The ThreatFox: DCRat IOCs rule detects potential adversary activity associated with the DCRat malware, leveraging known indicators of compromise to identify suspicious network traffic or system behavior. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats that may be exfiltrating data or establishing command and control channels.
IOC Summary
Malware Family: DCRat Total IOCs: 5 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 64[.]89[.]160[.]44:7777 | botnet_cc | 2026-05-31 | 100% |
| ip:port | 217[.]145[.]227[.]149:7777 | botnet_cc | 2026-05-31 | 100% |
| ip:port | 217[.]145[.]227[.]149:8888 | botnet_cc | 2026-05-31 | 100% |
| ip:port | 106[.]55[.]237[.]60:6663 | botnet_cc | 2026-05-31 | 100% |
| ip:port | 172[.]81[.]61[.]226:5202 | botnet_cc | 2026-05-31 | 75% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - DCRat
let malicious_ips = dynamic(["172.81.61.226", "106.55.237.60", "217.145.227.149", "64.89.160.44"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["172.81.61.226", "106.55.237.60", "217.145.227.149", "64.89.160.44"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled backup job using wbadmin
Description: A scheduled Windows backup task using wbadmin may generate network traffic that matches DCRat IOCs, such as connecting to a known C2 IP or domain.
Filter/Exclusion: Exclude traffic initiated by wbadmin.exe or tasks scheduled via Task Scheduler with the command line containing wbadmin.
Scenario: Admin task using PowerShell to manage remote servers
Description: An administrator may use PowerShell remoting (Invoke-Command) to execute scripts on remote servers, which could trigger network activity matching DCRat IOCs.
Filter/Exclusion: Exclude PowerShell remoting activity where the originating process is powershell.exe and the command includes Invoke-Command or Enter-PSSession.
Scenario: Legitimate software update using Windows Update
Description: A Windows Update process may communicate with Microsoft servers, which could be mistaken for DCRat C2 activity if the IOC list includes Microsoft IP addresses.
Filter/Exclusion: Exclude traffic from svchost.exe or wuauserv.exe destined for Microsoft update servers (e.g., update.microsoft.com).
Scenario: Log collection using LogParser or PowerShell scripts
Description: A log aggregation tool like LogParser or custom PowerShell scripts may connect to a central logging server, which could be flagged as DCRat C2 activity.
Filter/Exclusion: Exclude traffic from logparser.exe or PowerShell scripts that are known to be part of the organization’s log management system.
Scenario: Internal monitoring tool using Splunk or ELK stack
Description: A monitoring tool like Splunk or ELK stack may send data to an internal monitoring server, which could be mis