The ThreatFox: Quasar RAT IOCs rule detects potential command and control activity associated with the Quasar RAT, indicating an adversary may be exfiltrating data or maintaining persistent access. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced persistent threats before they cause significant damage.
IOC Summary
Malware Family: Quasar RAT
Total IOCs: 4
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 38[.]45[.]126[.]242:47788 | botnet_cc | 2026-06-06 | 100% |
| ip:port | 43[.]224[.]224[.]19:4782 | botnet_cc | 2026-06-06 | 100% |
| ip:port | 43[.]224[.]224[.]17:4782 | botnet_cc | 2026-06-06 | 100% |
| ip:port | 43[.]224[.]224[.]18:4782 | botnet_cc | 2026-06-06 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Quasar RAT
// The IOCs are ip:port pairs (ports 4782 and 47788). Matching on the IP alone, as below,
// is broader than the IOC; append "| where DestinationPort in (4782, 47788)" to tighten it.
let malicious_ips = dynamic(["43.224.224.18", "38.45.126.242", "43.224.224.17", "43.224.224.19"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
// Same IP-only match as above; append "| where RemotePort in (4782, 47788)" for the exact ip:port IOC.
let malicious_ips = dynamic(["43.224.224.18", "38.45.126.242", "43.224.224.17", "43.224.224.19"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog data connector from firewalls, proxies and similar devices; ensure it is enabled and that DestinationPort is being parsed |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR (Defender for Endpoint) data connector; ensure it is enabled |
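The two KQL queries match on the IP alone, while the ThreatFox entries are ip:port pairs and arrive defanged (`38[.]45[.]126[.]242:47788`). The following Python is an added example, not code from the page or from ThreatFox: it refangs and validates the four IOCs from the table, then runs both the exact ip:port match and the IP-only match over a handful of constructed network events so the difference in what each flags is visible. The `NetEvent` shape and the sample events are assumptions for illustration; real rows come from the tables above.

```python
import re
from dataclasses import dataclass

# Constructed copy of the four IOCs from the table above, in the defanged form
# ThreatFox publishes (dots bracketed so the text is not clickable).
THREATFOX_IOCS = [
    "38[.]45[.]126[.]242:47788",
    "43[.]224[.]224[.]19:4782",
    "43[.]224[.]224[.]17:4782",
    "43[.]224[.]224[.]18:4782",
]

_IP_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def refang(ioc: str) -> str:
    """Undo ThreatFox defanging: '38[.]45[.]126[.]242' -> '38.45.126.242'."""
    return ioc.strip().replace("[.]", ".").replace("[:]", ":")


def parse_ip_port(ioc: str) -> tuple[str, int]:
    """Refang an ip:port IOC and validate both halves; reject anything else."""
    m = _IP_PORT.match(refang(ioc))
    if not m:
        raise ValueError(f"not an ip:port IOC: {ioc!r}")
    ip, port = m.group(1), int(m.group(2))
    if any(int(octet) > 255 for octet in ip.split(".")) or not 0 < port < 65536:
        raise ValueError(f"out-of-range ip or port: {ioc!r}")
    return ip, port


IOC_PAIRS = {parse_ip_port(i) for i in THREATFOX_IOCS}  # {(ip, port), ...}
IOC_IPS = {ip for ip, _ in IOC_PAIRS}


@dataclass(frozen=True)
class NetEvent:
    """Assumed minimal shape of a DeviceNetworkEvents / CommonSecurityLog row."""
    timestamp: str
    device: str
    remote_ip: str
    remote_port: int
    process: str


def hunt(events, match_port=True):
    """Return the events that touch an IOC.

    match_port=True honours the ip:port IOC type: ip AND port must match.
    match_port=False reproduces the IP-only test the KQL queries use, which is
    broader and also flags unrelated services on the same address.
    """
    hits = []
    for e in events:
        if match_port:
            matched = (e.remote_ip, e.remote_port) in IOC_PAIRS
        else:
            matched = e.remote_ip in IOC_IPS
        if matched:
            hits.append(e)
    return hits


# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    NetEvent("2026-06-06T10:01:00Z", "WS-042", "43.224.224.18", 4782, "Client.exe"),   # ip+port hit
    NetEvent("2026-06-06T10:02:00Z", "WS-042", "43.224.224.18", 443, "chrome.exe"),    # same IP, other port
    NetEvent("2026-06-06T10:03:00Z", "WS-017", "38.45.126.242", 47788, "Client.exe"),  # ip+port hit
    NetEvent("2026-06-06T10:04:00Z", "WS-017", "8.8.8.8", 53, "svchost.exe"),          # benign
]

if __name__ == "__main__":
    for e in hunt(SAMPLE_EVENTS):
        print(f"{e.timestamp} {e.device} {e.process} -> {e.remote_ip}:{e.remote_port}")
```

Run stand-alone it lists the two ip:port hits; `hunt(SAMPLE_EVENTS, match_port=False)` additionally returns the port 443 event on the same address, which is the extra noise the IP-only KQL produces. Parsing fails loudly on malformed IOCs rather than silently skipping them, so a bad feed entry is noticed instead of quietly narrowing the hunt.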
False Positive Scenarios
The IOCs on this page are ip:port pairs, so a match means a host opened or accepted a connection to one of the listed addresses; it cannot be triggered by a package name, a script string or a command-line argument. The exclusions below are keep-conditions written against process fields: a hit is suppressed only when every term of the condition is false, that is, only in the full process/parent (and, where given, user) context named. Before enabling any of them, confirm that the destination port and the process that initiated the connection are consistent with the benign activity, because PowerShell, scheduled tasks and explorer-launched binaries are also routine loaders for RAT clients.
Scenario: Legitimate System Update via Chocolatey
Description: choco.exe downloads a package from a source or CDN node whose address has been reassigned to, or is shared with, one of the listed IPs. Package traffic normally uses port 443, so a connection to port 4782 or 47788 should not be excluded on this basis.
Filter/Exclusion: process.name != "choco.exe" OR process.parent.name != "choco.exe"
Scenario: Scheduled Job for Log Collection
Description: A scheduled task runs a log-collection script (logparser.exe or PowerShell) that pulls logs from, or ships them to, a remote host whose address appears in the list. Note that a scheduled task launching PowerShell is also a common RAT persistence shape; verify the task's action and the script path before excluding.
Filter/Exclusion: process.name != "logparser.exe" AND process.name != "powershell.exe" OR process.parent.name != "schtasks.exe"
Scenario: Admin Task for Patch Management
Description: An administrator uses PsExec or WMIC to deploy patches and one of the target hosts or update sources has an address in the list.
Filter/Exclusion: process.name != "psexec.exe" AND process.name != "wmic.exe" OR process.parent.name != "explorer.exe"
Scenario: Legitimate Use of PowerShell for Automation
Description: An administrator's PowerShell automation (e.g. Invoke-Command or Invoke-WebRequest run from an interactive explorer.exe session) connects to a host whose address is in the list. This is also the shape of a hands-on attacker session running as the same account, so check the command line and script path before excluding.
Filter/Exclusion: process.name != "powershell.exe" OR user.name != "admin_user" OR process.parent.name != "explorer.exe"
Scenario: Network Monitoring Tool Generating Alerts
Description: A monitoring host runs Wireshark or tcpdump against a mirror port and the capture is parsed into the same log pipeline; the listed address then appears in telemetry attributed to the monitoring host rather than to the endpoint that actually made the connection.
Filter/Exclusion: process.name != "wireshark.exe" AND `process.name
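The exclusion expressions above read naturally as filters but are easy to misapply: each one suppresses a hit only when all of its terms are false, so it is worth evaluating them against concrete process context before trusting them. The following Python is an added example, not code from the page: it transcribes the four complete exclusions (scenario 5 is cut off on the page and is omitted) as keep-conditions with the AND/OR precedence made explicit, applies them to constructed IOC hits, and reports which rule suppressed what. The `Hit` shape and the sample hits are assumptions for illustration; the field names mirror the page's `process.name`, `process.parent.name` and `user.name`.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    """Assumed shape of an IOC hit enriched with the initiating-process context."""
    device: str
    remote_ip: str
    remote_port: int
    process_name: str
    parent_name: str
    user_name: str = ""


# Each exclusion is a keep-condition, as on the page: the hit survives when the
# expression is true and is suppressed when it is false. Parentheses show the
# precedence the page's text implies (AND binds tighter than OR).
EXCLUSIONS = {
    "Chocolatey update": lambda h: (
        h.process_name != "choco.exe" or h.parent_name != "choco.exe"
    ),
    "Scheduled log collection": lambda h: (
        (h.process_name != "logparser.exe" and h.process_name != "powershell.exe")
        or h.parent_name != "schtasks.exe"
    ),
    "Patch management": lambda h: (
        (h.process_name != "psexec.exe" and h.process_name != "wmic.exe")
        or h.parent_name != "explorer.exe"
    ),
    "PowerShell automation": lambda h: (
        h.process_name != "powershell.exe"
        or h.user_name != "admin_user"
        or h.parent_name != "explorer.exe"
    ),
}


def apply_exclusions(hits, exclusions=EXCLUSIONS):
    """Split hits into (kept, suppressed); each suppressed entry names the rule that dropped it."""
    kept, suppressed = [], []
    for h in hits:
        failed = [name for name, keep in exclusions.items() if not keep(h)]
        if failed:
            suppressed.append((h, failed[0]))
        else:
            kept.append(h)
    return kept, suppressed


# Constructed hits, all against the same ip:port IOC; only the process context differs.
SAMPLE_HITS = [
    Hit("WS-042", "43.224.224.18", 4782, "Client.exe", "explorer.exe", "jdoe"),
    Hit("WS-017", "43.224.224.18", 4782, "powershell.exe", "schtasks.exe", "SYSTEM"),
    Hit("WS-099", "43.224.224.18", 4782, "powershell.exe", "explorer.exe", "admin_user"),
    Hit("WS-101", "43.224.224.18", 4782, "powershell.exe", "explorer.exe", "jdoe"),
]

if __name__ == "__main__":
    kept, suppressed = apply_exclusions(SAMPLE_HITS)
    for h in kept:
        print(f"KEEP     {h.device} {h.process_name} <- {h.parent_name} ({h.user_name})")
    for h, rule in suppressed:
        print(f"SUPPRESS {h.device} {h.process_name} <- {h.parent_name} ({h.user_name}) by '{rule}'")
```

The run shows the caveat from the scenario descriptions concretely: the PowerShell-from-schtasks hit and the admin_user PowerShell-from-explorer hit are both suppressed even though they are connecting to a known Quasar C2 port, while the identical connection from a non-admin user survives. That is why these exclusions should be gated on a confirmed benign destination, not on process lineage alone.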