The ThreatFox: DCRat IOCs rule detects potential adversary activity associated with the DCRat malware, leveraging known indicators of compromise to identify suspicious network traffic or system behavior. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats that may be exfiltrating data or establishing command and control channels.
IOC Summary
Malware Family: DCRat Total IOCs: 5 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 23[.]235[.]185[.]46:8848 | botnet_cc | 2026-06-01 | 100% |
| ip:port | 23[.]235[.]185[.]45:8848 | botnet_cc | 2026-06-01 | 100% |
| ip:port | 23[.]235[.]185[.]43:8848 | botnet_cc | 2026-06-01 | 100% |
| ip:port | 23[.]235[.]185[.]42:8848 | botnet_cc | 2026-06-01 | 100% |
| ip:port | 172[.]86[.]75[.]140:5038 | botnet_cc | 2026-06-01 | 100% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - DCRat
let malicious_ips = dynamic(["23.235.185.43", "172.86.75.140", "23.235.185.45", "23.235.185.42", "23.235.185.46"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["23.235.185.43", "172.86.75.140", "23.235.185.45", "23.235.185.42", "23.235.185.46"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job using crontab to run system maintenance scripts
Filter/Exclusion: Exclude processes where the command line includes crontab or systemd and the user is a system admin (e.g., root, sysadmin).
Scenario: Use of tcpdump for network monitoring and packet capture
Filter/Exclusion: Exclude processes where the command line includes tcpdump and the user is a network operations team member (e.g., network_ops).
Scenario: Execution of rsync for routine data backups
Filter/Exclusion: Exclude processes where the command line includes rsync and the source/destination paths are known backup directories (e.g., /backup/ or /mnt/backup/).
Scenario: Use of logrotate for log file management
Filter/Exclusion: Exclude processes where the command line includes logrotate and the log files are located in standard log directories (e.g., /var/log/).
Scenario: Running of ansible for configuration management tasks
Filter/Exclusion: Exclude processes where the command line includes ansible and the playbook or inventory file is known to be part of the organization’s standard automation framework.