This detection matches network and DNS telemetry against known Quasar RAT IOCs; a hit indicates an adversary may be establishing persistence and command-and-control communication. SOC teams should proactively hunt for this activity to detect and mitigate advanced persistent threats leveraging Quasar RAT in their Azure Sentinel environment.
IOC Summary

Malware Family: Quasar RAT
Total IOCs: 4
IOC Types: ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | qinerdime.servehalflife.com | botnet_cc | 2026-05-22 | 75% |
| domain | qinerdime.ydns.eu | botnet_cc | 2026-05-22 | 75% |
| ip:port | 47[.]239[.]50[.]7:443 | botnet_cc | 2026-05-22 | 100% |
| domain | iotonton.io | botnet_cc | 2026-05-22 | 75% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Quasar RAT
// The ThreatFox IOC pairs this IP with port 443; DestinationPort is projected so the analyst can check it
let malicious_ips = dynamic(["47.239.50.7"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Quasar RAT
let malicious_ips = dynamic(["47.239.50.7"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Quasar RAT
let malicious_domains = dynamic(["qinerdime.servehalflife.com", "qinerdime.ydns.eu", "iotonton.io"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
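Hand-fanging the IOC table into the `let` lists above is error-prone. The following helper is an added example, not part of the original detection: it refangs the ThreatFox values, splits the ip:port pair so port 443 can be checked alongside the IP, renders the KQL `dynamic` arrays, and matches DNS query names by exact or subdomain match. Only `[.]` defanging occurs on this page; the other forms it handles (`(.)`, `[dot]`, `hxxp`) are assumed conventions.

```python
"""Fang the defanged IOC table above and emit KQL 'let' lists for the hunts."""
import re

# Constructed from the IOC table on this page (type, value), defanged as published.
RAW_IOCS = [
    ("domain", "qinerdime.servehalflife.com"),
    ("domain", "qinerdime.ydns.eu"),
    ("ip:port", "47[.]239[.]50[.]7:443"),
    ("domain", "iotonton.io"),
]

IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")

def refang(value: str) -> str:
    """Undo common defanging ([.], (.), [dot], hxxp) so values compare with log fields.
    Only [.] occurs on this page; the other forms are assumed ThreatFox conventions."""
    value = re.sub(r"\[\.\]|\(\.\)|\[dot\]|\(dot\)", ".", value)
    return re.sub(r"^hxxp", "http", value)

def split_iocs(raw):
    """Return (ips, ports, domains). ip:port entries are split so a hunt can match
    on IP alone, as the page's KQL does, or on the exact IP/port pair."""
    ips, ports, domains = set(), set(), set()
    for ioc_type, value in raw:
        value = refang(value.strip())
        if ioc_type == "ip:port":
            host, _, port = value.rpartition(":")
            if not IPV4.match(host):
                raise ValueError(f"not an IPv4 address: {value}")
            ips.add(host)
            ports.add(int(port))
        elif ioc_type == "domain":
            domains.add(value.lower().rstrip("."))
    return sorted(ips), sorted(ports), sorted(domains)

def kql_dynamic(name, values):
    """Render a KQL let statement: strings quoted, port numbers left numeric."""
    items = ", ".join(f'"{v}"' if isinstance(v, str) else str(v) for v in values)
    return f"let {name} = dynamic([{items}]);"

def domain_hit(query_name, domains):
    """Exact or subdomain match: 'cdn.iotonton.io' hits, 'notiotonton.io' does not."""
    q = query_name.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)

if __name__ == "__main__":
    ips, ports, domains = split_iocs(RAW_IOCS)
    print(kql_dynamic("malicious_ips", ips), kql_dynamic("malicious_domains", domains), sep="\n")
```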
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate System Update via Chocolatey
Description: A system update using Chocolatey installs a legitimate package whose hash matches a Quasar RAT IOC.
Filter/Exclusion: process.name != "choco.exe" or process.parent.name != "choco.exe"

Scenario: Scheduled Job for Log Rotation
Description: A scheduled task runs a script that writes to a log file whose name or path coincidentally matches a file IOC associated with Quasar RAT.
Filter/Exclusion: file.path != "C:\\Windows\\Temp\\*" or file.name != "logrotate.exe"

Scenario: Admin Task for Patch Management
Description: An administrator uses a tool such as Microsoft Endpoint Manager (MEM) to deploy patches, and the deployment script or tool name matches a Quasar RAT IOC.
Filter/Exclusion: process.name != "setup.exe" or process.parent.name != "MEM.exe"

Scenario: Legitimate Third-Party Software Installation
Description: A legitimate third-party application, such as Wireshark or Process Monitor, is installed and its executable matches a hash or file name IOC from Quasar RAT.
Filter/Exclusion: file.name != "wireshark.exe" and file.name != "procmon.exe" (both conditions must hold; joined with "or" the expression is always true and excludes nothing)

Scenario: User-Initiated File Download for Research
Description: A user downloads a file for research purposes (e.g., malware analysis) that matches a Quasar RAT IOC.
Filter/Exclusion: user.name != "research_user" or file.path != "C:\\Users\\research_user\\Downloads\\*"