The ThreatFox: AsyncRAT IOCs rule detects potential command and control communication associated with the AsyncRAT malware, which is commonly used for persistent remote access and data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that leverage these IOCs to maintain stealthy, long-term access to compromised networks.
IOC Summary
Malware Family: AsyncRAT
Total IOCs: 6
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 64[.]89[.]162[.]82:6606 | botnet_cc | 2026-06-11 | 100% |
| ip:port | 41[.]234[.]41[.]113:8808 | botnet_cc | 2026-06-11 | 50% |
| ip:port | 87[.]182[.]39[.]55:51125 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 198[.]23[.]185[.]231:20200 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 198[.]23[.]185[.]231:20800 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 172[.]94[.]18[.]103:71 | botnet_cc | 2026-06-10 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AsyncRAT
// Note: the IOCs are ip:port pairs; this query matches on the IP alone, so it is
// broader than the feed and may need the port added to cut down noise.
let malicious_ips = dynamic(["198.23.185.231", "87.182.39.55", "64.89.162.82", "172.94.18.103", "41.234.41.113"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - AsyncRAT (same IP-only match as above; RemotePort is projected for triage)
let malicious_ips = dynamic(["198.23.185.231", "87.182.39.55", "64.89.162.82", "172.94.18.103", "41.234.41.113"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Legitimate scheduled backup job using rsync with remote host | A scheduled backup job uses rsync to transfer data to a remote server, which matches the IP address of a known AsyncRAT IOC. | Exclude traffic where the source process is rsync and the destination is a known backup server IP. |
| Admin using wget to download a trusted internal script | An administrator downloads a trusted internal script using wget from a company-owned server, which is flagged as an AsyncRAT IOC. | Exclude downloads initiated by users with admin privileges and originating from internal IP ranges. |
| PowerShell script execution for system monitoring | A PowerShell script used for system monitoring (e.g., Get-EventLog, Get-Service) is flagged due to its use of a command-line argument that matches an AsyncRAT IOC. | Exclude PowerShell scripts that contain known monitoring commands and are executed by the system admin account. |
| Legitimate software update using curl to a known internal repository | A software update process uses curl to fetch a package from an internal repository, which is mistakenly flagged as an AsyncRAT IOC. | Exclude traffic where the destination is an internal repository and the source is a known update management tool. |
| Database backup using mysqldump with remote storage | A database backup process uses mysqldump to export data to a remote storage system, which is flagged as an AsyncRAT IOC. | Exclude backups initiated by the database admin user and using a known internal storage endpoint. |
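The queries above match on IP only, while the feed lists ip:port pairs, and the false-positive scenarios call for process-based exclusions. The following KQL is an added example (not part of the original rule) that joins DeviceNetworkEvents against the full ip:port IOC table and suppresses the rsync/mysqldump backup scenarios; the backup server IP and process allow-list are placeholders you must replace with your own environment's values.

```kql
// Added example: full ip:port matching with a placeholder backup allow-list.
// IOC table taken from the ThreatFox summary above (Confidence kept for triage ordering).
let iocs = datatable(ioc_ip:string, ioc_port:int, Confidence:int) [
    "64.89.162.82",   6606,  100,
    "41.234.41.113",  8808,  50,
    "87.182.39.55",   51125, 75,
    "198.23.185.231", 20200, 75,
    "198.23.185.231", 20800, 75,
    "172.94.18.103",  71,    75
];
// Placeholder allow-list (RFC 5737 documentation address); substitute real backup targets.
let known_backup_servers = dynamic(["203.0.113.10"]);
let backup_processes = dynamic(["rsync", "mysqldump"]);
DeviceNetworkEvents
| where ActionType in ("ConnectionSuccess", "ConnectionRequest")
// Require both IP and port to match, so shared hosts on unrelated ports are not flagged
| join kind=inner iocs on $left.RemoteIP == $right.ioc_ip, $left.RemotePort == $right.ioc_port
// Suppress the documented backup false positives: known process AND known destination
| where not(RemoteIP in (known_backup_servers) and InitiatingProcessFileName in~ (backup_processes))
| project Timestamp, DeviceName, RemoteIP, RemotePort, Confidence,
          InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType
| order by Confidence desc, Timestamp desc
```

Keeping the exclusion conditioned on both the process name and the destination address avoids silencing a hit where a backup tool name is reused by something else.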