The ThreatFox: AsyncRAT IOCs rule detects potential command-and-control (C2) communication associated with AsyncRAT, an open-source .NET remote access trojan that is widely abused for persistent access, keylogging and data exfiltration. SOC teams should hunt for these IOCs in Microsoft Sentinel to find hosts beaconing to the listed C2 endpoints. Each indicator is an ip:port pair reported at 75% confidence: a connection to one of these IPs on a different port is weaker evidence than a hit on the published port, and because C2 infrastructure on rented VPS space churns quickly, confirm the indicators are still current in ThreatFox before acting on a match.
IOC Summary
Malware Family: AsyncRAT
Total IOCs: 6
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 89[.]40[.]31[.]128:7707 | botnet_cc | 2026-05-27 | 75% |
| ip:port | 157[.]254[.]223[.]135:2500 | botnet_cc | 2026-05-27 | 75% |
| ip:port | 45[.]202[.]1[.]50:12159 | botnet_cc | 2026-05-27 | 75% |
| ip:port | 50[.]114[.]179[.]165:8043 | botnet_cc | 2026-05-26 | 75% |
| ip:port | 207[.]180[.]250[.]181:20600 | botnet_cc | 2026-05-26 | 75% |
| ip:port | 124[.]198[.]132[.]98:5080 | botnet_cc | 2026-05-26 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AsyncRAT (the six ip:port IOCs listed above)
let malicious_ips = dynamic(["124.198.132.98", "50.114.179.165", "157.254.223.135", "89.40.31.128", "45.202.1.50", "207.180.250.181"]);
// The same indicators as published ip:port pairs, used to mark hits on the exact C2 port
let malicious_ip_ports = dynamic(["89.40.31.128:7707", "157.254.223.135:2500", "45.202.1.50:12159", "50.114.179.165:8043", "207.180.250.181:20600", "124.198.132.98:5080"]);
CommonSecurityLog
// Match either direction: SourceIP catches inbound traffic from the C2 host
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
// PortMatch is true only when the destination IP and port are both a published pair
| extend PortMatch = strcat(DestinationIP, ":", tostring(DestinationPort)) in (malicious_ip_ports)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, PortMatch, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - AsyncRAT (the six ip:port IOCs listed above)
let malicious_ips = dynamic(["124.198.132.98", "50.114.179.165", "157.254.223.135", "89.40.31.128", "45.202.1.50", "207.180.250.181"]);
let malicious_ip_ports = dynamic(["89.40.31.128:7707", "157.254.223.135:2500", "45.202.1.50:12159", "50.114.179.165:8043", "207.180.250.181:20600", "124.198.132.98:5080"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
// PortMatch is true only when the remote IP and port are both a published pair
| extend PortMatch = strcat(RemoteIP, ":", tostring(RemotePort)) in (malicious_ip_ports)
// InitiatingProcessFileName is the pivot for triage: AsyncRAT typically runs as a dropped .NET executable, not a browser
| project Timestamp, DeviceName, RemoteIP, RemotePort, PortMatch, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType
| order by Timestamp desc
```
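The queries above match on IP alone and then note whether the port also agrees. The following is an added example, not code from the original page, ThreatFox or Microsoft: it refangs the six published ip:port indicators, renders them as the KQL `dynamic([...])` literal the queries use, and runs the same port-aware match over constructed CEF-style firewall lines so the difference between an IP-only hit and a full ip:port hit is visible. The log lines, the `Hit` record and the helper names are assumptions made for the example; the indicators are the ones in the table.

```python
"""Added example (not code from the original page, ThreatFox or Microsoft):
refang the six ip:port IOCs above, render them as the KQL list the hunting
queries use, and run a port-aware match over constructed firewall log lines
to show why the port should be kept alongside the IP."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# The six IOCs exactly as published in the table above (defanged with "[.]").
THREATFOX_IOCS = [
    "89[.]40[.]31[.]128:7707",
    "157[.]254[.]223[.]135:2500",
    "45[.]202[.]1[.]50:12159",
    "50[.]114[.]179[.]165:8043",
    "207[.]180[.]250[.]181:20600",
    "124[.]198[.]132[.]98:5080",
]


def refang(ioc: str) -> tuple[str, int]:
    """'89[.]40[.]31[.]128:7707' -> ('89.40.31.128', 7707); IPv4 only, as on this page.

    Validation matters: a malformed indicator silently copied into a KQL list
    would simply never match anything."""
    ip, sep, port = ioc.replace("[.]", ".").rpartition(":")
    if not sep:
        raise ValueError(f"expected ip:port, got {ioc!r}")
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on junk
    port_n = int(port)
    if not 0 < port_n <= 65535:
        raise ValueError(f"port out of range in {ioc!r}")
    return str(addr), port_n


def to_kql_dynamic(iocs: list[str], with_port: bool = False) -> str:
    """Render the IOCs as a KQL dynamic([...]) literal, IP-only or ip:port."""
    pairs = sorted({refang(i) for i in iocs})
    items = [f"{ip}:{port}" if with_port else ip for ip, port in pairs]
    if not with_port:
        items = sorted(set(items))  # one IP may carry several ports
    return "dynamic([" + ", ".join(f'"{item}"' for item in items) + "])"


@dataclass
class Hit:
    line: str
    ip: str
    port: int | None
    port_match: bool  # True only when the IP *and* the published C2 port match


# Constructed CEF-style firewall lines (not real traffic). Line 2 reaches a
# listed IP on 443 only; line 5 is inbound from a listed IP on its C2 port.
SAMPLE_LOGS = [
    "CEF:0|Vendor|FW|1.0|100|Allow|1|src=10.0.0.5 spt=49152 dst=89.40.31.128 dpt=7707",
    "CEF:0|Vendor|FW|1.0|100|Allow|1|src=10.0.0.6 spt=49153 dst=89.40.31.128 dpt=443",
    "CEF:0|Vendor|FW|1.0|100|Deny|3|src=10.0.0.7 spt=49154 dst=45.202.1.50 dpt=12159",
    "CEF:0|Vendor|FW|1.0|100|Allow|1|src=10.0.0.8 spt=49155 dst=93.184.216.34 dpt=443",
    "CEF:0|Vendor|FW|1.0|100|Allow|1|src=157.254.223.135 spt=2500 dst=10.0.0.9 dpt=51234",
]

# CEF extension keys are preceded by the header's last "|" or by whitespace.
CEF_FIELD = re.compile(r"(?:^|[\s|])(src|dst|spt|dpt)=(\S+)")


def parse_cef(line: str) -> dict[str, str]:
    """Pull the four address/port extension fields out of one CEF line."""
    return dict(CEF_FIELD.findall(line))


def hunt(lines: list[str], iocs: list[str]) -> list[Hit]:
    """Mirror the KQL: flag any row whose src or dst is a listed IP, then
    record whether the port on that same side matches the published pair."""
    pairs = {refang(i) for i in iocs}
    ips = {ip for ip, _ in pairs}
    hits: list[Hit] = []
    for line in lines:
        fields = parse_cef(line)
        for ip_key, port_key in (("dst", "dpt"), ("src", "spt")):
            ip = fields.get(ip_key)
            if ip in ips:
                port = int(fields[port_key]) if port_key in fields else None
                hits.append(Hit(line, ip, port, (ip, port) in pairs))
    return hits


if __name__ == "__main__":
    print(to_kql_dynamic(THREATFOX_IOCS))
    print(to_kql_dynamic(THREATFOX_IOCS, with_port=True))
    for h in hunt(SAMPLE_LOGS, THREATFOX_IOCS):
        print("C2 PORT MATCH" if h.port_match else "ip-only hit  ", h.ip, h.port)
```

Running it shows four hits: three on the published ip:port pairs (one of them inbound from the C2 address) and one IP-only hit on 443, which deserves a look at the initiating process before it is treated as AsyncRAT beaconing.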
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure the CEF/Syslog data connector feeding this table is enabled; DestinationPort must be populated by the firewall or proxy for the port check to be meaningful |
| DeviceNetworkEvents | Ensure the Microsoft Defender XDR data connector is enabled (requires Defender for Endpoint on the hosts) |
The exclusions below address process-level noise on Linux hosts; they do not apply to the IP-based queries above, where every match against a listed C2 address should be triaged rather than filtered out.

Scenario: Legitimate scheduled job using crontab to run system maintenance scripts
Filter/Exclusion: Exclude processes where the command line includes crontab or cron and the script path is within /etc/cron.d/ or /var/spool/cron/.
Scenario: Admin using ps or top to monitor system processes
Filter/Exclusion: Exclude processes where the command line includes ps, top, or htop and the user is a known administrator account (e.g., root, or a member of the admin or sudo group).
Scenario: Use of wget or curl to download legitimate software updates
Filter/Exclusion: Exclude processes where the command line includes wget or curl and the URL matches known enterprise update servers (e.g., *.example.com, *.companydomain.com).
Scenario: Running a legitimate forensic tool like tcpdump or Wireshark for network analysis
Filter/Exclusion: Exclude processes where the command line includes tcpdump, tshark, or wireshark and the capture is written to a location the SOC controls (e.g., a designated pcap directory or the SOC's own analysis pipeline).
Scenario: Use of rsync for legitimate data backups
Filter/Exclusion: Exclude processes where the command line includes rsync and the destination path is a known backup directory (e.g., /backup/, /mnt/backups/, or /var/backups/).