The ThreatFox: Quasar RAT IOCs rule detects potential indicators of a Quasar RAT compromise by identifying suspicious network traffic and file artifacts associated with known malicious activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that leverage Quasar RAT for command and control.
IOC Summary
Malware Family: Quasar RAT
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 207[.]246[.]97[.]43:1 | botnet_cc | 2026-06-02 | 100% |
| ip:port | 82[.]135[.]30[.]235:10206 | botnet_cc | 2026-06-02 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Quasar RAT
// The ThreatFox entries are ip:port pairs (ports 1 and 10206 in the table above).
// This query matches on IP alone for breadth; add a DestinationPort filter to tighten it.
let malicious_ips = dynamic(["82.135.30.235", "207.246.97.43"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Same IP-only match; RemotePort is projected so the listed C2 ports (1, 10206) can be checked.
let malicious_ips = dynamic(["82.135.30.235", "207.246.97.43"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
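As an added example (not part of the original rule page), the following Python mirrors the CommonSecurityLog query above over constructed sample records and adds the check the KQL omits: because the ThreatFox entries are ip:port pairs, a hit on both the IP and the listed port is a higher-fidelity signal than an IP-only hit, which may be ordinary traffic to a shared or re-used address. Only the two IOC strings come from the table; the record fields, timestamps and addresses are assumptions built for the example.

```python
"""Refang ThreatFox ip:port IOCs and run an IP and IP+port match over sample records."""
import re
from dataclasses import dataclass
from typing import Iterable

# IOC values exactly as listed in the ThreatFox table (defanged with [.]).
THREATFOX_IOCS = [
    "207[.]246[.]97[.]43:1",
    "82[.]135[.]30[.]235:10206",
]

# Constructed sample records using CommonSecurityLog field names; not real telemetry.
SAMPLE_RECORDS = [
    {"TimeGenerated": "2026-06-02T10:01:00Z", "SourceIP": "10.0.0.5",
     "DestinationIP": "82.135.30.235", "SourcePort": 49152, "DestinationPort": 10206},
    {"TimeGenerated": "2026-06-02T10:02:00Z", "SourceIP": "10.0.0.7",
     "DestinationIP": "207.246.97.43", "SourcePort": 49153, "DestinationPort": 443},
    {"TimeGenerated": "2026-06-02T10:03:00Z", "SourceIP": "82.135.30.235",
     "DestinationIP": "10.0.0.9", "SourcePort": 10206, "DestinationPort": 3389},
    {"TimeGenerated": "2026-06-02T10:04:00Z", "SourceIP": "10.0.0.5",
     "DestinationIP": "8.8.8.8", "SourcePort": 49154, "DestinationPort": 53},
]

# Accepts both defanged (1[.]2[.]3[.]4) and plain dotted-quad forms.
_IOC_RE = re.compile(r"^(\d{1,3}(?:(?:\[\.\]|\.)\d{1,3}){3}):(\d{1,5})$")


@dataclass(frozen=True)
class IpPortIoc:
    ip: str
    port: int


def parse_ioc(value: str) -> IpPortIoc:
    """Refang one ip:port IOC; reject anything that is not a valid IPv4:port pair."""
    m = _IOC_RE.match(value.strip())
    if not m:
        raise ValueError(f"not an ip:port IOC: {value!r}")
    ip = m.group(1).replace("[.]", ".")
    if any(int(octet) > 255 for octet in ip.split(".")):
        raise ValueError(f"invalid IPv4 octet in {value!r}")
    port = int(m.group(2))
    if not 0 < port <= 65535:
        raise ValueError(f"invalid port in {value!r}")
    return IpPortIoc(ip, port)


def load_iocs(values: Iterable[str]) -> dict[str, set[int]]:
    """Index IOCs by IP so one address can carry several listed C2 ports."""
    index: dict[str, set[int]] = {}
    for value in values:
        ioc = parse_ioc(value)
        index.setdefault(ioc.ip, set()).add(ioc.port)
    return index


def hunt(records, iocs: dict[str, set[int]]):
    """Flag records whose source or destination IP is an IOC, newest first.

    Each hit is (TimeGenerated, matched field, ip, kind) where kind is
    'ip+port' when the port on the same side equals a listed C2 port,
    otherwise 'ip-only' (a broader match, as in the KQL query).
    """
    hits = []
    for rec in records:
        for ip_field, port_field in (("DestinationIP", "DestinationPort"),
                                     ("SourceIP", "SourcePort")):
            ip = rec.get(ip_field)
            if ip not in iocs:
                continue
            kind = "ip+port" if rec.get(port_field) in iocs[ip] else "ip-only"
            hits.append((rec["TimeGenerated"], ip_field, ip, kind))
    return sorted(hits, reverse=True)  # like "order by TimeGenerated desc"


if __name__ == "__main__":
    for hit in hunt(SAMPLE_RECORDS, load_iocs(THREATFOX_IOCS)):
        print(*hit)
```

On the sample data the two port-exact hits on 82.135.30.235 (outbound to 10206, and the IOC address connecting in from 10206) rank above the 207.246.97.43 hit on port 443, which the IP-only KQL would report with the same weight; triaging "ip+port" first is the practical use of the extra column.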
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
False Positive Scenarios

| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Legitimate system update using Quasar RAT-related tools | A system update or patching process may include tools or scripts that have names or hashes similar to those associated with Quasar RAT. | `process.name != "quasar_update.exe" OR file.hash != "known_quasar_update_hash"` |
| Scheduled job for log collection using Quasar RAT-like scripts | A scheduled task may be configured to collect logs or perform monitoring, using scripts that resemble Quasar RAT IOCs. | `process.name != "log_collector.exe" OR process.parent_process != "task scheduler"` |
| Admin task using PowerShell for configuration management | An administrator may use PowerShell scripts to configure systems, which could include commands or scripts that match Quasar RAT IOCs. | `process.name != "powershell.exe" OR process.parent_process != "eventvwr.exe"` |
| Legitimate software deployment with embedded payloads | Some legitimate software may include embedded payloads or scripts for configuration, which could be flagged by the detection rule. | `file.path != "C:\\Program Files\\legitimate_software\\*" OR file.name != "setup.exe"` |
| False positive from third-party security tool integration | A third-party security tool may generate IOCs that are mistakenly associated with Quasar RAT due to shared attributes. | `process.name != "third_party_tool.exe" OR file.source != "third_party_tool"` |