ThreatFox: DCRat IOCs | SOC Hunt Feed

Hunt Hypothesis

The detection identifies potential DCRat malware activity through known IOCs, indicating an adversary may be establishing persistence or exfiltrating data. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats before significant data loss occurs.

IOC Summary

Malware Family: DCRat Total IOCs: 3 IOC Types: ip:port

Type	Value	Threat Type	First Seen	Confidence
ip:port	`190[.]255[.]90[.]152:6010`	botnet_cc	2026-05-29	75%
ip:port	`158[.]94[.]208[.]29:207`	botnet_cc	2026-05-29	75%
ip:port	`45[.]202[.]1[.]100:12159`	botnet_cc	2026-05-29	100%

KQL: Ip Hunt

// Hunt for network connections to known malicious IPs
// Source: ThreatFox - DCRat
let malicious_ips = dynamic(["190.255.90.152", "158.94.208.29", "45.202.1.100"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc

KQL: Ip Hunt Device

// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["190.255.90.152", "158.94.208.29", "45.202.1.100"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc

Required Data Sources

Sentinel Table	Notes
`CommonSecurityLog`	Ensure this data connector is enabled
`DeviceNetworkEvents`	Ensure this data connector is enabled

References

ThreatFox — DCRat

False Positive Guidance

Scenario: Scheduled system backup using Veeam Backup & Replication
- Description: The backup process may generate network traffic that matches the DCRat IOCs, such as connecting to a known C2 server.
- Filter/Exclusion: process.name != "VeeamBackup.exe" or destination_ip != "known-backup-server-ip"
Scenario: Windows Update task via Group Policy
- Description: A Group Policy Object (GPO) may trigger a scheduled task that connects to Microsoft’s update servers, which could be misidentified as DCRat C2.
- Filter/Exclusion: destination_ip != "13.107.6.50" (Microsoft’s public IP for Windows Update) or process.name != "wuauclt.exe"
Scenario: Log collection using Splunk Forwarder
- Description: The Splunk Universal Forwarder may send logs to a central Splunk server, which could be flagged due to similar network behavior.
- Filter/Exclusion: process.name != "splunkforwarder.exe" or destination_ip != "splunk-server-ip"
Scenario: Database backup using SQL Server Agent Job
- Description: A SQL Server Agent job may initiate a connection to a remote database server, which could be mistaken for DCRat C2 activity.
- Filter/Exclusion: process.name != "sqlservr.exe" or destination_ip != "sql-server-ip"
Scenario: Remote desktop session using Microsoft Remote Desktop
- Description: A legitimate RDP session may involve network traffic that resembles C2 communication patterns.
- Filter/Exclusion: process.name != "mstsc.exe" or destination_ip != "rdp-server-ip"