The ThreatFox: AsyncRAT IOCs rule detects potential command and control activity associated with the AsyncRAT malware, which is known for its persistence and data exfiltration capabilities. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced persistent threats before they cause significant data loss or system compromise.
IOC Summary
Malware Family: AsyncRAT
Total IOCs: 14
IOC Types: domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 198[.]23[.]185[.]136:20600 | botnet_cc | 2026-06-20 | 75% |
| ip:port | 188[.]253[.]104[.]174:2026 | botnet_cc | 2026-06-20 | 75% |
| ip:port | 147[.]93[.]191[.]75:30400 | botnet_cc | 2026-06-20 | 75% |
| ip:port | 13[.]62[.]76[.]12:9000 | botnet_cc | 2026-06-20 | 100% |
| ip:port | 13[.]62[.]76[.]12:8000 | botnet_cc | 2026-06-20 | 100% |
| ip:port | 198[.]23[.]185[.]136:6006 | botnet_cc | 2026-06-20 | 100% |
| ip:port | 45[.]81[.]243[.]44:7089 | botnet_cc | 2026-06-19 | 75% |
| ip:port | 211[.]235[.]43[.]192:7707 | botnet_cc | 2026-06-19 | 75% |
| ip:port | 205[.]209[.]106[.]158:5228 | botnet_cc | 2026-06-19 | 75% |
| ip:port | 198[.]23[.]185[.]136:60 | botnet_cc | 2026-06-19 | 75% |
| ip:port | 102[.]220[.]160[.]222:2025 | botnet_cc | 2026-06-19 | 75% |
| domain | tasknew35630.duckdns.org | botnet_cc | 2026-06-19 | 75% |
| domain | bogota123.duckdns.org | botnet_cc | 2026-06-19 | 75% |
| ip:port | 66[.]118[.]237[.]171:8808 | botnet_cc | 2026-06-19 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AsyncRAT
let malicious_ips = dynamic(["13.62.76.12", "147.93.191.75", "205.209.106.158", "188.253.104.174", "45.81.243.44", "102.220.160.222", "211.235.43.192", "66.118.237.171", "198.23.185.136"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - AsyncRAT
let malicious_ips = dynamic(["13.62.76.12", "147.93.191.75", "205.209.106.158", "188.253.104.174", "45.81.243.44", "102.220.160.222", "211.235.43.192", "66.118.237.171", "198.23.185.136"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - AsyncRAT
let malicious_domains = dynamic(["tasknew35630.duckdns.org", "bogota123.duckdns.org"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
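The queries above match on IP only, although the ThreatFox rows carry a port as well (198.23.185.136 alone is listed with three different ports). The following added example, not part of the original rule page, refangs the ip:port and domain rows as ThreatFox publishes them and generates a Defender for Endpoint hunt that joins on both RemoteIP and RemotePort; the sample rows are copied from the table above, and the helper names (refang, parse_ioc, build_kql) are this example's own.

```python
import re
from typing import Iterable

# Constructed sample rows, copied from the ThreatFox table above in the
# defanged form it uses; the function names below are this example's own.
IOC_ROWS = [
    ("ip:port", "198[.]23[.]185[.]136:20600"),
    ("ip:port", "198[.]23[.]185[.]136:6006"),
    ("ip:port", "13[.]62[.]76[.]12:9000"),
    ("domain", "tasknew35630.duckdns.org"),
]

IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

def refang(value: str) -> str:
    """Undo ThreatFox defanging so values compare equal to raw telemetry."""
    return value.replace("[.]", ".").replace("[:]", ":")

def parse_ioc(ioc_type: str, value: str) -> tuple:
    """Return ('ip:port', ip, port) or ('domain', name, None); reject malformed rows."""
    v = refang(value.strip())
    if ioc_type == "ip:port":
        ip, sep, port = v.rpartition(":")
        if not sep or not IPV4.match(ip) or not port.isdigit() or not 0 < int(port) < 65536:
            raise ValueError(f"malformed ip:port IOC: {value!r}")
        return ("ip:port", ip, int(port))
    if ioc_type == "domain":
        if not re.match(r"^[a-z0-9.-]+\.[a-z]{2,}$", v.lower()):
            raise ValueError(f"malformed domain IOC: {value!r}")
        return ("domain", v.lower(), None)
    raise ValueError(f"unsupported IOC type: {ioc_type!r}")

def build_kql(rows: Iterable[tuple]) -> str:
    """Emit a KQL hunt that requires RemoteIP AND RemotePort to match an IOC pair."""
    parsed = [parse_ioc(t, v) for t, v in rows]
    pairs = sorted({(ip, port) for t, ip, port in parsed if t == "ip:port"})
    body = ",\n".join(f'    "{ip}", {port}' for ip, port in pairs)
    return "\n".join([
        "let c2 = datatable(ip:string, port:int) [",
        body,
        "];",
        "DeviceNetworkEvents",
        "| join kind=inner c2 on $left.RemoteIP == $right.ip, $left.RemotePort == $right.port",
        "| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType",
        "| order by Timestamp desc",
    ])

if __name__ == "__main__":
    print(build_kql(IOC_ROWS))
```

Port-qualified matching cuts noise from shared hosting IPs, but keep the IP-only queries above as a broader sweep, since AsyncRAT operators rotate ports on the same host.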
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using PowerShell for system maintenance
Description: A scheduled PowerShell script is running a legitimate system cleanup or patching task that coincidentally matches one of the AsyncRAT IOCs.
Filter/Exclusion: Exclude processes initiated by the Task Scheduler with the command line containing powershell.exe -Command and a known maintenance script path (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe).

Scenario: Admin using Cobalt Strike for red team exercise
Description: A red team administrator is using Cobalt Strike for a controlled penetration test, and the tool's internal components or network traffic may resemble AsyncRAT IOCs.
Filter/Exclusion: Exclude processes with the parent process cobaltstrike.exe or those running from a known red team lab directory (e.g., C:\RedTeam\).

Scenario: Legitimate software update using a known downloader tool
Description: A legitimate software update process is using a downloader tool like wget or curl to fetch updates from a trusted internal repository.
Filter/Exclusion: Exclude network connections to internal update servers (e.g., 10.0.0.0/8) or processes initiated by a known update management tool (e.g., wsusoffline.exe).

Scenario: System backup using Veeam or similar tool
Description: A system backup process using Veeam or another backup tool may generate network traffic that matches AsyncRAT IOCs due to similar communication patterns.
Filter/Exclusion: Exclude processes with the parent process veeam.exe or those running from a known backup directory (e.g., C:\Program Files\Veeam\).

Scenario: User downloading a legitimate file from a public repository