The ThreatFox: PureRAT IOCs rule detects potential indicators of a remote access trojan used for data exfiltration and command execution, commonly delivered through phishing emails. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage PureRAT infections before they lead to data breaches or persistent threats.
IOC Summary
Malware Family: PureRAT
Total IOCs: 38
IOC Types: ip:port
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - PureRAT
let malicious_ips = dynamic(["104.156.154.148", "95.85.251.14", "104.245.104.38", "31.56.209.62", "2.27.59.167", "209.87.166.249", "216.250.253.108", "194.50.94.26", "2.27.59.193", "185.254.97.103", "23.160.168.172", "2.27.59.164", "93.123.109.129", "92.118.39.64", "132.243.221.253", "45.89.53.162", "103.17.38.43", "135.136.129.123", "31.57.184.154", "141.98.191.36", "23.160.168.167", "45.145.43.251", "193.233.19.233", "23.94.252.223", "153.80.249.20", "104.194.152.199", "192.109.200.233", "178.16.53.254", "46.247.108.81", "64.120.94.198", "213.209.159.91", "130.12.182.209", "104.152.187.59", "151.242.170.220", "2.26.54.202", "216.126.225.226", "31.56.209.63", "165.140.167.209"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["104.156.154.148", "95.85.251.14", "104.245.104.38", "31.56.209.62", "2.27.59.167", "209.87.166.249", "216.250.253.108", "194.50.94.26", "2.27.59.193", "185.254.97.103", "23.160.168.172", "2.27.59.164", "93.123.109.129", "92.118.39.64", "132.243.221.253", "45.89.53.162", "103.17.38.43", "135.136.129.123", "31.57.184.154", "141.98.191.36", "23.160.168.167", "45.145.43.251", "193.233.19.233", "23.94.252.223", "153.80.249.20", "104.194.152.199", "192.109.200.233", "178.16.53.254", "46.247.108.81", "64.120.94.198", "213.209.159.91", "130.12.182.209", "104.152.187.59", "151.242.170.220", "2.26.54.202", "216.126.225.226", "31.56.209.63", "165.140.167.209"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
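The two hunts above match on IP alone, while the ThreatFox indicators are ip:port pairs, so a port-aware match cuts noise from hosts that share an address with unrelated services. The following Python script is an added example, not code from the page, ThreatFox or Microsoft Sentinel: it refangs `a[.]b[.]c[.]d:port` strings (three sample values copied from the page's list, plus one malformed entry) and emits a `datatable` join variant of the hunt; the names `c2`, `parse_ioc` and `build_kql` and the table/column parameters are chosen here.

```python
"""Turn defanged ThreatFox ip:port IOCs into a port-aware KQL hunt."""
import re
from typing import Iterable, List, Optional, Tuple

# Constructed sample input: three indicators from the page plus one bad line.
SAMPLE_IOCS = [
    "104[.]245[.]104[.]38:56001",
    "130[.]12[.]182[.]209:3418",
    "93[.]123[.]109[.]129:8080",
    "not-an-ioc",
]

# Four dotted-decimal octets with ThreatFox "[.]" defanging, then ":port".
_IOC_RE = re.compile(r"^(\d{1,3}(?:\[\.\]\d{1,3}){3}):(\d{1,5})$")


def parse_ioc(value: str) -> Optional[Tuple[str, int]]:
    """Refang one indicator into (ip, port); return None if it is malformed."""
    m = _IOC_RE.match(value.strip())
    if not m:
        return None
    ip, port = m.group(1).replace("[.]", "."), int(m.group(2))
    if port > 65535 or any(int(o) > 255 for o in ip.split(".")):
        return None
    return ip, port


def parse_iocs(values: Iterable[str]) -> List[Tuple[str, int]]:
    """Parse, drop malformed entries and duplicates, return a stable order."""
    return sorted({p for p in map(parse_ioc, values) if p is not None})


def build_kql(pairs: List[Tuple[str, int]], table: str = "CommonSecurityLog",
              ip_col: str = "DestinationIP", port_col: str = "DestinationPort",
              project: str = "TimeGenerated, SourceIP, DestinationIP, "
                             "DestinationPort, DeviceAction, Activity") -> str:
    """Emit a hunt that requires both the C2 IP and its port to match.

    Hypothetical variant of the page's query; DestinationPort/RemotePort are
    integer columns in Sentinel, so no type conversion is needed for the join.
    """
    rows = ",\n".join(f'    "{ip}", {port}' for ip, port in pairs)
    return (
        "// Port-aware variant: join on ip AND port from the ThreatFox pairs\n"
        f"let c2 = datatable(ip:string, port:int) [\n{rows}\n];\n"
        f"{table}\n"
        f"| join kind=inner (c2) on $left.{ip_col} == $right.ip, "
        f"$left.{port_col} == $right.port\n"
        f"| project {project}\n"
        "| order by TimeGenerated desc"
    )


if __name__ == "__main__":
    print(build_kql(parse_iocs(SAMPLE_IOCS)))
```

For Defender data call `build_kql(pairs, "DeviceNetworkEvents", "RemoteIP", "RemotePort", "Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType")` and change the final `order by` column to `Timestamp`.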
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled backup job using PowerShell
Description: A scheduled task runs a PowerShell script to back up user data to a network share. The script may use powershell.exe and include base64 encoded commands, which could trigger the PureRAT IOC rule.
Filter/Exclusion: Check for the presence of known backup tools (e.g., Veeam, Commvault) or use a filter like process.name != "powershell.exe" or process.args not containing "base64".
Scenario: Admin using PowerShell for system monitoring
Description: An administrator uses PowerShell to monitor system performance, which may involve executing scripts that resemble malicious activity, such as querying event logs or registry keys.
Filter/Exclusion: Filter by user context (e.g., user.name == "admin") or check for known administrative tools (e.g., PowerShell, Task Scheduler, Windows Event Viewer).
Scenario: Legitimate email attachment processing by an M365 admin
Description: A Microsoft 365 admin receives a legitimate email with an attachment (e.g., a PDF or document) and processes it using a script or tool like Outlook.exe or Exchange Online.
Filter/Exclusion: Filter by user role (e.g., user.role == "admin") or check for known email processing tools (e.g., Outlook.exe, Exchange Online).
Scenario: Automated report generation using a script
Description: A script runs on a schedule to generate reports using tools like Power BI, SQL Server Reporting Services, or Python scripts that interact with databases. These scripts may include base64 or encoded commands.
Filter/Exclusion: Filter by known reporting tools (e.g., Power BI, `SSRS