The ThreatFox: AsyncRAT IOCs rule detects potential command and control activity associated with the AsyncRAT malware, which is known for its persistence and data exfiltration capabilities. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced persistent threats before they cause significant damage.
IOC Summary

Malware Family: AsyncRAT
Total IOCs: 12
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 89[.]42[.]134[.]220:1803 | botnet_cc | 2026-06-15 | 75% |
| ip:port | 87[.]182[.]39[.]55:51123 | botnet_cc | 2026-06-15 | 75% |
| ip:port | 83[.]229[.]85[.]74:6606 | botnet_cc | 2026-06-15 | 75% |
| ip:port | 31[.]6[.]11[.]162:7070 | botnet_cc | 2026-06-15 | 75% |
| ip:port | 198[.]23[.]185[.]231:70 | botnet_cc | 2026-06-15 | 75% |
| ip:port | 107[.]172[.]133[.]182:56002 | botnet_cc | 2026-06-15 | 75% |
| ip:port | 89[.]42[.]134[.]220:8808 | botnet_cc | 2026-06-14 | 75% |
| ip:port | 83[.]229[.]85[.]74:8808 | botnet_cc | 2026-06-14 | 75% |
| ip:port | 213[.]152[.]161[.]157:18856 | botnet_cc | 2026-06-14 | 75% |
| ip:port | 209[.]99[.]185[.]96:1002 | botnet_cc | 2026-06-14 | 75% |
| ip:port | 204[.]194[.]54[.]9:2682 | botnet_cc | 2026-06-14 | 75% |
| ip:port | 161[.]97[.]166[.]38:6006 | botnet_cc | 2026-06-14 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AsyncRAT
// Note: the IOCs above are ip:port pairs, but this query matches on IP alone.
// Add a DestinationPort check to tighten it if the shared IPs generate noise.
let malicious_ips = dynamic(["204.194.54.9", "161.97.166.38", "198.23.185.231", "89.42.134.220", "209.99.185.96", "83.229.85.74", "213.152.161.157", "107.172.133.182", "31.6.11.162", "87.182.39.55"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Note: matches on RemoteIP alone; RemotePort is projected so the analyst can compare it to the IOC port.
let malicious_ips = dynamic(["204.194.54.9", "161.97.166.38", "198.23.185.231", "89.42.134.220", "209.99.185.96", "83.229.85.74", "213.152.161.157", "107.172.133.182", "31.6.11.162", "87.182.39.55"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
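As an added example (not part of this rule page or of ThreatFox's own tooling), the script below takes the defanged ip:port IOCs listed above, refangs and validates them, emits the KQL `let` list the Sentinel queries use, and matches a few constructed CommonSecurityLog-style records both IP-only (as the queries above do) and IP-plus-port, so the difference in hit count is visible. All function names, the `malicious_endpoints` list name and the sample events are my own.

```python
"""Refang ThreatFox ip:port IOCs, build KQL lists, and match sample events.

Added example; not the rule page's or ThreatFox's code. Names are assumptions.
"""
import ipaddress
import json
import re
from typing import Dict, Iterable, List, Set, Tuple

# IOCs copied from the table on this page, defanged exactly as listed.
THREATFOX_IOCS = [
    "89[.]42[.]134[.]220:1803", "87[.]182[.]39[.]55:51123",
    "83[.]229[.]85[.]74:6606", "31[.]6[.]11[.]162:7070",
    "198[.]23[.]185[.]231:70", "107[.]172[.]133[.]182:56002",
    "89[.]42[.]134[.]220:8808", "83[.]229[.]85[.]74:8808",
    "213[.]152[.]161[.]157:18856", "209[.]99[.]185[.]96:1002",
    "204[.]194[.]54[.]9:2682", "161[.]97[.]166[.]38:6006",
]

# Common defanging styles for the dot: [.], (.), {.}
DEFANG_DOT = re.compile(r"\[\.\]|\(\.\)|\{\.\}")


def refang(ioc: str) -> str:
    """Turn '89[.]42[.]134[.]220:1803' into '89.42.134.220:1803'."""
    return DEFANG_DOT.sub(".", ioc.strip())


def parse_ip_port(ioc: str) -> Tuple[str, int]:
    """Split an IPv4 ip:port IOC; raise ValueError on anything malformed."""
    host, sep, port = refang(ioc).rpartition(":")
    if not sep:
        raise ValueError(f"no port in IOC: {ioc!r}")
    ipaddress.IPv4Address(host)  # raises ValueError if not a valid IPv4 address
    port_n = int(port)
    if not 0 < port_n <= 65535:
        raise ValueError(f"port out of range in IOC: {ioc!r}")
    return host, port_n


def is_valid_ioc(ioc: str) -> bool:
    """True if the IOC parses as a well-formed IPv4 ip:port pair."""
    try:
        parse_ip_port(ioc)
        return True
    except ValueError:
        return False


def unique_ips(iocs: Iterable[str]) -> List[str]:
    """Distinct IPs across the IOC set, sorted numerically."""
    return sorted({parse_ip_port(i)[0] for i in iocs}, key=ipaddress.IPv4Address)


def kql_ip_list(iocs: Iterable[str], name: str = "malicious_ips") -> str:
    """The IP-only `let` statement used by the queries on this page."""
    return f"let {name} = dynamic({json.dumps(unique_ips(iocs))});"


def kql_ip_port_list(iocs: Iterable[str], name: str = "malicious_endpoints") -> str:
    """A stricter ip:port list, usable as strcat(DestinationIP, ':', DestinationPort) in (list)."""
    pairs = sorted({f"{ip}:{port}" for ip, port in map(parse_ip_port, iocs)})
    return f"let {name} = dynamic({json.dumps(pairs)});"


def match_events(events: Iterable[dict], iocs: Iterable[str], require_port: bool) -> List[dict]:
    """Return events whose DestinationIP (and, if require_port, DestinationPort) hits an IOC."""
    ports_by_ip: Dict[str, Set[int]] = {}
    for ip, port in map(parse_ip_port, iocs):
        ports_by_ip.setdefault(ip, set()).add(port)
    hits = []
    for ev in events:
        ports = ports_by_ip.get(ev["DestinationIP"])
        if ports is None:
            continue
        if require_port and ev["DestinationPort"] not in ports:
            continue
        hits.append(ev)
    return hits


# Constructed CommonSecurityLog-style records for the demo (not real telemetry).
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-06-15T10:01:00Z", "SourceIP": "10.0.0.5",
     "DestinationIP": "89.42.134.220", "DestinationPort": 1803},   # IP and port match
    {"TimeGenerated": "2026-06-15T10:02:00Z", "SourceIP": "10.0.0.5",
     "DestinationIP": "89.42.134.220", "DestinationPort": 443},    # IP matches, port does not
    {"TimeGenerated": "2026-06-15T10:03:00Z", "SourceIP": "10.0.0.7",
     "DestinationIP": "8.8.8.8", "DestinationPort": 53},           # no match
    {"TimeGenerated": "2026-06-15T10:04:00Z", "SourceIP": "10.0.0.9",
     "DestinationIP": "83.229.85.74", "DestinationPort": 8808},    # IP and port match
]

if __name__ == "__main__":
    print(kql_ip_list(THREATFOX_IOCS))
    print(kql_ip_port_list(THREATFOX_IOCS))
    print("IP-only hits:", len(match_events(SAMPLE_EVENTS, THREATFOX_IOCS, require_port=False)))
    print("IP+port hits:", len(match_events(SAMPLE_EVENTS, THREATFOX_IOCS, require_port=True)))
```

The 12 IOCs collapse to 10 distinct IPs, which is why the page's `let` list is shorter than the table; on the sample records the IP-only match returns three hits and the ip:port match two, the difference being the connection to a listed IP on an unlisted port, which is the case worth a second look rather than an automatic alert.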
Scenario: Legitimate scheduled job using crontab to run a system cleanup tool
Description: A system administrator schedules a cleanup task using crontab that executes a legitimate tool like logrotate or systemd-tmpfiles-clean.
Filter/Exclusion: Exclude processes where the command line includes crontab or systemd-tmpfiles-clean.

Scenario: Admin using tar to archive logs for compliance
Description: An admin uses the tar command to archive log files for compliance or auditing purposes, which may include files with suspicious names.
Filter/Exclusion: Exclude processes where the command line includes tar and the destination path is within a known log directory (e.g., /var/log/).

Scenario: Use of wget to download a legitimate software update
Description: A system administrator uses wget to download a software update from a trusted internal repository, which may match some AsyncRAT IOCs.
Filter/Exclusion: Exclude processes where the URL contains internal IP addresses or internal domain names (e.g., internal-repo.example.com).

Scenario: PowerShell script for system monitoring
Description: A PowerShell script used for system monitoring or performance tracking may use similar command-line patterns to AsyncRAT.
Filter/Exclusion: Exclude processes where the executable is powershell.exe and the script path is within a known admin script directory (e.g., C:\scripts\).

Scenario: Use of rsync for data backup
Description: A backup process using rsync to transfer data between servers may involve file paths or commands that resemble AsyncRAT IOCs.
Filter/Exclusion: Exclude processes where the command line includes rsync and the source/destination