The ThreatFox: Quasar RAT IOCs rule lists network indicators (one command-and-control IP on two ports and three domains) associated with Quasar RAT, an open-source .NET remote access trojan that is widely reused by criminal and espionage actors and offers a remote shell, file transfer, keylogging and startup persistence. SOC teams can hunt for these indicators in Microsoft Sentinel (formerly Azure Sentinel) to find hosts that resolved the domains or connected to the IP:port pairs, which would indicate an active Quasar implant able to exfiltrate data or run further payloads in the environment.
IOC Summary
Malware Family: Quasar RAT
Total IOCs: 5
IOC Types: domain, ip:port
All three domains share the registrable domain xoilactvqq[.]live and both ip:port entries point at the same host, so a hunt on the parent domain and on the bare IP covers sibling subdomains and other ports of the same infrastructure. Values are defanged below; refang them (replace `[.]` with `.`) before use in queries.
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 74[.]234[.]184[.]70:7000 | botnet_cc | 2026-05-28 | 100% |
| ip:port | 74[.]234[.]184[.]70:8080 | botnet_cc | 2026-05-28 | 100% |
| domain | malwawre[.]xoilactvqq[.]live | botnet_cc | 2026-05-28 | 75% |
| domain | data[.]xoilactvqq[.]live | botnet_cc | 2026-05-28 | 75% |
| domain | ddos[.]xoilactvqq[.]live | botnet_cc | 2026-05-28 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Quasar RAT
// The ip:port IOCs are 74.234.184.70:7000 and :8080. Matching on the IP alone
// is deliberately broader; KnownC2Port marks hits on the listed ports so they
// can be triaged first.
let malicious_ips = dynamic(["74.234.184.70"]);
let c2_ports = dynamic([7000, 8080]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| extend KnownC2Port = DestinationPort in (c2_ports)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, KnownC2Port, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Quasar RAT
// InitiatingProcessFileName is the key triage field: a Quasar client is a
// .NET executable, so a browser or a signed security agent as the initiator
// points to a false positive (see the scenarios below).
let malicious_ips = dynamic(["74.234.184.70"]);
let c2_ports = dynamic([7000, 8080]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| extend KnownC2Port = RemotePort in (c2_ports)
| project Timestamp, DeviceName, RemoteIP, RemotePort, KnownC2Port, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Quasar RAT
// The exact FQDNs are listed; the endswith clause also catches other
// subdomains of the same registrable domain, which share the operator's
// infrastructure but are not themselves in the feed.
let malicious_domains = dynamic(["malwawre.xoilactvqq.live", "data.xoilactvqq.live", "ddos.xoilactvqq.live"]);
DnsEvents
| where Name has_any (malicious_domains) or Name endswith ".xoilactvqq.live"
| extend ExactIocMatch = Name in~ (malicious_domains)
| project TimeGenerated, Computer, Name, ExactIocMatch, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog connector from firewalls and proxies; ensure the data connector is enabled and that the devices log allowed as well as denied connections |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR connector (Defender for Endpoint); ensure the data connector is enabled |
| DnsEvents | Populated by the Windows DNS Server connector; ensure the data connector is enabled and DNS analytic logging is on |
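The KQL above matches on the bare IP and on the listed FQDNs. The following added example (not code from the page or from ThreatFox) shows the same hunt logic offline in Python, run over constructed log lines: it refangs the table values, scores an exact ip:port or FQDN hit higher than a bare-IP or sibling-subdomain hit, and ignores benign traffic. The log format, the host names and the two-label approximation of the registrable domain are assumptions for the example; a production implementation would use a public-suffix list.

```python
"""Port- and parent-domain-aware matching of the ThreatFox Quasar RAT IOCs
over constructed log lines. Added example, not code from the page or ThreatFox."""
from __future__ import annotations
import re
from dataclasses import dataclass

# IOC values copied from the table above in their defanged form.
IOCS = [
    ("ip:port", "74[.]234[.]184[.]70:7000"),
    ("ip:port", "74[.]234[.]184[.]70:8080"),
    ("domain", "malwawre.xoilactvqq.live"),
    ("domain", "data.xoilactvqq.live"),
    ("domain", "ddos.xoilactvqq.live"),
]

# Constructed log lines (not real telemetry); one event per line, assumed format.
SAMPLE_LOGS = """\
2026-05-28T10:00:01Z net host=ws01 proc=svchost.exe dst=74.234.184.70:7000
2026-05-28T10:00:05Z net host=ws02 proc=chrome.exe dst=74.234.184.70:443
2026-05-28T10:01:10Z dns host=ws03 query=ddos.xoilactvqq.live
2026-05-28T10:01:12Z dns host=ws03 query=cdn.xoilactvqq.live
2026-05-28T10:02:00Z dns host=ws04 query=login.microsoftonline.com
2026-05-28T10:02:30Z net host=ws05 proc=Client.exe dst=10.0.0.5:7000
"""

@dataclass(frozen=True)
class IocSet:
    ip_ports: frozenset[tuple[str, int]]
    ips: frozenset[str]
    domains: frozenset[str]
    parents: frozenset[str]

def refang(value: str) -> str:
    """Turn the defanged table form (74[.]1[.]2[.]3, hxxp) back into a matchable string."""
    return value.replace("[.]", ".").replace("hxxp", "http")

def parent_domain(fqdn: str) -> str:
    """Registrable domain, approximated as the last two labels.
    Assumption: no public-suffix list; adequate for a single-label TLD like .live."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])

def build_iocset(iocs) -> IocSet:
    ip_ports, ips, domains, parents = set(), set(), set(), set()
    for kind, raw in iocs:
        v = refang(raw).lower()
        if kind == "ip:port":
            ip, _, port = v.rpartition(":")
            ip_ports.add((ip, int(port)))
            ips.add(ip)  # bare IP kept for the broader, lower-severity match
        elif kind == "domain":
            domains.add(v)
            parents.add(parent_domain(v))
    return IocSet(frozenset(ip_ports), frozenset(ips), frozenset(domains), frozenset(parents))

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>net|dns) (?P<kv>.*)$")

def parse_line(line: str) -> dict | None:
    """Parse one assumed-format line into a dict; None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = {"ts": m["ts"], "kind": m["kind"]}
    ev.update(kv.split("=", 1) for kv in m["kv"].split())
    return ev

def classify(ev: dict, iocs: IocSet) -> tuple[str, str] | None:
    """Return (severity, reason) for a matching event, else None."""
    if ev["kind"] == "net":
        ip, _, port = ev["dst"].rpartition(":")
        if (ip, int(port)) in iocs.ip_ports:
            return ("high", f"known C2 endpoint {ip}:{port}")
        if ip in iocs.ips:
            return ("medium", f"known C2 IP {ip} on unlisted port {port}")
    elif ev["kind"] == "dns":
        q = ev["query"].lower().rstrip(".")
        if q in iocs.domains:
            return ("high", f"known C2 domain {q}")
        if parent_domain(q) in iocs.parents:
            return ("medium", f"sibling of known C2 domain under {parent_domain(q)}")
    return None

def hunt(log_text: str, iocs: IocSet | None = None) -> list[dict]:
    """Run the classifier over every parseable line and return the hits in log order."""
    iocs = iocs or build_iocset(IOCS)
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        verdict = classify(ev, iocs)
        if verdict:
            hits.append({**ev, "severity": verdict[0], "reason": verdict[1]})
    return hits

if __name__ == "__main__":
    for h in hunt(SAMPLE_LOGS):
        print(h["ts"], h["host"], h["severity"], h["reason"])
```

On the constructed input this yields four hits: ws01 (exact ip:port) and ws03's ddos query are high, ws02 (same IP, port 443) and ws03's cdn query are medium, while the Microsoft login lookup and the internal 10.0.0.5:7000 connection do not match. The medium tier is a deliberate broadening beyond the feed: it surfaces infrastructure reuse, so review those hits before excluding them.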
Every IOC on this page is a network indicator, so a match means a host resolved one of the listed domains or connected to the listed IP, not that a file name or command line resembled the indicator. Scope any exclusion to a specific process, path and host; an exclusion keyed on a whole group, directory or product name also hides a real Quasar client.
Scenario: Scheduled System Maintenance Task
Description: A scheduled task runs a script that itself resolves or connects to a listed indicator, for example a threat-intel enrichment script that looks up ThreatFox domains. A script whose name or path merely resembles the IOC produces no match against DNS or connection events.
Filter/Exclusion: Exclude only the specific task name, script path and host that produced the match. Do not exclude everything under System32 or every .ps1/.bat launched by Task Scheduler; malicious persistence uses the same locations.
Scenario: Admin Performing PowerShell Script for Log Collection
Description: An admin runs a log-collection script (e.g., Get-EventLog, Get-WinEvent) whose output contains the IOC strings because the logs it reads already hold earlier matches. This only triggers a rule that inspects command lines or script output rather than DNS and connection events.
Filter/Exclusion: Keep the hunt on DNS and network-connection tables, where reading a log does not create a match. If a command-line rule is also used, exclude the specific script path and host; do not exclude every process started by the Administrators group, since that is exactly the privilege level a RAT operator works at.
Scenario: Software Deployment via SCCM or Intune
Description: A deployment or patch package contains the IOC strings (for example, a bundled threat-intel feed or detection rule), which can match a content-based rule but not the DNS or connection hunts above.
Filter/Exclusion: Exclude the specific package ID or content hash and the SCCM/Intune client process on the affected hosts. A "Deployment" or "Patch" prefix in a file name is not a safe exclusion key, because an attacker can name a dropper the same way.
Scenario: Network Monitoring Tool Generating Traffic
Description: A network monitoring or capture tool (e.g., Wireshark, Microsoft Network Monitor) replays a capture that contains the IOC traffic, or an active probe from a monitoring host reaches the listed IP:port pairs. A passive capture tool does not itself open connections to the C2 host, so it should not appear as the initiating process of a real hit.
Filter/Exclusion: Exclude only the designated capture/replay host and the specific executable (Wireshark, Npcap) on it. If Wireshark or Npcap shows up as the initiating process on an ordinary workstation, investigate the host instead of excluding it.
Scenario: Legitimate File Access by Security Tools
Description: An EDR or sandbox (e.g., CrowdStrike, SentinelOne, Microsoft Defender) detonates a sample or resolves the listed domains while analyzing it, producing DNS or connection events attributed to the security agent on analysis hosts.
Filter/Exclusion: Exclude the security-agent process on the designated sandbox or analysis hosts only, identified by full path and code signer rather than by executable name, since malware routinely reuses the names of security products.