The ThreatFox: AsyncRAT IOCs rule detects potential command and control activity associated with the AsyncRAT malware, which is known for its persistence and data exfiltration capabilities. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced persistent threats before they cause significant data loss or network compromise.
IOC Summary
Malware Family: AsyncRAT Total IOCs: 19 IOC Types: domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | malware.sv388tong.cyou | botnet_cc | 2026-05-11 | 75% |
| ip:port | 89[.]42[.]134[.]220:7707 | botnet_cc | 2026-05-11 | 75% |
| ip:port | 31[.]57[.]184[.]154:7007 | botnet_cc | 2026-05-11 | 75% |
| ip:port | 168[.]222[.]97[.]106:8808 | botnet_cc | 2026-05-11 | 75% |
| ip:port | 158[.]94[.]210[.]70:22532 | botnet_cc | 2026-05-11 | 75% |
| ip:port | 137[.]184[.]38[.]192:8808 | botnet_cc | 2026-05-11 | 75% |
| ip:port | 130[.]12[.]182[.]209:1525 | botnet_cc | 2026-05-11 | 75% |
| domain | app.qq8893.com | botnet_cc | 2026-05-11 | 75% |
| domain | holidayonid.com.co | botnet_cc | 2026-05-11 | 75% |
| domain | cooltool.jp.net | botnet_cc | 2026-05-11 | 75% |
| domain | ok99.jp.net | botnet_cc | 2026-05-10 | 75% |
| ip:port | 46[.]109[.]239[.]103:8808 | botnet_cc | 2026-05-10 | 75% |
| ip:port | 31[.]57[.]184[.]154:443 | botnet_cc | 2026-05-10 | 75% |
| ip:port | 130[.]49[.]214[.]74:50194 | botnet_cc | 2026-05-10 | 75% |
| domain | zsyp.cn.com | botnet_cc | 2026-05-10 | 75% |
| domain | wplog.jp.net | botnet_cc | 2026-05-10 | 75% |
| domain | roofing.gb.net | botnet_cc | 2026-05-10 | 75% |
| domain | deepsteam.sa.com | botnet_cc | 2026-05-10 | 75% |
| domain | admingdtg.vn | botnet_cc | 2026-05-10 | 75% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AsyncRAT
let malicious_ips = dynamic(["137.184.38.192", "130.49.214.74", "158.94.210.70", "168.222.97.106", "31.57.184.154", "89.42.134.220", "46.109.239.103", "130.12.182.209"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["137.184.38.192", "130.49.214.74", "158.94.210.70", "168.222.97.106", "31.57.184.154", "89.42.134.220", "46.109.239.103", "130.12.182.209"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - AsyncRAT
let malicious_domains = dynamic(["malware.sv388tong.cyou", "app.qq8893.com", "holidayonid.com.co", "cooltool.jp.net", "ok99.jp.net", "zsyp.cn.com", "wplog.jp.net", "roofing.gb.net", "deepsteam.sa.com", "admingdtg.vn"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is using PowerShell to run a scheduled job that downloads a legitimate software update from a known internal repository.
Filter/Exclusion: Exclude any IOCs that match internal update servers or known internal repositories (e.g., *.internal.updates.company.com).
Scenario: A security analyst is performing a Windows Task Scheduler job to collect system logs for forensic analysis, which includes writing to a log file on the local disk.
Filter/Exclusion: Exclude IOCs related to Task Scheduler or log file paths like C:\Windows\System32\logfiles\ or C:\ProgramData\.
Scenario: A developer is using Git to clone a repository from a public GitHub mirror, which includes downloading files that match some of the AsyncRAT IOCs due to similar file names or structures.
Filter/Exclusion: Exclude IOCs that match GitHub URLs or file paths containing github.com or git@github.com.
Scenario: A database administrator is using SQL Server Management Studio (SSMS) to run a script that connects to a remote database and writes to a temporary file on the server.
Filter/Exclusion: Exclude IOCs that match SQL Server binaries or temporary file paths like C:\Windows\Temp\ or C:\Program Files\Microsoft SQL Server\.
Scenario: A DevOps engineer is deploying a Docker container that includes a base image with known binaries that match some AsyncRAT IOCs due to shared libraries or dependencies.
Filter/Exclusion: Exclude IOCs that match Docker image repositories (e.g., docker.io/library/ubuntu, docker.io/library/nginx) or common shared libraries like libc.so.6.