The ThreatFox: AsyncRAT IOCs rule detects potential command-and-control (C2) activity associated with AsyncRAT, an open-source .NET remote access trojan known for its persistence and data exfiltration capabilities. The indicators below are network IOCs (C2 IP:port pairs and one domain), so they should be hunted in network and DNS telemetry rather than in process or file data. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and contain AsyncRAT infections before they lead to data loss or further compromise.
IOC Summary
Malware Family: AsyncRAT
Total IOCs: 8
IOC Types: domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 172[.]111[.]233[.]80:8808 | botnet_cc | 2026-05-20 | 100% |
| ip:port | 172[.]111[.]233[.]80:8888 | botnet_cc | 2026-05-20 | 100% |
| ip:port | 172[.]111[.]233[.]80:5900 | botnet_cc | 2026-05-20 | 100% |
| ip:port | 66[.]42[.]54[.]228:8808 | botnet_cc | 2026-05-20 | 50% |
| domain | dagatructiep.fashion | botnet_cc | 2026-05-19 | 75% |
| ip:port | 83[.]136[.]211[.]194:6606 | botnet_cc | 2026-05-19 | 75% |
| ip:port | 31[.]57[.]184[.]154:2502 | botnet_cc | 2026-05-19 | 75% |
| ip:port | 172[.]111[.]233[.]80:6666 | botnet_cc | 2026-05-19 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AsyncRAT
// Note: the IOCs are ip:port pairs; matching on IP alone is deliberately broader
// (it catches other ports on the same C2 host) so DestinationPort is projected for triage.
let malicious_ips = dynamic(["83.136.211.194", "66.42.54.228", "172.111.233.80", "31.57.184.154"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - AsyncRAT
// RemotePort and InitiatingProcessFileName are projected so an ip:port hit and the
// process that made the connection can be confirmed without a second query.
let malicious_ips = dynamic(["83.136.211.194", "66.42.54.228", "172.111.233.80", "31.57.184.154"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - AsyncRAT
// has_any matches the domain as whole terms, so subdomains of the IOC (e.g. a host under
// dagatructiep.fashion) are also returned; confirm the full queried Name on review.
let malicious_domains = dynamic(["dagatructiep.fashion"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
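The queries above match on the bare IP or domain, which is wider than the ip:port indicators ThreatFox publishes. The following Python script is an added example (not part of the ThreatFox data or the original rule) that refangs the IOC table exactly as printed above, builds a port-aware indicator set, grades each hit as an exact ip:port match, an IP-only match on a different port, or a domain/subdomain match, and renders the refanged IP list as a KQL `dynamic([...])` literal for pasting into the `let` statements. The log records it runs over are constructed inline for illustration; field names mirror `CommonSecurityLog` / `DnsEvents` columns but the records are not real telemetry.

```python
"""Port-aware matching of the ThreatFox AsyncRAT IOCs against sample network records.
Added example; the IOC rows are copied from the page in their defanged form."""
import ipaddress
from dataclasses import dataclass

# (type, defanged value, confidence) as listed in the IOC Summary table above.
THREATFOX_ASYNCRAT_IOCS = [
    ("ip:port", "172[.]111[.]233[.]80:8808", 100),
    ("ip:port", "172[.]111[.]233[.]80:8888", 100),
    ("ip:port", "172[.]111[.]233[.]80:5900", 100),
    ("ip:port", "66[.]42[.]54[.]228:8808", 50),
    ("domain", "dagatructiep.fashion", 75),
    ("ip:port", "83[.]136[.]211[.]194:6606", 75),
    ("ip:port", "31[.]57[.]184[.]154:2502", 75),
    ("ip:port", "172[.]111[.]233[.]80:6666", 75),
]


def refang(value: str) -> str:
    """Undo the defanging used in the table: "[.]" -> "." and hxxp(s):// -> http(s)://."""
    return (value.replace("[.]", ".")
                 .replace("hxxps://", "https://")
                 .replace("hxxp://", "http://"))


@dataclass(frozen=True)
class IocSet:
    ip_ports: dict   # (ip, port) -> confidence
    ips: dict        # ip -> highest confidence seen for that host
    domains: dict    # domain -> confidence


def build_ioc_set(rows) -> IocSet:
    """Parse the IOC rows into lookup tables; malformed IPs raise so bad feed rows are noticed."""
    ip_ports, ips, domains = {}, {}, {}
    for ioc_type, raw, confidence in rows:
        value = refang(raw)
        if ioc_type == "ip:port":
            ip, port = value.rsplit(":", 1)
            ipaddress.ip_address(ip)  # ValueError on a garbled indicator
            ip_ports[(ip, int(port))] = confidence
            ips[ip] = max(ips.get(ip, 0), confidence)
        elif ioc_type == "domain":
            domains[value.lower()] = confidence
        else:
            raise ValueError(f"unsupported IOC type: {ioc_type}")
    return IocSet(ip_ports, ips, domains)


def kql_dynamic_list(values) -> str:
    """Render values as a KQL dynamic([...]) literal for a `let` statement."""
    return "dynamic([" + ", ".join(f'"{v}"' for v in sorted(values)) + "])"


def match_record(iocs: IocSet, record: dict):
    """Return (verdict, indicator, confidence) for one record, or None.
    "exact"   - ip:port pair is in the feed
    "ip_only" - the host is in the feed but on a port the feed does not list (wider match)
    "domain"  - the queried name is the IOC domain or a subdomain of it"""
    for ip_field, port_field in (("DestinationIP", "DestinationPort"),
                                 ("SourceIP", "SourcePort")):
        ip = record.get(ip_field)
        if ip in iocs.ips:
            port = record.get(port_field)
            if (ip, port) in iocs.ip_ports:
                return ("exact", f"{ip}:{port}", iocs.ip_ports[(ip, port)])
            return ("ip_only", ip, iocs.ips[ip])
    name = (record.get("Name") or "").lower().rstrip(".")
    for domain, confidence in iocs.domains.items():
        if name == domain or name.endswith("." + domain):
            return ("domain", name, confidence)
    return None


def hunt(iocs: IocSet, records):
    """Run match_record over a batch and return (record id, verdict, indicator, confidence) hits."""
    hits = []
    for record in records:
        result = match_record(iocs, record)
        if result:
            hits.append((record["id"], *result))
    return hits


# Constructed sample records (not real telemetry); 10.0.0.0/8 and 198.51.100.0/24 are private/documentation ranges.
SAMPLE_RECORDS = [
    {"id": 1, "SourceIP": "10.0.0.5", "DestinationIP": "172.111.233.80", "DestinationPort": 8808},
    {"id": 2, "SourceIP": "10.0.0.6", "DestinationIP": "172.111.233.80", "DestinationPort": 443},
    {"id": 3, "SourceIP": "10.0.0.7", "DestinationIP": "198.51.100.10", "DestinationPort": 443},
    {"id": 4, "Name": "cdn.dagatructiep.fashion"},
    {"id": 5, "Name": "dagatructiep.fashion.example"},
]

if __name__ == "__main__":
    iocs = build_ioc_set(THREATFOX_ASYNCRAT_IOCS)
    print("let malicious_ips =", kql_dynamic_list(iocs.ips) + ";")
    for hit in hunt(iocs, SAMPLE_RECORDS):
        print(hit)
```

Record 2 illustrates the trade-off the KQL above makes: the host 172.111.233.80 is in the feed, but port 443 is not, so the script reports it as `ip_only` rather than discarding it, leaving the analyst to decide whether the extra port is a C2 listener the feed has not caught up with or a shared-hosting false positive. Record 5 shows why the domain check is a suffix match on `.` boundaries rather than a substring match.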
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using crontab or at
Description: A system administrator schedules a legitimate maintenance task using crontab or at whose network activity coincidentally reaches one of the AsyncRAT IOCs (for example, an outbound connection to a listed IP that also hosts a legitimate service). Because these IOCs are IP:port pairs and a domain, a job name or script path alone cannot trigger the queries above; only its network traffic can.
Filter/Exclusion: Check the crontab or at job entries in the command-line history or logs, confirm which host and port the job contacts, and exclude entries where that connection is a known legitimate scheduling context.
Scenario: Use of wget or curl for software updates
Description: A system administrator uses wget or curl to download a legitimate software update from a known internal or external repository, and the repository host resolves to or shares an IP with one of the AsyncRAT IOCs.
Filter/Exclusion: Filter out traffic to known update servers or internal repositories, and exclude destinations that match known legitimate software update endpoints. Treat an exact IP:port match with the listed C2 port as suspicious even when the host is otherwise allowlisted.
Scenario: PowerShell script for system monitoring
Description: A PowerShell-based monitoring script (or a security agent such as Sysmon) polls a remote endpoint whose IP or domain matches one of the AsyncRAT IOCs.
Filter/Exclusion: Exclude scripts that are part of known monitoring or security tools, and verify the script's source and integrity using digital signatures or hash comparisons before excluding it.
Scenario: Admin task involving tar or gzip for archive management
Description: An admin task uses tar or gzip to create or extract archives and then copies the archive to or from a host that matches one of the AsyncRAT IOCs.
Filter/Exclusion: Exclude commands that are part of standard archive operations, and verify the context of the command using the process tree or user context (e.g., an admin user performing archive tasks from an approved host).
Scenario: Use of rsync for data synchronization