The ThreatFox: DCRat IOCs rule matches network traffic against ip:port indicators of compromise that ThreatFox has published for the DCRat remote access trojan (three botnet command-and-control endpoints). SOC teams can run the queries below in Microsoft Sentinel (formerly Azure Sentinel) to find hosts that have contacted these C2 addresses; because the indicators are C2 endpoints rather than file artifacts, a hit means an endpoint actually connected to a known DCRat controller and should be triaged as a probable active infection until proven otherwise.
IOC Summary
Malware Family: DCRat
Total IOCs: 3
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 46[.]246[.]82[.]4:8848 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 178[.]236[.]46[.]43:7912 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 158[.]94[.]210[.]30:8848 | botnet_cc | 2026-06-10 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - DCRat
// The IOCs are ip:port pairs. malicious_ips catches any connection to a C2 host
// on any port; ExactIocMatch flags the exact ip:port pair so those hits are triaged first.
let malicious_ips = dynamic(["178.236.46.43", "46.246.82.4", "158.94.210.30"]);
let malicious_pairs = dynamic(["46.246.82.4:8848", "178.236.46.43:7912", "158.94.210.30:8848"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| extend ExactIocMatch = strcat(DestinationIP, ":", tostring(DestinationPort)) in (malicious_pairs)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, ExactIocMatch, DeviceAction, Activity
| order by ExactIocMatch desc, TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Same IOC lists; DeviceNetworkEvents also records the initiating process and
// command line, which CommonSecurityLog does not, so attribute the connection here.
let malicious_ips = dynamic(["178.236.46.43", "46.246.82.4", "158.94.210.30"]);
let malicious_pairs = dynamic(["46.246.82.4:8848", "178.236.46.43:7912", "158.94.210.30:8848"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| extend ExactIocMatch = strcat(RemoteIP, ":", tostring(RemotePort)) in (malicious_pairs)
| project Timestamp, DeviceName, RemoteIP, RemotePort, ExactIocMatch, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType
| order by ExactIocMatch desc, Timestamp desc
```
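The hunts above are only as good as the IOC lists pasted into them, and ThreatFox publishes its values defanged (`46[.]246[.]82[.]4:8848`). The following added example, which is not part of the original rule page, refangs the three DCRat entries from the table, validates them, emits the `let` lines for the KQL hunts, and runs the same ip:port versus ip-only matching over a handful of constructed network events so the triage order (exact C2 pair first, C2 host on another port second) can be checked offline. The `NetEvent` record and the sample events are assumptions made for the example.

```python
"""Refang ThreatFox ip:port IOCs, emit KQL lists, and match them offline.

Added example, not part of the original rule page. The IOC values are the
three DCRat entries from the page's table; the log records are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Defanged IOCs copied from the page's table (ThreatFox, DCRat, botnet_cc).
DEFANGED_IOCS = [
    "46[.]246[.]82[.]4:8848",
    "178[.]236[.]46[.]43:7912",
    "158[.]94[.]210[.]30:8848",
]


def refang(value: str) -> str:
    """Undo common defanging ('[.]', '(.)', 'hxxp') so the value can be matched."""
    return re.sub(r"[\[\(]\.[\]\)]", ".", value).replace("hxxp", "http")


def parse_ip_port(ioc: str):
    """Split an 'ip:port' IOC into (ip, port), validating both halves."""
    host, _, port = refang(ioc).rpartition(":")
    ip = str(ipaddress.ip_address(host))   # raises ValueError on junk or missing host
    port_num = int(port)
    if not 0 < port_num < 65536:
        raise ValueError(f"bad port in IOC {ioc!r}")
    return ip, port_num


def build_lists(iocs):
    """Return (set of C2 IPs, set of exact 'ip:port' strings) for matching."""
    pairs = [parse_ip_port(i) for i in iocs]
    return {ip for ip, _ in pairs}, {f"{ip}:{port}" for ip, port in pairs}


def quote_list(values):
    """Render a sorted, double-quoted, comma-separated list for a KQL dynamic()."""
    return ", ".join(f'"{v}"' for v in sorted(values))


def to_kql(iocs) -> str:
    """Emit the two `let` lines consumed by the page's KQL hunts."""
    ips, pairs = build_lists(iocs)
    return (f"let malicious_ips = dynamic([{quote_list(ips)}]);\n"
            f"let malicious_pairs = dynamic([{quote_list(pairs)}]);")


@dataclass
class NetEvent:
    """Minimal constructed stand-in for a firewall/EDR network record (assumed shape)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    process: str


# Constructed sample events: one exact C2 hit, one C2 host on another port,
# one benign DNS lookup, and one inbound connection *from* a listed address.
SAMPLE_EVENTS = [
    NetEvent("10.0.0.5", "46.246.82.4", 8848, "svchost.exe"),
    NetEvent("10.0.0.7", "46.246.82.4", 443, "chrome.exe"),
    NetEvent("10.0.0.9", "8.8.8.8", 53, "svchost.exe"),
    NetEvent("178.236.46.43", "10.0.0.5", 3389, "-"),
]


def classify(event: NetEvent, ips, pairs):
    """'exact' for an ip:port IOC hit, 'ip_only' for any traffic with a C2 host, else None."""
    if f"{event.dst_ip}:{event.dst_port}" in pairs:
        return "exact"
    if event.dst_ip in ips or event.src_ip in ips:
        return "ip_only"
    return None


def hunt(events, iocs):
    """Return [(event, verdict)] for every hit, exact ip:port matches first (stable order)."""
    ips, pairs = build_lists(iocs)
    hits = [(e, v) for e in events if (v := classify(e, ips, pairs))]
    return sorted(hits, key=lambda hit: hit[1] != "exact")


if __name__ == "__main__":
    print(to_kql(DEFANGED_IOCS))
    for event, verdict in hunt(SAMPLE_EVENTS, DEFANGED_IOCS):
        print(f"{verdict:8} {event.src_ip} -> {event.dst_ip}:{event.dst_port} ({event.process})")
```

Paste the printed `let` lines into the queries above whenever the ThreatFox entries change. Note that the ip-only matches are kept on purpose: a RAT operator can move the listener to another port on the same host, so a connection to a listed address on an unlisted port is still worth a look, just at lower priority than the exact pair.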
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the Common Event Format (CEF) connector; ensure it is enabled and that firewall/proxy logs are being ingested |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR connector (Defender for Endpoint); ensure it is enabled |
False positive scenarios. Note that this rule's indicators are ip:port pairs only, so a match always means a connection to one of the listed addresses; coincidences in file names, paths or hashes cannot trigger it. Any exclusion should be scoped to a specific, investigated destination and process, never to a process name alone, because a RAT can run under, spawn from or inject into the same legitimate processes named below.
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script whose outbound connection reaches one of the listed addresses.
Filter/Exclusion: process.name NOT IN ("schtasks.exe", "task scheduler"), or check for process.parent.name == "Windows Task Scheduler"; confirm the destination is expected for that task before excluding.
Scenario: Admin Performing Disk Cleanup or Log Rotation
Description: An admin uses a tool like Disk Cleanup or logrotate whose activity coincides with a connection to a listed address.
Filter/Exclusion: process.name NOT IN ("cleanmgr.exe", "logrotate"), or check for user.name == "admin" AND process.parent.name == "explorer.exe".
Scenario: Legitimate Software Installation via Chocolatey
Description: A package installed via Chocolatey (e.g., choco install) fetches content from an address that coincides with a listed DCRat IOC.
Filter/Exclusion: process.name NOT IN ("choco.exe") AND file.path NOT LIKE "C:\ProgramData\chocolatey\bin\*".
Scenario: Database Backup Job Using SQL Server Agent
Description: A SQL Server Agent job backs up a database to a remote target whose address coincides with a listed DCRat IOC.
Filter/Exclusion: process.name NOT IN ("sqlagent.exe") AND file.path NOT LIKE "C:\Program Files\Microsoft SQL Server\*".
Scenario: Network Monitoring Tool Generating False Positives
Description: A network monitoring tool like Wireshark or Microsoft Network Monitor may replay or generate traffic to a listed address.
Filter/Exclusion: process.name NOT IN ("wireshark.exe", "nmtui.exe"), or check for `process