The ThreatFox: Quasar RAT IOCs rule detects potential command and control communication associated with the Quasar RAT, a known remote access trojan. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate persistent, stealthy adversary activity that could exfiltrate data or execute arbitrary code.
IOC Summary
Malware Family: Quasar RAT

Total IOCs: 5

IOC Types: ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 43[.]224[.]224[.]21:4782 | botnet_cc | 2026-06-04 | 100% |
| domain | contact.Fun88kyc.com | botnet_cc | 2026-06-04 | 75% |
| domain | contact.hitclub.ac | botnet_cc | 2026-06-04 | 75% |
| domain | contact.mansionbet.com | botnet_cc | 2026-06-04 | 75% |
| domain | contact.nhyouthclimatetownhall.com | botnet_cc | 2026-06-04 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Quasar RAT
// The ThreatFox entry pairs this IP with port 4782; add "| where DestinationPort == 4782" to narrow the hunt.
let malicious_ips = dynamic(["43.224.224.21"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Quasar RAT
let malicious_ips = dynamic(["43.224.224.21"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Quasar RAT
// has_any is case-insensitive, so the mixed-case "Fun88kyc" entry still matches lowercase query names.
let malicious_domains = dynamic(["contact.Fun88kyc.com", "contact.hitclub.ac", "contact.mansionbet.com", "contact.nhyouthclimatetownhall.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
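As an added example (not part of the ThreatFox feed or the page's own queries), a small Python helper that parses the IOC table above, refangs the `[.]`-defanged values, splits `ip:port` entries so the port (4782 here) can be matched separately, and emits the KQL `let` lists the hunting queries consume. The embedded table rows are a constructed subset of the page's IOCs, and the confidence threshold is an assumed parameter.

```python
import re

# Constructed sample: three rows copied from the IOC table above, defanged as published.
IOC_TABLE = """\
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 43[.]224[.]224[.]21:4782 | botnet_cc | 2026-06-04 | 100% |
| domain | contact.Fun88kyc.com | botnet_cc | 2026-06-04 | 75% |
| domain | contact.hitclub.ac | botnet_cc | 2026-06-04 | 75% |
"""

def refang(value: str) -> str:
    """Undo common defanging so the value matches what logs actually contain."""
    value = value.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)

def parse_ioc_table(markdown: str) -> list:
    """Parse the markdown IOC table into dicts: type, value, port, confidence."""
    rows = []
    for line in markdown.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 5 or cells[0] in ("Type", "---"):
            continue  # skip header, separator and malformed lines
        ioc_type, value, port = cells[0], refang(cells[1]), None
        if ioc_type == "ip:port":  # split so the port can be matched on its own
            value, port_str = value.rsplit(":", 1)
            port = int(port_str)
        rows.append({"type": ioc_type, "value": value, "port": port,
                     "confidence": int(cells[4].rstrip("%"))})
    return rows

def q(items) -> str:
    """Render a list of strings as a comma-separated, double-quoted KQL literal list."""
    return ", ".join(f'"{x}"' for x in items)

def build_kql_lets(iocs: list, min_confidence: int = 0) -> str:
    """Emit the KQL let-statements the hunting queries use, dropping entries below
    min_confidence (assumed parameter). Hostnames are lowercased: DNS is case-insensitive."""
    keep = [i for i in iocs if i["confidence"] >= min_confidence]
    ips = sorted({i["value"] for i in keep if i["type"] == "ip:port"})
    ports = sorted({i["port"] for i in keep if i["type"] == "ip:port"})
    domains = sorted({i["value"].lower() for i in keep if i["type"] == "domain"})
    return "\n".join([
        f"let malicious_ips = dynamic([{q(ips)}]);",
        f"let malicious_ports = dynamic([{', '.join(map(str, ports))}]);",
        f"let malicious_domains = dynamic([{q(domains)}]);",
    ])
```

Paste the emitted lines in place of the hard-coded `let` statements above, and add `| where DestinationPort in (malicious_ports)` to the CommonSecurityLog query to use the port the feed supplied.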
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task using schtasks.exe to perform system maintenance (e.g., disk cleanup, log rotation) may trigger the rule if the task name or command line matches IOCs.
Filter/Exclusion: process.name != "schtasks.exe" OR process.command_line NOT LIKE '%schtasks.exe /create%'
Scenario: Admin Tool Usage for Configuration Management
Description: An administrator using PsExec or PSTools to remotely manage services or configure systems may trigger the rule if the tool is associated with the Quasar RAT IOC list.
Filter/Exclusion: process.name NOT IN ("PsExec.exe", "psexec.exe")
Scenario: Legitimate Log Collection via LogParser
Description: A system administrator using LogParser.exe to aggregate and analyze logs may trigger the rule if the tool is mistakenly flagged as part of the Quasar RAT IOC set.
Filter/Exclusion: process.name NOT IN ("LogParser.exe", "logparser.exe")
Scenario: Antivirus Quarantine Process
Description: A legitimate antivirus tool (e.g., Malwarebytes.exe, Windows Defender process) may trigger the rule if it is misidentified as part of the Quasar RAT IOC list during a scan or quarantine operation.
Filter/Exclusion: process.name IN ("mbam.exe", "MsMpEng.exe", "Windows Defender") OR process.parent.name IN ("taskeng.exe", "svchost.exe")
Scenario: Database Backup Job via SQLCMD
Description: A scheduled SQL backup job using sqlcmd.exe may trigger the rule if the command line or process name is similar to Quasar RAT IOCs.