ThreatFox: Remcos IOCs

Hunt Hypothesis

Hunt package for 9 IOCs associated with Remcos

IOC Summary

Malware Family: Remcos Total IOCs: 9 IOC Types: domain, ip:port

KQL: Ip Hunt

// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Remcos
let malicious_ips = dynamic(["107.189.23.49", "45.59.163.56", "147.45.179.125", "172.111.232.233", "45.74.48.103", "141.98.10.162"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc

KQL: Ip Hunt Device

// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["107.189.23.49", "45.59.163.56", "147.45.179.125", "172.111.232.233", "45.74.48.103", "141.98.10.162"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc

KQL: Domain Hunt

// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Remcos
let malicious_domains = dynamic(["www.crysaltimedubai.com", "www.crysaltimedubaibackup1.com", "www.crysaltimedubaibackup2.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc

Required Data Sources

References

• ThreatFox — Remcos