The ThreatFox: DCRat IOCs rule detects potential Remote Access Trojan activity indicative of data exfiltration and command execution by adversaries leveraging phishing or exploit kits to compromise systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate persistent threats before significant data loss or lateral movement occurs.
IOC Summary

- Malware Family: DCRat
- Total IOCs: 6
- IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 91[.]92[.]241[.]80:8848 | botnet_cc | 2026-06-04 | 75% |
| ip:port | 82[.]23[.]246[.]160:8848 | botnet_cc | 2026-06-04 | 75% |
| ip:port | 185[.]72[.]9[.]227:8848 | botnet_cc | 2026-06-04 | 75% |
| ip:port | 156[.]247[.]40[.]190:8848 | botnet_cc | 2026-06-04 | 75% |
| ip:port | 140[.]235[.]16[.]223:7203 | botnet_cc | 2026-06-04 | 75% |
| ip:port | 172[.]94[.]9[.]104:8090 | botnet_cc | 2026-06-04 | 100% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - DCRat
// Note: matches on IP only (either direction); the IOC table above also lists the C2 ports
let malicious_ips = dynamic(["172.94.9.104", "82.23.246.160", "185.72.9.227", "156.247.40.190", "140.235.16.223", "91.92.241.80"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - DCRat
let malicious_ips = dynamic(["172.94.9.104", "82.23.246.160", "185.72.9.227", "156.247.40.190", "140.235.16.223", "91.92.241.80"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
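The queries above match on IP alone, while the ThreatFox entries are ip:port pairs. The added example below (not part of the original rule) refangs the defanged IOC strings from the table, generates a port-aware DeviceNetworkEvents hunt using a KQL datatable join, and runs the same (IP, port) match offline over a few constructed events so the tighter logic can be checked before it is deployed; the IP-only queries remain the broader hunt for any contact with those hosts.

```python
import re

# Defanged ip:port IOCs exactly as listed in the ThreatFox table above.
DEFANGED_IOCS = [
    "91[.]92[.]241[.]80:8848", "82[.]23[.]246[.]160:8848", "185[.]72[.]9[.]227:8848",
    "156[.]247[.]40[.]190:8848", "140[.]235[.]16[.]223:7203", "172[.]94[.]9[.]104:8090",
]

IOC_RE = re.compile(r"^(\d{1,3}(?:\[\.\]\d{1,3}){3}):(\d{1,5})$")

def refang(ioc: str) -> tuple[str, int]:
    """Turn a defanged 'a[.]b[.]c[.]d:port' string into (ip, port); reject malformed input."""
    m = IOC_RE.match(ioc.strip())
    if not m:
        raise ValueError(f"not a defanged ip:port IOC: {ioc!r}")
    ip, port = m.group(1).replace("[.]", "."), int(m.group(2))
    if not 0 < port < 65536 or any(int(o) > 255 for o in ip.split(".")):
        raise ValueError(f"out-of-range ip/port in IOC: {ioc!r}")
    return ip, port

def build_kql(iocs: list[str]) -> str:
    """Emit a DeviceNetworkEvents hunt that matches on IP *and* port via a datatable join."""
    rows = ",\n".join(f'    "{ip}", {port}' for ip, port in map(refang, iocs))
    return (
        "let dcrat_c2 = datatable(RemoteIP:string, RemotePort:int) [\n" + rows + "\n];\n"
        "DeviceNetworkEvents\n"
        "| join kind=inner dcrat_c2 on RemoteIP, RemotePort\n"
        "| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType\n"
        "| order by Timestamp desc"
    )

def match_events(events: list[dict], iocs: list[str]) -> list[dict]:
    """Offline equivalent of the join: keep events whose (RemoteIP, RemotePort) is an IOC pair."""
    pairs = set(map(refang, iocs))
    return [e for e in events if (e["RemoteIP"], e["RemotePort"]) in pairs]

# Constructed sample events: one true ip:port hit, one IP-only hit on another port, one unrelated.
SAMPLE_EVENTS = [
    {"DeviceName": "ws-01", "RemoteIP": "172.94.9.104", "RemotePort": 8090, "InitiatingProcessFileName": "svchost.exe"},
    {"DeviceName": "ws-02", "RemoteIP": "172.94.9.104", "RemotePort": 443, "InitiatingProcessFileName": "msedge.exe"},
    {"DeviceName": "ws-03", "RemoteIP": "10.0.0.5", "RemotePort": 8848, "InitiatingProcessFileName": "python.exe"},
]

if __name__ == "__main__":
    print(build_kql(DEFANGED_IOCS))
    for hit in match_events(SAMPLE_EVENTS, DEFANGED_IOCS):
        print("HIT", hit)  # only ws-01 matches on both IP and port
```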
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
- **Scenario: Legitimate Scheduled Job Execution**
  - Description: A system administrator schedules a legitimate script or job that uses a tool like PsExec or SchTasks to run a remote command for system maintenance.
  - Filter/Exclusion: Exclude processes initiated by scheduled tasks with known legitimate command-line arguments or associated with trusted system services.
- **Scenario: Admin Using Cobalt Strike for Red Team Exercise**
  - Description: A red team member uses Cobalt Strike to simulate a DCRat attack during a security training exercise.
  - Filter/Exclusion: Exclude processes originating from known red team tools or executed within a controlled environment with a specific source IP or user context.
- **Scenario: Malicious Attachment from Trusted Vendor**
  - Description: An employee receives a phishing email from a trusted vendor containing a legitimate attachment (e.g., a PDF or Word document) that is mistakenly flagged as malicious.
  - Filter/Exclusion: Exclude emails from known vendors or domains with a trusted sender reputation, or filter based on email headers and sender validation.
- **Scenario: System Update via Microsoft Endpoint Manager**
  - Description: A system update is deployed via Microsoft Endpoint Manager (Intune) using a tool like Msiexec.exe or Windows Update.
  - Filter/Exclusion: Exclude processes initiated by known system update tools or executed during scheduled maintenance windows.
- **Scenario: Log Collection via Splunk or ELK Stack**
  - Description: A log collection agent (e.g., Splunk Universal Forwarder or Fluentd) is configured to collect logs from remote systems, which may produce network activity similar to DCRat's.
  - Filter/Exclusion: Exclude traffic from known log collection agents or processes associated with log management tools.