The ThreatFox: AsyncRAT IOCs rule detects potential command and control activity associated with the AsyncRAT malware, which is known for its persistence and data exfiltration capabilities. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced persistent threats before they cause significant data loss or network compromise.
IOC Summary

Malware Family: AsyncRAT
Total IOCs: 10
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 45[.]138[.]16[.]56:6666 | botnet_cc | 2026-06-24 | 75% |
| ip:port | 107[.]172[.]133[.]195:56001 | botnet_cc | 2026-06-24 | 75% |
| ip:port | 102[.]220[.]160[.]222:6606 | botnet_cc | 2026-06-24 | 75% |
| ip:port | 102[.]220[.]160[.]250:6606 | botnet_cc | 2026-06-24 | 75% |
| ip:port | 102[.]220[.]160[.]250:7707 | botnet_cc | 2026-06-24 | 75% |
| ip:port | 82[.]29[.]100[.]224:6666 | botnet_cc | 2026-06-23 | 75% |
| ip:port | 45[.]138[.]16[.]56:8008 | botnet_cc | 2026-06-23 | 75% |
| ip:port | 147[.]124[.]213[.]155:80 | botnet_cc | 2026-06-23 | 75% |
| ip:port | 147[.]93[.]191[.]75:20500 | botnet_cc | 2026-06-23 | 75% |
| ip:port | 102[.]220[.]160[.]250:8808 | botnet_cc | 2026-06-23 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AsyncRAT
// Note: this matches on IP only; the ports listed in the IOC table are not checked,
// so expect extra hits if any of these hosts also carry unrelated traffic.
let malicious_ips = dynamic(["147.93.191.75", "147.124.213.155", "102.220.160.250", "102.220.160.222", "82.29.100.224", "45.138.16.56", "107.172.133.195"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events (same IP list, same IP-only caveat)
let malicious_ips = dynamic(["147.93.191.75", "147.124.213.155", "102.220.160.250", "102.220.160.222", "82.29.100.224", "45.138.16.56", "107.172.133.195"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
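As an added example (not part of the ThreatFox rule page or its queries), a small Python helper that refangs the ip:port IOCs from the table, validates each one before it is pasted into a query, and emits a KQL hunt that matches the exact ip:port pair rather than the IP alone as the queries above do. It assumes CommonSecurityLog exposes DestinationIP as a string and DestinationPort as an integer.

```python
import ipaddress
import re

# Constructed sample input: the ten defanged ip:port IOCs from the table above.
DEFANGED_IOCS = [
    "45[.]138[.]16[.]56:6666", "107[.]172[.]133[.]195:56001",
    "102[.]220[.]160[.]222:6606", "102[.]220[.]160[.]250:6606",
    "102[.]220[.]160[.]250:7707", "82[.]29[.]100[.]224:6666",
    "45[.]138[.]16[.]56:8008", "147[.]124[.]213[.]155:80",
    "147[.]93[.]191[.]75:20500", "102[.]220[.]160[.]250:8808",
]

_IOC_RE = re.compile(r"^(?P<ip>[0-9\[\].]+):(?P<port>\d{1,5})$")


def refang(ioc: str) -> tuple[str, int]:
    """Defanged 'a[.]b[.]c[.]d:port' -> validated (ip, port); bad input raises, never reaches a query."""
    m = _IOC_RE.match(ioc.strip())
    if not m:
        raise ValueError(f"unexpected IOC format: {ioc!r}")
    ip = str(ipaddress.IPv4Address(m.group("ip").replace("[.]", ".")))  # raises on bad octets
    port = int(m.group("port"))
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {ioc!r}")
    return ip, port


def unique_ips(iocs: list[str]) -> list[str]:
    """IP-only list, equivalent to the malicious_ips array in the queries above."""
    return sorted({refang(i)[0] for i in iocs})


def build_kql(iocs: list[str]) -> str:
    """Emit a CommonSecurityLog hunt that requires the exact ip:port pair.

    Pair matching avoids noise from unrelated traffic to a host that also runs
    benign services, at the cost of missing a C2 that moves to a new port.
    """
    pairs = sorted({f"{ip}:{port}" for ip, port in map(refang, iocs)})
    endpoints = ", ".join(f'"{p}"' for p in pairs)
    return (
        f"let c2_endpoints = dynamic([{endpoints}]);\n"
        "CommonSecurityLog\n"
        '| extend endpoint = strcat(DestinationIP, ":", tostring(DestinationPort))\n'
        "| where endpoint in (c2_endpoints)\n"
        "| project TimeGenerated, SourceIP, endpoint, DeviceAction, Activity\n"
        "| order by TimeGenerated desc"
    )
```

Run both variants side by side: the IP-only query is the broader net, the pair query is the lower-noise confirmation.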
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Legitimate scheduled job using crontab to run system diagnostics | A system administrator schedules a cron job to run a legitimate diagnostic tool like sar or iostat for performance monitoring. | Exclude processes initiated by crontab or filter by command-line arguments containing sar, iostat, or similar tools. |
| Admin using AsyncRAT-like tools for network traffic analysis | A security analyst uses a tool like tcpdump or Wireshark to capture and analyze network traffic, which may include similar command-line arguments to AsyncRAT. | Exclude processes with tcpdump, Wireshark, or tshark in the command line, or filter by user ID (e.g., root or security). |
| Regular system update using yum or apt with temporary files | A system update process creates temporary files in directories like /tmp or /var/tmp, which may be flagged due to their similarity to malicious IOCs. | Exclude processes initiated by yum, apt, or dnf, or filter by directory paths like /tmp or /var/tmp. |
| Legitimate remote management tool like Ansible or SaltStack | Ansible or SaltStack may execute commands that resemble malicious activity, such as scp, ssh, or rsync, which could trigger the rule. | Exclude processes initiated by Ansible or SaltStack, or filter by user agent or connection source IP ranges used by the tool. |
| User running a legitimate script with async or rat in the name | | |