The ThreatFox: DCRat IOCs rule detects network connections to command-and-control (C2) infrastructure attributed to DCRat (DarkCrystal RAT), a remote access trojan; the indicators below are ThreatFox entries of threat type botnet_cc. SOC teams should hunt for these IOCs in Microsoft Sentinel (formerly Azure Sentinel) to find hosts that have already beaconed to the C2, because a successful connection means the implant is running and the operator has interactive access to that host. The indicators are ip:port pairs, while the queries below match on IP alone, which is broader: a hit on a listed IP but a different port deserves a closer look before it is treated as confirmed C2 traffic.
IOC Summary
Malware Family: DCRat
Total IOCs: 7
IOC Types: ip:port
Values in the table are defanged with [.] and must be refanged (156[.]247[.]54[.]11 becomes 156.247.54.11) before they are used in a query.
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 156[.]247[.]54[.]11:12159 | botnet_cc | 2026-06-16 | 75% |
| ip:port | 154[.]198[.]50[.]38:8848 | botnet_cc | 2026-06-15 | 100% |
| ip:port | 156[.]247[.]54[.]10:12159 | botnet_cc | 2026-06-15 | 75% |
| ip:port | 156[.]247[.]54[.]10:8848 | botnet_cc | 2026-06-15 | 75% |
| ip:port | 156[.]247[.]54[.]12:12159 | botnet_cc | 2026-06-15 | 75% |
| ip:port | 156[.]247[.]54[.]13:12159 | botnet_cc | 2026-06-15 | 75% |
| ip:port | 156[.]247[.]54[.]14:12159 | botnet_cc | 2026-06-15 | 75% |
```kql
// Hunt for network connections to known malicious IPs in CEF (firewall/proxy) logs
// Source: ThreatFox - DCRat
// Note: matches on IP only; the ip:port indicators above are more specific than this filter
let malicious_ips = dynamic(["156.247.54.12", "154.198.50.38", "156.247.54.10", "156.247.54.11", "156.247.54.14", "156.247.54.13"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - DCRat
// Note: matches on IP only; InitiatingProcessFileName is the first pivot for triage
let malicious_ips = dynamic(["156.247.54.12", "154.198.50.38", "156.247.54.10", "156.247.54.11", "156.247.54.14", "156.247.54.13"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
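The two queries above match on IP alone and drop the port and confidence that the feed supplies. The query below is an added example written for this page, not part of the ThreatFox rule or the original queries: it carries the IOC table into a datatable, normalises DeviceNetworkEvents and CommonSecurityLog into one shape, joins on the exact ip:port pair, and summarises per host with the ThreatFox confidence attached so the single 100% indicator sorts first. The 30-day lookback and the column aliases (Host, C2IP, C2Port, Process, Action) are this example's own choices, not anything the rule defines.

```kql
// Added example: exact ip:port matching for the DCRat C2 indicators listed above.
// Not part of the ThreatFox rule or the original queries; lookback and aliases are assumptions.
let lookback = 30d;
// Refanged copy of the IOC table, with confidence and first-seen carried along
let dcrat_c2 = datatable(C2IP:string, C2Port:int, Confidence:int, FirstSeen:datetime) [
    "156.247.54.11", 12159, 75,  datetime(2026-06-16),
    "154.198.50.38", 8848,  100, datetime(2026-06-15),
    "156.247.54.10", 12159, 75,  datetime(2026-06-15),
    "156.247.54.10", 8848,  75,  datetime(2026-06-15),
    "156.247.54.12", 12159, 75,  datetime(2026-06-15),
    "156.247.54.13", 12159, 75,  datetime(2026-06-15),
    "156.247.54.14", 12159, 75,  datetime(2026-06-15)
];
// IP-only list used as a cheap prefilter before the join
let c2_ips = dcrat_c2 | project C2IP;
// Endpoint view: the initiating process is the most useful pivot for triage
let endpoint = DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where RemoteIP in (c2_ips)
    | project TimeGenerated = Timestamp, Source = "DeviceNetworkEvents",
              Host = DeviceName, C2IP = RemoteIP, C2Port = RemotePort,
              Process = InitiatingProcessFileName, Action = ActionType;
// Network view: CEF firewall/proxy logs, outbound direction only
let network = CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where DestinationIP in (c2_ips)
    | project TimeGenerated, Source = "CommonSecurityLog",
              Host = DeviceName, C2IP = DestinationIP, C2Port = DestinationPort,
              Process = "", Action = DeviceAction;
union endpoint, network
| join kind=inner dcrat_c2 on C2IP, C2Port          // exact ip:port match, not IP-only
| project-away C2IP1, C2Port1                      // drop the duplicated join keys
| summarize FirstHit = min(TimeGenerated), LastHit = max(TimeGenerated), Hits = count(),
            Processes = make_set(Process), Actions = make_set(Action)
          by Host, C2IP, C2Port, Confidence, Source
| order by Confidence desc, LastHit desc
```

Keep the IP-only queries above as the wider net for hunting; use this one when deciding which hits to escalate. A row whose Actions set contains only blocked or failed connections still means a process on that host tried to reach DCRat C2, so it is a lead on the endpoint, not a reason to close the alert.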
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: The destination IP matches but the port does not (for example, 156.247.54.10 is listed on 12159 and 8848; a connection to the same host on another port is not covered by this feed).
Filter/Exclusion: Match on the exact ip:port pair before treating a hit as confirmed C2; an IP-only hit on a different port is still worth a look, but triage it as a lower-confidence lead rather than an incident.
Scenario: Internal security tooling (vulnerability scanners, detonation sandboxes, threat-intelligence enrichment that probes the indicator) connects to the listed IPs.
Filter/Exclusion: Exclude by the SourceIP or DeviceName of the known tooling, after confirming the traffic really originates from it; never exclude by destination IP, or the rule stops firing for every host.
Scenario: The C2 address has been reassigned or sinkholed since the First Seen date; six of the seven entries carry 75% confidence.
Filter/Exclusion: Re-check older matches against the current ThreatFox entry before acting on them, and prioritise the 100% confidence indicator (154.198.50.38:8848).
Scenario: The connection was blocked (a deny or drop DeviceAction in CommonSecurityLog, or ActionType ConnectionFailed in DeviceNetworkEvents).
Filter/Exclusion: Do not exclude these. A blocked attempt still shows that a process on the host tried to reach DCRat C2; pivot to InitiatingProcessFileName on the endpoint and treat the host as suspected compromised.