The ThreatFox: AsyncRAT IOCs rule detects potential command-and-control (C2) communications associated with AsyncRAT, an open-source .NET remote access trojan whose operators configure their own C2 ports and which is commonly used for persistence, credential theft and data exfiltration. SOC teams should proactively hunt for these indicators in Microsoft Sentinel (formerly Azure Sentinel) to identify infected hosts before the intrusion escalates to significant data loss or wider network compromise.
IOC Summary
Malware Family: AsyncRAT
Total IOCs: 9
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 31[.]57[.]184[.]154:7006 | botnet_cc | 2026-05-22 | 75% |
| ip:port | 31[.]171[.]131[.]118:7707 | botnet_cc | 2026-05-22 | 75% |
| ip:port | 31[.]171[.]131[.]118:8808 | botnet_cc | 2026-05-22 | 75% |
| ip:port | 193[.]93[.]194[.]31:50194 | botnet_cc | 2026-05-22 | 75% |
| ip:port | 176[.]119[.]25[.]78:7707 | botnet_cc | 2026-05-22 | 75% |
| ip:port | 104[.]37[.]174[.]36:7707 | botnet_cc | 2026-05-22 | 75% |
| ip:port | 104[.]37[.]174[.]36:8808 | botnet_cc | 2026-05-22 | 75% |
| ip:port | 45[.]154[.]98[.]84:1000 | botnet_cc | 2026-05-22 | 100% |
| ip:port | 207[.]180[.]250[.]181:20700 | botnet_cc | 2026-05-22 | 100% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AsyncRAT
// Matches on IP only (the IOCs are ip:port pairs); compare DestinationPort
// against the port listed for that IP in the table above before escalating.
let malicious_ips = dynamic(["193.93.194.31", "207.180.250.181", "104.37.174.36", "31.57.184.154", "31.171.131.118", "45.154.98.84", "176.119.25.78"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kusto
// Hunt in Defender for Endpoint network events
// RemotePort and the initiating process are projected so a hit can be
// checked against the ip:port pair in the table and triaged by process.
let malicious_ips = dynamic(["193.93.194.31", "207.180.250.181", "104.37.174.36", "31.57.184.154", "31.171.131.118", "45.154.98.84", "176.119.25.78"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog data connectors (firewall, proxy, IDS); ensure the relevant connector is enabled |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR data connector; ensure it is enabled and that endpoints are onboarded to Defender for Endpoint |
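Because the IOCs are ip:port pairs but the two queries above match on IP alone, it helps to see both matching modes side by side. The following Python is an added example (not ThreatFox or Sentinel code): it refangs the defanged rows from the IOC table, validates them, runs an IP-only match (the semantics of the page's KQL) and an exact ip:port match over a handful of constructed network events, and emits the KQL `dynamic([...])` list and a `datatable` for an exact-pair join. The sample events and host names are constructed for illustration.

```python
"""Parse ThreatFox-style defanged ip:port IOCs and run the hunt logic over
constructed sample network events (added example, not ThreatFox or Sentinel code)."""
from __future__ import annotations

import ipaddress
import re
from typing import Iterable, List, NamedTuple, Set

# The nine rows from the IOC table above, exactly as ThreatFox defangs them.
RAW_IOCS = [
    "31[.]57[.]184[.]154:7006",
    "31[.]171[.]131[.]118:7707",
    "31[.]171[.]131[.]118:8808",
    "193[.]93[.]194[.]31:50194",
    "176[.]119[.]25[.]78:7707",
    "104[.]37[.]174[.]36:7707",
    "104[.]37[.]174[.]36:8808",
    "45[.]154[.]98[.]84:1000",
    "207[.]180[.]250[.]181:20700",
]

_DEFANG = re.compile(r"\[\.\]|\(\.\)|\{\.\}")  # common defanging styles


class Ioc(NamedTuple):
    ip: str
    port: int


def refang(value: str) -> str:
    """Turn 31[.]57[.]184[.]154 back into a real dotted quad."""
    return _DEFANG.sub(".", value)


def parse_iocs(rows: Iterable[str]) -> Set[Ioc]:
    """Parse and validate ip:port rows; reject malformed input so a bad row
    cannot silently widen or narrow the hunt."""
    iocs: Set[Ioc] = set()
    for row in rows:
        host, sep, port = refang(row.strip()).rpartition(":")
        if not sep:
            raise ValueError(f"no port in IOC {row!r}")
        ip = ipaddress.ip_address(host)  # raises ValueError on garbage
        p = int(port)
        if not 0 < p < 65536:
            raise ValueError(f"bad port in IOC {row!r}")
        iocs.add(Ioc(str(ip), p))
    return iocs


class NetEvent(NamedTuple):
    device: str
    remote_ip: str
    remote_port: int
    process: str


def match_ip_only(events: Iterable[NetEvent], iocs: Set[Ioc]) -> List[NetEvent]:
    """Same semantics as the page's KQL: any connection to a listed IP."""
    ips = {i.ip for i in iocs}
    return [e for e in events if e.remote_ip in ips]


def match_ip_port(events: Iterable[NetEvent], iocs: Set[Ioc]) -> List[NetEvent]:
    """Tighter match on the exact ip:port pair ThreatFox published."""
    pairs = {(i.ip, i.port) for i in iocs}
    return [e for e in events if (e.remote_ip, e.remote_port) in pairs]


def kql_ip_list(iocs: Set[Ioc]) -> str:
    """Emit the dynamic([...]) list used by the queries above."""
    ips = sorted({i.ip for i in iocs}, key=ipaddress.ip_address)
    return "dynamic([" + ", ".join(f'"{ip}"' for ip in ips) + "])"


def kql_datatable(iocs: Set[Ioc]) -> str:
    """Emit a KQL datatable of (ip, port) rows for an exact-pair join."""
    rows = ", ".join(f'"{i.ip}", {i.port}' for i in sorted(iocs))
    return f"datatable(ip:string, port:int)[{rows}]"


# Constructed sample events (not real telemetry). Hypothetical device names.
SAMPLE_EVENTS = [
    NetEvent("ws01", "104.37.174.36", 7707, "svchost.exe"),    # exact ip:port hit
    NetEvent("ws02", "104.37.174.36", 443, "chrome.exe"),      # same IP, other port
    NetEvent("srv01", "8.8.8.8", 53, "systemd-resolved"),      # benign
    NetEvent("ws03", "45.154.98.84", 1000, "powershell.exe"),  # exact ip:port hit
]

if __name__ == "__main__":
    iocs = parse_iocs(RAW_IOCS)
    print(f"{len(iocs)} IOCs, {len({i.ip for i in iocs})} unique IPs")
    for e in match_ip_only(SAMPLE_EVENTS, iocs):
        print("IP-only hit  :", e)
    for e in match_ip_port(SAMPLE_EVENTS, iocs):
        print("ip:port hit  :", e)
    print(kql_ip_list(iocs))
    print(kql_datatable(iocs))
```

The IP-only matcher flags the HTTPS connection from ws02 as well as the two real hits, which is exactly the kind of alert the false-positive scenarios below are about; the ip:port matcher does not. Paste the `datatable` output into a `let iocs = ...;` and join it against `DeviceNetworkEvents` on both `RemoteIP` and `RemotePort` when the broad query produces too much noise.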
Scenario: Legitimate scheduled job using crontab for system maintenance
Description: The IOCs on this page are bare ip:port pairs and the queries match on IP alone, so a script name or command-line argument cannot trigger them; a hit from a cron job means the job actually connected to one of the listed addresses, for example because the address sits in a shared hosting range also used by a package mirror or log collector.
Filter/Exclusion: Check the destination port of the event against the port paired with that IP in the table above; if it differs, exclude the job by its initiating process and account (in DeviceNetworkEvents, InitiatingProcessFileName and InitiatingProcessAccountName, e.g., root running logrotate or systemd-tmpfiles-setup) rather than by removing the IP from the list.
Scenario: Use of wget or curl for legitimate software updates
Description: A system administrator uses wget or curl to download a software update, and the download resolves to one of the listed IPs because the vendor and the C2 share a hosting provider or CDN.
Filter/Exclusion: Confirm the destination port is 80 or 443 rather than the IOC port, and filter out events where InitiatingProcessFileName is wget or curl and the URL in InitiatingProcessCommandLine belongs to a trusted domain (e.g., example.com, updates.vendor.com).
Scenario: PowerShell script for automated reporting
Description: A PowerShell script used for generating automated reports or logs (e.g., with Out-File or Export-Csv) uploads its output to a server that resolves to one of the listed IPs.
Filter/Exclusion: Exclude events where InitiatingProcessFileName is powershell.exe, the script path in InitiatingProcessCommandLine is in a known trusted directory (e.g., C:\Windows\System32\ or C:\Program Files\), and RemotePort does not match the port listed for that IP; PowerShell connecting to an IOC port is a high-priority hit, not a candidate for exclusion.
Scenario: Use of rsync for data backups
Description: A backup process using rsync pushes to a remote host that shares an address with one of the listed IPs, which is worth scrutiny in its own right if the backup includes sensitive data.
Filter/Exclusion: Filter out rsync events where the destination port is the expected rsync or SSH port and the source or destination paths in the command line are known backup directories (e.g., `/