The ThreatFox: AsyncRAT IOCs rule detects potential command and control communication associated with the AsyncRAT malware, which is commonly used for persistent remote access and data exfiltration. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced persistent threats that may have already established a foothold in the network.
IOC Summary
Malware Family: AsyncRAT
Total IOCs: 8
IOC Types: sha256_hash, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 172[.]82[.]64[.]235:444 | botnet_cc | 2026-05-29 | 75% |
| ip:port | 157[.]254[.]223[.]135:2700 | botnet_cc | 2026-05-29 | 75% |
| ip:port | 157[.]20[.]182[.]17:1339 | botnet_cc | 2026-05-29 | 75% |
| ip:port | 157[.]20[.]182[.]17:1992 | botnet_cc | 2026-05-29 | 100% |
| ip:port | 15[.]235[.]9[.]17:8000 | botnet_cc | 2026-05-29 | 100% |
| sha256_hash | ada3a2598dc763b860c98236f6ff09f8be2890da1c5fb53539a6d19b065d9620 | payload | 2026-05-29 | 50% |
| ip:port | 31[.]57[.]184[.]154:7005 | botnet_cc | 2026-05-28 | 75% |
| ip:port | 157[.]20[.]182[.]18:1444 | botnet_cc | 2026-05-28 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AsyncRAT
// Note: the ThreatFox entries are ip:port pairs; this query matches on IP alone,
// so any connection to these hosts surfaces regardless of port. Use DestinationPort
// in triage to compare against the ports listed in the IOC table above.
let malicious_ips = dynamic(["31.57.184.154", "157.20.182.17", "172.82.64.235", "15.235.9.17", "157.20.182.18", "157.254.223.135"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - AsyncRAT
// RemotePort and InitiatingProcessFileName are projected so a hit can be checked
// against the listed C2 ports and the process that opened the connection.
let malicious_ips = dynamic(["31.57.184.154", "157.20.182.17", "172.82.64.235", "15.235.9.17", "157.20.182.18", "157.254.223.135"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - AsyncRAT
// Only a SHA256 value is listed for this family; the SHA1 and MD5 columns are
// kept in the predicate so the same query works if other hash types are added later.
let malicious_hashes = dynamic(["ada3a2598dc763b860c98236f6ff09f8be2890da1c5fb53539a6d19b065d9620"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
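The IOC table above is defanged (`[.]`) and carries ports that the queries do not use. The following script, added here as an example and not part of the ThreatFox feed or the original page, parses that table, refangs the values, emits the `dynamic([...])` lists the KQL queries need (plus a port-aware `ip:port` variant), and classifies constructed sample network events as an exact ip:port hit or an ip-only hit so an analyst can rank them. The sample events and the `classify` helper are assumptions for illustration; the IOC values are copied from the table.

```python
import re
from typing import Dict, List, Set, Tuple

# Copy of the page's IOC table (values defanged with [.] exactly as published).
IOC_TABLE = """\
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 172[.]82[.]64[.]235:444 | botnet_cc | 2026-05-29 | 75% |
| ip:port | 157[.]254[.]223[.]135:2700 | botnet_cc | 2026-05-29 | 75% |
| ip:port | 157[.]20[.]182[.]17:1339 | botnet_cc | 2026-05-29 | 75% |
| ip:port | 157[.]20[.]182[.]17:1992 | botnet_cc | 2026-05-29 | 100% |
| ip:port | 15[.]235[.]9[.]17:8000 | botnet_cc | 2026-05-29 | 100% |
| sha256_hash | ada3a2598dc763b860c98236f6ff09f8be2890da1c5fb53539a6d19b065d9620 | payload | 2026-05-29 | 50% |
| ip:port | 31[.]57[.]184[.]154:7005 | botnet_cc | 2026-05-28 | 75% |
| ip:port | 157[.]20[.]182[.]18:1444 | botnet_cc | 2026-05-28 | 75% |
"""


def refang(value: str) -> str:
    """Turn the defanged form 1[.]2[.]3[.]4 back into a usable IP string."""
    return value.replace("[.]", ".")


def parse_ioc_table(table: str) -> List[Dict[str, object]]:
    """Parse the markdown IOC table into rows; header and separator rows are skipped."""
    rows: List[Dict[str, object]] = []
    for line in table.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 5 or cells[0] == "Type" or set(cells[0]) <= {"-"}:
            continue
        rows.append({
            "type": cells[0],
            "value": cells[1],
            "threat_type": cells[2],
            "first_seen": cells[3],
            "confidence": int(cells[4].rstrip("%")),
        })
    return rows


def ip_port_pairs(rows: List[Dict[str, object]]) -> Set[Tuple[str, int]]:
    """Refang the ip:port entries and split them into (ip, port) tuples."""
    pairs: Set[Tuple[str, int]] = set()
    for r in rows:
        if r["type"] == "ip:port":
            ip, port = refang(str(r["value"])).rsplit(":", 1)
            if not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", ip):
                raise ValueError(f"unexpected IP format: {ip}")
            pairs.add((ip, int(port)))
    return pairs


def sha256_hashes(rows: List[Dict[str, object]]) -> Set[str]:
    return {str(r["value"]).lower() for r in rows if r["type"] == "sha256_hash"}


def kql_dynamic(values) -> str:
    """Render a KQL dynamic([...]) literal with sorted, quoted values."""
    return "dynamic([" + ", ".join(f'"{v}"' for v in sorted(values)) + "])"


def build_kql_lists(rows: List[Dict[str, object]]) -> Dict[str, str]:
    """Produce the three let-lists: IP-only, port-aware ip:port, and SHA256."""
    pairs = ip_port_pairs(rows)
    return {
        "malicious_ips": kql_dynamic({ip for ip, _ in pairs}),
        # For a port-aware hunt: strcat(RemoteIP, ":", RemotePort) in (malicious_endpoints)
        "malicious_endpoints": kql_dynamic({f"{ip}:{port}" for ip, port in pairs}),
        "malicious_hashes": kql_dynamic(sha256_hashes(rows)),
    }


# Constructed sample events in DeviceNetworkEvents shape (not real telemetry).
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "RemoteIP": "157.20.182.17", "RemotePort": 1992},
    {"DeviceName": "ws02", "RemoteIP": "157.20.182.17", "RemotePort": 443},
    {"DeviceName": "ws03", "RemoteIP": "203.0.113.10", "RemotePort": 53},
]


def classify(events, pairs: Set[Tuple[str, int]]) -> List[Tuple[str, str]]:
    """Rank hits: exact ip:port match first, IP-only match (port differs) second."""
    ips = {ip for ip, _ in pairs}
    hits: List[Tuple[str, str]] = []
    for e in events:
        if (e["RemoteIP"], e["RemotePort"]) in pairs:
            hits.append((e["DeviceName"], "ip_and_port"))
        elif e["RemoteIP"] in ips:
            hits.append((e["DeviceName"], "ip_only"))
    return hits


if __name__ == "__main__":
    rows = parse_ioc_table(IOC_TABLE)
    for name, literal in build_kql_lists(rows).items():
        print(f"let {name} = {literal};")
    print(classify(SAMPLE_EVENTS, ip_port_pairs(rows)))
```

Running the script prints ready-to-paste `let` lines for the queries above; the `malicious_endpoints` list can be used with `strcat(RemoteIP, ":", RemotePort) in (malicious_endpoints)` when an IP-only match produces too much noise.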
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceFileEvents | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using crontab for system maintenance
Description: A system administrator schedules a legitimate maintenance task using crontab that coincidentally matches one of the AsyncRAT IOCs (e.g., a script name or command).
Filter/Exclusion: Check for crontab entries or use a filter like process.parent_process_name : "crontab" or process.command_line : "crontab".
Scenario: Use of wget or curl for legitimate software updates
Description: A system administrator or automated process uses wget or curl to download a legitimate software update or configuration file, which may match an AsyncRAT IOC.
Filter/Exclusion: Filter by process.name : "wget" or process.name : "curl" and check for known legitimate update URLs or domains.
Scenario: Admin task using ps or top for process monitoring
Description: A system administrator runs ps or top to monitor running processes, which may include command-line arguments that match AsyncRAT IOCs.
Filter/Exclusion: Use a filter like process.name : "ps" or process.name : "top" to exclude legitimate administrative tasks.
Scenario: Use of tar or gzip for archiving logs or backups
Description: A backup process uses tar or gzip to archive logs or system files, and the command line or file names may match AsyncRAT IOCs.
Filter/Exclusion: Filter by process.name : "tar" or process.name : "gzip" and check for known backup directories or file patterns.
Scenario: Legitimate use of rsync for data synchronization
Description: A system uses `rsync