This hunt hypothesis looks for potential Remcos malware activity by matching known IOCs associated with its command and control communication; a hit indicates an adversary may be exfiltrating data or maintaining persistent access. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats before they cause significant damage.
IOC Summary

Malware Family: Remcos
Total IOCs: 10
IOC Types: domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 192[.]30[.]243[.]28:36812 | botnet_cc | 2026-05-29 | 75% |
| ip:port | 192[.]30[.]243[.]28:8638 | botnet_cc | 2026-05-29 | 75% |
| ip:port | 182[.]23[.]2[.]163:2345 | botnet_cc | 2026-05-29 | 75% |
| domain | stonehill.sa.com | botnet_cc | 2026-05-29 | 75% |
| domain | e2bet-games.org | botnet_cc | 2026-05-29 | 75% |
| domain | fly88-l.com | botnet_cc | 2026-05-29 | 75% |
| ip:port | 182[.]23[.]2[.]163:5013 | botnet_cc | 2026-05-28 | 75% |
| ip:port | 182[.]23[.]2[.]163:58008 | botnet_cc | 2026-05-28 | 75% |
| ip:port | 182[.]23[.]2[.]163:7615 | botnet_cc | 2026-05-28 | 75% |
| ip:port | 182[.]23[.]2[.]163:13846 | botnet_cc | 2026-05-28 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Remcos
let malicious_ips = dynamic(["192.30.243.28", "182.23.2.163"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Remcos
let malicious_ips = dynamic(["192.30.243.28", "182.23.2.163"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Remcos
let malicious_domains = dynamic(["stonehill.sa.com", "e2bet-games.org", "fly88-l.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
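The IOC table above is published defanged (`192[.]30[.]243[.]28:36812`) while the hunt queries need refanged values, and the `ip:port` indicators carry a port that the IP-only queries discard. The following Python script is an added example, not part of the original hunt page or of ThreatFox: it parses the table rows (embedded here as constructed input), refangs them, emits the `let` lists the queries expect plus an extra `malicious_ip_ports` list for a port-aware variant, and runs the same matching logic over constructed sample records so the difference between IP-only and IP+port matching is visible. The record field names mirror the CommonSecurityLog and DnsEvents columns used above; everything else (function names, sample hosts) is assumed for illustration.

```python
"""Turn the defanged Remcos IOC table into Sentinel KQL lists and run the
matching logic locally over constructed sample records.

Added example; not part of the original hunt page. Assumes ThreatFox-style
"ip:port" and "domain" indicator types as shown in the table above.
"""
import json

# Constructed from the IOC table above; values are kept defanged as published.
RAW_IOCS = [
    ("ip:port", "192[.]30[.]243[.]28:36812"),
    ("ip:port", "192[.]30[.]243[.]28:8638"),
    ("ip:port", "182[.]23[.]2[.]163:2345"),
    ("domain", "stonehill.sa.com"),
    ("domain", "e2bet-games.org"),
    ("domain", "fly88-l.com"),
    ("ip:port", "182[.]23[.]2[.]163:5013"),
    ("ip:port", "182[.]23[.]2[.]163:58008"),
    ("ip:port", "182[.]23[.]2[.]163:7615"),
    ("ip:port", "182[.]23[.]2[.]163:13846"),
]


def refang(value: str) -> str:
    """Undo the common defanging conventions so values can be matched verbatim."""
    return value.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def parse_iocs(rows):
    """Split IOC rows into a set of (ip, port) pairs and a set of lowercase domains."""
    ip_ports, domains = set(), set()
    for ioc_type, raw in rows:
        value = refang(raw.strip())
        if ioc_type == "ip:port":
            ip, port = value.rsplit(":", 1)
            ip_ports.add((ip, int(port)))
        elif ioc_type == "domain":
            domains.add(value.lower())
    return ip_ports, domains


def build_kql_lets(ip_ports, domains) -> str:
    """Emit the `let` lines the hunt queries above expect, deduplicated and sorted."""
    ips = sorted({ip for ip, _ in ip_ports})
    pairs = sorted(f"{ip}:{port}" for ip, port in ip_ports)
    return "\n".join([
        f"let malicious_ips = dynamic({json.dumps(ips)});",
        f"let malicious_domains = dynamic({json.dumps(sorted(domains))});",
        # Port-aware variant (hypothetical extra list): match with
        # `strcat(DestinationIP, ':', DestinationPort) in (malicious_ip_ports)`
        f"let malicious_ip_ports = dynamic({json.dumps(pairs)});",
    ])


def hunt_network(events, ip_ports, port_aware=True):
    """Return (event, reason) pairs whose destination matches a C2 indicator.

    port_aware=False reproduces the IP-only match of the CommonSecurityLog query
    above; port_aware=True also requires the published C2 port, which drops hits
    on unrelated services that happen to share the IP.
    """
    ips = {ip for ip, _ in ip_ports}
    hits = []
    for ev in events:
        ip, port = ev["DestinationIP"], int(ev["DestinationPort"])
        if port_aware and (ip, port) in ip_ports:
            hits.append((ev, "ip+port"))
        elif not port_aware and ip in ips:
            hits.append((ev, "ip"))
    return hits


def hunt_dns(events, domains):
    """Return DNS events whose queried name is an indicator or a subdomain of one."""
    hits = []
    for ev in events:
        name = ev["Name"].lower().rstrip(".")
        if any(name == d or name.endswith("." + d) for d in domains):
            hits.append(ev)
    return hits


# Constructed sample records shaped like CommonSecurityLog / DnsEvents rows.
SAMPLE_NETWORK = [
    {"TimeGenerated": "2026-05-29T10:01:00Z", "SourceIP": "10.0.0.5",
     "DestinationIP": "182.23.2.163", "DestinationPort": 2345},   # IP and C2 port
    {"TimeGenerated": "2026-05-29T10:02:00Z", "SourceIP": "10.0.0.6",
     "DestinationIP": "182.23.2.163", "DestinationPort": 443},    # IP only
    {"TimeGenerated": "2026-05-29T10:03:00Z", "SourceIP": "10.0.0.7",
     "DestinationIP": "8.8.8.8", "DestinationPort": 53},          # no match
]
SAMPLE_DNS = [
    {"Computer": "ws01", "Name": "mail.stonehill.sa.com"},  # subdomain of an IOC
    {"Computer": "ws02", "Name": "fly88-l.com"},            # exact IOC
    {"Computer": "ws03", "Name": "notfly88-l.com"},         # not on a label boundary
]

if __name__ == "__main__":
    ips, doms = parse_iocs(RAW_IOCS)
    print(build_kql_lets(ips, doms))
    for ev, why in hunt_network(SAMPLE_NETWORK, ips):
        print("network hit", why, ev["SourceIP"], "->", ev["DestinationIP"], ev["DestinationPort"])
    for ev in hunt_dns(SAMPLE_DNS, doms):
        print("dns hit", ev["Computer"], ev["Name"])
```

Run as-is to print the three `let` lines ready to paste into the queries above. Note that `hunt_dns` matches on label boundaries (exact name or a dot-delimited subdomain), which is stricter than the KQL `has_any` term search; if the environment contains lookalike names, that stricter semantics avoids hits such as `notfly88-l.com`.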
Scenario: Legitimate Scheduled Job Using Remcos for System Monitoring
Description: A system administrator schedules a task using Remcos to monitor system performance or collect logs.
Filter/Exclusion: Exclude processes initiated by the system scheduler (e.g., schtasks.exe or at.exe) or filter by known admin tools like task scheduler or log collection scripts.
Scenario: Security Tool Using Remcos for Network Traffic Analysis
Description: A network monitoring tool (e.g., Wireshark, tcpdump) is configured to capture and analyze traffic, and it uses Remcos for packet capture.
Filter/Exclusion: Exclude processes running under the security tool’s service account or filter by known network analysis tools.
Scenario: System Update or Patching Process Using Remcos
Description: A patching tool (e.g., Microsoft Update, SCCM) uses Remcos to execute scripts or install updates.
Filter/Exclusion: Exclude processes associated with patching tools or filter by known update mechanisms like wuauclt.exe or msiexec.exe.
Scenario: Backup Job Using Remcos for Data Transfer
Description: A backup solution (e.g., Veeam, Acronis) uses Remcos to transfer data between servers during a scheduled backup.
Filter/Exclusion: Exclude processes initiated by backup tools or filter by known backup services like VeeamBackupService or AcronisAgent.
Scenario: Admin Task Using Remcos for Log Collection
Description: An admin uses Remcos to collect logs from multiple endpoints for centralized logging (e.g., using Splunk or ELK stack).
Filter/Exclusion: Exclude processes initiated by log collection tools or filter by known log management services like splunkforwarder or logstash.