The ThreatFox: AsyncRAT IOCs rule detects potential command-and-control (C2) communication and payload artifacts associated with the AsyncRAT malware, which is known for its persistence and data exfiltration capabilities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that leverage AsyncRAT for long-term network compromise.
IOC Summary
Malware Family: AsyncRAT
Total IOCs: 20
IOC Types: sha1_hash, sha256_hash, md5_hash, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 198[.]23[.]185[.]136:80 | botnet_cc | 2026-06-17 | 100% |
| ip:port | 64[.]89[.]160[.]127:1960 | botnet_cc | 2026-06-17 | 75% |
| ip:port | 147[.]93[.]191[.]75:7000 | botnet_cc | 2026-06-17 | 75% |
| sha1_hash | 096b1f15b8884bc396a5daaef50a90b4c5bb4fcd | payload | 2026-06-17 | 95% |
| md5_hash | a7b3e94a5fcd20c960c42426b7c9a0c9 | payload | 2026-06-17 | 95% |
| sha256_hash | 1dfe9be049f6bcad3caa8504dae4aad5e7e66d6e5ed8388478c7adb3de8d791a | payload | 2026-06-17 | 95% |
| sha1_hash | bde47864dd96a3108434ef675008716b9198854b | payload | 2026-06-17 | 95% |
| md5_hash | 8404ae737e2cf0dd72b36c9cede37a9f | payload | 2026-06-17 | 95% |
| sha256_hash | a951afc09aa3e8be61204a027c2cc0c141a64792a2022b8d6ebdf8e0e54a2279 | payload | 2026-06-17 | 95% |
| ip:port | 102[.]220[.]160[.]222:5333 | botnet_cc | 2026-06-17 | 100% |
| ip:port | 147[.]93[.]191[.]75:3002 | botnet_cc | 2026-06-17 | 100% |
| ip:port | 102[.]220[.]160[.]222:7001 | botnet_cc | 2026-06-17 | 100% |
| ip:port | 147[.]93[.]191[.]75:3004 | botnet_cc | 2026-06-17 | 100% |
| ip:port | 147[.]93[.]191[.]75:3005 | botnet_cc | 2026-06-17 | 100% |
| ip:port | 147[.]93[.]191[.]75:6006 | botnet_cc | 2026-06-17 | 100% |
| ip:port | 147[.]93[.]191[.]75:8808 | botnet_cc | 2026-06-17 | 100% |
| ip:port | 157[.]20[.]182[.]18:1339 | botnet_cc | 2026-06-17 | 100% |
| ip:port | 157[.]20[.]182[.]18:1997 | botnet_cc | 2026-06-17 | 100% |
| ip:port | 157[.]20[.]182[.]18:1998 | botnet_cc | 2026-06-17 | 100% |
| ip:port | 31[.]77[.]168[.]195:3009 | botnet_cc | 2026-06-17 | 75% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AsyncRAT
// Note: the IOCs above are ip:port pairs; this query matches on IP only, so
// a hit on a shared host (e.g. port 80) should be confirmed against DestinationPort.
let malicious_ips = dynamic(["198.23.185.136", "157.20.182.18", "64.89.160.127", "31.77.168.195", "102.220.160.222", "147.93.191.75"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - AsyncRAT
let malicious_ips = dynamic(["198.23.185.136", "157.20.182.18", "64.89.160.127", "31.77.168.195", "102.220.160.222", "147.93.191.75"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kusto
// Hunt for files matching known malicious hashes
// Source: ThreatFox - AsyncRAT
// The list mixes SHA1 (40 hex), MD5 (32 hex) and SHA256 (64 hex) values, so it is
// checked against all three hash columns. "in" is case-sensitive; ThreatFox and
// Defender both use lowercase hex, so no case conversion is needed here.
let malicious_hashes = dynamic(["096b1f15b8884bc396a5daaef50a90b4c5bb4fcd", "a7b3e94a5fcd20c960c42426b7c9a0c9", "1dfe9be049f6bcad3caa8504dae4aad5e7e66d6e5ed8388478c7adb3de8d791a", "bde47864dd96a3108434ef675008716b9198854b", "8404ae737e2cf0dd72b36c9cede37a9f", "a951afc09aa3e8be61204a027c2cc0c141a64792a2022b8d6ebdf8e0e54a2279"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceFileEvents | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
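The queries above hand-transcribe the defanged `ip[.]port` and mixed-type hash values from the IOC table. The following helper is an added example (not part of the ThreatFox rule) that refangs a subset of the table rows, buckets hashes by the Defender column they belong in, and renders the KQL literals, including an exact ip:port predicate for `DeviceNetworkEvents` that is tighter than the IP-only match used above. The `IOC_ROWS` subset and the helper names are the example's own.

```python
"""Turn ThreatFox-style IOC rows into typed, refanged lists for KQL hunting queries."""
import re
from collections import defaultdict

# Constructed subset of the IOC table on this page: (type, value as published, defanged)
IOC_ROWS = [
    ("ip:port", "198[.]23[.]185[.]136:80"),
    ("ip:port", "147[.]93[.]191[.]75:7000"),
    ("ip:port", "147[.]93[.]191[.]75:3002"),
    ("sha1_hash", "096b1f15b8884bc396a5daaef50a90b4c5bb4fcd"),
    ("md5_hash", "a7b3e94a5fcd20c960c42426b7c9a0c9"),
    ("sha256_hash", "1dfe9be049f6bcad3caa8504dae4aad5e7e66d6e5ed8388478c7adb3de8d791a"),
]

# Hex digest length -> Defender for Endpoint column name
HASH_LENGTHS = {32: "MD5", 40: "SHA1", 64: "SHA256"}

def refang(value: str) -> str:
    """Undo the '[.]' escaping used to keep feed values from being clickable."""
    return value.replace("[.]", ".")

def split_ip_port(value: str) -> tuple[str, int]:
    """Split a defanged 'ip:port' IOC into a refanged IP string and an integer port."""
    ip, port = refang(value).rsplit(":", 1)
    return ip, int(port)

def bucket_iocs(rows):
    """Group IOCs by the column they should be matched against; reject malformed hashes."""
    buckets = defaultdict(set)
    for ioc_type, value in rows:
        if ioc_type == "ip:port":
            ip, port = split_ip_port(value)
            buckets["ip"].add(ip)            # for IP-only matching (CommonSecurityLog)
            buckets["ip_port"].add((ip, port))  # for exact matching (DeviceNetworkEvents)
        elif ioc_type.endswith("_hash"):
            h = value.strip().lower()
            if not re.fullmatch(r"[0-9a-f]+", h) or len(h) not in HASH_LENGTHS:
                raise ValueError(f"malformed hash IOC: {value!r}")
            buckets[HASH_LENGTHS[len(h)]].add(h)
        else:
            raise ValueError(f"unsupported IOC type: {ioc_type}")
    return buckets

def kql_dynamic(values) -> str:
    """Render a KQL dynamic([...]) literal; sorted so regenerated queries diff cleanly."""
    return "dynamic([" + ", ".join(f'"{v}"' for v in sorted(values)) + "])"

def kql_ip_port_filter(pairs) -> str:
    """Exact (RemoteIP, RemotePort) predicate, avoiding hits on unrelated services on a shared host."""
    terms = [f'(RemoteIP == "{ip}" and RemotePort == {port})' for ip, port in sorted(pairs)]
    return " or ".join(terms)
```

Feed `kql_dynamic(buckets["SHA256"])` and friends into per-column `where` clauses instead of one mixed list, and use `kql_ip_port_filter` when the port is part of the indicator.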
| Scenario | Filter/Exclusion |
|---|---|
| A system administrator is using PowerShell to run a scheduled job that downloads a legitimate update package from Microsoft Update. | Exclude any IOCs that match known Microsoft update URLs or PowerShell scripts associated with standard administrative tasks. |
| A Windows Task Scheduler job is configured to execute a PowerShell script that performs system diagnostics and logs to a Syslog server. | Exclude IOCs related to known system diagnostic tools or Syslog server IP addresses used within the enterprise. |
| A remote management tool like Microsoft Intune or Microsoft Endpoint Manager is used to deploy a patching script that includes a known benign executable. | Exclude IOCs that match known enterprise management tools or patching scripts used in standard IT operations. |
| A database administrator is using SQL Server Management Studio (SSMS) to run a backup job that writes to a network share. | Exclude IOCs associated with SQL Server backup processes or network shares used for legitimate data storage. |
| A DevOps pipeline is configured to pull code from a GitHub repository and execute a CI/CD script that includes a known benign dependency. | Exclude IOCs that match known CI/CD tools or GitHub URLs used in the organization's development environment. |