The ThreatFox: AsyncRAT IOCs rule detects potential command-and-control (C2) communication associated with the AsyncRAT malware, a remote access trojan known for its persistence and data exfiltration capabilities. SOC teams should proactively hunt for connections to these indicators in Azure Sentinel to identify and contain advanced persistent threats before they compromise sensitive data or network integrity.
IOC Summary
Malware Family: AsyncRAT
Total IOCs: 9
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 89[.]42[.]134[.]220:6606 | botnet_cc | 2026-06-21 | 75% |
| ip:port | 45[.]81[.]243[.]44:7707 | botnet_cc | 2026-06-21 | 75% |
| ip:port | 191[.]107[.]87[.]183:5010 | botnet_cc | 2026-06-21 | 75% |
| ip:port | 191[.]107[.]87[.]183:8917 | botnet_cc | 2026-06-21 | 75% |
| ip:port | 191[.]107[.]87[.]183:9140 | botnet_cc | 2026-06-21 | 75% |
| ip:port | 147[.]93[.]191[.]75:1111 | botnet_cc | 2026-06-21 | 75% |
| ip:port | 103[.]67[.]163[.]27:443 | botnet_cc | 2026-06-21 | 75% |
| ip:port | 103[.]67[.]163[.]27:8080 | botnet_cc | 2026-06-21 | 75% |
| ip:port | 103[.]6[.]219[.]25:6745 | botnet_cc | 2026-06-21 | 75% |
Hunting Queries

Each query below is a stand-alone KQL query and should be run on its own. Both match on the IP address only; the IOC table above also lists the C2 port, so a hit on a host that serves other traffic should be confirmed against that port before escalation.

```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AsyncRAT
// Note: matches on IP only; compare DestinationPort with the IOC table for an exact ip:port hit
let malicious_ips = dynamic(["45.81.243.44", "191.107.87.183", "89.42.134.220", "147.93.191.75", "103.6.219.25", "103.67.163.27"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Note: matches on IP only; compare RemotePort with the IOC table for an exact ip:port hit
let malicious_ips = dynamic(["45.81.243.44", "191.107.87.183", "89.42.134.220", "147.93.191.75", "103.6.219.25", "103.67.163.27"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
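The queries above match on IP address only, while the ThreatFox indicators are ip:port pairs. The following Python is an added example, not part of the rule or of ThreatFox: it refangs the indicators from the IOC table, classifies constructed sample connections by IP-only versus exact ip:port match, and emits a KQL datatable (the name asyncrat_c2 is an assumption) that can be joined to DeviceNetworkEvents for the tighter match.

```python
import re

# Defanged ip:port indicators copied from the IOC table above.
IOCS = [
    "89[.]42[.]134[.]220:6606", "45[.]81[.]243[.]44:7707",
    "191[.]107[.]87[.]183:5010", "191[.]107[.]87[.]183:8917",
    "191[.]107[.]87[.]183:9140", "147[.]93[.]191[.]75:1111",
    "103[.]67[.]163[.]27:443", "103[.]67[.]163[.]27:8080",
    "103[.]6[.]219[.]25:6745",
]

def refang(ioc: str) -> tuple[str, int]:
    """Turn '1[.]2[.]3[.]4:80' into ('1.2.3.4', 80); reject anything else."""
    m = re.fullmatch(r"((?:\d{1,3}\[\.\]){3}\d{1,3}):(\d{1,5})", ioc)
    if not m:
        raise ValueError(f"unexpected IOC format: {ioc!r}")
    return m.group(1).replace("[.]", "."), int(m.group(2))

PAIRS = {refang(i) for i in IOCS}   # exact (ip, port) pairs from the table
IPS = {ip for ip, _ in PAIRS}       # IP-only set, what the page's KQL checks

def match_event(remote_ip: str, remote_port: int) -> str:
    """Classify one connection as 'ip+port', 'ip-only' or 'none'."""
    if (remote_ip, remote_port) in PAIRS:
        return "ip+port"     # exact indicator hit: highest confidence
    if remote_ip in IPS:
        return "ip-only"     # same host, other port: verify before escalating
    return "none"

def kql_datatable() -> str:
    """Emit a KQL datatable of the pairs for a port-aware join in Sentinel."""
    rows = ", ".join(f'"{ip}", {port}' for ip, port in sorted(PAIRS))
    return f"let asyncrat_c2 = datatable(RemoteIP:string, RemotePort:int)[{rows}];"

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ("103.67.163.27", 443),   # exact IOC pair
    ("103.67.163.27", 22),    # IOC host, port not in the table
    ("10.0.0.5", 6606),       # IOC port on an unrelated internal host
]

def triage() -> dict[str, str]:
    """Run the sample events through match_event, keyed by 'ip:port'."""
    return {f"{ip}:{port}": match_event(ip, port) for ip, port in SAMPLE_EVENTS}
```

The emitted datatable can be used in Sentinel as `DeviceNetworkEvents | join kind=inner asyncrat_c2 on RemoteIP, RemotePort` so that only exact ip:port hits are returned.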
Required Data Connectors

| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
False Positive Scenarios

Scenario: Legitimate scheduled backup job using rsync
Description: A scheduled backup task using rsync may trigger the rule because its command-line arguments resemble malicious activity.
Filter/Exclusion: Check for rsync in the command line and confirm the process was started by a known backup service (e.g., a cron job running /usr/bin/rsync).

Scenario: Admin using wget to download a trusted update from an internal repository
Description: System administrators may use wget to fetch internal software updates, which could match the IOCs if the internal repository is misconfigured or the command structure is similar.
Filter/Exclusion: Filter by source IP address (src_ip within the internal network) and verify that the URL belongs to a trusted internal domain.

Scenario: PowerShell script using Invoke-WebRequest for legitimate configuration sync
Description: A PowerShell script that uses Invoke-WebRequest to pull configuration files from a central server might be flagged because of similar command patterns.
Filter/Exclusion: Check the script execution context (e.g., Invoke-WebRequest with a URI pointing to a known internal server and a User-Agent matching a legitimate tool).

Scenario: Logrotate job using gzip to compress logs
Description: The logrotate utility may invoke gzip to compress log files, and the command-line arguments could resemble malicious activity.
Filter/Exclusion: Filter by process name (process_name = gzip) and check for logrotate in the command line or as the parent process.

Scenario: Database backup using mysqldump with custom options
Description: A database administrator may run mysqldump with custom options whose arguments resemble those seen in AsyncRAT IOCs.