← Back to SOC feed Coverage →

ThreatFox: AsyncRAT IOCs

ioc-hunt HIGH ThreatFox
CommonSecurityLogDeviceNetworkEvents
backdooriocthreatfoxwin-asyncrat
This detection content is auto-generated from open-source rule repositories and enriched with AI analysis. Always validate rules in a test environment before deploying to production Sentinel workspaces.
View original rule at ThreatFox →
Retrieved: 2026-03-19T03:46:59Z · Confidence: high

Hunt Hypothesis

Hunt package for 2 IOCs associated with AsyncRAT

IOC Summary

Malware Family: AsyncRAT Total IOCs: 2 IOC Types: ip:port

TypeValueThreat TypeFirst SeenConfidence
ip:port206[.]123[.]152[.]144:5900botnet_cc2026-03-19100%
ip:port46[.]109[.]51[.]69:8808botnet_cc2026-03-18100%

KQL: Ip Hunt

// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AsyncRAT
let malicious_ips = dynamic(["46.109.51.69", "206.123.152.144"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc

KQL: Ip Hunt Device

// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["46.109.51.69", "206.123.152.144"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc

Required Data Sources

Sentinel TableNotes
CommonSecurityLogEnsure this data connector is enabled
DeviceNetworkEventsEnsure this data connector is enabled

References

Original source: https://threatfox.abuse.ch/browse/malware/win.asyncrat/