The ThreatFox: AsyncRAT IOCs rule detects potential command and control activity associated with the AsyncRAT malware, which is known for its persistence and data exfiltration capabilities. SOC teams should proactively hunt for these indicators in Azure Sentinel to identify and mitigate advanced persistent threats before they cause significant data loss or network compromise.
IOC Summary

Malware Family: AsyncRAT
Total IOCs: 10
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 31[.]57[.]184[.]154:2505 | botnet_cc | 2026-06-07 | 75% |
| ip:port | 172[.]81[.]61[.]108:2030 | botnet_cc | 2026-06-07 | 75% |
| ip:port | 147[.]124[.]210[.]158:7707 | botnet_cc | 2026-06-07 | 75% |
| ip:port | 95[.]211[.]182[.]120:6794 | botnet_cc | 2026-06-06 | 75% |
| ip:port | 5[.]230[.]201[.]36:6606 | botnet_cc | 2026-06-06 | 75% |
| ip:port | 192[.]159[.]99[.]26:6969 | botnet_cc | 2026-06-06 | 75% |
| ip:port | 157[.]254[.]223[.]135:2600 | botnet_cc | 2026-06-06 | 75% |
| ip:port | 13[.]60[.]184[.]242:4444 | botnet_cc | 2026-06-06 | 100% |
| ip:port | 64[.]176[.]189[.]40:8808 | botnet_cc | 2026-06-06 | 100% |
| ip:port | 13[.]60[.]184[.]242:8000 | botnet_cc | 2026-06-06 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AsyncRAT
// Note: the list is deduplicated by address (13.60.184.242 is listed twice in the
// IOC table, on ports 4444 and 8000), so this query matches on IP only, not on port.
let malicious_ips = dynamic(["31.57.184.154", "192.159.99.26", "64.176.189.40", "157.254.223.135", "13.60.184.242", "95.211.182.120", "5.230.201.36", "147.124.210.158", "172.81.61.108"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Same address-only list as above; RemotePort is projected so the analyst can
// compare hits against the ports in the IOC table.
let malicious_ips = dynamic(["31.57.184.154", "192.159.99.26", "64.176.189.40", "157.254.223.135", "13.60.184.242", "95.211.182.120", "5.230.201.36", "147.124.210.158", "172.81.61.108"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
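The two queries above match on addresses only, while the IOC table carries ip:port pairs. The following query is an added example, not part of the ThreatFox rule page: it joins both tables on the exact ip:port pairs so that unrelated traffic to a shared address (13.60.184.242 is listed only on ports 4444 and 8000) does not fire, and summarizes hits per host. The 30-day lookback and the output column names are assumptions.

```kql
// Added example: hunt on exact ip:port pairs from the AsyncRAT IOC table.
// Assumption: a 30-day lookback is enough for the hunt; adjust ago() as needed.
let ioc_pairs = datatable(IocIP:string, IocPort:int) [
    "31.57.184.154", 2505,
    "172.81.61.108", 2030,
    "147.124.210.158", 7707,
    "95.211.182.120", 6794,
    "5.230.201.36", 6606,
    "192.159.99.26", 6969,
    "157.254.223.135", 2600,
    "13.60.184.242", 4444,
    "64.176.189.40", 8808,
    "13.60.184.242", 8000
];
// Endpoint view: connections observed by Defender for Endpoint, with the process
// that initiated them (useful for separating a RAT implant from benign tooling).
let mde_hits = DeviceNetworkEvents
    | where Timestamp > ago(30d)
    | join kind=inner ioc_pairs
        on $left.RemoteIP == $right.IocIP, $left.RemotePort == $right.IocPort
    | project Timestamp, Source = "DeviceNetworkEvents", Host = DeviceName,
              RemoteIP, RemotePort, Process = InitiatingProcessFileName,
              CommandLine = InitiatingProcessCommandLine, Action = ActionType;
// Network view: firewall/proxy logs. The IOCs are C2 servers, so only the
// destination side is matched; the source IP stands in for the host name.
let csl_hits = CommonSecurityLog
    | where TimeGenerated > ago(30d)
    | join kind=inner ioc_pairs
        on $left.DestinationIP == $right.IocIP, $left.DestinationPort == $right.IocPort
    | project Timestamp = TimeGenerated, Source = "CommonSecurityLog", Host = SourceIP,
              RemoteIP = DestinationIP, RemotePort = DestinationPort, Process = "",
              CommandLine = "", Action = DeviceAction;
// One row per host and C2 endpoint, with the set of initiating processes seen.
union mde_hits, csl_hits
| summarize Connections = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Processes = make_set(Process, 10), Actions = make_set(Action, 10)
          by Host, RemoteIP, RemotePort, Source
| order by LastSeen desc
```

A host that appears in both sources for the same ip:port pair, with a non-empty Processes set, is the strongest signal; a CommonSecurityLog-only hit with a blocked DeviceAction still warrants checking the endpoint.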
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using crontab to run system diagnostics
- Description: A system administrator schedules a cron job to run a diagnostic script that performs network checks or system health monitoring. This can produce activity that resembles AsyncRAT IOCs, such as network connections to internal servers.
- Filter/Exclusion: Exclude processes initiated by crontab, or processes whose USER field is root and whose COMMAND contains cron or crontab.

Scenario: Use of PowerShell for legitimate remote management tasks
- Description: An IT administrator uses PowerShell to remotely manage servers, which can produce activity, such as Invoke-WebRequest or Invoke-Command invocations, that resembles AsyncRAT behavior.
- Filter/Exclusion: Exclude processes whose USER field is root or SYSTEM, or whose command line includes PowerShell and contains known admin management commands such as Invoke-Command or Test-Connection.

Scenario: Legitimate software update process using wget or curl
- Description: A system update process uses wget or curl to download patches or updates from an internal repository, which may involve URLs or IPs that match AsyncRAT IOCs.
- Filter/Exclusion: Exclude processes whose command line includes wget or curl and whose URL points to an internal update server or is signed by a known internal certificate.

Scenario: Use of rsync for data synchronization between servers
- Description: A DevOps team uses rsync to synchronize data between servers, which may involve network connections or file transfers that resemble AsyncRAT IOCs.
- Filter/Exclusion: Exclude processes whose COMMAND contains rsync and whose source or destination is within the internal network or a known trusted server.