The RapidStealer IOCs detected indicate potential exfiltration of sensitive data by an adversary leveraging compromised credentials and network communication. SOC teams should proactively hunt for these indicators in Azure Sentinel to identify and mitigate advanced persistent threats before significant data loss occurs.
IOC Summary
Malware Family: RapidStealer
Total IOCs: 7
IOC Types: url, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 46[.]151[.]182[.]157:1337 | botnet_cc | 2026-06-21 | 100% |
| ip:port | 46[.]151[.]182[.]157:751 | payload_delivery | 2026-06-21 | 100% |
| url | hxxp://46[.]151[.]182[.]157:1337/api/ps | payload_delivery | 2026-06-21 | 100% |
| ip:port | 46[.]151[.]182[.]157:2008 | botnet_cc | 2026-06-21 | 100% |
| url | hxxp://46[.]151[.]182[.]157:751/download | payload_delivery | 2026-06-21 | 100% |
| url | hxxp://46[.]151[.]182[.]157:2008/api/forwarder | botnet_cc | 2026-06-21 | 100% |
| url | hxxp://46[.]151[.]182[.]157:1337/api/discord | payload_delivery | 2026-06-21 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - RapidStealer
let malicious_ips = dynamic(["46.151.182.157"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - RapidStealer
let malicious_ips = dynamic(["46.151.182.157"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - RapidStealer
let malicious_urls = dynamic(["http://46.151.182.157:1337/api/ps", "http://46.151.182.157:751/download", "http://46.151.182.157:2008/api/forwarder", "http://46.151.182.157:1337/api/discord"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
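As an added example (not part of the original report), the following Python refangs the defanged IOCs from the table above, derives ip:port pairs so that both the IP and the port are matched (the KQL queries above match on the IP alone, so any connection to the host on an unrelated port would also fire), and runs that matching over constructed sample events shaped like DeviceNetworkEvents rows.

```python
# Added example: refang the RapidStealer IOCs from the table above and match them,
# port-aware, against constructed sample events. Not code from the original report.
import re
from urllib.parse import urlsplit

# Defanged IOCs copied verbatim from the IOC summary table
DEFANGED_IOCS = [
    ("ip:port", "46[.]151[.]182[.]157:1337", "botnet_cc"),
    ("ip:port", "46[.]151[.]182[.]157:751", "payload_delivery"),
    ("url", "hxxp://46[.]151[.]182[.]157:1337/api/ps", "payload_delivery"),
    ("ip:port", "46[.]151[.]182[.]157:2008", "botnet_cc"),
    ("url", "hxxp://46[.]151[.]182[.]157:751/download", "payload_delivery"),
    ("url", "hxxp://46[.]151[.]182[.]157:2008/api/forwarder", "botnet_cc"),
    ("url", "hxxp://46[.]151[.]182[.]157:1337/api/discord", "payload_delivery"),
]

def refang(value: str) -> str:
    """Undo common defanging: '[.]' -> '.', '[:]' -> ':', 'hxxp(s)://' -> 'http(s)://'."""
    value = value.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxx(ps?)://", r"htt\1://", value, flags=re.IGNORECASE)

def build_indicator_sets(iocs):
    """Return (ip_port_pairs, urls); every URL also contributes its own host:port pair."""
    pairs, urls = set(), set()
    for kind, raw, _threat_type in iocs:
        value = refang(raw)
        if kind == "ip:port":
            ip, port = value.rsplit(":", 1)
            pairs.add((ip, int(port)))
        elif kind == "url":
            urls.add(value)
            parts = urlsplit(value)
            default_port = 443 if parts.scheme == "https" else 80
            pairs.add((parts.hostname, parts.port or default_port))
    return pairs, urls

def match_events(events, pairs, urls):
    """Return (DeviceName, indicator_kind, indicator) for each event hitting an IOC.
    The exact URL is checked first because it is the more specific indicator."""
    hits = []
    for ev in events:
        url = ev.get("RemoteUrl") or ""
        if url in urls:
            hits.append((ev["DeviceName"], "url", url))
        elif (ev["RemoteIP"], ev["RemotePort"]) in pairs:
            hits.append((ev["DeviceName"], "ip:port", f'{ev["RemoteIP"]}:{ev["RemotePort"]}'))
    return hits

# Constructed sample events (DeviceNetworkEvents-style columns); ws02 talks to the
# IOC host on an unrelated port and ws03 uses an IOC port on an unrelated host.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "RemoteIP": "46.151.182.157", "RemotePort": 1337, "RemoteUrl": "http://46.151.182.157:1337/api/ps"},
    {"DeviceName": "ws02", "RemoteIP": "46.151.182.157", "RemotePort": 443, "RemoteUrl": ""},
    {"DeviceName": "ws03", "RemoteIP": "10.0.0.5", "RemotePort": 751, "RemoteUrl": ""},
    {"DeviceName": "ws04", "RemoteIP": "46.151.182.157", "RemotePort": 2008, "RemoteUrl": ""},
]
```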
Scenario: Legitimate Scheduled Job Using psutil Module
Description: A system administrator schedules a Python script using psutil to monitor system resources, which may trigger the detection due to the presence of psutil in the process name or command line.
Filter/Exclusion: Exclude processes whose command line includes psutil, or that are associated with a known administrative monitoring script such as system_monitor.py.
Scenario: Admin Task Using netsh to Configure Firewall Rules
Description: A system administrator uses netsh to configure firewall rules, which may be flagged due to the presence of netsh in the command line.
Filter/Exclusion: Exclude processes where the command line contains netsh and the user is a domain admin or has elevated privileges.
Scenario: Legitimate Use of schtasks for Job Scheduling
Description: A scheduled task created via schtasks to run a legitimate maintenance script may trigger the detection if the script name or path matches known IOC patterns.
Filter/Exclusion: Exclude processes where the command line includes schtasks and the task is owned by a known service account or admin user.
Scenario: Software Update Using msiexec
Description: A legitimate software update process using msiexec may be flagged if the update package name or path contains IOC strings associated with RapidStealer.
Filter/Exclusion: Exclude processes where the command line includes msiexec and the file path is within a known corporate software repository.
Scenario: Database Backup Using sqlcmd
Description: A database administrator runs a backup using sqlcmd, which may be flagged due to the presence of sqlcmd in the command line or file paths.