The ThreatFox: AsyncRAT IOCs rule detects potential command and control activity associated with the AsyncRAT malware, which is known for its persistence and data exfiltration capabilities. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced persistent threats that could compromise sensitive data and network integrity.
IOC Summary

Malware Family: AsyncRAT
Total IOCs: 12
IOC Types: domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 45[.]154[.]98[.]84:100 | botnet_cc | 2026-05-22 | 75% |
| ip:port | 45[.]154[.]98[.]84:8808 | botnet_cc | 2026-05-22 | 75% |
| ip:port | 192[.]109[.]200[.]183:5566 | botnet_cc | 2026-05-22 | 75% |
| domain | dozie.io | botnet_cc | 2026-05-22 | 75% |
| ip:port | 38[.]146[.]25[.]232:8808 | botnet_cc | 2026-05-22 | 100% |
| ip:port | 207[.]180[.]250[.]181:111 | botnet_cc | 2026-05-22 | 100% |
| ip:port | 207[.]180[.]250[.]181:70 | botnet_cc | 2026-05-22 | 100% |
| ip:port | 31[.]57[.]184[.]154:7006 | botnet_cc | 2026-05-22 | 75% |
| ip:port | 31[.]171[.]131[.]118:7707 | botnet_cc | 2026-05-22 | 75% |
| ip:port | 31[.]171[.]131[.]118:8808 | botnet_cc | 2026-05-22 | 75% |
| ip:port | 193[.]93[.]194[.]31:50194 | botnet_cc | 2026-05-22 | 75% |
| ip:port | 176[.]119[.]25[.]78:7707 | botnet_cc | 2026-05-22 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AsyncRAT
let malicious_ips = dynamic(["31.57.184.154", "38.146.25.232", "45.154.98.84", "31.171.131.118", "193.93.194.31", "207.180.250.181", "176.119.25.78", "192.109.200.183"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["31.57.184.154", "38.146.25.232", "45.154.98.84", "31.171.131.118", "193.93.194.31", "207.180.250.181", "176.119.25.78", "192.109.200.183"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - AsyncRAT
let malicious_domains = dynamic(["dozie.io"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
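The hunting queries above match on the C2 IP alone and drop the port that ThreatFox publishes with each ip:port indicator. As an added example (not part of the ThreatFox feed or this rule), the helper below refangs the `[.]` notation from the IOC table, validates each indicator, and emits a Sentinel `DeviceNetworkEvents` hunt that joins on the exact ip:port pair; the `IOC_ROWS` sample is constructed from a few rows of the table above.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

# Constructed sample rows (Type, Value), in the same defanged form as the IOC table above.
IOC_ROWS = [
    ("ip:port", "45[.]154[.]98[.]84:100"),
    ("ip:port", "45[.]154[.]98[.]84:8808"),
    ("ip:port", "207[.]180[.]250[.]181:70"),
    ("domain", "dozie.io"),
]

class Ioc(NamedTuple):
    kind: str            # "ip:port" or "domain"
    value: str           # refanged IP address or domain
    port: Optional[int]  # None for domains

def refang(raw: str) -> str:
    """Undo the [.] / [:] defanging used in ThreatFox exports."""
    return raw.replace("[.]", ".").replace("[:]", ":")

def parse_ioc(kind: str, raw: str) -> Ioc:
    """Parse one table row; malformed IPs, ports or domains raise instead of reaching a query."""
    value = refang(raw.strip())
    if kind == "ip:port":
        host, sep, port = value.rpartition(":")
        if not sep or not port.isdigit() or not 0 < int(port) < 65536:
            raise ValueError(f"bad ip:port indicator: {raw!r}")
        ipaddress.ip_address(host)  # raises ValueError on a garbled address
        return Ioc(kind, host, int(port))
    if kind == "domain":
        if not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", value.lower()):
            raise ValueError(f"bad domain indicator: {raw!r}")
        return Ioc(kind, value.lower(), None)
    raise ValueError(f"unsupported IOC type: {kind!r}")

def build_kql(iocs: list) -> str:
    """Emit a Sentinel hunt that matches the exact C2 ip:port pairs, not just the IP."""
    pairs = sorted({(i.value, i.port) for i in iocs if i.kind == "ip:port"})
    rows = ",\n".join(f'    "{ip}", {port}' for ip, port in pairs)
    return (
        f"let cc_endpoints = datatable(RemoteIP:string, RemotePort:int) [\n{rows}\n];\n"
        "DeviceNetworkEvents\n"
        "| join kind=inner cc_endpoints on RemoteIP, RemotePort\n"
        "| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName\n"
    )

if __name__ == "__main__":
    print(build_kql([parse_ioc(k, v) for k, v in IOC_ROWS]))
```

The port-exact join is the tighter hunt; keep the page's IP-only queries alongside it, since a RAT operator can move the listener to a new port on the same host.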
Scenario: Legitimate scheduled backup job using rsync
Description: A scheduled backup job using rsync may trigger the rule due to network IOCs or command-line arguments resembling malicious activity.
Filter/Exclusion: Check for rsync in the command line and filter by process name or parent process. Example: process.name = rsync or parent.process.name = cron
Scenario: Admin using wget to download a trusted internal artifact
Description: An administrator may use wget to download a legitimate internal tool or configuration file, which could match an IOC from AsyncRAT.
Filter/Exclusion: Filter by source IP or domain, e.g., source.ip = 10.0.0.1 or domain = internal-artifact.repo
Scenario: PowerShell script execution for system monitoring
Description: A PowerShell script used for system monitoring (e.g., Get-EventLog, Get-Service) may trigger the rule due to similar command patterns.
Filter/Exclusion: Filter by script path or user context, e.g., script.path = C:\Windows\System32\ or user.name = admin
Scenario: Log shipping using logrotate with custom scripts
Description: A log rotation setup using logrotate with custom scripts may generate IOCs that match AsyncRAT indicators.
Filter/Exclusion: Filter by process name or script location, e.g., process.name = logrotate or script.path = /etc/logrotate.d/
Scenario: Internal tool deployment using scp with known hosts
Description: An internal deployment tool using scp to transfer files between servers may trigger the rule due to network IOCs.
Filter/Exclusion: Filter by destination