The ThreatFox: AsyncRAT IOCs rule detects potential command and control communication associated with the AsyncRAT malware, which is known for its persistence and data exfiltration capabilities. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced persistent threats that could compromise sensitive data and network integrity.
IOC Summary

Malware Family: AsyncRAT
Total IOCs: 5
IOC Types: ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 198[.]23[.]185[.]234:7707 | botnet_cc | 2026-05-10 | 75% |
| ip:port | 194[.]26[.]192[.]229:50 | botnet_cc | 2026-05-10 | 75% |
| domain | hm88athen.com | botnet_cc | 2026-05-10 | 75% |
| domain | jogoforuma.com | botnet_cc | 2026-05-10 | 75% |
| domain | hm888.online | botnet_cc | 2026-05-10 | 75% |
Hunting Queries (KQL)

The IOCs in the table are defanged with `[.]`; the queries below use the refanged values. Run each query separately.

```kusto
// Hunt for network connections to known malicious IPs (any port; the IOC ports are 7707 and 50)
// Source: ThreatFox - AsyncRAT
let malicious_ips = dynamic(["198.23.185.234", "194.26.192.229"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - AsyncRAT
let malicious_ips = dynamic(["198.23.185.234", "194.26.192.229"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - AsyncRAT
// has_any is term-based, so it also matches subdomains of the listed domains (and longer names that contain them as terms)
let malicious_domains = dynamic(["hm88athen.com", "jogoforuma.com", "hm888.online"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
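The same matching logic applied offline to sample telemetry, as an added example that is not part of the ThreatFox rule or the queries above: it refangs the table's `[.]` indicators, matches IP IOCs on any port while flagging whether the listed port was used, and matches domains on exact name or subdomain only (stricter than the term-based `has_any` in the DnsEvents query). The IOC rows are copied from the table; the event rows are constructed.

```python
import ipaddress
# Constructed copy of the five ThreatFox rows in the table above, still defanged with [.].
THREATFOX_IOCS = [
    ("ip:port", "198[.]23[.]185[.]234:7707"),
    ("ip:port", "194[.]26[.]192[.]229:50"),
    ("domain", "hm88athen.com"),
    ("domain", "jogoforuma.com"),
    ("domain", "hm888.online"),
]

def refang(value):
    """Undo the [.] defanging so the IOC can be compared with real telemetry."""
    return value.replace("[.]", ".")

def load_iocs(rows):
    """Return (ip -> set of ports, set of domains); a malformed IP raises ValueError."""
    ips, domains = {}, set()
    for ioc_type, raw in rows:
        value = refang(raw)
        if ioc_type == "ip:port":
            ip, _, port = value.rpartition(":")
            ipaddress.ip_address(ip)  # validate before it ever reaches a query
            ips.setdefault(ip, set()).add(int(port))
        elif ioc_type == "domain":
            domains.add(value.lower().rstrip("."))
    return ips, domains

def domain_matches(name, domains):
    """True for an exact IOC domain or one of its subdomains, never a bare substring."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)

def hunt(events, ips, domains):
    """Keep events whose RemoteIP or DNS Name hits an IOC; IP hits record whether the port matched."""
    hits = []
    for ev in events:
        if ev.get("RemoteIP") in ips:
            hits.append({**ev, "match": "ip", "port_match": ev.get("RemotePort") in ips[ev["RemoteIP"]]})
        elif "Name" in ev and domain_matches(ev["Name"], domains):
            hits.append({**ev, "match": "domain"})
    return hits

# Constructed telemetry shaped like DeviceNetworkEvents and DnsEvents rows.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "RemoteIP": "198.23.185.234", "RemotePort": 7707},
    {"DeviceName": "ws02", "RemoteIP": "194.26.192.229", "RemotePort": 443},  # IOC IP, different port
    {"Computer": "ws03", "Name": "cdn.jogoforuma.com"},                       # subdomain of an IOC
    {"Computer": "ws04", "Name": "hm888.online.example.net"},                 # term-based has_any would hit this
    {"Computer": "ws05", "Name": "example.com"},
]
```

Calling `hunt(SAMPLE_EVENTS, *load_iocs(THREATFOX_IOCS))` returns ws01, ws02 (with `port_match` False) and ws03; ws04 is deliberately not a hit here, so compare against the `has_any` results before deciding which behaviour you want in Sentinel.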
Required Data Sources

| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios

The filter expressions below use generic field names (process.name, process.command_line, destination_ip, script_name) rather than the column names of the Sentinel tables above; map them to the corresponding columns (for example InitiatingProcessFileName and RemoteIP in DeviceNetworkEvents) before adding them as exclusions.

Scenario: Legitimate scheduled backup job using rsync
Description: A scheduled backup task using rsync may trigger the rule if it coincidentally matches an IOC associated with AsyncRAT.
Filter/Exclusion: `process.name != "rsync" or process.command_line contains "rsync"`

Scenario: Admin using wget to download a legitimate software update
Description: An administrator may use wget to fetch a legitimate software update from a known server, which could match an IOC in the AsyncRAT list.
Filter/Exclusion: `process.name != "wget" or destination_ip in whitelist`

Scenario: PowerShell script running a legitimate system cleanup task
Description: A PowerShell script used for system cleanup or log rotation may contain strings that match AsyncRAT IOCs.
Filter/Exclusion: `process.name != "powershell.exe" or script_name contains "cleanup"`

Scenario: Docker container running a legitimate application with known command-line arguments
Description: A Docker container may execute commands that match AsyncRAT IOCs due to similar command-line structures.
Filter/Exclusion: `process.parent_process contains "docker" or process.name contains "containerd"`

Scenario: User executing a legitimate tool like curl for API testing
Description: A developer may use curl to interact with an internal API, which could trigger the rule if the request URL matches an AsyncRAT IOC.
Filter/Exclusion: `process.name != "curl" or destination_ip in internal_network`