The ThreatFox: PureRAT IOCs rule matches network telemetry in Azure Sentinel against the command-and-control (C2) endpoints that ThreatFox lists for PureRAT, a remote access trojan used to maintain access to compromised hosts and to stage data theft. Every IOC in this set is an ip:port pair tagged botnet_cc at 100% confidence, so a connection from an internal host to one of these endpoints is a strong signal that the host is beaconing to a PureRAT controller. The list is a snapshot (first seen 2026-06-07); C2 infrastructure churns, so refresh it from ThreatFox before each hunt and retire pairs that are no longer listed.
IOC Summary

Malware Family: PureRAT
Total IOCs: 17
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 94[.]26[.]3[.]180:56002 | botnet_cc | 2026-06-07 | 100% |
| ip:port | 94[.]26[.]3[.]180:56003 | botnet_cc | 2026-06-07 | 100% |
| ip:port | 172[.]86[.]93[.]229:56003 | botnet_cc | 2026-06-07 | 100% |
| ip:port | 209[.]99[.]185[.]216:1013 | botnet_cc | 2026-06-07 | 100% |
| ip:port | 103[.]97[.]131[.]179:56002 | botnet_cc | 2026-06-07 | 100% |
| ip:port | 94[.]26[.]3[.]52:56003 | botnet_cc | 2026-06-07 | 100% |
| ip:port | 192[.]109[.]200[.]22:56001 | botnet_cc | 2026-06-07 | 100% |
| ip:port | 193[.]202[.]84[.]1:8080 | botnet_cc | 2026-06-07 | 100% |
| ip:port | 193[.]233[.]198[.]38:56002 | botnet_cc | 2026-06-07 | 100% |
| ip:port | 45[.]156[.]87[.]169:5631 | botnet_cc | 2026-06-07 | 100% |
| ip:port | 144[.]31[.]191[.]160:56002 | botnet_cc | 2026-06-07 | 100% |
| ip:port | 116[.]213[.]43[.]144:444 | botnet_cc | 2026-06-07 | 100% |
| ip:port | 45[.]138[.]16[.]104:56003 | botnet_cc | 2026-06-07 | 100% |
| ip:port | 31[.]56[.]209[.]105:56001 | botnet_cc | 2026-06-07 | 100% |
| ip:port | 151[.]243[.]250[.]237:56002 | botnet_cc | 2026-06-07 | 100% |
| ip:port | 77[.]83[.]39[.]141:56002 | botnet_cc | 2026-06-07 | 100% |
| ip:port | 77[.]83[.]39[.]141:56003 | botnet_cc | 2026-06-07 | 100% |
The two hunting queries below are independent and should be run separately. Both key on the remote IP only; the port from the ip:port IOC is projected for review but not used as a match condition, so any traffic to a listed address fires, including traffic on ports ThreatFox never reported.

```kql
// Hunt for network connections to known malicious IPs (firewall / proxy CEF logs)
// Source: ThreatFox - PureRAT
// 15 distinct IPs from the 17 ip:port IOCs above (94.26.3.180 and 77.83.39.141 each appear with two ports)
let malicious_ips = dynamic(["144.31.191.160", "192.109.200.22", "151.243.250.237", "209.99.185.216", "193.202.84.1", "94.26.3.52", "193.233.198.38", "116.213.43.144", "94.26.3.180", "77.83.39.141", "31.56.209.105", "172.86.93.229", "45.156.87.169", "45.138.16.104", "103.97.131.179"]);
CommonSecurityLog
// Match either direction; the port is projected so an analyst can compare it with the IOC table
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events (same IP list as above)
let malicious_ips = dynamic(["144.31.191.160", "192.109.200.22", "151.243.250.237", "209.99.185.216", "193.202.84.1", "94.26.3.52", "193.233.198.38", "116.213.43.144", "94.26.3.180", "77.83.39.141", "31.56.209.105", "172.86.93.229", "45.156.87.169", "45.138.16.104", "103.97.131.179"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
// InitiatingProcessFileName identifies the process that opened the connection; pivot on it for triage
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
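The queries above key on the IP alone, so a host reaching 94.26.3.180 on 443 fires exactly like one reaching it on 56002, and a shared host such as 193.202.84.1 matches on every port. The following Python is an added example, not ThreatFox or Sentinel code: it parses the defanged ip:port list from the IOC table, shows how IP-only and exact-pair matching differ over a few constructed events shaped like DeviceNetworkEvents rows, and renders the pairs as a KQL datatable joined on both IP and port. The device names, process names and sample events are assumptions.

```python
"""Exact ip:port matching for the PureRAT IOCs above (added example, not page or vendor code)."""

# Constructed copy of the 17 defanged ip:port IOCs from the table above.
IOC_TABLE = """\
94[.]26[.]3[.]180:56002
94[.]26[.]3[.]180:56003
172[.]86[.]93[.]229:56003
209[.]99[.]185[.]216:1013
103[.]97[.]131[.]179:56002
94[.]26[.]3[.]52:56003
192[.]109[.]200[.]22:56001
193[.]202[.]84[.]1:8080
193[.]233[.]198[.]38:56002
45[.]156[.]87[.]169:5631
144[.]31[.]191[.]160:56002
116[.]213[.]43[.]144:444
45[.]138[.]16[.]104:56003
31[.]56[.]209[.]105:56001
151[.]243[.]250[.]237:56002
77[.]83[.]39[.]141:56002
77[.]83[.]39[.]141:56003
"""


def refang(value: str) -> str:
    """Undo the defanging used in published IOC lists: 94[.]26[.]3[.]180 -> 94.26.3.180."""
    return value.replace("[.]", ".").replace("(.)", ".")


def load_iocs(text: str) -> set:
    """Parse 'ip:port' lines into a set of (ip, port) tuples; blank lines are skipped."""
    pairs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ip, port = refang(line).rsplit(":", 1)
        pairs.add((ip, int(port)))
    return pairs


IOC_PAIRS = load_iocs(IOC_TABLE)        # 17 (ip, port) tuples
IOC_IPS = {ip for ip, _ in IOC_PAIRS}   # 15 distinct IPs, which is all the KQL above keys on

# Constructed events shaped like DeviceNetworkEvents rows (hypothetical hosts and processes).
SAMPLE_EVENTS = [
    {"Timestamp": "2026-06-08T09:12:03Z", "DeviceName": "ws-0142", "RemoteIP": "94.26.3.180",
     "RemotePort": 56002, "InitiatingProcessFileName": "RegAsm.exe"},
    {"Timestamp": "2026-06-08T09:13:41Z", "DeviceName": "ws-0142", "RemoteIP": "94.26.3.180",
     "RemotePort": 443, "InitiatingProcessFileName": "chrome.exe"},
    {"Timestamp": "2026-06-08T09:15:00Z", "DeviceName": "srv-db01", "RemoteIP": "193.202.84.1",
     "RemotePort": 8080, "InitiatingProcessFileName": "svchost.exe"},
    {"Timestamp": "2026-06-08T09:16:22Z", "DeviceName": "ws-0199", "RemoteIP": "8.8.8.8",
     "RemotePort": 53, "InitiatingProcessFileName": "svchost.exe"},
]


def match_ip_only(events):
    """What the page's KQL does: any port to a listed IP fires."""
    return [e for e in events if e["RemoteIP"] in IOC_IPS]


def match_ip_port(events):
    """Stricter: only the exact ip:port pair ThreatFox published fires."""
    return [e for e in events if (e["RemoteIP"], e["RemotePort"]) in IOC_PAIRS]


def _ip_key(pair):
    """Sort key: numeric octets, then port."""
    ip, port = pair
    return tuple(int(o) for o in ip.split(".")), port


def kql_pair_query(pairs, table="DeviceNetworkEvents", ip_col="RemoteIP", port_col="RemotePort") -> str:
    """Render the pairs as a KQL datatable and join it to a network table on ip AND port.
    For CommonSecurityLog pass ip_col="DestinationIP", port_col="DestinationPort"."""
    rows = ",\n".join(f'    "{ip}", {port}' for ip, port in sorted(pairs, key=_ip_key))
    return (
        "let ioc_pairs = datatable(ip:string, port:int) [\n" + rows + "\n];\n"
        f"{table}\n"
        f"| join kind=inner ioc_pairs on $left.{ip_col} == $right.ip, $left.{port_col} == $right.port\n"
        "| project-away ip, port\n"
    )


if __name__ == "__main__":
    print(f"{len(IOC_PAIRS)} pairs, {len(IOC_IPS)} distinct IPs")
    print("ip-only hits :", [(e["RemoteIP"], e["RemotePort"]) for e in match_ip_only(SAMPLE_EVENTS)])
    print("ip:port hits :", [(e["RemoteIP"], e["RemotePort"]) for e in match_ip_port(SAMPLE_EVENTS)])
    print(kql_pair_query(IOC_PAIRS))
```

On the constructed events the IP-only match returns three rows, including the browser connection to 94.26.3.180 on 443, while the pair match returns only the two rows on published C2 ports. Use the pair query as the high-confidence alert and keep the IP-only query as a broader hunt, since an operator can re-use a C2 host on a new port before ThreatFox catches up.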
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF / Syslog data connector; ensure firewalls and proxies are forwarding and that DestinationPort is parsed |
| DeviceNetworkEvents | Populated by the Microsoft 365 Defender connector with Defender for Endpoint raw events enabled; ensure this data connector is enabled |
The false-positive scenarios below concern process and command-line telemetry (InitiatingProcessFileName and InitiatingProcessCommandLine in DeviceNetworkEvents) used when triaging a hit; none of them excuses a connection to a listed ip:port pair itself.

**Scenario:** Legitimate scheduled job using PowerShell for system monitoring

**Description:** A scheduled PowerShell script runs as part of the enterprise's system health monitoring, which includes checking process activity and system logs.

**Filter/Exclusion:** Exclude processes executed by powershell.exe with the -Command parameter and a known monitoring script path (e.g., C:\Monitoring\HealthCheck.ps1). Match the full script path, not just the file name, so a script with the same name dropped elsewhere is not excluded.

**Scenario:** Admin task using certutil to import a trusted certificate

**Description:** A system administrator uses certutil to import a trusted certificate into the local machine store as part of a routine security update.

**Filter/Exclusion:** Exclude certutil.exe executions where the command line includes -addstore TrustedPublisher (without -user, which targets the current-user store rather than the local machine store) and the certificate file is located in a known enterprise certificate directory (e.g., C:\Certificates\Trusted\).

**Scenario:** Legitimate use of curl or wget for software updates

**Description:** A system administrator uses curl or wget to download and install a legitimate software update from a known internal or external repository.

**Filter/Exclusion:** Exclude commands executed by curl.exe or wget.exe where the URL matches a known enterprise update server (e.g., https://updates.enterprise.com/*).

**Scenario:** Use of taskkill to terminate a non-malicious process

**Description:** An administrator uses taskkill to terminate a non-malicious process that is consuming excessive resources, such as a stalled application or service.

**Filter/Exclusion:** Exclude taskkill.exe commands where the target process name is known and legitimate (e.g., notepad.exe or explorer.exe) and the process ID is not associated with any known malicious behavior. Do not blanket-exclude terminations of svchost.exe: killing service hosts is rarely routine administration and is a common defense-evasion step.
**Scenario: