AsyncRAT is likely establishing command-and-control communication through suspicious IP:port connections, indicating potential remote access and data exfiltration. SOC teams should proactively hunt for these IOCs in Azure Sentinel to detect and mitigate advanced persistent threats before significant data loss occurs.
IOC Summary
Malware Family: AsyncRAT
Total IOCs: 3
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 198[.]167[.]212[.]165:73 | botnet_cc | 2026-05-09 | 75% |
| ip:port | 194[.]26[.]192[.]229:100 | botnet_cc | 2026-05-09 | 75% |
| ip:port | 194[.]26[.]192[.]229:7707 | botnet_cc | 2026-05-09 | 75% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AsyncRAT
// Matching on IP alone is deliberately broader than the ip:port IOCs above
// (ports 73, 100 and 7707); DestinationPort is projected so the analyst can
// see whether a hit is an exact ip:port match.
let malicious_ips = dynamic(["194.26.192.229", "198.167.212.165"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// RemotePort and InitiatingProcessFileName are projected to support the
// false-positive triage described below.
let malicious_ips = dynamic(["194.26.192.229", "198.167.212.165"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task Using Known Port
Description: A legitimate system maintenance task, such as Task Scheduler running a script that uses a known AsyncRAT port (e.g., 80, 443, 8080) for communication with a remote server.
Filter/Exclusion: `destination_port !in (80, 443, 8080) or process_name in ("schtasks.exe", "taskhost.exe")`

Scenario: Admin Using PowerShell for Remote Management
Description: A system administrator using PowerShell to remotely manage a server, which may involve outbound connections to a known AsyncRAT port.
Filter/Exclusion: `(process_name == "powershell.exe" and user == "admin_user") or destination_port !in (80, 443, 8080)`

Scenario: Database Backup Job Using Secure Tunnel
Description: A database backup job using a secure tunnel (e.g., `ssh -L` or OpenSSH) that connects to a remote server on a non-standard port, which may be flagged as suspicious.
Filter/Exclusion: `process_name in ("ssh.exe", "sshd.exe") or destination_port == 22`

Scenario: Log Collection via Syslog Server
Description: A log collection process using a syslog server (e.g., rsyslog, syslog-ng) that sends logs to a remote server on a port commonly used by AsyncRAT.
Filter/Exclusion: `process_name in ("rsyslogd.exe", "syslog-ng.exe") or destination_port == 514`
Scenario: Cloud Sync Tool Using Non-Standard Port
Description:
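The following is an added example that is not part of the original page or of any ThreatFox or Sentinel tooling. It ties the hunting queries above to the false-positive scenarios: it refangs the three ip:port IOCs from the table, triages constructed network events in the shape of DeviceNetworkEvents, and applies a tuning allowlist. The design choice worth noting is that exclusions are keyed on process and port together and applied only to IP-only matches, so an exact ip:port IOC hit is never tuned away. The event records, the 203.0.113.10 benign destination and the allowlist contents are constructed or assumed; the `kql_ioc_table()` helper emits a `datatable` literal that can be joined against `RemoteIP` and `RemotePort` in a port-aware version of the second query.

```python
"""Refang the ip:port IOCs from the table above and hunt for them in network
events, keeping exact ip:port hits separate from looser IP-only hits so that
false-positive tuning never silences an exact IOC match.

Added example, not part of the original page. The IOC values are copied from
the table above; the events and the allowlist are constructed/assumed.
"""
import re
from dataclasses import dataclass

# IOC values copied from the table above, still defanged.
DEFANGED_IOCS = [
    "198[.]167[.]212[.]165:73",
    "194[.]26[.]192[.]229:100",
    "194[.]26[.]192[.]229:7707",
]


def refang(value: str) -> str:
    """Reverse the usual defanging: '[.]' -> '.', 'hxxp' -> 'http'."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def parse_ip_port(value: str) -> tuple[str, int]:
    """Parse a (possibly defanged) 'ip:port' string into (ip, port)."""
    ip, _, port = refang(value).rpartition(":")
    if not re.fullmatch(r"(?:\d{1,3}\.){3}\d{1,3}", ip):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    port_num = int(port)
    if not 0 < port_num <= 65535:
        raise ValueError(f"port out of range: {port_num}")
    return ip, port_num


IOC_PAIRS = {parse_ip_port(v) for v in DEFANGED_IOCS}
IOC_IPS = {ip for ip, _ in IOC_PAIRS}


@dataclass(frozen=True)
class NetEvent:
    """Minimal stand-in for a DeviceNetworkEvents row."""
    timestamp: str
    device: str
    process: str
    remote_ip: str
    remote_port: int


# Constructed sample events (not real telemetry). 203.0.113.10 is a
# documentation address used for the benign connection.
SAMPLE_EVENTS = [
    NetEvent("2026-05-09T10:00:00Z", "host-a", "svchost.exe", "194.26.192.229", 7707),
    NetEvent("2026-05-09T10:01:00Z", "host-b", "powershell.exe", "194.26.192.229", 443),
    NetEvent("2026-05-09T10:02:00Z", "host-c", "ssh.exe", "198.167.212.165", 22),
    NetEvent("2026-05-09T10:03:00Z", "host-d", "chrome.exe", "203.0.113.10", 443),
    NetEvent("2026-05-09T10:04:00Z", "host-e", "svchost.exe", "198.167.212.165", 73),
]

# Assumed tuning allowlist derived from the false-positive scenarios above.
# Keyed on (process, port) together so a port alone never suppresses a hit,
# and applied only to IP-only matches (see hunt()).
ALLOWLIST = frozenset({("ssh.exe", 22), ("rsyslogd.exe", 514), ("syslog-ng.exe", 514)})


def hunt(events, allowlist=ALLOWLIST):
    """Triage events into 'high' (exact ip:port IOC), 'medium' (IOC IP on
    another port) and 'suppressed' (IP-only match covered by the allowlist)."""
    result = {"high": [], "medium": [], "suppressed": []}
    for ev in events:
        if (ev.remote_ip, ev.remote_port) in IOC_PAIRS:
            result["high"].append(ev)  # exact IOC match is never tuned away
        elif ev.remote_ip in IOC_IPS:
            if (ev.process.lower(), ev.remote_port) in allowlist:
                result["suppressed"].append(ev)
            else:
                result["medium"].append(ev)
    return result


def kql_ioc_table() -> str:
    """Emit the IOC pairs as a KQL datatable literal, for a join against
    DeviceNetworkEvents on RemoteIP and RemotePort."""
    rows = ", ".join(f'"{ip}", {port}' for ip, port in sorted(IOC_PAIRS))
    return f"datatable(RemoteIP:string, RemotePort:int) [{rows}]"


if __name__ == "__main__":
    for tier, evs in hunt(SAMPLE_EVENTS).items():
        for ev in evs:
            print(f"{tier:10} {ev.device} {ev.process} -> {ev.remote_ip}:{ev.remote_port}")
    print(kql_ioc_table())
```

Running the script lists host-a and host-e as exact ip:port hits, host-b as an IP-only hit that still needs review, and host-c as suppressed by the assumed allowlist; the suppressed list is returned rather than discarded so the tuning itself stays auditable.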