Known Indicators of Compromise Associated with Androxgh0st Malware

    Date: 08/23/2024

    Severity: Medium

    Summary

    Androxgh0st is a type of malware designed for stealthy operations and advanced cyber attacks. It typically functions as a remote access trojan (RAT), allowing attackers to gain unauthorized control over infected systems. Its capabilities often include data exfiltration, keystroke logging, and the manipulation of system files. Androxgh0st is known for its ability to evade detection and maintain persistence on compromised systems, making it a significant threat to cybersecurity.

    Indicators of Compromise (IOC) List

    URL/Domain

    download.asyncfox.xyz

    chainventures.co.uk

    asyncfox.xyz

    mc.rockylinux.si

    tangible-drink.surge.sh

    dsn.ovh

    attack.mitre.org

    IP Address

    149.50.102.48

    103.96.40.38

    45.95.147.236

    185.16.39.37

    38.175.192.78

    109.123.229.56

    77.90.185.106

    180.101.88.230

    176.113.115.184

    213.109.202.145

    45.134.26.85

    45.135.232.19

    91.240.118.224

    141.98.11.107

    77.90.185.102

    173.199.117.55

    91.92.245.67

    172.98.33.153

    185.161.248.148

    194.26.135.68

    91.240.118.228

    155.138.245.246

    64.225.6.114

    45.143.200.14

    5.255.115.40

    213.109.202.167

    200.54.189.98

    45.129.14.224

    80.66.66.225

    155.248.212.175

    122.189.200.188

    80.66.76.80

    118.31.17.168

    66.135.11.147

    180.101.88.237

    176.113.115.220

    Hash

    MD5

    62a06bea8c6e276b5e532944cfc863e5

    9039ae16e5aaa63d9ffe88dfaf0f5108

    95f745a5db131b1ca34e44848fd52edb

    6e793efe40e355643423f53de43952d3

    1fb78440dc44b0900b27260a16d9771e

    SHA-1

    06641b9b3b5088c48c7660ad3bf160bc87a929fd

    452ec481734a78597b928e29c834d0e43fb2c7e2

    270e1c883b498eaff08550e823f5cac21bff54e5

    5fae94432540ade68eabce94140c9a5be153b3c8

    7d1beb03c32db43f5edd4c28f3c905954e40dbd6

    09bd9b17a64b20ba66582dbc3ce08169697177a8

    79d3143a47dc02768ff5fda8dbcf464c5cdf115b

    SHA-256

    3b04f3ae4796d77e5a458fe702612228b773bbdefbb64f20d52c574790b5c81a

    6b5846f32d8009e6b54743d6f817f0c3519be6f370a0917bf455d3d114820bbc

    f6f240dc2d32bfd83b49025382dc0a1cf86dba587018de4cd96df16197f05d88

    ca45a14d0e88e4aa408a6ac2ee3012bf9994b16b74e3c66b588c7eabaaec4d72

    0df17ad20bf796ed549c240856ac2bf9ceb19f21a8cae2dbd7d99369ecd317ef

    dcf8f640dd7cc27d2399cce96b1cf4b75e3b9f2dfdf19cee0a170e5a6d2ce6b6

    23fc51fde90d98daee27499a7ff94065f7ed4ac09c22867ebd9199e025dee066

    bb7070cbede294963328119d1145546c2e26709c5cea1d876d234b991682c0b7

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "download.asyncfox.xyz" or url like "download.asyncfox.xyz" or userdomainname like "chainventures.co.uk" or url like "chainventures.co.uk" or userdomainname like "asyncfox.xyz" or url like "asyncfox.xyz" or userdomainname like "mc.rockylinux.si" or url like "mc.rockylinux.si" or userdomainname like "tangible-drink.surge.sh" or url like "tangible-drink.surge.sh" or userdomainname like "dsn.ovh" or url like "dsn.ovh" or userdomainname like "attack.mitre.org" or url like "attack.mitre.org"

    Detection Query 2

    dstipaddress IN ("149.50.102.48","103.96.40.38","45.95.147.236","185.16.39.37","38.175.192.78","109.123.229.56","77.90.185.106","180.101.88.230","176.113.115.184","213.109.202.145","45.134.26.85","45.135.232.19","91.240.118.224","141.98.11.107","77.90.185.102","173.199.117.55","91.92.245.67","172.98.33.153","185.161.248.148","194.26.135.68","91.240.118.228","155.138.245.246","64.225.6.114","45.143.200.14","5.255.115.40","213.109.202.167","200.54.189.98","45.129.14.224","80.66.66.225","155.248.212.175","122.189.200.188","80.66.76.80","118.31.17.168","66.135.11.147","180.101.88.237","176.113.115.220") or ipaddress IN ("149.50.102.48","103.96.40.38","45.95.147.236","185.16.39.37","38.175.192.78","109.123.229.56","77.90.185.106","180.101.88.230","176.113.115.184","213.109.202.145","45.134.26.85","45.135.232.19","91.240.118.224","141.98.11.107","77.90.185.102","173.199.117.55","91.92.245.67","172.98.33.153","185.161.248.148","194.26.135.68","91.240.118.228","155.138.245.246","64.225.6.114","45.143.200.14","5.255.115.40","213.109.202.167","200.54.189.98","45.129.14.224","80.66.66.225","155.248.212.175","122.189.200.188","80.66.76.80","118.31.17.168","66.135.11.147","180.101.88.237","176.113.115.220") or publicipaddress IN ("149.50.102.48","103.96.40.38","45.95.147.236","185.16.39.37","38.175.192.78","109.123.229.56","77.90.185.106","180.101.88.230","176.113.115.184","213.109.202.145","45.134.26.85","45.135.232.19","91.240.118.224","141.98.11.107","77.90.185.102","173.199.117.55","91.92.245.67","172.98.33.153","185.161.248.148","194.26.135.68","91.240.118.228","155.138.245.246","64.225.6.114","45.143.200.14","5.255.115.40","213.109.202.167","200.54.189.98","45.129.14.224","80.66.66.225","155.248.212.175","122.189.200.188","80.66.76.80","118.31.17.168","66.135.11.147","180.101.88.237","176.113.115.220") or srcipaddress IN 
("149.50.102.48","103.96.40.38","45.95.147.236","185.16.39.37","38.175.192.78","109.123.229.56","77.90.185.106","180.101.88.230","176.113.115.184","213.109.202.145","45.134.26.85","45.135.232.19","91.240.118.224","141.98.11.107","77.90.185.102","173.199.117.55","91.92.245.67","172.98.33.153","185.161.248.148","194.26.135.68","91.240.118.228","155.138.245.246","64.225.6.114","45.143.200.14","5.255.115.40","213.109.202.167","200.54.189.98","45.129.14.224","80.66.66.225","155.248.212.175","122.189.200.188","80.66.76.80","118.31.17.168","66.135.11.147","180.101.88.237","176.113.115.220")

    Detection Query 3

    md5hash IN ("62a06bea8c6e276b5e532944cfc863e5","9039ae16e5aaa63d9ffe88dfaf0f5108","95f745a5db131b1ca34e44848fd52edb","6e793efe40e355643423f53de43952d3","1fb78440dc44b0900b27260a16d9771e")

    Detection Query 4

    sha1hash IN ("06641b9b3b5088c48c7660ad3bf160bc87a929fd","452ec481734a78597b928e29c834d0e43fb2c7e2","270e1c883b498eaff08550e823f5cac21bff54e5","5fae94432540ade68eabce94140c9a5be153b3c8","7d1beb03c32db43f5edd4c28f3c905954e40dbd6","09bd9b17a64b20ba66582dbc3ce08169697177a8","79d3143a47dc02768ff5fda8dbcf464c5cdf115b")

    Detection Query 5

    sha256hash IN ("3b04f3ae4796d77e5a458fe702612228b773bbdefbb64f20d52c574790b5c81a","6b5846f32d8009e6b54743d6f817f0c3519be6f370a0917bf455d3d114820bbc","f6f240dc2d32bfd83b49025382dc0a1cf86dba587018de4cd96df16197f05d88","ca45a14d0e88e4aa408a6ac2ee3012bf9994b16b74e3c66b588c7eabaaec4d72","0df17ad20bf796ed549c240856ac2bf9ceb19f21a8cae2dbd7d99369ecd317ef","dcf8f640dd7cc27d2399cce96b1cf4b75e3b9f2dfdf19cee0a170e5a6d2ce6b6","23fc51fde90d98daee27499a7ff94065f7ed4ac09c22867ebd9199e025dee066","bb7070cbede294963328119d1145546c2e26709c5cea1d876d234b991682c0b7")
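    The five queries above all reduce to set membership against the IOC list, which makes them easy to reproduce outside the Gurucul platform for a one-off sweep of exported logs. The following script is an added example, not Gurucul's code: it re-implements the intent of Detection Queries 1 through 5 in plain Python over constructed key=value log records, using the field names the queries use (userdomainname, url, dstipaddress, ipaddress, publicipaddress, srcipaddress, md5hash, sha1hash, sha256hash). The line format, the sample records and the REVIEW_ONLY_DOMAINS triage rule are assumptions; that rule routes hits on attack.mitre.org (MITRE's public ATT&CK site) to analyst review rather than raising them as a compromise alert, and domain matching is anchored on a dot so that a lookalike such as "notdsn.ovh" does not match "dsn.ovh".

```python
"""Added example (not Gurucul's code): re-implements the intent of Detection
Queries 1-5 above as offline Python so the matching can be exercised on
constructed key=value log records. Field names follow the queries; the
key=value line format and the records themselves are constructed."""
import ipaddress
import re
from typing import Dict, List
from urllib.parse import urlsplit

# IOCs copied from the list above.
IOC_DOMAINS = {
    "download.asyncfox.xyz", "chainventures.co.uk", "asyncfox.xyz",
    "mc.rockylinux.si", "tangible-drink.surge.sh", "dsn.ovh", "attack.mitre.org",
}
IOC_IPS = {
    "149.50.102.48", "103.96.40.38", "45.95.147.236", "185.16.39.37",
    "38.175.192.78", "109.123.229.56", "77.90.185.106", "180.101.88.230",
    "176.113.115.184", "213.109.202.145", "45.134.26.85", "45.135.232.19",
    "91.240.118.224", "141.98.11.107", "77.90.185.102", "173.199.117.55",
    "91.92.245.67", "172.98.33.153", "185.161.248.148", "194.26.135.68",
    "91.240.118.228", "155.138.245.246", "64.225.6.114", "45.143.200.14",
    "5.255.115.40", "213.109.202.167", "200.54.189.98", "45.129.14.224",
    "80.66.66.225", "155.248.212.175", "122.189.200.188", "80.66.76.80",
    "118.31.17.168", "66.135.11.147", "180.101.88.237", "176.113.115.220",
}
IOC_HASHES = {  # MD5 (32 hex), SHA-1 (40) and SHA-256 (64) kept in one set
    "62a06bea8c6e276b5e532944cfc863e5", "9039ae16e5aaa63d9ffe88dfaf0f5108",
    "95f745a5db131b1ca34e44848fd52edb", "6e793efe40e355643423f53de43952d3",
    "1fb78440dc44b0900b27260a16d9771e",
    "06641b9b3b5088c48c7660ad3bf160bc87a929fd", "452ec481734a78597b928e29c834d0e43fb2c7e2",
    "270e1c883b498eaff08550e823f5cac21bff54e5", "5fae94432540ade68eabce94140c9a5be153b3c8",
    "7d1beb03c32db43f5edd4c28f3c905954e40dbd6", "09bd9b17a64b20ba66582dbc3ce08169697177a8",
    "79d3143a47dc02768ff5fda8dbcf464c5cdf115b",
    "3b04f3ae4796d77e5a458fe702612228b773bbdefbb64f20d52c574790b5c81a",
    "6b5846f32d8009e6b54743d6f817f0c3519be6f370a0917bf455d3d114820bbc",
    "f6f240dc2d32bfd83b49025382dc0a1cf86dba587018de4cd96df16197f05d88",
    "ca45a14d0e88e4aa408a6ac2ee3012bf9994b16b74e3c66b588c7eabaaec4d72",
    "0df17ad20bf796ed549c240856ac2bf9ceb19f21a8cae2dbd7d99369ecd317ef",
    "dcf8f640dd7cc27d2399cce96b1cf4b75e3b9f2dfdf19cee0a170e5a6d2ce6b6",
    "23fc51fde90d98daee27499a7ff94065f7ed4ac09c22867ebd9199e025dee066",
    "bb7070cbede294963328119d1145546c2e26709c5cea1d876d234b991682c0b7",
}
# Assumption for triage: attack.mitre.org is MITRE's public ATT&CK site, so a hit
# on it is routed to analyst review instead of being raised as a compromise alert.
REVIEW_ONLY_DOMAINS = {"attack.mitre.org"}

HASH_FIELDS = {"md5hash": (32, 3), "sha1hash": (40, 4), "sha256hash": (64, 5)}  # hex length, query no.
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> Dict[str, str]:
    """Parse a constructed key=value log line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def domain_matches(hostname: str):
    """Most specific IOC domain that hostname equals or is a subdomain of, else None.
    Suffix matching is anchored on a dot so 'notdsn.ovh' does not hit 'dsn.ovh'."""
    host = hostname.lower().rstrip(".")
    hits = [d for d in IOC_DOMAINS if host == d or host.endswith("." + d)]
    return max(hits, key=len) if hits else None


def match_record(rec: Dict[str, str]) -> List[dict]:
    """Return one finding per IOC hit in a parsed record (Queries 1-5)."""
    findings = []
    for field in ("userdomainname", "url"):              # Query 1: domains
        if field in rec:
            value = rec[field]
            host = urlsplit(value if "//" in value else "//" + value).hostname
            ioc = domain_matches(host) if host else None
            if ioc:
                findings.append({"query": 1, "field": field, "ioc": ioc,
                                 "disposition": "review" if ioc in REVIEW_ONLY_DOMAINS else "alert"})
    for field in IP_FIELDS:                              # Query 2: IP addresses
        try:
            ip = str(ipaddress.ip_address(rec.get(field, "")))  # normalises, rejects junk
        except ValueError:
            continue
        if ip in IOC_IPS:
            findings.append({"query": 2, "field": field, "ioc": ip, "disposition": "alert"})
    for field, (length, query) in HASH_FIELDS.items():   # Queries 3-5: file hashes
        digest = rec.get(field, "").lower()
        if len(digest) == length and digest in IOC_HASHES:
            findings.append({"query": query, "field": field, "ioc": digest, "disposition": "alert"})
    return findings


def scan(lines: List[str]) -> List[dict]:
    """Scan log lines; each finding carries the 1-based line number it came from."""
    results = []
    for n, line in enumerate(lines, 1):
        for f in match_record(parse_record(line)):
            results.append({"line": n, **f})
    return results


# Constructed sample records; private and documentation ranges are used for the non-IOC side.
SAMPLE_LOG = [
    "ts=2024-08-23T10:01:02Z userdomainname=download.asyncfox.xyz srcipaddress=10.0.0.5 dstipaddress=149.50.102.48",
    "ts=2024-08-23T10:02:15Z url=https://attack.mitre.org/techniques/T1190/ srcipaddress=10.0.0.7 dstipaddress=198.51.100.9",
    "ts=2024-08-23T10:03:40Z md5hash=d41d8cd98f00b204e9800998ecf8427e sha256hash=3b04f3ae4796d77e5a458fe702612228b773bbdefbb64f20d52c574790b5c81a",
    "ts=2024-08-23T10:04:01Z sha1hash=06641B9B3B5088C48C7660AD3BF160BC87A929FD",
    "ts=2024-08-23T10:05:33Z userdomainname=notdsn.ovh dstipaddress=203.0.113.10",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

    Run against the constructed records it reports five findings: the first record hits both Query 1 (download.asyncfox.xyz) and Query 2 (149.50.102.48), the second is a review-only hit on attack.mitre.org, the third matches a listed SHA-256 while its MD5 (the empty-file digest, not on the list) is ignored, the fourth shows that hash matching is case-insensitive, and the lookalike host in the fifth produces nothing. Hash lookups are keyed by length as well as value, so a SHA-1 accidentally placed in an md5hash field is not silently dropped into the wrong query; the IOC sets themselves should be refreshed from the references below rather than kept in the script.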

    Reference:

    https://gurucul.com/blog/gurucul-threat-research-androxgh0st-malware

    https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-016a

    https://github.com/Juniper-ThreatLabs/IoC/blob/main/AndroxGhost%20Indicators.txt

    Tags: Malware, APT, CISA, RAT, Gurucul
