The ThreatFox: AsyncRAT IOCs rule detects potential command and control activity associated with the AsyncRAT malware, which is known for its persistence and data exfiltration capabilities. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced persistent threats before they cause significant damage.
IOC Summary
Malware Family: AsyncRAT Total IOCs: 17 IOC Types: domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 31[.]57[.]184[.]48:7456 | botnet_cc | 2026-05-12 | 75% |
| ip:port | 104[.]243[.]248[.]63:1803 | botnet_cc | 2026-05-12 | 75% |
| ip:port | 103[.]143[.]207[.]71:443 | botnet_cc | 2026-05-12 | 75% |
| domain | x88.run | botnet_cc | 2026-05-12 | 75% |
| domain | sc88885.com | botnet_cc | 2026-05-12 | 75% |
| ip:port | 139[.]99[.]131[.]177:8000 | botnet_cc | 2026-05-11 | 75% |
| ip:port | 94[.]154[.]172[.]236:8080 | botnet_cc | 2026-05-11 | 75% |
| ip:port | 94[.]154[.]172[.]236:8888 | botnet_cc | 2026-05-11 | 75% |
| ip:port | 94[.]154[.]172[.]236:53 | botnet_cc | 2026-05-11 | 75% |
| ip:port | 94[.]154[.]172[.]236:80 | botnet_cc | 2026-05-11 | 75% |
| ip:port | 91[.]195[.]240[.]123:8888 | botnet_cc | 2026-05-11 | 75% |
| ip:port | 94[.]154[.]172[.]236:43 | botnet_cc | 2026-05-11 | 75% |
| ip:port | 94[.]154[.]172[.]236:443 | botnet_cc | 2026-05-11 | 75% |
| ip:port | 91[.]195[.]240[.]123:53 | botnet_cc | 2026-05-11 | 75% |
| ip:port | 91[.]195[.]240[.]123:80 | botnet_cc | 2026-05-11 | 75% |
| ip:port | 91[.]195[.]240[.]123:8080 | botnet_cc | 2026-05-11 | 75% |
| ip:port | 91[.]195[.]240[.]123:43 | botnet_cc | 2026-05-11 | 75% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AsyncRAT
let malicious_ips = dynamic(["94.154.172.236", "104.243.248.63", "91.195.240.123", "103.143.207.71", "139.99.131.177", "31.57.184.48"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["94.154.172.236", "104.243.248.63", "91.195.240.123", "103.143.207.71", "139.99.131.177", "31.57.184.48"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - AsyncRAT
let malicious_domains = dynamic(["x88.run", "sc88885.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using PowerShell for system maintenance
Description: A scheduled PowerShell task is configured to run a script that performs system cleanup or log rotation, which coincidentally uses a file or command that matches an AsyncRAT IOC.
Filter/Exclusion: Exclude processes initiated by the Task Scheduler with the Microsoft or System user context, and filter out PowerShell scripts located in the C:\Windows\System32\ directory.
Scenario: Admin using Process Monitor (ProcMon) for troubleshooting
Description: A system administrator is using Process Monitor (ProcMon) to investigate a performance issue, and the tool’s logging or filtering actions trigger an IOC associated with AsyncRAT.
Filter/Exclusion: Exclude processes with the ProcMon.exe executable path or those running under the LocalSystem account with a command line containing ProcMon.
Scenario: Legitimate use of certutil for certificate management
Description: An administrator is using certutil to import or export a certificate, which may result in a command or file path that matches an AsyncRAT IOC.
Filter/Exclusion: Exclude processes where the command line contains certutil and the file path includes .cer, .pfx, or .crt extensions.
Scenario: Software update or patching tool executing a script
Description: A third-party patching tool (e.g., Microsoft Update, SCCM, or a custom deployment tool) runs a script that temporarily uses a file or command matching an AsyncRAT IOC during an update process.
Filter/Exclusion: Exclude processes initiated by known patching tools (e.g., msiexec.exe, setup.exe, or patch.exe) or those running under a service account associated with the patching tool.
**Scenario: Legitimate use