The detection identifies potential Remcos malware activity through known IOCs, indicating an adversary may be establishing persistence or exfiltrating data. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats early.
IOC Summary
Malware Family: Remcos Total IOCs: 8 IOC Types: ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 182[.]23[.]2[.]163:58222 | botnet_cc | 2026-06-05 | 75% |
| ip:port | 182[.]23[.]2[.]163:10401 | botnet_cc | 2026-06-05 | 75% |
| ip:port | 182[.]23[.]2[.]163:11742 | botnet_cc | 2026-06-05 | 75% |
| domain | demo212.jnirnportaciones.net | botnet_cc | 2026-06-05 | 75% |
| ip:port | 54[.]37[.]128[.]55:3041 | botnet_cc | 2026-06-05 | 100% |
| ip:port | 37[.]120[.]206[.]165:56687 | botnet_cc | 2026-06-05 | 100% |
| ip:port | 196[.]251[.]107[.]114:24031 | botnet_cc | 2026-06-05 | 100% |
| ip:port | 172[.]111[.]163[.]172:29810 | botnet_cc | 2026-06-05 | 100% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Remcos
let malicious_ips = dynamic(["54.37.128.55", "37.120.206.165", "182.23.2.163", "172.111.163.172", "196.251.107.114"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["54.37.128.55", "37.120.206.165", "182.23.2.163", "172.111.163.172", "196.251.107.114"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Remcos
let malicious_domains = dynamic(["demo212.jnirnportaciones.net"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that matches one of the Remcos IOCs (e.g., a PowerShell script used for system cleanup).
Filter/Exclusion: process.name != "schtasks.exe" or process.name != "powershell.exe" (if the script is known to be benign).
Scenario: Admin Tool Execution
Description: An administrator uses a legitimate tool like PsExec or WMIC to remotely execute a command that matches a Remcos IOC.
Filter/Exclusion: process.name != "psexec.exe" or process.name != "wmic.exe" (if the tool is known to be used for legitimate administrative tasks).
Scenario: Log Management Tool Deployment
Description: A log management tool like Splunk or ELK Stack is deployed using a script that includes a file path or command matching a Remcos IOC.
Filter/Exclusion: process.name != "splunk.exe" or process.name != "java.exe" (if the Java process is part of the ELK stack).
Scenario: Antivirus Quarantine Process
Description: An antivirus tool like Malwarebytes or Bitdefender quarantines a file that matches a Remcos IOC during a scan.
Filter/Exclusion: process.name != "mbam.exe" or process.name != "bdagent.exe" (if the process is known to be part of the antivirus tool).
Scenario: Cloud Backup Job Execution
Description: A cloud backup tool like Veeam or Duplicati runs a backup job that includes a file or command matching a Remcos IOC.
Filter/Exclusion: process.name != "veeam.exe" or `