The ThreatFox: Quasar RAT IOCs rule surfaces network indicators of a Quasar RAT compromise. Quasar is an open-source .NET remote access trojan that gives an operator interactive control of a host (remote shell, file manager, keylogger, screen capture) and is used by both criminal and espionage actors. Every indicator in this set is a command-and-control endpoint (botnet_cc) in ip:port form, so a hit means a host on your network connected to, or was contacted by, a known Quasar C2 address. SOC teams should run the queries below in Microsoft Sentinel (formerly Azure Sentinel) and treat hits on the 100%-confidence entries as high priority: an active Quasar session can exfiltrate data and execute arbitrary commands with the privileges of the infected user.
IOC Summary
Malware Family: Quasar RAT
Total IOCs: 16
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 102[.]205[.]170[.]10:27775 | botnet_cc | 2026-05-29 | 100% |
| ip:port | 102[.]205[.]170[.]10:31224 | botnet_cc | 2026-05-29 | 100% |
| ip:port | 102[.]205[.]170[.]10:31862 | botnet_cc | 2026-05-29 | 100% |
| ip:port | 102[.]205[.]170[.]10:40000 | botnet_cc | 2026-05-29 | 100% |
| ip:port | 102[.]205[.]170[.]10:20000 | botnet_cc | 2026-05-29 | 100% |
| ip:port | 102[.]205[.]170[.]10:10202 | botnet_cc | 2026-05-29 | 100% |
| ip:port | 102[.]205[.]170[.]10:9876 | botnet_cc | 2026-05-29 | 100% |
| ip:port | 102[.]205[.]170[.]10:6513 | botnet_cc | 2026-05-29 | 100% |
| ip:port | 102[.]205[.]170[.]10:3390 | botnet_cc | 2026-05-29 | 100% |
| ip:port | 102[.]205[.]170[.]10:2628 | botnet_cc | 2026-05-29 | 100% |
| ip:port | 102[.]205[.]170[.]10:4897 | botnet_cc | 2026-05-29 | 100% |
| ip:port | 102[.]205[.]170[.]10:3299 | botnet_cc | 2026-05-29 | 100% |
| ip:port | 102[.]205[.]170[.]10:2181 | botnet_cc | 2026-05-29 | 100% |
| ip:port | 102[.]205[.]170[.]10:502 | botnet_cc | 2026-05-29 | 100% |
| ip:port | 102[.]205[.]170[.]10:2052 | botnet_cc | 2026-05-29 | 100% |
| ip:port | 5[.]189[.]132[.]160:13 | botnet_cc | 2026-05-29 | 75% |
Hunting Queries

The two queries below are independent; run each on its own (they both declare `malicious_ips`, so pasting them into one query window fails with a duplicate `let`). Both match on IP in either direction, because an attacker can move a C2 listener to a new port far more easily than to a new host; the `PortMatchesIoc` column flags rows whose port is also one of the listed C2 ports so those hits can be triaged first. Note that 5.189.132.160 carries only 75% confidence and is tied to a single port (13), so an IP-only hit on it needs corroboration before escalation.

```kusto
// Hunt for network connections to known malicious IPs in firewall/proxy logs
// Source: ThreatFox - Quasar RAT (ip:port indicators; ports taken from the table above)
let malicious_ips = dynamic(["5.189.132.160", "102.205.170.10"]);
let malicious_ports = dynamic([27775, 31224, 31862, 40000, 20000, 10202, 9876, 6513, 3390, 2628, 4897, 3299, 2181, 502, 2052, 13]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
// true when the destination port is also a listed C2 port; IP-only hits still surface
| extend PortMatchesIoc = DestinationPort in (malicious_ports)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, PortMatchesIoc, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events (adds the initiating process, which
// is usually the fastest way to tell a Quasar implant from a benign connection)
let malicious_ips = dynamic(["5.189.132.160", "102.205.170.10"]);
let malicious_ports = dynamic([27775, 31224, 31862, 40000, 20000, 10202, 9876, 6513, 3390, 2628, 4897, 3299, 2181, 502, 2052, 13]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| extend PortMatchesIoc = RemotePort in (malicious_ports)
| project Timestamp, DeviceName, RemoteIP, RemotePort, PortMatchesIoc, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType
| order by Timestamp desc
```
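The same matching logic, written out against a few constructed firewall records, as an added example that is not part of the ThreatFox feed or the Sentinel rule. It refangs the `[.]`-defanged indicators from the table, separates exact ip:port hits from IP-only hits (the distinction the `PortMatchesIoc` column makes in the queries above), applies the confidence threshold, and renders the bare-IP set as the `dynamic([...])` literal the KQL consumes. The indicator subset and the CEF-style `src=`/`dst=`/`dpt=` log lines are constructed for the example and are not real telemetry.

```python
"""Match ThreatFox ip:port indicators against firewall-style log lines.

Added example, not code from ThreatFox or the rule's author.
Assumptions: indicators arrive defanged as in the table above; log records are
constructed key=value lines loosely modelled on CommonSecurityLog columns.
"""
import ipaddress
import re

# Subset of the page's indicators as (defanged ioc, confidence); constructed here.
THREATFOX_IOCS = [
    ("102[.]205[.]170[.]10:27775", 100),
    ("102[.]205[.]170[.]10:502", 100),
    ("5[.]189[.]132[.]160:13", 75),
]

# Constructed sample firewall records (not real telemetry).
SAMPLE_LOGS = [
    "2026-05-29T10:00:01Z src=10.0.0.5 dst=102.205.170.10 dpt=27775 act=allow",
    "2026-05-29T10:00:07Z src=10.0.0.9 dst=102.205.170.10 dpt=443 act=allow",
    "2026-05-29T10:01:00Z src=10.0.0.5 dst=5.189.132.160 dpt=13 act=deny",
    "2026-05-29T10:02:00Z src=10.0.0.7 dst=8.8.8.8 dpt=53 act=allow",
]

KV = re.compile(r"(\w+)=(\S+)")


def refang(value: str) -> str:
    """Undo the defanging ThreatFox applies so values compare against raw logs."""
    return value.replace("[.]", ".").replace("[:]", ":")


def parse_ip_port(ioc: str) -> tuple[str, int]:
    """Split an 'ip:port' indicator; raises ValueError if the IP or port is malformed."""
    ip, sep, port = refang(ioc).rpartition(":")
    if not sep:
        raise ValueError(f"no port in indicator: {ioc!r}")
    ip = ip.strip("[]")            # tolerate bracketed IPv6 literals
    ipaddress.ip_address(ip)       # validation only; raises ValueError on junk
    return ip, int(port)


def build_iocs(rows, min_confidence: int = 0):
    """Return (set of (ip, port), set of bare ips) for rows at or above min_confidence."""
    exact, ips = set(), set()
    for raw, confidence in rows:
        if confidence < min_confidence:
            continue
        ip, port = parse_ip_port(raw)
        exact.add((ip, port))
        ips.add(ip)
    return exact, ips


def kql_ioc_list(rows, min_confidence: int = 0) -> str:
    """Render the bare-IP set as the dynamic([...]) literal used in the KQL queries."""
    _, ips = build_iocs(rows, min_confidence)
    return "dynamic([" + ", ".join(f'"{ip}"' for ip in sorted(ips)) + "])"


def parse_line(line: str) -> dict:
    """Parse one constructed 'timestamp k=v k=v ...' record into a dict."""
    ts, _, rest = line.partition(" ")
    f = dict(KV.findall(rest))
    return {"ts": ts, "src": f["src"], "dst": f["dst"], "dpt": int(f["dpt"]), "act": f["act"]}


def hunt(lines, rows, min_confidence: int = 0):
    """Return hits as (timestamp, dst, dport, action, match_kind).

    An exact ip:port match is the strongest signal; an IP-only match in either
    direction is still reported, mirroring the IP-based KQL above, but tagged so
    it can be triaged second.
    """
    exact, ips = build_iocs(rows, min_confidence)
    hits = []
    for line in lines:
        ev = parse_line(line)
        if (ev["dst"], ev["dpt"]) in exact:
            kind = "exact ip:port"
        elif ev["dst"] in ips or ev["src"] in ips:
            kind = "ip only"
        else:
            continue
        hits.append((ev["ts"], ev["dst"], ev["dpt"], ev["act"], kind))
    return hits


if __name__ == "__main__":
    print(kql_ioc_list(THREATFOX_IOCS))
    for hit in hunt(SAMPLE_LOGS, THREATFOX_IOCS):
        print(hit)
```

Raising the threshold to `min_confidence=100` drops the 75%-confidence 5.189.132.160:13 row entirely, which is the trade-off to weigh before tuning the Sentinel rule: fewer false positives on the lower-confidence indicator, at the cost of missing a genuine contact with it.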
Required Data Sources

| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector (CEF via AMA or Syslog) is enabled and that your firewall or proxy forwards connection logs to it |
| DeviceNetworkEvents | Ensure the Microsoft Defender for Endpoint connector is enabled and the Defender XDR raw tables are being ingested |
False Positive Scenarios

All indicators in this rule are ip:port command-and-control addresses, so the only way a benign event matches is by talking to one of the listed IPs; file hashes, file names and process names are not part of this IOC set and cannot by themselves produce a match. Tune on the network facts (host, remote IP, remote port, initiating process) and never on account or process name alone, since a Quasar operator runs under whatever account was compromised and can launch from any process. Before adding any exclusion, re-check the indicator on ThreatFox: a 100%-confidence botnet_cc entry that suddenly looks benign is more likely a compromised or shared host than a bad indicator.

Scenario: Legitimate software update process
Description: An updater on a managed host connects to one of the listed IPs, for example because the address sits on shared hosting or has been reassigned since the indicator was first seen.
Filter/Exclusion: Do not exclude the IP outright. Exclude only the specific combination of a known, signed updater binary and a port that is not one of the listed C2 ports, scoped to the hosts where that updater is deployed.
Example Filter (DeviceNetworkEvents; updater name and port are illustrative): `| where not(InitiatingProcessFileName =~ "msiexec.exe" and RemotePort == 443)`

Scenario: Scheduled system backup job
Description: A scheduled backup job copies data to a remote server whose address is in the list, so every run generates a hit at a predictable time.
Filter/Exclusion: Exclude only traffic from the named backup server to the backup destination on the backup port, after confirming that the destination is genuinely the backup target and not an attacker-controlled host that the job was misconfigured to reach.
Example Filter (CommonSecurityLog; `backup_server_ip` and `backup_port` are placeholders): `| where not(SourceIP == backup_server_ip and DestinationPort == backup_port)`

Scenario: Admin task using PowerShell for log analysis
Description: An administrator's PowerShell session pulls logs from a remote host whose address is in the list.
Filter/Exclusion: Do not exclude on the administrator's account or on powershell.exe; both are exactly what a Quasar operator would use. Scope the exclusion to the named administrative host, the remote port the task uses (5985 or 5986 for WinRM), and the maintenance window in which it runs.
Example Filter (DeviceNetworkEvents; `admin_host` is a placeholder): `| where not(DeviceName =~ admin_host and RemotePort in (5985, 5986))`
Scenario: Legitimate remote management tool usage
Description: A remote management tool such as PsExec or WinRM is used to execute commands on a host whose address is in the list.
Filter/Exclusion: Exclude only sessions that originate from approved management hosts on the ports those tools use (445 for PsExec over SMB, 5985/5986 for WinRM), not every process named psexec.exe or winrm.cmd; Quasar's own remote shell is indistinguishable from "remote management" if the exclusion is keyed on the tool name.
Example Filter: `process.name contains