The ThreatFox: Remcos IOCs rule detects potential Remcos activity by matching network telemetry against command-and-control indicators that abuse.ch's ThreatFox attributes to this malware family. Remcos is a commercially sold remote administration tool that is widely abused as a remote access Trojan. Every indicator below is typed botnet_cc, i.e. a C2 endpoint, so a hit means an implant on the host is already beaconing, not that a delivery attempt was observed. SOC teams should hunt for these indicators in Microsoft Sentinel (formerly Azure Sentinel) and treat hits as active compromises to contain before they lead to data exfiltration and persistent access. All entries carry 75% confidence and share one first-seen date; C2 IPs get reassigned and domains get sinkholed or re-registered, so check the current ThreatFox entry before adding an indicator to a block list.
IOC Summary
Malware Family: Remcos
Total IOCs: 22
IOC Types: domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 5[.]101[.]82[.]98:41843 | botnet_cc | 2026-05-22 | 75% |
| ip:port | 46[.]29[.]234[.]94:1298 | botnet_cc | 2026-05-22 | 75% |
| ip:port | 46[.]29[.]234[.]94:12639 | botnet_cc | 2026-05-22 | 75% |
| ip:port | 2[.]59[.]162[.]106:6698 | botnet_cc | 2026-05-22 | 75% |
| ip:port | 2[.]59[.]162[.]106:36125 | botnet_cc | 2026-05-22 | 75% |
| ip:port | 2[.]59[.]162[.]106:12639 | botnet_cc | 2026-05-22 | 75% |
| ip:port | 2[.]59[.]162[.]106:1298 | botnet_cc | 2026-05-22 | 75% |
| domain | www.danafilesbackup1.com | botnet_cc | 2026-05-22 | 75% |
| domain | www.danafilesbackup2.com | botnet_cc | 2026-05-22 | 75% |
| domain | www.danafilesbackup3.com | botnet_cc | 2026-05-22 | 75% |
| domain | www.danafiles.com | botnet_cc | 2026-05-22 | 75% |
| domain | j88t.club | botnet_cc | 2026-05-22 | 75% |
| domain | gowayofficemee.in.net | botnet_cc | 2026-05-22 | 75% |
| domain | weerterveldautos.nl | botnet_cc | 2026-05-22 | 75% |
| domain | vakgarageschaap.nl | botnet_cc | 2026-05-22 | 75% |
| domain | vankesseladvocatuur.nl | botnet_cc | 2026-05-22 | 75% |
| domain | sportsmodelagency.nl | botnet_cc | 2026-05-22 | 75% |
| domain | llwin.co.com | botnet_cc | 2026-05-22 | 75% |
| domain | scalpbrothers.nl | botnet_cc | 2026-05-22 | 75% |
| domain | 789cllub.co | botnet_cc | 2026-05-22 | 75% |
| domain | ambt24.nl | botnet_cc | 2026-05-22 | 75% |
| ip:port | 46[.]151[.]182[.]76:8080 | botnet_cc | 2026-05-22 | 75% |
```kusto
// Hunt for network connections to known malicious IPs (firewall/proxy logs via CEF)
// Source: ThreatFox - Remcos
// Matches on IP only. The ThreatFox entries are ip:port pairs, so compare
// DestinationPort against the IOC table before escalating a hit.
let malicious_ips = dynamic(["2.59.162.106", "5.101.82.98", "46.151.182.76", "46.29.234.94"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, SourcePort, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events (Microsoft Defender XDR connector)
// Source: ThreatFox - Remcos
// Command line and account of the initiating process are projected so a hit can
// be triaged without a second query.
let malicious_ips = dynamic(["2.59.162.106", "5.101.82.98", "46.151.182.76", "46.29.234.94"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, ActionType
| order by Timestamp desc
```

```kusto
// Hunt for DNS queries to known malicious domains (Windows DNS server logs)
// Source: ThreatFox - Remcos
// has_any is a tokenised term match: it hits the listed name and any sub-domain
// of it. Do not swap it for contains, which also matches unrelated names that
// merely embed a listed string.
let malicious_domains = dynamic(["www.danafilesbackup1.com", "www.danafilesbackup2.com", "www.danafilesbackup3.com", "www.danafiles.com", "j88t.club", "gowayofficemee.in.net", "weerterveldautos.nl", "vakgarageschaap.nl", "vankesseladvocatuur.nl", "sportsmodelagency.nl", "llwin.co.com", "scalpbrothers.nl", "789cllub.co", "ambt24.nl"]);
DnsEvents
| where Name has_any (malicious_domains)
// Computer is the DNS server that logged the query; ClientIP is the host that asked.
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
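The queries above match on IP alone, but the ThreatFox entries are ip:port pairs (2.59.162.106 alone is listed with four ports), and a shared-hosting IP can carry unrelated traffic on other ports. The following KQL is an added example, not part of the original rule, that keeps the port information: it joins on IP, then scores each event by whether the port is also on the list. The sample_events table is constructed for this example and stands in for DeviceNetworkEvents; the IOC values are the ones from the table above.

```kusto
// Added example: score Remcos C2 hits by ip:port match, not IP alone.
// remcos_c2 holds the ip:port pairs from the ThreatFox table on this page.
let remcos_c2 = datatable(ip:string, port:int) [
    "5.101.82.98",   41843,
    "46.29.234.94",  1298,
    "46.29.234.94",  12639,
    "2.59.162.106",  6698,
    "2.59.162.106",  36125,
    "2.59.162.106",  12639,
    "2.59.162.106",  1298,
    "46.151.182.76", 8080
];
// Constructed sample telemetry (not real data) standing in for DeviceNetworkEvents:
//   ws-017: listed IP on a listed port      -> high confidence
//   ws-018: listed IP on an unlisted port   -> low confidence (shared host?)
//   ws-019: listed IP on a listed port, connection failed -> still a beacon attempt
//   ws-020: unrelated IP                    -> dropped by the join
let sample_events = datatable(Timestamp:datetime, DeviceName:string, RemoteIP:string, RemotePort:int,
                              InitiatingProcessFileName:string, ActionType:string) [
    datetime(2026-05-22T10:01:00Z), "ws-017", "2.59.162.106",  6698, "remcos.exe",  "ConnectionSuccess",
    datetime(2026-05-22T10:02:00Z), "ws-018", "2.59.162.106",  443,  "chrome.exe",  "ConnectionSuccess",
    datetime(2026-05-22T10:03:00Z), "ws-019", "46.151.182.76", 8080, "svchost.exe", "ConnectionFailed",
    datetime(2026-05-22T10:04:00Z), "ws-020", "8.8.8.8",       53,   "svchost.exe", "ConnectionSuccess"
];
sample_events
// In production replace the line above with:
// DeviceNetworkEvents | where Timestamp > ago(30d)
| join kind=inner remcos_c2 on $left.RemoteIP == $right.ip
// One joined row per listed port for that IP; collapse back to one row per event
// and count how many of those ports equal the observed RemotePort.
| summarize PortMatches = countif(RemotePort == port)
    by Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| extend Confidence = iff(PortMatches > 0,
                          "high: ip:port pair is on the ThreatFox list",
                          "low: IP only, port not listed")
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType, Confidence
| order by Confidence asc, Timestamp desc
```

Run as written (for instance in a Kusto or Log Analytics query window) it returns three rows: ws-017 and ws-019 scored high, ws-018 scored low, and ws-020 dropped. A failed connection to a listed ip:port is still a beacon attempt and should be triaged; the low-confidence bucket is where shared-hosting false positives land, so review those rather than suppressing the IP.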
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Firewall/proxy logs ingested through the Common Event Format (CEF) connector; the query needs SourceIP, DestinationIP and DestinationPort populated by the sending device |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR (Defender for Endpoint) connector; port and initiating-process fields are available here, so this is the best table for triage |
| DnsEvents | Windows DNS server logs from the DNS connector; Computer is the DNS server, ClientIP the host that issued the query |
The indicators in this rule are network IOCs (C2 ip:port pairs and domains), so exclusions must be expressed on the fields the queries above actually return (destination, port, DNS client, initiating process), not on a process named "Remcos", which the queries never inspect. Each exclusion below is a KQL filter appended to the relevant query; names such as approved_rmm_servers and analysis_hosts are placeholders for organisation-maintained lists.
Scenario: Sanctioned remote-administration use of Remcos. Remcos is sold commercially as a remote administration tool, so an MSP or an internal team may have deployed it deliberately.
Filter/Exclusion: The destinations in this rule are ThreatFox-reported botnet_cc endpoints, not a vendor's infrastructure, so a sanctioned install still should not be contacting them. Exclude only destinations the MSP confirms as its own management servers, kept in an allow list, and record the confirmation.
Example: `| where not(RemoteIP in (approved_rmm_servers))`
Scenario: Automated job (backup, monitoring, update check) reaching a listed IP on a port that is not in the ip:port table, typically because the IP is shared hosting that also serves unrelated content.
Filter/Exclusion: Match on the full ip:port pair from the IOC table, or at least keep the port and downgrade IP-only hits; do not exclude the IP outright, since the same IP is listed with several C2 ports.
Example: `| where strcat(RemoteIP, ":", tostring(RemotePort)) in (malicious_ip_ports)` with malicious_ip_ports holding the ip:port strings from the table above.
Scenario: Hit on an administrator account, or with a scheduled task or PowerShell as the initiating process, that looks like routine admin activity.
Filter/Exclusion: Do not exclude on account or parent process. Registry Run keys and scheduled tasks are common persistence for Remcos and its loaders, and the implant runs under the logged-on user, so an admin account or a schtasks/PowerShell parent is consistent with compromise rather than evidence against it. Pivot on the initiating process instead of filtering it away.
Example: `| summarize Hits = count() by DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemotePort`
Scenario: Hit whose initiating process is a remote support tool such as TeamViewer or AnyDesk.
Filter/Exclusion: These tools connect to their vendors' relay infrastructure, not to the listed C2 endpoints, so a hit attributed to TeamViewer.exe or AnyDesk.exe points to a renamed binary, process injection or a wrong allow-list rather than a false positive. Verify the image path and hash before deciding; never exclude on process name alone.
Example: `| where InitiatingProcessFileName in~ ("TeamViewer.exe", "AnyDesk.exe") | project DeviceName, InitiatingProcessFolderPath, InitiatingProcessSHA256, RemoteIP, RemotePort`
Scenario: Security tooling touching the indicators: sandboxes, threat-intelligence enrichment, URL scanners and analyst workstations resolve or connect to listed IOCs as part of their job, and in DnsEvents the DNS server itself performs the recursive lookup for every client.
Filter/Exclusion: Exclude known analysis hosts by name or address, and attribute DNS hits to ClientIP rather than to Computer (the DNS server) so the real requester is investigated.
Example: `| where not(Computer in~ (analysis_hosts) or ClientIP in (analysis_host_ips))`