The ThreatFox: DCRat IOCs rule detects potential adversary activity associated with the DCRat malware, leveraging known indicators of compromise to identify suspicious network traffic or file artifacts. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and respond to advanced persistent threats that may be exfiltrating data or establishing command and control channels.
IOC Summary
Malware Family: DCRat Total IOCs: 6 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 23[.]235[.]185[.]46:8848 | botnet_cc | 2026-06-01 | 100% |
| ip:port | 23[.]235[.]185[.]45:8848 | botnet_cc | 2026-06-01 | 100% |
| ip:port | 23[.]235[.]185[.]43:8848 | botnet_cc | 2026-06-01 | 100% |
| ip:port | 23[.]235[.]185[.]42:8848 | botnet_cc | 2026-06-01 | 100% |
| ip:port | 172[.]86[.]75[.]140:5038 | botnet_cc | 2026-06-01 | 100% |
| ip:port | 103[.]85[.]225[.]97:5566 | botnet_cc | 2026-06-01 | 100% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - DCRat
let malicious_ips = dynamic(["103.85.225.97", "172.86.75.140", "23.235.185.46", "23.235.185.45", "23.235.185.43", "23.235.185.42"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["103.85.225.97", "172.86.75.140", "23.235.185.46", "23.235.185.45", "23.235.185.43", "23.235.185.42"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled backup job using Veeam Backup & Replication
Filter/Exclusion: Exclude processes initiated by the veeam user or with Veeam in the command line arguments.
Scenario: System update using Chocolatey package manager
Filter/Exclusion: Exclude processes with choco in the command line and associated with known Chocolatey update scripts.
Scenario: Administrative task using PowerShell to manage Active Directory
Filter/Exclusion: Exclude processes with PowerShell and AD in the command line, or run by the Administrators group.
Scenario: Log file rotation using logrotate on Linux systems
Filter/Exclusion: Exclude processes with logrotate in the command line or associated with /etc/logrotate.d/ configuration files.
Scenario: Database maintenance task using SQL Server Agent Job
Filter/Exclusion: Exclude processes with sqlagent in the process name or associated with known SQL Server maintenance tasks.