The ThreatFox: AsyncRAT IOCs rule matches outbound network connections and DNS queries against 22 ThreatFox command-and-control indicators (11 domains and 11 ip:port pairs, all first seen 2026-06-03) attributed to AsyncRAT, an open-source .NET remote access trojan used for persistent access, keylogging and data exfiltration. SOC teams should hunt for these destinations proactively in Microsoft Sentinel (formerly Azure Sentinel): a single hit on a listed C2 address or domain is a strong lead even when the initiating process looks benign.
IOC Summary
Malware Family: AsyncRAT
Total IOCs: 22
IOC Types: domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | loganwolverin2040.duckdns.org | botnet_cc | 2026-06-03 | 75% |
| ip:port | 147[.]124[.]210[.]158:8808 | botnet_cc | 2026-06-03 | 75% |
| ip:port | 13[.]236[.]153[.]60:8888 | botnet_cc | 2026-06-03 | 100% |
| domain | yyyf168.com | botnet_cc | 2026-06-03 | 75% |
| domain | f168viet.com | botnet_cc | 2026-06-03 | 75% |
| domain | ff168.club | botnet_cc | 2026-06-03 | 75% |
| domain | f168lv.com | botnet_cc | 2026-06-03 | 75% |
| domain | f168news.com | botnet_cc | 2026-06-03 | 75% |
| domain | f168.gold | botnet_cc | 2026-06-03 | 75% |
| domain | f168.talk | botnet_cc | 2026-06-03 | 75% |
| domain | f168.download | botnet_cc | 2026-06-03 | 75% |
| domain | f168.futbol | botnet_cc | 2026-06-03 | 75% |
| domain | f168-v1.cheap | botnet_cc | 2026-06-03 | 75% |
| ip:port | 111[.]90[.]145[.]42:20 | botnet_cc | 2026-06-03 | 50% |
| ip:port | 111[.]90[.]145[.]42:21 | botnet_cc | 2026-06-03 | 50% |
| ip:port | 111[.]90[.]145[.]42:22 | botnet_cc | 2026-06-03 | 50% |
| ip:port | 111[.]90[.]145[.]42:23 | botnet_cc | 2026-06-03 | 50% |
| ip:port | 111[.]90[.]145[.]42:3306 | botnet_cc | 2026-06-03 | 50% |
| ip:port | 111[.]90[.]145[.]42:443 | botnet_cc | 2026-06-03 | 50% |
| ip:port | 111[.]90[.]145[.]42:7788 | botnet_cc | 2026-06-03 | 50% |
| ip:port | 111[.]90[.]145[.]42:80 | botnet_cc | 2026-06-03 | 50% |
| ip:port | 111[.]90[.]145[.]42:8888 | botnet_cc | 2026-06-03 | 50% |
// Hunt for network connections to known malicious IPs in CEF firewall/proxy logs
// Source: ThreatFox - AsyncRAT. Values are refanged from the defanged IOC table above.
let malicious_ips = dynamic(["111.90.145.42", "147.124.210.158", "13.236.153.60"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
// DeviceVendor/DeviceProduct identify which appliance logged the flow; DeviceAction shows whether it was blocked
| project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
// Hunt in Defender for Endpoint network events (Microsoft Defender XDR connector)
// Source: ThreatFox - AsyncRAT. This matches on IP only; compare RemotePort with the
// ip:port list above during triage, since the feed entries are port-specific.
let malicious_ips = dynamic(["111.90.145.42", "147.124.210.158", "13.236.153.60"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType
| order by Timestamp desc
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - AsyncRAT
// has_any is a term match: it catches the listed names and their subdomains, but a name
// such as f168.gold.example.net would also match, so confirm hits against the exact indicator.
let malicious_domains = dynamic(["loganwolverin2040.duckdns.org", "yyyf168.com", "f168viet.com", "ff168.club", "f168lv.com", "f168news.com", "f168.gold", "f168.talk", "f168.download", "f168.futbol", "f168-v1.cheap"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses, QueryType
| order by TimeGenerated desc
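A port-aware version of the three hunts above, written here as an added example rather than taken from ThreatFox or the original rule: it loads the 22 indicators from the IOC table into datatables together with their confidence, matches DeviceNetworkEvents on the ip:port pair (keeping IP-only hits with a lower score), confirms DNS hits with an exact-or-subdomain check instead of relying on the term-based has_any alone, and returns one ranked result set. Table and column names are the standard Microsoft Sentinel DnsEvents and Defender XDR DeviceNetworkEvents schemas; the 30-day lookback and the scoring of IP-only hits as 0 are assumptions of this example, not ThreatFox guidance.

```kql
// Added example, not ThreatFox's or the original page's query.
// Indicator values are the 22 entries from the IOC table above, refanged.
let lookback = 30d;  // assumption: hunt window
// ip:port indicators with ThreatFox confidence
let ip_iocs = datatable(RemoteIP:string, RemotePort:int, Confidence:int)
[
    "147.124.210.158", 8808, 75,
    "13.236.153.60",   8888, 100,
    "111.90.145.42",   20,   50,
    "111.90.145.42",   21,   50,
    "111.90.145.42",   22,   50,
    "111.90.145.42",   23,   50,
    "111.90.145.42",   80,   50,
    "111.90.145.42",   443,  50,
    "111.90.145.42",   3306, 50,
    "111.90.145.42",   7788, 50,
    "111.90.145.42",   8888, 50
];
// domain indicators with ThreatFox confidence
let domain_iocs = datatable(Domain:string, Confidence:int)
[
    "loganwolverin2040.duckdns.org", 75,
    "yyyf168.com", 75,  "f168viet.com", 75, "ff168.club", 75,    "f168lv.com", 75,
    "f168news.com", 75, "f168.gold", 75,    "f168.talk", 75,     "f168.download", 75,
    "f168.futbol", 75,  "f168-v1.cheap", 75
];
// 1) Endpoint connections. An exact ip:port match inherits the feed confidence.
//    A match on the IP alone is kept but scored 0 (assumption) and labelled: the
//    50% entries for 111.90.145.42 already span many common service ports, and an
//    unlisted port on a listed C2 address still deserves a look rather than a drop.
let ip_hits = DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where RemoteIP in ((ip_iocs | distinct RemoteIP))
| join kind=leftouter ip_iocs on RemoteIP, RemotePort
| extend MatchType = iff(isnotnull(Confidence), "ip:port", "ip only (port not in feed)"),
         Confidence = iff(isnotnull(Confidence), Confidence, 0)
| project TimeGenerated = Timestamp, Host = DeviceName,
          Indicator = strcat(RemoteIP, ":", RemotePort),
          Process = InitiatingProcessFileName, CommandLine = InitiatingProcessCommandLine,
          ActionType, MatchType, Confidence;
// 2) DNS lookups. has_any is only a cheap term prefilter: "f168.gold" would also hit
//    "f168.gold.example.net". The small cross join below confirms the queried name is
//    the indicator itself or a subdomain of it before the row is reported.
let dns_hits = DnsEvents
| where TimeGenerated > ago(lookback)
| extend Name = tolower(Name)
| where Name has_any ((domain_iocs | project Domain))
| extend k = 1
| join kind=inner (domain_iocs | extend k = 1) on k
| where Name == Domain or Name endswith strcat(".", Domain)
| project TimeGenerated, Host = Computer, Indicator = Name, ClientIP,
          MatchType = "domain", Confidence;
// 3) One result set, highest-confidence indicators first
union ip_hits, dns_hits
| project TimeGenerated, Host, Indicator, MatchType, Confidence, Process, CommandLine, ActionType, ClientIP
| order by Confidence desc, TimeGenerated desc
```

The same exact-or-subdomain check (`Name == Domain or Name endswith strcat(".", Domain)`) can be applied to RemoteUrl in DeviceNetworkEvents for hosts that resolve names through a resolver not covered by DnsEvents. Because the right-hand tables are eleven rows each, the cross join for the DNS confirmation is cheap once has_any has prefiltered the events.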
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the Common Event Format (CEF) connector; carries firewall and proxy egress logs, so it is the place to see whether a connection was allowed or blocked |
| DeviceNetworkEvents | Requires the Microsoft Defender XDR connector with Defender for Endpoint raw events enabled; the only source here that names the initiating process |
| DnsEvents | Populated by the legacy DNS connector for Windows DNS servers; the newer Windows DNS Events via AMA connector writes to ASimDnsActivityLogs instead, so adjust the table name if that connector is in use |
Known false positive scenarios
All 22 indicators are network IOCs (domains and ip:port pairs), so a hit is a connection or DNS lookup to a listed destination, never a script name or file path. Exclusions therefore have to be anchored to the destination and the initiating process, not to the name of the tool that made the connection: excluding every process whose command line contains curl, wget or PowerShell.exe would also exclude a downloader stage that uses those same tools to reach C2. Note also that the 111[.]90[.]145[.]42 entries are 50% confidence and span FTP, SSH, Telnet, HTTP, HTTPS, MySQL and two high ports, so triage hits on that address by RemotePort and initiating process rather than excluding the address outright.
Scenario: Legitimate scheduled job using crontab for system maintenance
Description: A cron job (for example one defined under /etc/cron.d/ or /var/spool/cron/) periodically contacts a host whose IP or hostname overlaps with one of the listed indicators.
Filter/Exclusion: Confirm the destination is an approved maintenance endpoint, then exclude on the combination of initiating process and destination; do not exclude cron-spawned processes as a class.
Scenario: Use of wget or curl for legitimate software updates
Description: A system administrator uses wget or curl to download an update from an internal or approved external repository whose IP or hostname matches a listed indicator.
Filter/Exclusion: Exclude only when the destination (RemoteIP or RemoteUrl in DeviceNetworkEvents, Name in DnsEvents) is on the maintained allowlist of update servers; a match on the tool name alone is not sufficient.
Scenario: PowerShell script for system monitoring (e.g., PowerShell.exe -Command)
Description: A monitoring or log-collection script launched with PowerShell.exe -Command or -File reaches out to a host that matches a listed indicator.
Filter/Exclusion: Exclude when InitiatingProcessFileName is PowerShell.exe, the script path in InitiatingProcessCommandLine is in a known admin script directory (e.g., C:\Windows\System32\ or C:\Program Files\), and the destination is a known monitoring endpoint.
Scenario: Use of tar or gzip for archiving logs or backups
Description: A backup job archives logs or system files with tar or gzip and then ships the archive to a backup target whose IP or hostname matches a listed indicator.
Filter/Exclusion: Exclude processes where the command line includes tar or gzip and the output