The ThreatFox: DCRat IOCs rule detects potential adversary activity associated with the DCRat malware, leveraging known indicators of compromise to identify suspicious network traffic or system behavior. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats that may be leveraging DCRat for command and control or data exfiltration.
IOC Summary
Malware Family: DCRat
Total IOCs: 5
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 23[.]235[.]185[.]42:12159 | botnet_cc | 2026-06-14 | 75% |
| ip:port | 43[.]167[.]223[.]229:7001 | botnet_cc | 2026-06-14 | 100% |
| ip:port | 72[.]51[.]57[.]131:5202 | botnet_cc | 2026-06-13 | 75% |
| ip:port | 72[.]51[.]57[.]131:7997 | botnet_cc | 2026-06-13 | 75% |
| ip:port | 46[.]246[.]4[.]9:8848 | botnet_cc | 2026-06-13 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - DCRat
// Note: the IOCs are ip:port pairs; this query matches on IP alone (any port),
// so compare DestinationPort against the table above when triaging hits.
let malicious_ips = dynamic(["46.246.4.9", "72.51.57.131", "23.235.185.42", "43.167.223.229"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Same IP-only match as above; RemotePort is projected so the port can be
// checked against the ip:port IOCs, and InitiatingProcessFileName shows which
// process opened the connection.
let malicious_ips = dynamic(["46.246.4.9", "72.51.57.131", "23.235.185.42", "43.167.223.229"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
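The two hunting queries match on IP alone and discard the port half of each ip:port IOC. As an added example (not part of the ThreatFox feed or the Sentinel rule), the Python below refangs the IOCs from the table, indexes them by IP, and scores constructed firewall lines as exact ip:port hits versus IP-only hits, which is the triage a hunter otherwise does by hand on the query output; the key=value log format and the sample lines are assumptions.

```python
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple
# Defanged ip:port IOCs exactly as listed in the ThreatFox table above.
DCRAT_IOCS = [
    "23[.]235[.]185[.]42:12159",
    "43[.]167[.]223[.]229:7001",
    "72[.]51[.]57[.]131:5202",
    "72[.]51[.]57[.]131:7997",
    "46[.]246[.]4[.]9:8848",
]

def refang(ioc: str) -> Tuple[str, int]:
    """'72[.]51[.]57[.]131:5202' -> ('72.51.57.131', 5202)."""
    ip, _, port = ioc.replace("[.]", ".").rpartition(":")
    return ip, int(port)

def build_index(iocs: Iterable[str]) -> Dict[str, Set[int]]:
    """Map each C2 IP to the set of ports ThreatFox reported for it."""
    index: Dict[str, Set[int]] = {}
    for ioc in iocs:
        ip, port = refang(ioc)
        index.setdefault(ip, set()).add(port)
    return index

# Constructed sample firewall lines (key=value, loosely modelled on CommonSecurityLog fields); not real telemetry.
SAMPLE_LOGS = [
    "2026-06-14T09:12:01Z src=10.20.1.15 spt=51234 dst=72.51.57.131 dpt=5202 act=allow",
    "2026-06-14T09:15:44Z src=10.20.1.15 spt=51240 dst=72.51.57.131 dpt=443 act=allow",
    "2026-06-14T09:20:10Z src=10.20.3.8 spt=51301 dst=142.250.72.14 dpt=443 act=allow",
    "2026-06-14T09:22:37Z src=46.246.4.9 spt=8848 dst=10.20.1.30 dpt=61002 act=deny",
]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) spt=(?P<spt>\d+) dst=(?P<dst>\S+) dpt=(?P<dpt>\d+) act=\S+$"
)

def classify(line: str, index: Dict[str, Set[int]]) -> Optional[str]:
    """'ip_port' for an exact C2 ip:port hit, 'ip_only' if only the IP matches, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Check the port on the same side as the matched IP (dst/dpt first, then src/spt).
    for ip, port in ((m["dst"], int(m["dpt"])), (m["src"], int(m["spt"]))):
        if ip in index:
            return "ip_port" if port in index[ip] else "ip_only"
    return None

def hunt(lines: Iterable[str], iocs: Iterable[str] = DCRAT_IOCS) -> List[Tuple[str, str]]:
    """Return (line, verdict) for every line that touches a DCRat C2 IP."""
    index = build_index(iocs)
    return [(line, verdict) for line in lines if (verdict := classify(line, index))]
```

An IP-only hit on a well-known port such as 443 is the case most likely to be a shared host or reused address, so keep the two verdicts separate when deciding what to escalate.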
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task running schtasks.exe or Task Scheduler to perform system maintenance, such as disk cleanup or log rotation, may execute a file that matches a DCRat IOC.
Filter/Exclusion: Exclude processes initiated by schtasks.exe or tasks with a known maintenance purpose (e.g., Cleanup, Logrotate, DiskDefrag).
Scenario: Admin Tool Execution
Description: An administrator may use tools like PsExec, PSTools, or WMIC to remotely execute scripts or utilities that may have a file name or hash matching DCRat IOCs.
Filter/Exclusion: Exclude processes launched by PsExec, WMIC, or psexec.exe and filter by user account (e.g., Administrator, SysAdmin).
Scenario: Antivirus Quarantine Scan
Description: During a full system scan, an antivirus tool like Bitdefender, Kaspersky, or Malwarebytes may quarantine a file that matches a DCRat IOC, leading to false positives.
Filter/Exclusion: Exclude processes associated with known antivirus tools (e.g., mbam.exe, kavsvc.exe, bdagent.exe) or files flagged as quarantined.
Scenario: PowerShell Script Execution
Description: A legitimate PowerShell script (e.g., PowerShell.exe or pwsh.exe) may use a command or module that has a hash or file name matching a DCRat IOC due to similar syntax or naming.
Filter/Exclusion: Exclude processes launched with powershell.exe or pwsh.exe and filter by script location (e.g., C:\Windows\System32\, `C:\Program Files