The "ThreatFox: AsyncRAT IOCs" rule detects potential command and control activity associated with the AsyncRAT malware, which is known for its persistence and data exfiltration capabilities. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced persistent threats before they cause significant data loss or network compromise.
IOC Summary

Malware Family: AsyncRAT
Total IOCs: 12
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 89[.]42[.]134[.]220:1991 | botnet_cc | 2026-06-13 | 75% |
| ip:port | 188[.]121[.]162[.]153:5000 | botnet_cc | 2026-06-13 | 75% |
| ip:port | 107[.]173[.]9[.]88:8000 | botnet_cc | 2026-06-13 | 75% |
| ip:port | 102[.]46[.]221[.]148:6606 | botnet_cc | 2026-06-13 | 75% |
| ip:port | 45[.]156[.]87[.]226:8545 | botnet_cc | 2026-06-13 | 100% |
| ip:port | 102[.]46[.]221[.]148:8808 | botnet_cc | 2026-06-12 | 100% |
| ip:port | 69[.]172[.]210[.]50:8808 | botnet_cc | 2026-06-12 | 75% |
| ip:port | 172[.]94[.]18[.]103:72 | botnet_cc | 2026-06-12 | 75% |
| ip:port | 158[.]220[.]96[.]15:3319 | botnet_cc | 2026-06-12 | 75% |
| ip:port | 69[.]172[.]210[.]50:7001 | botnet_cc | 2026-06-12 | 100% |
| ip:port | 83[.]142[.]209[.]7:8545 | botnet_cc | 2026-06-12 | 100% |
| ip:port | 193[.]26[.]115[.]190:50050 | botnet_cc | 2026-06-12 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AsyncRAT
let malicious_ips = dynamic(["188.121.162.153", "45.156.87.226", "69.172.210.50", "107.173.9.88", "193.26.115.190", "158.220.96.15", "89.42.134.220", "83.142.209.7", "102.46.221.148", "172.94.18.103"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["188.121.162.153", "45.156.87.226", "69.172.210.50", "107.173.9.88", "193.26.115.190", "158.220.96.15", "89.42.134.220", "83.142.209.7", "102.46.221.148", "172.94.18.103"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
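Both queries above match on address only, while every ThreatFox entry in the table is an ip:port pair, and two of the addresses (102.46.221.148 and 69.172.210.50) are listed with two different ports each. The script below is an added example, not code from this page, from ThreatFox, or from the Sentinel rule: it refangs the table's defanged IOC strings, validates each address and port, and renders a KQL datatable plus a join query that matches on both address and port, so a host that is also contacted on an unrelated port is not flagged. It also runs the two matching strategies over a constructed set of connection records to show the difference. The helper names (`refang`, `build_hunt_query`, `match_ip_port`, etc.) and the sample connections are assumptions made for illustration; the IOC values are copied from the table.

```python
"""Refang ThreatFox ip:port IOCs and generate an exact (ip, port) Sentinel hunt.

Added example for this page; not ThreatFox, Sentinel, or rule-author code.
IOC strings are copied from the page's table; connection records are constructed.
"""
import re
from ipaddress import ip_address
from typing import Iterable, List, NamedTuple, Set

# Defanged IOC values exactly as listed in the page's table.
DEFANGED_IOCS = [
    "89[.]42[.]134[.]220:1991",
    "188[.]121[.]162[.]153:5000",
    "107[.]173[.]9[.]88:8000",
    "102[.]46[.]221[.]148:6606",
    "45[.]156[.]87[.]226:8545",
    "102[.]46[.]221[.]148:8808",
    "69[.]172[.]210[.]50:8808",
    "172[.]94[.]18[.]103:72",
    "158[.]220[.]96[.]15:3319",
    "69[.]172[.]210[.]50:7001",
    "83[.]142[.]209[.]7:8545",
    "193[.]26[.]115[.]190:50050",
]


class Ioc(NamedTuple):
    ip: str
    port: int


class Conn(NamedTuple):
    # Constructed record shape for the demo, not a Sentinel table schema.
    host: str
    remote_ip: str
    remote_port: int
    process: str


_IOC_RE = re.compile(r"^(?P<ip>[0-9\[\].]+):(?P<port>\d{1,5})$")


def refang(value: str) -> Ioc:
    """Turn 'a[.]b[.]c[.]d:port' into an Ioc; rejects malformed addresses and ports."""
    m = _IOC_RE.match(value.strip())
    if not m:
        raise ValueError(f"not an ip:port IOC: {value!r}")
    ip = m.group("ip").replace("[.]", ".")
    ip_address(ip)  # raises ValueError for anything that is not a valid IP literal
    port = int(m.group("port"))
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {value!r}")
    return Ioc(ip, port)


def load_iocs(values: Iterable[str]) -> Set[Ioc]:
    """Parse every IOC; exact duplicates collapse, same IP with a new port stays distinct."""
    return {refang(v) for v in values}


def to_kql_datatable(iocs: Set[Ioc], name: str = "iocs") -> str:
    """Render the IOC set as a KQL datatable with separate ip and port columns."""
    rows = ",\n".join(f'    "{i.ip}", {i.port}' for i in sorted(iocs))
    return f"let {name} = datatable(ioc_ip:string, ioc_port:int) [\n{rows}\n];"


def build_hunt_query(iocs: Set[Ioc], table: str = "DeviceNetworkEvents",
                     ip_col: str = "RemoteIP", port_col: str = "RemotePort") -> str:
    """Emit a KQL hunt joining telemetry to the datatable on BOTH address and port.
    Defaults fit DeviceNetworkEvents; use DestinationIP/DestinationPort for CommonSecurityLog."""
    return "\n".join([
        to_kql_datatable(iocs),
        table,
        f"| join kind=inner iocs on $left.{ip_col} == $right.ioc_ip, "
        f"$left.{port_col} == $right.ioc_port",
        "| project-away ioc_ip, ioc_port",
    ])


def match_ip_only(conns: Iterable[Conn], iocs: Set[Ioc]) -> List[Conn]:
    """What the page's queries do: flag any connection to an IOC address."""
    ips = {i.ip for i in iocs}
    return [c for c in conns if c.remote_ip in ips]


def match_ip_port(conns: Iterable[Conn], iocs: Set[Ioc]) -> List[Conn]:
    """Stricter: flag only connections to the exact ip:port pair ThreatFox reported."""
    pairs = {(i.ip, i.port) for i in iocs}
    return [c for c in conns if (c.remote_ip, c.remote_port) in pairs]


# Constructed sample connections (not real telemetry).
SAMPLE_CONNS = [
    Conn("ws-01", "45.156.87.226", 8545, "svchost.exe"),   # exact IOC pair
    Conn("ws-02", "45.156.87.226", 443, "chrome.exe"),     # IOC address, non-IOC port
    Conn("ws-03", "10.0.0.5", 8545, "python.exe"),         # IOC port, internal address
    Conn("ws-04", "102.46.221.148", 8808, "cmd.exe"),      # second port listed for this address
]

IOCS = load_iocs(DEFANGED_IOCS)

if __name__ == "__main__":
    print(build_hunt_query(IOCS))
    print("ip-only hits:", [c.host for c in match_ip_only(SAMPLE_CONNS, IOCS)])
    print("ip:port hits:", [c.host for c in match_ip_port(SAMPLE_CONNS, IOCS)])
```

Running it prints the generated query and shows that the address-only matcher flags ws-01, ws-02 and ws-04, while the ip:port matcher flags only ws-01 and ws-04. Whether the stricter form is appropriate depends on the feed: an address-only match is the right first pass for a dedicated C2 host, and the port-qualified join is the lower-noise pass for addresses that may also host unrelated services; the two queries on this page can be kept as they are and the generated join run alongside them.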
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using crontab to run system diagnostics
Description: A system administrator schedules a cron job using crontab -e to run a legitimate diagnostic tool like smartmontools or iostat.
Filter/Exclusion: Exclude processes initiated by crontab or filter by command-line arguments containing known diagnostic tools.

Scenario: Use of async in Python scripts for asynchronous I/O operations
Description: A developer uses the async keyword in Python scripts for non-blocking I/O operations, such as fetching data from an internal API or database.
Filter/Exclusion: Exclude processes where the command line includes Python scripts with async and known internal service endpoints.

Scenario: Admin task using async in PowerShell for background processing
Description: An admin uses PowerShell scripts with async keywords to perform background tasks like log rotation or data aggregation.
Filter/Exclusion: Exclude processes where the command line includes PowerShell scripts with async and internal service hosts.

Scenario: Use of AsyncRAT-like names in internal tools or projects
Description: An internal tool or project uses the term "AsyncRAT" in its name (e.g., AsyncRAT-Scanner) as part of a naming convention.
Filter/Exclusion: Exclude processes where the command line or file name contains "AsyncRAT" and the process is known to be part of internal development or testing.

Scenario: Log file rotation using async in a log management tool
Description: A log management tool like logrotate or rsyslog uses asynchronous I/O to rotate and manage log files.
Filter/Exclusion: Exclude processes related to log rotation tools or those with command-line arguments containing log file