The ThreatFox: AsyncRAT IOCs rule flags network connections to, and files matching, the indicators ThreatFox has published for AsyncRAT, an open-source .NET remote access trojan that is widely used for persistent remote access, keylogging and data exfiltration. A hit on one of the ip:port indicators is a possible command-and-control session; a hit on the SHA-256 indicator is a known payload on disk. SOC teams should hunt for both in Microsoft Sentinel (formerly Azure Sentinel) and treat an outbound match from a managed endpoint as a likely compromise. Indicators of this kind age quickly: refresh the list from ThreatFox rather than treating it as a permanent blocklist.
IOC Summary
Malware Family: AsyncRAT
Total IOCs: 13
IOC Types: ip:port, sha256_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 147[.]93[.]191[.]75:3000 | botnet_cc | 2026-06-16 | 75% |
| ip:port | 147[.]93[.]191[.]75:3001 | botnet_cc | 2026-06-16 | 75% |
| ip:port | 147[.]93[.]191[.]75:1008 | botnet_cc | 2026-06-16 | 75% |
| ip:port | 147[.]93[.]191[.]75:2222 | botnet_cc | 2026-06-16 | 75% |
| ip:port | 136[.]111[.]38[.]101:7707 | botnet_cc | 2026-06-16 | 75% |
| ip:port | 136[.]111[.]38[.]101:8808 | botnet_cc | 2026-06-16 | 75% |
| ip:port | 102[.]220[.]160[.]222:2026 | botnet_cc | 2026-06-16 | 75% |
| ip:port | 154[.]29[.]72[.]62:80 | botnet_cc | 2026-06-16 | 100% |
| ip:port | 102[.]220[.]160[.]222:8888 | botnet_cc | 2026-06-16 | 100% |
| ip:port | 102[.]220[.]160[.]222:5222 | botnet_cc | 2026-06-16 | 100% |
| ip:port | 102[.]220[.]160[.]222:8808 | botnet_cc | 2026-06-15 | 75% |
| ip:port | 102[.]46[.]221[.]148:7707 | botnet_cc | 2026-06-15 | 75% |
| sha256_hash | c0d896e94c4dd8b64f400d16ec3cb59f3c51fc940d06241a028d0204d0407a94 | payload | 2026-06-15 | 100% |
```kusto
// Hunt for network connections to known AsyncRAT C2 IPs in firewall/proxy (CEF) logs
// Source: ThreatFox - AsyncRAT
// Matches the bare IP in either direction: a SourceIP hit is inbound traffic from a C2
// host (scanning, exposure), a DestinationIP hit is the outbound beacon that matters.
let malicious_ips = dynamic(["154.29.72.62", "102.46.221.148", "136.111.38.101", "102.220.160.222", "147.93.191.75"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| extend Direction = iff(DestinationIP in (malicious_ips), "outbound", "inbound")
| project TimeGenerated, Direction, SourceIP, SourcePort, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - AsyncRAT
// Match the exact ip:port pairs ThreatFox published, not the bare IP, so a shared host
// that also serves unrelated traffic on other ports does not fire.
let malicious_ip_ports = dynamic(["147.93.191.75:3000", "147.93.191.75:3001", "147.93.191.75:1008", "147.93.191.75:2222", "136.111.38.101:7707", "136.111.38.101:8808", "102.220.160.222:2026", "102.220.160.222:8888", "102.220.160.222:5222", "102.220.160.222:8808", "154.29.72.62:80", "102.46.221.148:7707"]);
DeviceNetworkEvents
| where RemoteIP in ("154.29.72.62", "102.46.221.148", "136.111.38.101", "102.220.160.222", "147.93.191.75") // prefilter on RemoteIP before the string comparison
| where strcat(RemoteIP, ":", RemotePort) in (malicious_ip_ports)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType
| order by Timestamp desc
```

```kusto
// Hunt for files matching the known AsyncRAT payload hash
// Source: ThreatFox - AsyncRAT
// The list holds SHA-256 values only; comparing it against the SHA1/MD5 columns could never match.
let malicious_hashes = dynamic(["c0d896e94c4dd8b64f400d16ec3cb59f3c51fc940d06241a028d0204d0407a94"]);
DeviceFileEvents
| where SHA256 in~ (malicious_hashes)
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
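The queries above take the ThreatFox rows as bare IPs, which drops the port half of every ip:port indicator. The following is an added example (not part of the ThreatFox feed or of the Sentinel rule on this page) that refangs the defanged table, validates each indicator, shows the difference between bare-IP and ip:port matching on constructed sample events, and emits the port-aware KQL. The IOC rows are copied from the table above; the network events and device names are constructed for the example and are not real telemetry.

```python
"""Refang ThreatFox-style IOCs and match network events on the exact ip:port pair.

Added example, not code from ThreatFox or from the Sentinel rule. The IOC rows
are copied from the table on this page; SAMPLE_EVENTS is constructed data.
"""
import ipaddress
import re
from dataclasses import dataclass

# IOC rows as published (defanged): (type, value, threat_type, confidence)
THREATFOX_IOCS = [
    ("ip:port", "147[.]93[.]191[.]75:3000", "botnet_cc", 75),
    ("ip:port", "147[.]93[.]191[.]75:3001", "botnet_cc", 75),
    ("ip:port", "147[.]93[.]191[.]75:1008", "botnet_cc", 75),
    ("ip:port", "147[.]93[.]191[.]75:2222", "botnet_cc", 75),
    ("ip:port", "136[.]111[.]38[.]101:7707", "botnet_cc", 75),
    ("ip:port", "136[.]111[.]38[.]101:8808", "botnet_cc", 75),
    ("ip:port", "102[.]220[.]160[.]222:2026", "botnet_cc", 75),
    ("ip:port", "154[.]29[.]72[.]62:80", "botnet_cc", 100),
    ("ip:port", "102[.]220[.]160[.]222:8888", "botnet_cc", 100),
    ("ip:port", "102[.]220[.]160[.]222:5222", "botnet_cc", 100),
    ("ip:port", "102[.]220[.]160[.]222:8808", "botnet_cc", 75),
    ("ip:port", "102[.]46[.]221[.]148:7707", "botnet_cc", 75),
    ("sha256_hash", "c0d896e94c4dd8b64f400d16ec3cb59f3c51fc940d06241a028d0204d0407a94", "payload", 100),
]

# Common defanging conventions: 1[.]2[.]3[.]4, 1(.)2(.)3(.)4, hxxp://
_DEFANG = [(re.compile(r"\[\.\]|\(\.\)|\{\.\}"), "."), (re.compile(r"hxxp", re.I), "http")]


def refang(value: str) -> str:
    """Undo defanging so the value can be compared with live telemetry."""
    for pattern, repl in _DEFANG:
        value = pattern.sub(repl, value)
    return value


def parse_ip_port(value: str) -> tuple[str, int]:
    """Validate and split a refanged 'ip:port' IOC; raises ValueError on junk."""
    ip, _, port = refang(value).rpartition(":")
    ipaddress.ip_address(ip)  # raises ValueError for a malformed address
    port_num = int(port)
    if not 0 < port_num < 65536:
        raise ValueError(f"port out of range: {value}")
    return ip, port_num


def build_ioc_sets(iocs, min_confidence: int = 0):
    """Return ({(ip, port)}, {sha256}) for rows at or above min_confidence."""
    pairs, hashes = set(), set()
    for ioc_type, value, _threat, confidence in iocs:
        if confidence < min_confidence:
            continue
        if ioc_type == "ip:port":
            pairs.add(parse_ip_port(value))
        elif ioc_type == "sha256_hash":
            digest = value.strip().lower()
            if not re.fullmatch(r"[0-9a-f]{64}", digest):
                raise ValueError(f"not a SHA-256: {value}")
            hashes.add(digest)
    return pairs, hashes


@dataclass(frozen=True)
class NetEvent:
    """Minimal stand-in for a DeviceNetworkEvents row."""
    device: str
    remote_ip: str
    remote_port: int
    process: str


# Constructed sample telemetry (not real logs): one beacon to a listed ip:port,
# one connection to a listed host on a port ThreatFox never published, one clean host.
SAMPLE_EVENTS = [
    NetEvent("WS-0142", "102.220.160.222", 8888, "RegAsm.exe"),
    NetEvent("WS-0142", "154.29.72.62", 443, "msedge.exe"),
    NetEvent("WS-0207", "203.0.113.10", 443, "msedge.exe"),
]


def match_by_ip(events, pairs):
    """What a bare 'RemoteIP in (...)' query does: the port is ignored."""
    ips = {ip for ip, _ in pairs}
    return [e for e in events if e.remote_ip in ips]


def match_by_ip_port(events, pairs):
    """Port-aware match: fire only on the exact ip:port pair that was published."""
    return [e for e in events if (e.remote_ip, e.remote_port) in pairs]


def kql_ip_port_query(pairs) -> str:
    """Emit a port-aware KQL hunt for DeviceNetworkEvents from the parsed pairs."""
    literal = ", ".join(f'"{ip}:{port}"' for ip, port in sorted(pairs))
    return (
        f"let ioc_ip_port = dynamic([{literal}]);\n"
        "DeviceNetworkEvents\n"
        "| where strcat(RemoteIP, ':', RemotePort) in (ioc_ip_port)\n"
        "| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType"
    )


if __name__ == "__main__":
    pairs, hashes = build_ioc_sets(THREATFOX_IOCS)
    print(f"{len(pairs)} ip:port pairs, {len(hashes)} hashes")
    print("bare-IP hits:", [f"{e.device}->{e.remote_ip}:{e.remote_port}" for e in match_by_ip(SAMPLE_EVENTS, pairs)])
    print("ip:port hits:", [f"{e.device}->{e.remote_ip}:{e.remote_port}" for e in match_by_ip_port(SAMPLE_EVENTS, pairs)])
    print(kql_ip_port_query(pairs))
```

On the sample data the bare-IP match returns both WS-0142 events, while the ip:port match returns only the connection to 102.220.160.222:8888; the 154.29.72.62:443 event is the kind of shared-host noise the port-aware query avoids. The `min_confidence` argument lets you hunt the 100% rows first and widen to the 75% rows afterwards.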
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog-based firewall and proxy connectors; ensure one is enabled and forwards allowed as well as denied connections, since an allowed outbound session is the hit that matters |
| DeviceFileEvents | Requires the Microsoft Defender XDR (Defender for Endpoint) data connector |
| DeviceNetworkEvents | Requires the Microsoft Defender XDR (Defender for Endpoint) data connector |
Scenario: Inbound connections or scans from the listed addresses hitting the perimeter (a SourceIP match in CommonSecurityLog)
Filter/Exclusion: Do not exclude, triage separately. An inbound hit shows a C2 host touched your edge; an outbound DestinationIP hit from a managed endpoint is the actual indicator of compromise. Split results by direction before escalating.
Scenario: Legitimate traffic to a shared host on a common port (the table lists 154[.]29[.]72[.]62 on port 80, where unrelated web content may also be served)
Filter/Exclusion: Match on the exact ip:port pair ThreatFox published rather than the bare IP, and review InitiatingProcessFileName before excluding anything; a browser fetching port 80 is a different case from an unexpected process talking to port 8888.
Scenario: Internal security tooling (vulnerability scanners, sandbox detonation hosts, threat-intel enrichment scripts) deliberately connecting to IOC addresses
Filter/Exclusion: Exclude by the known source device or initiating process, never by removing the IOC from the list.
Scenario: Analysts handling the payload sample (a DeviceFileEvents SHA-256 match on an analysis workstation or malware repository share)
Filter/Exclusion: Scope the exclusion to those named devices; the same hash on any other endpoint is a true positive.