for internal use
Filter/Exclusion: Exclude processes where the command line includes adb install and the package name matches a known internal app (e.g., com.company.internal.tool).
Example Filter: process.command_line contains "adb install" AND process.args contains "com.company.internal.tool"
Scenario: Mobile device management (MDM) tool using adb to configure devices
Filter/Exclusion: Exclude processes where the command line includes adb and the process is associated with a known MDM solution (e.g., Microsoft Intune, VMware Workspace ONE).
Example Filter: `process.parent.name == “Int
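The five exclusions above are written in a pseudo-query syntax, and the scheduled-job filter in particular is easy to get wrong because AND binds tighter than OR. The Python below is an added example, not part of the page's own tuning guidance: it encodes the scenarios as one function over a process event, with the grouping made explicit, and runs it over a handful of constructed events. Field names follow the page's filters; "contains" is mapped to a substring test; the MDM agent process names and the sample events are assumptions.

```python
from typing import Dict, List, Optional, Tuple

# Known-good parents and packages named on the page. Process names for the
# MDM agents are assumptions; substitute the names your EDR actually reports.
DEV_TOOL_PARENTS = {"Android Studio"}
LOG_COLLECTOR_PARENTS = {"splunk", "datadog"}
MDM_PARENTS = {"Microsoft Intune", "VMware Workspace ONE"}
INTERNAL_PACKAGES = {"com.company.internal.tool"}
SYSTEM_DIRS = ("/system/bin/",)


def exclusion_reason(event: Dict) -> Optional[str]:
    """Return which tuning scenario excludes this event, or None to keep the alert.

    Field names follow the page's filters (process.name, process.command_line,
    process.args, process.parent.name). Each check is written with explicit
    grouping so that "A AND B OR C" cannot silently become "(A AND B) OR C".
    """
    name = event.get("process.name", "")
    cmd = event.get("process.command_line", "")
    args = event.get("process.args", [])
    parent = event.get("process.parent.name", "")

    # Scenario 1: the page's filter treats non-adb processes as out of scope
    # and exempts adb launched by a known development tool.
    if name != "adb":
        return "not an adb process"
    if parent in DEV_TOOL_PARENTS:
        return "developer tooling"
    # Scenario 2: pushes whose destination is a system directory.
    if "adb push" in cmd and any(a.startswith(SYSTEM_DIRS) for a in args):
        return "system update via adb push"
    # Scenario 3: logcat collection by a known collector. The parent test is
    # one grouped disjunction nested under the logcat test.
    if "adb logcat" in cmd and parent in LOG_COLLECTOR_PARENTS:
        return "scheduled log collection"
    # Scenario 4: installs of an approved internal package.
    if "adb install" in cmd and any(pkg in a for a in args for pkg in INTERNAL_PACKAGES):
        return "internal app install"
    # Scenario 5: any adb use driven by an MDM agent.
    if parent in MDM_PARENTS:
        return "MDM configuration"
    return None


def triage(events: List[Dict]) -> List[Tuple[int, Optional[str]]]:
    """Pair each event index with its exclusion reason (None means the alert stands)."""
    return [(i, exclusion_reason(e)) for i, e in enumerate(events)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"process.name": "adb", "process.command_line": "adb logcat -d",
     "process.args": ["logcat", "-d"], "process.parent.name": "datadog"},
    {"process.name": "adb", "process.command_line": "adb logcat -d",
     "process.args": ["logcat", "-d"], "process.parent.name": "explorer.exe"},
    {"process.name": "adb", "process.command_line": "adb push update.bin /data/local/tmp/",
     "process.args": ["push", "update.bin", "/data/local/tmp/"], "process.parent.name": "cmd.exe"},
    {"process.name": "adb", "process.command_line": "adb push libfoo.so /system/bin/",
     "process.args": ["push", "libfoo.so", "/system/bin/"], "process.parent.name": "bash"},
    {"process.name": "adb", "process.command_line": "adb install tool.apk",
     "process.args": ["install", "com.company.internal.tool"], "process.parent.name": "bash"},
]

if __name__ == "__main__":
    for idx, reason in triage(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["process.command_line"], "->", reason or "KEEP")
```

The second sample event (logcat launched from explorer.exe) is the one the ungrouped filter would have excluded by accident; with explicit parentheses it stays. The system-directory exclusion (scenario 2) is the broadest of the five, since it keys only on the destination path, so in practice gate it on a known parent or signing identity as well before relying on it.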