The ThreatFox: Quasar RAT IOCs rule detects potential indicators of a Quasar RAT compromise. Quasar RAT is a high-impact remote access trojan used for persistent, stealthy control of compromised networks. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced persistent threats before they exfiltrate data or execute malicious payloads.
IOC Summary
Malware Family: Quasar RAT
Total IOCs: 7
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 188[.]114[.]97[.]3:4782 | botnet_cc | 2026-04-24 | 75% |
| ip:port | 188[.]114[.]96[.]3:4782 | botnet_cc | 2026-04-24 | 75% |
| ip:port | 172[.]67[.]174[.]168:64 | botnet_cc | 2026-04-24 | 75% |
| ip:port | 172[.]67[.]174[.]168:4782 | botnet_cc | 2026-04-24 | 75% |
| ip:port | 104[.]21[.]31[.]21:64 | botnet_cc | 2026-04-24 | 75% |
| ip:port | 104[.]21[.]31[.]21:4782 | botnet_cc | 2026-04-24 | 75% |
| ip:port | 103[.]227[.]176[.]9:4782 | botnet_cc | 2026-04-24 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Quasar RAT
// Note: the IOCs above are ip:port pairs; this query matches on IP only, so compare
// DestinationPort with the port in the IOC table (4782 or 64) when triaging hits.
let malicious_ips = dynamic(["188.114.97.3", "103.227.176.9", "104.21.31.21", "172.67.174.168", "188.114.96.3"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
// Note: as above, match is on IP only; RemotePort is projected so hits can be
// checked against the ports in the IOC table (4782 or 64).
let malicious_ips = dynamic(["188.114.97.3", "103.227.176.9", "104.21.31.21", "172.67.174.168", "188.114.96.3"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
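The two hunts above match on the IP alone, while the ThreatFox indicators are ip:port pairs. The following Python is added here as an example (not code from the page, ThreatFox or Sentinel): it refangs the defanged values from the IOC table, renders them as a KQL dynamic list of "ip:port" strings for a port-aware where clause, and runs that pair match over constructed CommonSecurityLog-style rows, so a connection to a listed host on an unlisted port is not counted as a hit.

```python
import ipaddress
from typing import Iterable, NamedTuple

# Defanged ip:port values copied from the IOC table above (ThreatFox, Quasar RAT).
QUASAR_IOCS = [
    "188[.]114[.]97[.]3:4782", "188[.]114[.]96[.]3:4782",
    "172[.]67[.]174[.]168:64", "172[.]67[.]174[.]168:4782",
    "104[.]21[.]31[.]21:64", "104[.]21[.]31[.]21:4782",
    "103[.]227[.]176[.]9:4782",
]

class Ioc(NamedTuple):
    ip: str
    port: int

def refang(value: str) -> Ioc:
    """Parse one defanged IPv4 'a[.]b[.]c[.]d:port' IOC, validating both halves."""
    ip_text, sep, port_text = value.replace("[.]", ".").rpartition(":")
    if not sep:
        raise ValueError(f"missing port in IOC {value!r}")
    ip = str(ipaddress.IPv4Address(ip_text))  # raises on a malformed address
    port = int(port_text)
    if not 0 < port < 65536:
        raise ValueError(f"port out of range in IOC {value!r}")
    return Ioc(ip, port)

def build_ioc_set(values: Iterable[str]) -> frozenset:
    return frozenset(refang(v) for v in values)

def to_kql_dynamic(iocs: Iterable[Ioc]) -> str:
    """Render a KQL dynamic([...]) of "ip:port" strings, to be compared against
    strcat(DestinationIP, ":", tostring(DestinationPort)) in a where clause."""
    return "dynamic([" + ", ".join(sorted(f'"{i.ip}:{i.port}"' for i in iocs)) + "])"

def hunt(events: Iterable[dict], iocs: frozenset) -> list:
    """Return events whose (DestinationIP, DestinationPort) pair is an IOC; matching the
    pair, not the bare IP, keeps same-host traffic on an unlisted port (e.g. 443) out."""
    return [e for e in events
            if Ioc(e["DestinationIP"], int(e["DestinationPort"])) in iocs]

# Constructed CommonSecurityLog-style rows; not real telemetry.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-04-24T10:00:00Z", "SourceIP": "10.0.0.5",
     "DestinationIP": "188.114.97.3", "DestinationPort": 4782},
    {"TimeGenerated": "2026-04-24T10:01:00Z", "SourceIP": "10.0.0.6",
     "DestinationIP": "188.114.97.3", "DestinationPort": 443},
    {"TimeGenerated": "2026-04-24T10:02:00Z", "SourceIP": "10.0.0.7",
     "DestinationIP": "104.21.31.21", "DestinationPort": 64},
]
```

Calling `to_kql_dynamic(build_ioc_set(QUASAR_IOCS))` yields the literal to drop into a `where strcat(DestinationIP, ":", tostring(DestinationPort)) in (...)` clause of the queries above.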
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate System Monitoring Tool Installation
Description: A security team installs a legitimate system monitoring tool (e.g., Splunk, SolarWinds, or Microsoft Endpoint Manager) that includes scripts or binaries matching Quasar RAT IOCs.
Filter/Exclusion: Exclude files signed by trusted vendors or check the file’s digital signature against known good hashes.
Scenario: Scheduled System Maintenance Job
Description: A scheduled job (e.g., PowerShell Task Scheduler or Windows Task Scheduler) runs a legitimate maintenance script that coincidentally matches Quasar RAT IOCs.
Filter/Exclusion: Exclude processes initiated by the Task Scheduler or check the job’s origin against known legitimate maintenance tasks.
Scenario: Admin-Initiated Log Collection
Description: An admin uses a legitimate log collection tool (e.g., ELK Stack, Graylog, or Splunk) to gather logs, and the tool’s configuration or scripts match Quasar RAT IOCs.
Filter/Exclusion: Exclude processes initiated by admin accounts with known log collection privileges or check the process origin against trusted admin tools.
Scenario: Software Update or Patch Deployment
Description: A software update or patch (e.g., Microsoft Windows Update, Adobe Acrobat Update) includes a binary that matches Quasar RAT IOCs due to a false positive in the IOC list.
Filter/Exclusion: Exclude files signed by Microsoft, Adobe, or other trusted vendors, or use a file reputation check (e.g., Microsoft Defender ATP).
Scenario: Third-Party Security Tool Integration
Description: A third-party security tool (e.g., CrowdStrike, FireEye, or Kaspersky) is integrated into the environment and its internal components or logs match Quasar RAT IOCs.