The ThreatFox: AsyncRAT IOCs rule detects potential command and control communication associated with the AsyncRAT malware, which is known for its persistence and data exfiltration capabilities. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced persistent threats that could compromise sensitive data and network integrity.
IOC Summary
Malware Family: AsyncRAT
Total IOCs: 11
IOC Types: domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 157[.]20[.]182[.]17:6666 | botnet_cc | 2026-05-25 | 75% |
| ip:port | 157[.]20[.]182[.]18:6666 | botnet_cc | 2026-05-25 | 75% |
| ip:port | 192[.]3[.]176[.]241:8808 | botnet_cc | 2026-05-25 | 100% |
| ip:port | 157[.]20[.]182[.]18:4444 | botnet_cc | 2026-05-25 | 100% |
| ip:port | 157[.]20[.]182[.]17:1337 | botnet_cc | 2026-05-25 | 100% |
| ip:port | 157[.]20[.]182[.]17:1338 | botnet_cc | 2026-05-25 | 100% |
| ip:port | 157[.]20[.]182[.]17:4444 | botnet_cc | 2026-05-25 | 100% |
| ip:port | 197[.]147[.]49[.]135:5000 | botnet_cc | 2026-05-25 | 50% |
| domain | xn88.se.net | botnet_cc | 2026-05-25 | 75% |
| domain | soaprise.me | botnet_cc | 2026-05-25 | 75% |
| domain | server.us.org | botnet_cc | 2026-05-25 | 75% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AsyncRAT
// Note: this matches any traffic to or from the listed IPs regardless of port;
// the IOC table above lists the specific C2 ports, so review hits against them.
let malicious_ips = dynamic(["157.20.182.18", "197.147.49.135", "192.3.176.241", "157.20.182.17"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - AsyncRAT
// Note: RemotePort is projected but not filtered; compare it with the IOC table's ports.
let malicious_ips = dynamic(["157.20.182.18", "197.147.49.135", "192.3.176.241", "157.20.182.17"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - AsyncRAT
let malicious_domains = dynamic(["xn88.se.net", "soaprise.me", "server.us.org"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
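The queries above match on IP alone, while the feed lists `ip:port` pairs. As an added example (not part of the ThreatFox feed or this rule's own queries), the following Python refangs IOCs written in the page's defanged style and generates a KQL query that joins `DeviceNetworkEvents` on both `RemoteIP` and `RemotePort`, so a hit requires the exact C2 port. The `type|value` input format and the sample lines are constructed assumptions.

```python
import ipaddress

# Constructed sample in a hypothetical "type|value" format; values are taken
# from the IOC table on this page and are still defanged.
RAW_IOCS = """
ip:port|157[.]20[.]182[.]17:6666
ip:port|192[.]3[.]176[.]241:8808
ip:port|157[.]20[.]182[.]17:4444
domain|xn88.se.net
domain|soaprise.me
"""


def refang(value: str) -> str:
    """Turn '157[.]20[.]182[.]17' back into '157.20.182.17'."""
    return value.strip().replace("[.]", ".")


def parse_iocs(raw: str):
    """Return ([(ip, port), ...], [domain, ...]) from 'type|value' lines.

    Raises ValueError on a malformed ip:port entry so a bad feed line cannot
    silently become a query that never matches anything.
    """
    ip_ports, domains = [], []
    for line in raw.strip().splitlines():
        ioc_type, value = line.split("|", 1)
        value = refang(value)
        if ioc_type == "ip:port":
            ip, port = value.rsplit(":", 1)
            ipaddress.ip_address(ip)  # ValueError if not a valid IP
            if not 0 < int(port) < 65536:
                raise ValueError(f"bad port in {value!r}")
            ip_ports.append((ip, int(port)))
        elif ioc_type == "domain":
            domains.append(value.lower())
    return ip_ports, domains


def build_kql(ip_ports) -> str:
    """Emit KQL that joins DeviceNetworkEvents on the exact (IP, port) pair."""
    rows = ",\n".join(f'    "{ip}", {port}' for ip, port in sorted(set(ip_ports)))
    return (
        "let c2 = datatable(RemoteIP:string, RemotePort:int) [\n"
        f"{rows}\n];\n"
        "DeviceNetworkEvents\n"
        "| join kind=inner c2 on RemoteIP, RemotePort\n"
        "| project Timestamp, DeviceName, RemoteIP, RemotePort, "
        "InitiatingProcessFileName, ActionType\n"
        "| order by Timestamp desc"
    )
```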
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion | Example |
|---|---|---|
| Legitimate scheduled job using crontab to run system maintenance scripts | Exclude processes where the command line includes crontab or systemd and the user is a system admin. | `process.user = "root" AND process.command_line CONTAINS "crontab"` |
| Use of wget or curl for legitimate software updates | Exclude network requests where the destination is a known internal update server or a trusted external repository. | `network.destination_ip = "10.0.0.100" OR network.destination_host = "updates.example.com"` |
| Admin task using ps or top for process monitoring | Exclude processes where the command line includes ps, top, or htop and the user is a system administrator. | `process.command_line CONTAINS "ps" AND process.user = "admin"` |
| Use of tar or gzip for archiving logs or backups | Exclude processes where the command line includes tar, gzip, or zip and the file paths are within a known backup directory. | `process.command_line CONTAINS "tar" AND file.path CONTAINS "/backups/"` |
| Legitimate use of rsync for data synchronization between servers | Exclude processes where the command line includes rsync and the source/destination are internal servers in the same domain. | `process.command_line CONTAINS "rsync" AND network.destination_ip IN ("10.0.0.50", "10.0.0.60")` |