The ThreatFox: DCRat IOCs rule detects potential adversary activity associated with the DCRat malware, leveraging known indicators of compromise to identify suspicious network traffic or system artifacts. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and respond to advanced persistent threats that may be exfiltrating data or establishing command and control channels.
IOC Summary

Malware Family: DCRat
Total IOCs: 5
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 72[.]51[.]57[.]131:5202 | botnet_cc | 2026-06-13 | 75% |
| ip:port | 72[.]51[.]57[.]131:7997 | botnet_cc | 2026-06-13 | 75% |
| ip:port | 46[.]246[.]4[.]9:8848 | botnet_cc | 2026-06-13 | 75% |
| ip:port | 144[.]91[.]78[.]57:207 | botnet_cc | 2026-06-13 | 75% |
| ip:port | 23[.]235[.]185[.]44:12159 | botnet_cc | 2026-06-13 | 75% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - DCRat
// Note: the ThreatFox listing is ip:port pairs; this query matches on IP only,
// so any connection to these hosts is returned regardless of destination port.
let malicious_ips = dynamic(["46.246.4.9", "23.235.185.44", "72.51.57.131", "144.91.78.57"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Same IP-only match as above; RemotePort is projected so the analyst can
// compare it against the ports in the ThreatFox listing.
let malicious_ips = dynamic(["46.246.4.9", "23.235.185.44", "72.51.57.131", "144.91.78.57"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
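The two queries above match on IP address only, while the ThreatFox listing gives ip:port pairs. The following is an added example, not part of the original rule, that matches on both IP and port across firewall and endpoint telemetry in one query and summarises hits per host; it assumes the standard Sentinel schemas for CommonSecurityLog (Computer, DestinationIP, DestinationPort, DeviceAction) and DeviceNetworkEvents (DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType).

```kusto
// Added example (not the original rule's code): port-aware DCRat C2 hunt.
// The ip:port pairs are the five ThreatFox indicators from the table above.
let dcrat_c2 = datatable(ip:string, port:int) [
    "72.51.57.131", 5202,
    "72.51.57.131", 7997,
    "46.246.4.9",   8848,
    "144.91.78.57", 207,
    "23.235.185.44", 12159
];
// Normalise both sources to a common shape so a single join covers them.
let firewall = CommonSecurityLog
    | where isnotempty(DestinationIP)
    | project TimeGenerated, Source = "CommonSecurityLog", Host = Computer,
              Process = "", ip = DestinationIP, port = toint(DestinationPort),
              Action = DeviceAction;
let endpoint = DeviceNetworkEvents
    | project TimeGenerated = Timestamp, Source = "DeviceNetworkEvents", Host = DeviceName,
              Process = InitiatingProcessFileName, ip = RemoteIP, port = toint(RemotePort),
              Action = ActionType;
union firewall, endpoint
| where TimeGenerated > ago(30d)
// Inner join on both ip and port: only exact C2 endpoint matches survive.
| join kind=inner dcrat_c2 on ip, port
| summarize Hits = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Processes = make_set(Process, 10)
          by Source, Host, ip, port, Action
| order by LastSeen desc
```

Because the join requires the port to match, a host that merely connects to one of the listed addresses on an unrelated port is not surfaced here; run the IP-only queries above alongside it if that broader view is wanted.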
Scenario: Legitimate scheduled job using crontab to run system monitoring scripts
Filter/Exclusion: Exclude processes initiated by crontab using the parent_process_name field (parent_process_name = "crontab")
Scenario: System update or patching process using yum or apt that temporarily executes known IOCs
Filter/Exclusion: Exclude processes with process_name containing "yum" or "apt" and check for process_owner being a system user (e.g., root, systemd)
Scenario: Security tool or EDR agent (e.g., CrowdStrike, SentinelOne) performing routine IOC collection or threat intelligence lookup
Filter/Exclusion: Exclude processes with process_name matching the EDR agent name (e.g., crowdstrike.sh, sentinelone.exe) or check for process_owner being the EDR service account
Scenario: Admin task using ps or top to monitor running processes, which may include known IOCs in command lines
Filter/Exclusion: Exclude processes with process_name matching "ps" or "top" and check for process_owner being a system admin or service account
Scenario: Log analysis tool (e.g., logrotate, rsyslog) processing logs that include IOCs in log messages
Filter/Exclusion: Exclude processes with process_name matching "logrotate" or "rsyslog" and filter by log_source or message_content to identify log processing activity