The ThreatFox: DCRat IOCs rule flags network connections to command-and-control (C2) endpoints attributed to DCRat (DarkCrystal RAT), a remote access trojan that lets an adversary execute commands, steal data, and maintain persistence on a compromised host. Because every IOC in this rule is an ip:port pair, the detection is network-based: a hit means a host on your network talked to a known DCRat C2 address. SOC teams should proactively hunt for these connections in Azure Sentinel to identify and contain early-stage compromises before data exfiltration or lateral movement occurs.
IOC Summary

Malware Family: DCRat
Total IOCs: 3
IOC Types: ip:port (botnet C2 endpoints)
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 45[.]225[.]135[.]22:50001 | botnet_cc | 2026-05-28 | 100% |
| ip:port | 46[.]246[.]14[.]2:9999 | botnet_cc | 2026-05-28 | 100% |
| ip:port | 209[.]99[.]188[.]248:8080 | botnet_cc | 2026-05-28 | 100% |
```kusto
// Hunt for network connections to known DCRat C2 addresses in firewall/proxy logs (CEF)
// Source: ThreatFox - DCRat
// The IOCs are ip:port pairs; this query matches on IP alone so that C2 that moves
// ports is still caught. Compare DestinationPort against the table above when triaging.
let malicious_ips = dynamic(["45.225.135.22", "46.246.14.2", "209.99.188.248"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - DCRat
// InitiatingProcessFileName identifies the process that opened the connection,
// which is the first pivot when a hit needs triage.
let malicious_ips = dynamic(["45.225.135.22", "46.246.14.2", "209.99.188.248"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
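The two queries above match on IP only. The following Python example, added here and not part of the page or of ThreatFox, shows the full pipeline a hunter typically scripts around such a rule: refanging the defanged ip:port IOCs from the table, rendering the `let malicious_ips = dynamic([...])` line used in the KQL, and matching constructed network events either on the exact ip:port pair or on the IP alone so the fidelity trade-off is visible. The `NetEvent` records and their device and process names are constructed sample data.

```python
"""Refang ThreatFox ip:port IOCs and match them against network events.

Added example; the event records are constructed to resemble rows from
Defender for Endpoint's DeviceNetworkEvents table.
"""
import re
from dataclasses import dataclass

# IOC values copied from the table above, still in defanged form.
DEFANGED_IOCS = [
    "45[.]225[.]135[.]22:50001",
    "46[.]246[.]14[.]2:9999",
    "209[.]99[.]188[.]248:8080",
]

_DEFANGED_DOT = re.compile(r"\[\.\]|\(\.\)|\{\.\}")


def refang(ioc: str) -> str:
    """Turn '45[.]225[.]135[.]22:50001' back into '45.225.135.22:50001'."""
    return _DEFANGED_DOT.sub(".", ioc)


def split_ip_port(ioc: str) -> tuple[str, int]:
    """Parse a (possibly defanged) ip:port IOC into ('ip', port)."""
    ip, _, port = refang(ioc).rpartition(":")
    if not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", ip) or not port.isdigit():
        raise ValueError(f"not an ip:port IOC: {ioc!r}")
    return ip, int(port)


def kql_dynamic(name: str, values) -> str:
    """Render a KQL `let` line of the form used in the hunting queries above."""
    quoted = ", ".join(f'"{v}"' for v in values)
    return f"let {name} = dynamic([{quoted}]);"


@dataclass
class NetEvent:
    device: str
    remote_ip: str
    remote_port: int
    process: str


def match_events(events, iocs, require_port=True):
    """Return events whose remote endpoint is in the IOC set.

    require_port=True matches the exact ip:port pair (high fidelity).
    require_port=False matches the IP alone, which is what the KQL above does:
    it catches C2 that changes port but also any unrelated traffic to that host.
    """
    pairs = {split_ip_port(i) for i in iocs}
    ips = {ip for ip, _ in pairs}
    hits = []
    for e in events:
        if require_port and (e.remote_ip, e.remote_port) in pairs:
            hits.append(e)
        elif not require_port and e.remote_ip in ips:
            hits.append(e)
    return hits


# Constructed sample events: one exact ip:port hit, one same IP on a different
# port, one clean internal connection.
SAMPLE_EVENTS = [
    NetEvent("WS-FIN-07", "45.225.135.22", 50001, "svchost.exe"),
    NetEvent("WS-FIN-07", "45.225.135.22", 443, "chrome.exe"),
    NetEvent("SRV-DB-01", "10.0.0.5", 1433, "sqlservr.exe"),
]

if __name__ == "__main__":
    ips = sorted({split_ip_port(i)[0] for i in DEFANGED_IOCS})
    print(kql_dynamic("malicious_ips", ips))
    for e in match_events(SAMPLE_EVENTS, DEFANGED_IOCS):
        print("exact ip:port hit:", e)
    for e in match_events(SAMPLE_EVENTS, DEFANGED_IOCS, require_port=False):
        print("ip-only hit:", e)
```

Run the script to print the `let` line ready to paste into either query. The IP-only mode returns both connections from WS-FIN-07; the exact mode returns only the one on port 50001, which is why RemotePort is projected in the Defender query above and should be checked during triage.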
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled job matching a DCRat IOC
Description: A system administrator runs a scheduled script that contains or contacts something matching a DCRat IOC (for example a file name, hash, or one of the listed ip:port addresses) as part of a legitimate automation task.
Filter/Exclusion: Exclude only the exact, known-good script path (e.g., /opt/scripts/legit_script.sh) when launched by cron or the task scheduler, and verify the script's hash before adding the exclusion. Scheduled tasks are a standard persistence mechanism, so do not exclude scheduler-launched processes in general.
Scenario: False positive from a security tool's test payload
Description: A red team exercise using a framework such as Metasploit or Cobalt Strike generates traffic or artifacts that match a DCRat IOC.
Filter/Exclusion: Exclude only hits whose source is a red team host on the approved list, during the approved engagement window. Parent process names such as msfconsole or cobaltstrike can support triage but are not a safe exclusion key, and filtering out the root or admin user is not safe either: an attacker controls both, and real DCRat infections commonly run with administrative rights.
Scenario: Legitimate file named "dcrat.exe" in a shared folder
Description: A file named dcrat.exe exists in a shared folder used by multiple teams and is a legitimate tool (e.g., a custom application or a tool used by a specific department).
Filter/Exclusion: Exclude by the file's known legitimate hash rather than by location alone. A shared directory (e.g., /mnt/shared_tools/, \\server\shared\) is exactly where an attacker would stage a tool, so a path-only exclusion would let a malicious dcrat.exe through.
Scenario: Admin task using a tool with similar naming
Description: An administrator uses a tool with a name similar to DCRat (e.g., dcra.exe) that is a legitimate administrative utility used for system diagnostics.
Filter/Exclusion: Exclude the tool by its full path (e.g., C:\Windows\System32\dcra.exe) combined with its hash or signer. Do not exclude processes merely because the Administrators group launched them, since that covers most post-compromise activity.
**Scenario: False positive
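The red team scenario above is the one that applies directly to ip:port IOCs, and it is where over-broad exclusions do the most damage. The following Python example, added here and not part of the page, triages constructed IOC hits with a narrowly scoped exclusion (authorized red team hosts inside the engagement window) and contrasts it with the over-broad "exclude root or admin" rule, which would suppress a real compromise running as Administrator. The host names `RT-KALI-01` and `WS-FIN-07`, the engagement window, and the `Hit` records are all constructed assumptions.

```python
"""Apply narrowly scoped exclusions to IOC hits before escalating.

Added example; hit records, host names and the engagement window are
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Hit:
    timestamp: datetime
    device: str
    user: str
    remote_ip: str
    remote_port: int
    process: str


# Assumed allowlist for a red team exercise: explicit source hosts plus a time
# window, never a process name or a privileged user.
RED_TEAM_HOSTS = {"RT-KALI-01"}
ENGAGEMENT_WINDOW = (
    datetime(2026, 6, 1, 8, 0, tzinfo=timezone.utc),
    datetime(2026, 6, 1, 18, 0, tzinfo=timezone.utc),
)


def is_authorized_red_team(hit: Hit) -> bool:
    """Scoped exclusion: known red team host AND inside the approved window."""
    start, end = ENGAGEMENT_WINDOW
    return hit.device in RED_TEAM_HOSTS and start <= hit.timestamp <= end


def is_privileged_user(hit: Hit) -> bool:
    """The over-broad rule the scenario warns against: drop anything run as root/admin."""
    return hit.user.lower() in {"root", "administrator", "admin"}


def triage(hits, exclusion=is_authorized_red_team):
    """Split hits into (escalate, suppressed) using the given exclusion predicate."""
    escalate, suppressed = [], []
    for h in hits:
        (suppressed if exclusion(h) else escalate).append(h)
    return escalate, suppressed


# Constructed hits against one of the listed C2 endpoints:
#   1. red team host inside the window        -> legitimately suppressed
#   2. finance workstation running as Administrator -> real compromise, must escalate
#   3. red team host outside the window       -> not covered by the exclusion, escalate
SAMPLE_HITS = [
    Hit(datetime(2026, 6, 1, 10, 0, tzinfo=timezone.utc), "RT-KALI-01", "redteam",
        "46.246.14.2", 9999, "python3"),
    Hit(datetime(2026, 6, 1, 10, 5, tzinfo=timezone.utc), "WS-FIN-07", "Administrator",
        "46.246.14.2", 9999, "svchost.exe"),
    Hit(datetime(2026, 6, 2, 2, 0, tzinfo=timezone.utc), "RT-KALI-01", "redteam",
        "46.246.14.2", 9999, "python3"),
]

if __name__ == "__main__":
    escalate, suppressed = triage(SAMPLE_HITS)
    print("scoped exclusion escalates:", [h.device for h in escalate])
    escalate, suppressed = triage(SAMPLE_HITS, is_privileged_user)
    print("admin-user exclusion suppresses:", [h.device for h in suppressed])
```

With the scoped predicate the Administrator hit on WS-FIN-07 and the out-of-window red team hit are both escalated; with the privileged-user predicate the one hit that is an actual compromise is the one that gets suppressed.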