The ThreatFox: Quasar RAT IOCs rule detects potential indicators of a Quasar RAT compromise by matching network telemetry (outbound connections and DNS queries) against command-and-control indicators published on ThreatFox for this open-source .NET remote access trojan. SOC teams should proactively hunt for these IOCs in Microsoft Sentinel (formerly Azure Sentinel) so that early-stage C2 beaconing is identified and contained before it leads to data exfiltration or lateral movement.
IOC Summary
Malware Family: Quasar RAT
Total IOCs: 4
IOC Types: ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 43[.]224[.]224[.]15:4782 | botnet_cc | 2026-06-05 | 100% |
| ip:port | 43[.]224[.]224[.]20:4782 | botnet_cc | 2026-06-05 | 100% |
| domain | branleet[.]duckdns[.]org | botnet_cc | 2026-06-05 | 75% |
| ip:port | 95[.]70[.]188[.]185:1337 | botnet_cc | 2026-06-05 | 100% |
```kusto
// Hunt for network connections to known malicious IPs (CEF/Syslog sources such as firewalls and proxies)
// Source: ThreatFox - Quasar RAT
// Note: the ThreatFox indicators are ip:port pairs (ports 4782 and 1337). Matching on the IP alone is
// deliberately broad for hunting; uncomment the port filter to match the indicators exactly.
let malicious_ips = dynamic(["43.224.224.20", "43.224.224.15", "95.70.188.185"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
// | where DestinationPort in (4782, 1337)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Quasar RAT
// InitiatingProcessFileName identifies the process that opened the connection, which is the first pivot
// for confirming a Quasar client on the host.
let malicious_ips = dynamic(["43.224.224.20", "43.224.224.15", "95.70.188.185"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Quasar RAT
// has_any is term-based, so it also matches subdomains of the listed domain.
let malicious_domains = dynamic(["branleet.duckdns.org"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure the Common Event Format (CEF) / Syslog data connector is enabled and that firewall or proxy logs are being forwarded |
| DeviceNetworkEvents | Ensure the Microsoft Defender XDR data connector is enabled with the DeviceNetworkEvents table selected |
| DnsEvents | Ensure the DNS data connector is enabled (Windows DNS Server logs via the Log Analytics agent) |
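The three hunts above each match one table on one indicator type, and the KQL cannot be run outside Sentinel. The following Python script is an added example, not code from the original page or from ThreatFox or Microsoft Sentinel. It shows the same matching logic offline: it refangs the defanged IOC list as published in the table, matches network events on the exact ip:port pair the IOC carries (flagging same-IP, other-port connections separately for review), and matches DNS names on the exact domain or any subdomain of it. The event classes, device names and all sample events are constructed for the example.

```python
"""Offline IOC matcher for the ThreatFox Quasar RAT indicators listed above.

Added example (not from the original page, ThreatFox, or Sentinel).
Sample telemetry below is constructed; nothing here is real customer data.
"""
import ipaddress
from dataclasses import dataclass

# IOC rows exactly as published in the table (defanged).
IOCS = [
    ("ip:port", "43[.]224[.]224[.]15:4782"),
    ("ip:port", "43[.]224[.]224[.]20:4782"),
    ("domain", "branleet[.]duckdns[.]org"),
    ("ip:port", "95[.]70[.]188[.]185:1337"),
]


def refang(value: str) -> str:
    """Undo common defanging so the IOC can be compared with raw telemetry."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def parse_iocs(rows):
    """Return (set of (ip, port) tuples, set of lowercase domains)."""
    ip_ports, domains = set(), set()
    for ioc_type, value in rows:
        value = refang(value).strip().lower()
        if ioc_type == "ip:port":
            host, _, port = value.rpartition(":")
            ipaddress.ip_address(host)  # raises ValueError on a malformed IOC
            ip_ports.add((host, int(port)))
        elif ioc_type == "domain":
            domains.add(value.rstrip("."))
        else:
            raise ValueError(f"unsupported IOC type {ioc_type!r}")
    return ip_ports, domains


def domain_matches(name: str, domains) -> bool:
    """Exact or subdomain match; unlike a plain substring test this does not
    fire on e.g. 'notbranleet.duckdns.org' or on the parent 'duckdns.org'."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


@dataclass
class NetEvent:      # hypothetical stand-in for a DeviceNetworkEvents row
    device: str
    remote_ip: str
    remote_port: int
    process: str


@dataclass
class DnsEvent:      # hypothetical stand-in for a DnsEvents row
    device: str
    name: str


def hunt(net_events, dns_events, rows=IOCS):
    """Apply the IOC set to constructed telemetry; returns (ip:port hits, same-IP near misses, DNS hits)."""
    ip_ports, domains = parse_iocs(rows)
    ip_hits = [e for e in net_events if (e.remote_ip, e.remote_port) in ip_ports]
    # Same IP on a different port is not an IOC match but deserves analyst review.
    ip_only = {ip for ip, _ in ip_ports}
    near_misses = [e for e in net_events
                   if e.remote_ip in ip_only and (e.remote_ip, e.remote_port) not in ip_ports]
    dns_hits = [e for e in dns_events if domain_matches(e.name, domains)]
    return ip_hits, near_misses, dns_hits


# Constructed sample telemetry (not real data).
SAMPLE_NET = [
    NetEvent("WS-0142", "43.224.224.15", 4782, "svchost.exe"),   # C2 ip:port hit
    NetEvent("WS-0142", "43.224.224.15", 443, "chrome.exe"),     # same IP, other port
    NetEvent("SRV-DB01", "10.20.0.5", 1337, "sqlservr.exe"),     # IOC port only, internal IP
    NetEvent("WS-0077", "95.70.188.185", 1337, "Client.exe"),    # C2 ip:port hit
]
SAMPLE_DNS = [
    DnsEvent("WS-0142", "branleet.duckdns.org"),
    DnsEvent("WS-0142", "update.branleet.duckdns.org."),  # subdomain with trailing dot
    DnsEvent("WS-0099", "notbranleet.duckdns.org"),       # different host, must not match
    DnsEvent("WS-0099", "duckdns.org"),                   # parent domain, must not match
]

if __name__ == "__main__":
    hits, near, dns = hunt(SAMPLE_NET, SAMPLE_DNS)
    for e in hits:
        print("C2 ip:port hit:", e)
    for e in near:
        print("same IP, other port (review):", e)
    for e in dns:
        print("C2 domain hit:", e)
```

Run it as a script to see the two ip:port hits, the one same-IP near miss and the two DNS hits. The near-miss bucket is the point of keeping the port: the ThreatFox indicators are ip:port pairs, so a connection to the same address on 443 is worth a look but is not itself an IOC match, and the distinction should be preserved rather than flattened into one alert.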
False positive scenarios and exclusions. The scenarios below describe process and command-line activity on Linux hosts; the hunts above match only network and DNS indicators, so these exclusions apply only where the rule is extended with process telemetry. Keep any exclusion as narrow as the scenario allows (a full binary path plus a specific argument, or an internal address range) rather than a bare command-line keyword, since an attacker can choose a binary name or argument that matches a broad exclusion.

Scenario: Legitimate scheduled job using psutil library
Description: A system administrator schedules a job using Python’s psutil library to monitor system resources, which may trigger the detection due to similar process names or behaviors.
Filter/Exclusion: Exclude processes where the full path contains /usr/bin/python or /opt/python and the command line includes psutil.

Scenario: Admin task using netstat for network monitoring
Description: A system administrator runs netstat -an to monitor active network connections, which may be flagged due to similar command-line arguments or process names.
Filter/Exclusion: Exclude processes where the command line includes netstat and the user is a member of the sudo or admin group.

Scenario: Legitimate use of curl for API calls
Description: A developer uses curl to interact with an internal API, which may be flagged due to the presence of URLs or command-line arguments similar to those seen in malicious activity.
Filter/Exclusion: Exclude processes where the command line includes --request or --url and the destination domain or IP is within the organization’s internal DNS or IP range.

Scenario: System update using yum or apt
Description: A package manager such as yum or apt is used to install updates, which may trigger the rule due to similar process names or command-line arguments.
Filter/Exclusion: Exclude processes where the command line includes update, upgrade, or install and the package name is a known system package.

Scenario: Log analysis using grep with custom regex
Description: A security analyst uses grep with a custom regular expression to search through log files, which may be flagged due to similar command-line arguments or