The ThreatFox: DCRat IOCs rule detects potential adversary activity associated with the DCRat malware, leveraging known indicators of compromise to identify suspicious network traffic or system behavior. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats that may be exfiltrating data or establishing command and control channels.
IOC Summary
Malware Family: DCRat
Total IOCs: 8
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 194[.]182[.]79[.]61:5038 | botnet_cc | 2026-06-07 | 100% |
| ip:port | 1[.]14[.]59[.]224:8888 | botnet_cc | 2026-06-07 | 100% |
| ip:port | 69[.]167[.]11[.]229:443 | botnet_cc | 2026-06-07 | 100% |
| ip:port | 5[.]230[.]201[.]242:1994 | botnet_cc | 2026-06-06 | 75% |
| ip:port | 46[.]151[.]182[.]243:55380 | botnet_cc | 2026-06-06 | 75% |
| ip:port | 185[.]192[.]124[.]218:2177 | botnet_cc | 2026-06-06 | 75% |
| ip:port | 158[.]94[.]211[.]253:7777 | botnet_cc | 2026-06-06 | 75% |
| ip:port | 142[.]44[.]247[.]175:9999 | botnet_cc | 2026-06-06 | 100% |
```kusto
// Hunt for network connections to known DCRat C2 IPs in CEF-formatted firewall/proxy logs
// Source: ThreatFox - DCRat
let malicious_ips = dynamic(["5.230.201.242", "194.182.79.61", "142.44.247.175", "46.151.182.243", "69.167.11.229", "185.192.124.218", "1.14.59.224", "158.94.211.253"]);
CommonSecurityLog
// Match in either direction: outbound beaconing or inbound contact from a listed host
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events for connections to the same IP list
// Source: ThreatFox - DCRat
let malicious_ips = dynamic(["5.230.201.242", "194.182.79.61", "142.44.247.175", "46.151.182.243", "69.167.11.229", "185.192.124.218", "1.14.59.224", "158.94.211.253"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
// InitiatingProcessFileName shows which binary opened the connection, which is the first pivot during triage
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
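As an added example that is not part of the ThreatFox feed or of the rule above: a Python helper that parses the defanged ip:port rows of the IOC table, validates each address and port, checks that the IP list hard-coded in the two hunting queries agrees with the table, and emits a KQL query that joins DeviceNetworkEvents on both RemoteIP and RemotePort. The queries above match on IP alone; since every ThreatFox row here carries a port, a port-qualified join is a tighter match that also keeps the confidence level available for filtering. The table rows are embedded in the script as a constructed inline string, and the datatable/join query it prints is this example's own pattern, not the rule's.

```python
import ipaddress
import re

# The eight ThreatFox rows from the IOC table above, embedded verbatim in
# defanged form (constructed inline input) so the script runs offline.
IOC_TABLE = """
| ip:port | 194[.]182[.]79[.]61:5038 | botnet_cc | 2026-06-07 | 100% |
| ip:port | 1[.]14[.]59[.]224:8888 | botnet_cc | 2026-06-07 | 100% |
| ip:port | 69[.]167[.]11[.]229:443 | botnet_cc | 2026-06-07 | 100% |
| ip:port | 5[.]230[.]201[.]242:1994 | botnet_cc | 2026-06-06 | 75% |
| ip:port | 46[.]151[.]182[.]243:55380 | botnet_cc | 2026-06-06 | 75% |
| ip:port | 185[.]192[.]124[.]218:2177 | botnet_cc | 2026-06-06 | 75% |
| ip:port | 158[.]94[.]211[.]253:7777 | botnet_cc | 2026-06-06 | 75% |
| ip:port | 142[.]44[.]247[.]175:9999 | botnet_cc | 2026-06-06 | 100% |
"""

# The IP list hard-coded in the page's two hunting queries, used only to
# check that the queries and the table agree.
QUERY_IPS = ["5.230.201.242", "194.182.79.61", "142.44.247.175",
             "46.151.182.243", "69.167.11.229", "185.192.124.218",
             "1.14.59.224", "158.94.211.253"]

# Common defanging tokens used in place of the dot in an address.
DEFANG_DOT = re.compile(r"\[\.\]|\(\.\)|\[dot\]", re.IGNORECASE)


def refang(value: str) -> str:
    """Turn a defanged indicator back into a queryable literal."""
    return DEFANG_DOT.sub(".", value)


def parse_iocs(table_text: str) -> list:
    """Parse ip:port rows of a ThreatFox-style markdown table.

    Only IPv4 'a.b.c.d:port' is handled; a bracketed IPv6 form would need
    its own split. Bad addresses or ports raise ValueError so a malformed
    feed row cannot silently end up in a production query.
    """
    iocs = []
    for line in table_text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 5 or cells[0] != "ip:port":
            continue  # header, separator row, or an IOC type this parser ignores
        _, value, threat_type, first_seen, confidence = cells
        ip_text, port_text = refang(value).rsplit(":", 1)
        ip = ipaddress.ip_address(ip_text)  # ValueError on garbage such as 999.1.1.1
        port = int(port_text)
        if not 0 < port < 65536:
            raise ValueError(f"port out of range: {port}")
        iocs.append({"ip": str(ip), "port": port, "threat_type": threat_type,
                     "first_seen": first_seen,
                     "confidence": int(confidence.rstrip("%"))})
    return iocs


def check_query_coverage(iocs: list, query_ips: list) -> dict:
    """Report IPs in the table but missing from the query, and vice versa."""
    table_ips = {i["ip"] for i in iocs}
    return {"missing_from_query": sorted(table_ips - set(query_ips)),
            "not_in_table": sorted(set(query_ips) - table_ips)}


def select_iocs(iocs: list, min_confidence: int = 0) -> list:
    """Keep only rows at or above the given ThreatFox confidence level."""
    return [i for i in iocs if i["confidence"] >= min_confidence]


def build_port_scoped_kql(iocs: list, min_confidence: int = 0) -> str:
    """Emit a KQL query that matches the full ip:port pair via a datatable join."""
    rows = ",\n".join(f'    "{i["ip"]}", {i["port"]}'
                      for i in select_iocs(iocs, min_confidence))
    return (
        "let dcrat_c2 = datatable(RemoteIP:string, RemotePort:int) [\n"
        f"{rows}\n"
        "];\n"
        "DeviceNetworkEvents\n"
        "| join kind=inner dcrat_c2 on RemoteIP, RemotePort\n"
        "| project Timestamp, DeviceName, RemoteIP, RemotePort, "
        "InitiatingProcessFileName, ActionType\n"
        "| order by Timestamp desc"
    )


if __name__ == "__main__":
    parsed = parse_iocs(IOC_TABLE)
    print(check_query_coverage(parsed, QUERY_IPS))
    print(build_port_scoped_kql(parsed, min_confidence=100))
```

Running the script with `min_confidence=100` emits a join table containing only the four 100%-confidence pairs; dropping the threshold to 75 includes all eight. Regenerating the query from the feed rather than hand-copying the IP list is what keeps the rule and the table from drifting apart when ThreatFox adds or retires indicators.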
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled backup job using wbadmin
Description: A scheduled Windows Backup job using wbadmin may execute similar command-line arguments to those associated with DCRat.
Filter/Exclusion: Exclude processes where the command line contains wbadmin or C:\Windows\System32\wbadmin.exe.

Scenario: System update using Windows Update
Description: A system update process may trigger IOCs related to DCRat due to similar network activity or file access patterns.
Filter/Exclusion: Exclude processes with svchost.exe or wuauserv as the parent process, or where the command line includes wuauclt.exe.

Scenario: Admin task using PowerShell for log management
Description: A legitimate PowerShell script run by an admin for log rotation or analysis may match DCRat IOCs due to similar file access or command execution.
Filter/Exclusion: Exclude processes with powershell.exe where the command line includes -File or -Command and the script path is known to be admin-owned (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\).

Scenario: Network monitoring tool using Wireshark
Description: A network monitoring tool like Wireshark may generate traffic patterns that resemble DCRat IOCs, especially when capturing or analyzing network packets.
Filter/Exclusion: Exclude processes with wireshark.exe or tshark.exe in the command line, or where the process is running under a known network monitoring user account.
Scenario: Antivirus scan using Windows Defender
Description: A full system scan by Windows Defender may trigger IOCs related to DCRat due to similar file access or process execution patterns.