The ThreatFox: PureRAT IOCs rule detects potential adversary activity associated with the PureRAT malware, which is known for its persistence and remote command execution capabilities. SOC teams should proactively hunt for these indicators in Azure Sentinel to identify and mitigate advanced persistent threats that could exfiltrate data or compromise critical systems.
IOC Summary
- Malware Family: PureRAT
- Total IOCs: 6
- IOC Types: sha256_hash, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 80[.]76[.]49[.]194:56003 | botnet_cc | 2026-06-11 | 75% |
| ip:port | 80[.]76[.]49[.]194:56002 | botnet_cc | 2026-06-11 | 75% |
| ip:port | 80[.]76[.]49[.]194:56001 | botnet_cc | 2026-06-11 | 75% |
| sha256_hash | 7e49b00bef718eb7e3645d8705e6521b011f66d10f06201e209a8a0511abc81a | payload | 2026-06-11 | 75% |
| sha256_hash | b50a05e38e9d04fd5c4dac4f29850649a77bb3ae443639206c908058e45593eb | payload | 2026-06-11 | 75% |
| sha256_hash | a05254840b45fcbfd12d09fd416ca860e2cfcab793f4780fa8f138b8f7a86aab | payload | 2026-06-11 | 75% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - PureRAT
let malicious_ips = dynamic(["80.76.49.194"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - PureRAT
let malicious_ips = dynamic(["80.76.49.194"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kusto
// Hunt for files matching known malicious hashes
// Source: ThreatFox - PureRAT
// The feed supplies SHA-256 values only, so only the SHA256 column is compared;
// matching the SHA1 or MD5 columns against these values could never hit.
let malicious_hashes = dynamic(["7e49b00bef718eb7e3645d8705e6521b011f66d10f06201e209a8a0511abc81a", "b50a05e38e9d04fd5c4dac4f29850649a77bb3ae443639206c908058e45593eb", "a05254840b45fcbfd12d09fd416ca860e2cfcab793f4780fa8f138b8f7a86aab"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
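The feed publishes defanged values (`80[.]76[.]49[.]194:56003`) and the queries above match on the bare IP, which loses the port half of the ip:port indicator. The following Python, an added example that is not part of the ThreatFox rule page, refangs and validates the table rows from this page (embedded as constructed sample data), drops malformed or low-confidence entries, and emits a DeviceNetworkEvents hunt that matches the exact ip:port C2 pairs; the `c2_pairs` name and `strcat`-based match are this example's own choice.

```python
import re

# Constructed sample: the rows of the IOC table on this page, in the defanged
# form ThreatFox publishes ("[.]" in place of "."): (type, value, threat_type, confidence)
SAMPLE_IOCS = [
    ("ip:port", "80[.]76[.]49[.]194:56003", "botnet_cc", 75),
    ("ip:port", "80[.]76[.]49[.]194:56002", "botnet_cc", 75),
    ("ip:port", "80[.]76[.]49[.]194:56001", "botnet_cc", 75),
    ("sha256_hash", "7e49b00bef718eb7e3645d8705e6521b011f66d10f06201e209a8a0511abc81a", "payload", 75),
    ("sha256_hash", "b50a05e38e9d04fd5c4dac4f29850649a77bb3ae443639206c908058e45593eb", "payload", 75),
    ("sha256_hash", "a05254840b45fcbfd12d09fd416ca860e2cfcab793f4780fa8f138b8f7a86aab", "payload", 75),
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
IP_PORT_RE = re.compile(r"^((?:\d{1,3}\.){3}\d{1,3}):(\d{1,5})$")


def refang(value: str) -> str:
    """Undo the feed's defanging so values compare equal to raw telemetry."""
    return value.replace("[.]", ".").strip()


def parse_iocs(rows, min_confidence: int = 0) -> dict:
    """Validate and normalise feed rows into the lists a KQL hunt needs.

    Malformed values and rows below min_confidence are dropped rather than
    silently poisoning the watchlist; outputs are deduplicated and sorted.
    """
    ips, ip_ports, hashes = set(), set(), set()
    for ioc_type, value, _threat_type, confidence in rows:
        if confidence < min_confidence:
            continue
        value = refang(value).lower()
        if ioc_type == "sha256_hash" and SHA256_RE.match(value):
            hashes.add(value)
        elif ioc_type == "ip:port" and (m := IP_PORT_RE.match(value)):
            ip, port = m.group(1), int(m.group(2))
            if all(int(o) <= 255 for o in ip.split(".")) and 0 < port <= 65535:
                ips.add(ip)
                ip_ports.add((ip, port))
    return {"ips": sorted(ips), "ip_ports": sorted(ip_ports), "sha256": sorted(hashes)}


def to_kql(iocs: dict) -> str:
    """Emit a Defender for Endpoint hunt keyed on the exact ip:port C2 pairs."""
    pairs = ", ".join(f'"{ip}:{port}"' for ip, port in iocs["ip_ports"])
    return (
        f"let c2_pairs = dynamic([{pairs}]);\n"
        "DeviceNetworkEvents\n"
        "| where strcat(RemoteIP, ':', tostring(RemotePort)) in (c2_pairs)\n"
        "| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType\n"
        "| order by Timestamp desc"
    )
```

Matching on the ip:port pair is stricter than the IP-only query above, so keep both: the pair query confirms C2 traffic with high confidence, the IP-only query catches the operator reusing the host on a new port.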
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceFileEvents | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
- Description: A legitimate scheduled task using schtasks.exe to perform system maintenance (e.g., disk cleanup, log rotation) may trigger the rule if it matches PureRAT IOC patterns.
- Filter/Exclusion: Exclude processes initiated by schtasks.exe with a known legitimate command line, or check for Task Scheduler origin in the event log.

Scenario: Admin PowerShell Script Execution
- Description: A system administrator might run a PowerShell script using powershell.exe that includes strings resembling PureRAT IOCs, such as Invoke-WebRequest or IEX, which could falsely trigger the rule.
- Filter/Exclusion: Exclude processes where the parent process is a known administrative tool (e.g., taskmgr.exe, mmc.exe), or filter by user context (e.g., NT AUTHORITY\SYSTEM).

Scenario: Log Collection and Monitoring Tool
- Description: A legitimate log collection tool like Splunk, ELK Stack, or Graylog may include PureRAT-related strings in its configuration or logs, leading to a false positive.
- Filter/Exclusion: Exclude processes associated with log management tools, or filter by process name (e.g., splunkd.exe, logstash.exe).

Scenario: Software Update or Patch Deployment
- Description: A patching tool like Microsoft Update, WSUS, or Ansible might include strings that match PureRAT IOCs during deployment, especially if the update includes scripts or payloads.
- Filter/Exclusion: Exclude processes initiated by patching tools, or check for known update-related command lines (e.g., wusa.exe, msiexec.exe).

Scenario: Network Monitoring Tool with Custom Rules
Description: A network monitoring tool like