The ThreatFox: AsyncRAT IOCs rule flags network telemetry that matches command-and-control (C2) infrastructure attributed to AsyncRAT, an open-source remote access trojan used for persistent access and data exfiltration. The indicators are six ip:port pairs and one dynamic DNS domain published on ThreatFox. SOC teams should hunt for them in Microsoft Sentinel (formerly Azure Sentinel) to find internal hosts beaconing to AsyncRAT infrastructure and contain them before the operator pivots further into the environment.
IOC Summary
Malware Family: AsyncRAT
Total IOCs: 7
IOC Types: ip:port (6), domain (1)
Note: values are defanged with [.] in the table; replace [.] with . before using them in queries or blocklists.
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 31[.]57[.]184[.]154:2503 | botnet_cc | 2026-05-31 | 75% |
| ip:port | 20[.]88[.]55[.]168:8080 | botnet_cc | 2026-05-31 | 100% |
| ip:port | 45[.]32[.]64[.]21:8808 | botnet_cc | 2026-05-31 | 50% |
| ip:port | 64[.]89[.]160[.]44:1000 | botnet_cc | 2026-05-31 | 50% |
| ip:port | 157[.]20[.]182[.]17:1997 | botnet_cc | 2026-05-30 | 75% |
| domain | climacoolllll202620262026.dynuddns.net | botnet_cc | 2026-05-30 | 75% |
| ip:port | 178[.]16[.]55[.]121:1990 | botnet_cc | 2026-05-30 | 100% |
Each query below is stand-alone (each re-declares its own `let` list), so run them separately rather than pasting them into one editor.

```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AsyncRAT (values refanged: [.] replaced with .)
// The IOCs are ip:port pairs. Match on IP alone for breadth, then flag whether
// the port also matches so IP-only hits can be triaged separately.
let malicious_ips = dynamic(["64.89.160.44", "45.32.64.21", "31.57.184.154", "157.20.182.17", "20.88.55.168", "178.16.55.121"]);
let malicious_ip_ports = dynamic(["64.89.160.44:1000", "45.32.64.21:8808", "31.57.184.154:2503", "157.20.182.17:1997", "20.88.55.168:8080", "178.16.55.121:1990"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| extend PortMatch = strcat(DestinationIP, ":", tostring(DestinationPort)) in (malicious_ip_ports)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, PortMatch, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - AsyncRAT
// RemotePort and InitiatingProcessFileName are the key triage fields:
// an ip:port match from an unexpected process is the AsyncRAT beaconing pattern.
let malicious_ips = dynamic(["64.89.160.44", "45.32.64.21", "31.57.184.154", "157.20.182.17", "20.88.55.168", "178.16.55.121"]);
let malicious_ip_ports = dynamic(["64.89.160.44:1000", "45.32.64.21:8808", "31.57.184.154:2503", "157.20.182.17:1997", "20.88.55.168:8080", "178.16.55.121:1990"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| extend PortMatch = strcat(RemoteIP, ":", tostring(RemotePort)) in (malicious_ip_ports)
| project Timestamp, DeviceName, RemoteIP, RemotePort, PortMatch, RemoteUrl, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - AsyncRAT
// has_any also matches subdomains of the listed name (e.g. a host label prefixed to it).
let malicious_domains = dynamic(["climacoolllll202620262026.dynuddns.net"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by CEF-based connectors (firewalls, proxies); ensure the connector for your perimeter devices is enabled |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR connector; ensure it is enabled and Defender for Endpoint is deployed to the hosts in scope |
| DnsEvents | Populated by the DNS connector on Windows DNS servers; ensure this data connector is enabled |
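The queries above match on IP alone even though the ThreatFox indicators are ip:port pairs. The following added example (my own code, not ThreatFox's feed tooling or anything shipped with Sentinel) shows the difference in practice: it refangs the seven rows from the table, gates them on ThreatFox confidence, matches them against constructed network and DNS events both IP-only (as the KQL does) and as exact ip:port pairs, and renders the `dynamic([...])` literal used in the `let` statements so the list does not have to be retyped. The event records are constructed sample data shaped loosely like DeviceNetworkEvents and DnsEvents rows, not real telemetry.

```python
"""Added example: parse defanged ThreatFox-style AsyncRAT IOCs, match them
against constructed events, and emit the KQL `dynamic([...])` list.
Not ThreatFox or Microsoft Sentinel code; all events are constructed samples."""
import ipaddress
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# IOC rows copied from the table above, still defanged: (type, value, confidence %).
IOC_ROWS = [
    ("ip:port", "31[.]57[.]184[.]154:2503", 75),
    ("ip:port", "20[.]88[.]55[.]168:8080", 100),
    ("ip:port", "45[.]32[.]64[.]21:8808", 50),
    ("ip:port", "64[.]89[.]160[.]44:1000", 50),
    ("ip:port", "157[.]20[.]182[.]17:1997", 75),
    ("domain", "climacoolllll202620262026.dynuddns.net", 75),
    ("ip:port", "178[.]16[.]55[.]121:1990", 100),
]


@dataclass(frozen=True)
class Ioc:
    kind: str
    value: str            # refanged, as it would appear in telemetry
    ip: Optional[str]     # set for ip:port
    port: Optional[int]   # set for ip:port
    confidence: int


def refang(value: str) -> str:
    """Undo the defanging used in threat-intel feeds ([.] and hxxp)."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def parse_ioc(kind: str, raw: str, confidence: int) -> Ioc:
    value = refang(raw.strip())
    if kind == "ip:port":
        host, _, port = value.rpartition(":")
        ipaddress.ip_address(host)  # raises ValueError on a malformed address
        return Ioc(kind, value, host, int(port), confidence)
    if kind == "domain":
        return Ioc(kind, value.lower().rstrip("."), None, None, confidence)
    raise ValueError(f"unsupported IOC type: {kind}")


def load_iocs(rows, min_confidence: int = 0) -> List[Ioc]:
    """Parse every row and drop those below the ThreatFox confidence threshold."""
    return [ioc for ioc in (parse_ioc(*row) for row in rows) if ioc.confidence >= min_confidence]


def kql_dynamic_list(iocs: List[Ioc], kind: str) -> str:
    """Render a KQL dynamic([...]) literal for a `let` statement.
    ip:port IOCs are emitted as bare IPs, matching the page's queries."""
    values = sorted({ioc.ip if ioc.kind == "ip:port" else ioc.value for ioc in iocs if ioc.kind == kind})
    return "dynamic(" + json.dumps(values) + ")"


# Constructed sample events (not real telemetry), shaped like DeviceNetworkEvents / DnsEvents rows.
SAMPLE_EVENTS = [
    {"host": "ws-01", "dst_ip": "178.16.55.121", "dst_port": 1990, "proc": "svchost.exe"},
    {"host": "ws-02", "dst_ip": "45.32.64.21", "dst_port": 443, "proc": "chrome.exe"},  # listed IP, other port
    {"host": "dns-01", "query": "Climacoolllll202620262026.dynuddns.net."},             # mixed case, trailing dot
    {"host": "ws-03", "dst_ip": "10.0.0.5", "dst_port": 8080, "proc": "outlook.exe"},  # listed port only
]


def match_events(events, iocs: List[Ioc], require_port: bool = True) -> List[Tuple[str, str, str]]:
    """Return (host, ioc_kind, matched_value) for every event that hits an IOC.
    require_port=False reproduces the IP-only matching of the KQL queries above."""
    ports_by_ip: Dict[str, Set[int]] = {}
    for ioc in iocs:
        if ioc.kind == "ip:port":
            ports_by_ip.setdefault(ioc.ip, set()).add(ioc.port)
    domains = {ioc.value for ioc in iocs if ioc.kind == "domain"}

    hits: List[Tuple[str, str, str]] = []
    for ev in events:
        if "query" in ev:
            name = ev["query"].lower().rstrip(".")
            if name in domains or any(name.endswith("." + d) for d in domains):
                hits.append((ev["host"], "domain", name))
        elif ev.get("dst_ip") in ports_by_ip:
            if not require_port or ev["dst_port"] in ports_by_ip[ev["dst_ip"]]:
                hits.append((ev["host"], "ip:port", f"{ev['dst_ip']}:{ev['dst_port']}"))
    return hits


if __name__ == "__main__":
    iocs = load_iocs(IOC_ROWS)
    print(kql_dynamic_list(iocs, "ip:port"))
    for hit in match_events(SAMPLE_EVENTS, iocs, require_port=False):
        print("IP-only hit:", hit)
    for hit in match_events(SAMPLE_EVENTS, iocs, require_port=True):
        print("ip:port hit:", hit)
```

Running it shows that IP-only matching also flags ws-02, which reached a listed address on port 443 rather than the IOC port 8808; exact ip:port matching keeps only the ws-01 connection and the DNS lookup. Raising `min_confidence` to 75 drops the two 50% indicators, which is the right setting for an alerting rule, while hunting can run with the full list.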
Known False Positives
Scenario: Connection to a listed IP on a port other than the one in the IOC. The indicators are ip:port pairs, but the queries match on IP alone, and a single address at a hosting provider can serve unrelated tenants.
Filter/Exclusion: Triage IP-only matches by whether DestinationPort/RemotePort equals the IOC port; treat a port mismatch as lower priority unless the initiating process, timing or volume is itself suspicious.
Scenario: Inbound scanning or blocked connection attempts from a listed IP against the perimeter (a SourceIP match in CommonSecurityLog with a deny/drop DeviceAction).
Filter/Exclusion: Separate inbound denied traffic from outbound allowed traffic; an outbound connection initiated by an internal host is the beaconing pattern this rule exists to catch.
Scenario: Internal security tooling (sandboxes, URL scanners, threat-intel enrichment jobs, vulnerability scanners) that deliberately resolves or connects to the indicators.
Filter/Exclusion: Exclude the hostnames or source IPs of those systems, and review the exclusion list whenever the tooling changes.
Scenario: The dynamic DNS domain is resolved by a recursive resolver performing prefetching or by a security product, rather than by a process on an endpoint.
Filter/Exclusion: Correlate the DnsEvents hit with a subsequent DeviceNetworkEvents connection from the same host to the resolved address before escalating; block only the listed hostname, not the provider's parent dynuddns.net zone.
Scenario: Matches on the 50%-confidence indicators (45.32.64.21:8808 and 64.89.160.44:1000) or on infrastructure that has been reassigned since its First Seen date.
Filter/Exclusion: Treat 50%-confidence matches as hunting leads that need corroboration (initiating process, persistence artifacts, beacon periodicity) rather than as alerts, and re-check the indicator on ThreatFox before acting on an aged IOC.