The ThreatFox: Remcos IOCs rule detects potential Remcos malware activity by identifying known indicators associated with this remote access Trojan. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises that could lead to data exfiltration and persistent access.
IOC Summary
Malware Family: Remcos
Total IOCs: 11
IOC Types: domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 5[.]101[.]83[.]143:7312 | botnet_cc | 2026-05-25 | 75% |
| ip:port | 5[.]101[.]82[.]98:42859 | botnet_cc | 2026-05-25 | 75% |
| ip:port | 45[.]154[.]98[.]254:2404 | botnet_cc | 2026-05-25 | 75% |
| ip:port | 27[.]102[.]137[.]139:1243 | botnet_cc | 2026-05-25 | 75% |
| ip:port | 178[.]16[.]54[.]208:61099 | botnet_cc | 2026-05-25 | 75% |
| ip:port | 155[.]103[.]71[.]232:15406 | botnet_cc | 2026-05-25 | 75% |
| ip:port | 138[.]9[.]41[.]208:8015 | botnet_cc | 2026-05-25 | 75% |
| domain | yellowred.in | botnet_cc | 2026-05-25 | 75% |
| domain | tg77.it.com | botnet_cc | 2026-05-25 | 75% |
| domain | afun.it.com | botnet_cc | 2026-05-25 | 75% |
| domain | goldenscissoreindhoven.nl | botnet_cc | 2026-05-25 | 75% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Remcos
let malicious_ips = dynamic(["138.9.41.208", "5.101.83.143", "27.102.137.139", "5.101.82.98", "45.154.98.254", "178.16.54.208", "155.103.71.232"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Remcos
let malicious_ips = dynamic(["138.9.41.208", "5.101.83.143", "27.102.137.139", "5.101.82.98", "45.154.98.254", "178.16.54.208", "155.103.71.232"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Remcos
let malicious_domains = dynamic(["yellowred.in", "tg77.it.com", "afun.it.com", "goldenscissoreindhoven.nl"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
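As an added example that is not part of the original rule, the following Python script refangs the defanged indicators from the table into the `dynamic([...])` lists the KQL queries use and scores constructed events against them. It goes beyond the queries above by also checking the port from each ip:port pair, so an IP-only hit can be triaged separately from a full IP+port hit; the event field names (`remote_ip`, `remote_port`, `dns_name`) are assumptions for the sample events.

```python
import ipaddress

# Constructed sample: a subset of the defanged ThreatFox indicators from the table above.
DEFANGED_IOCS = [
    ("ip:port", "5[.]101[.]83[.]143:7312"),
    ("ip:port", "45[.]154[.]98[.]254:2404"),
    ("domain", "yellowred.in"),
    ("domain", "tg77.it.com"),
]

def refang(value: str) -> str:
    """Reverse common defanging so the value can be pasted into a KQL dynamic() list."""
    return value.replace("[.]", ".").replace("hxxp", "http")

def build_matchers(iocs):
    """Return (ip:port pairs, bare IPs, domains) from (type, defanged value) tuples."""
    pairs, ips, domains = set(), set(), set()
    for kind, raw in iocs:
        value = refang(raw)
        if kind == "ip:port":
            ip, port = value.rsplit(":", 1)
            ipaddress.ip_address(ip)          # raises ValueError on a malformed address
            pairs.add((ip, int(port)))
            ips.add(ip)
        elif kind == "domain":
            domains.add(value.lower().rstrip("."))
    return pairs, ips, domains

def domain_hit(name: str, domains) -> bool:
    """True for an exact match or a subdomain of a listed domain, never a bare substring match."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)

def classify(event: dict, pairs, ips, domains):
    """Score one constructed event (assumed field names) against the indicators.

    'high'   : remote IP and port both match a ThreatFox ip:port pair
    'medium' : remote IP matches but the port differs (what the IP-only KQL above returns)
    'domain' : DNS query name is a listed domain or one of its subdomains
    None     : no match
    """
    ip, port = event.get("remote_ip"), event.get("remote_port")
    if ip in ips:
        return "high" if (ip, port) in pairs else "medium"
    if "dns_name" in event and domain_hit(event["dns_name"], domains):
        return "domain"
    return None

def kql_list(values) -> str:
    """Render a set of indicators as the dynamic([...]) literal used in the queries above."""
    return "dynamic([" + ", ".join(f'"{v}"' for v in sorted(values)) + "])"
```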
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Backup Using Veeam Backup & Replication
Description: A legitimate scheduled backup job using Veeam may include processes that match Remcos IOCs due to similar file names or network behavior.
Filter/Exclusion: Exclude processes where the full path contains C:\Program Files\Veeam\ or where the parent process is vmbackup.exe.

Scenario: Windows Task Scheduler Running Admin Tools
Description: A legitimate administrative task, such as running wbadmin or schtasks.exe, might trigger the rule if it matches Remcos IOCs due to similar command-line arguments or file names.
Filter/Exclusion: Exclude processes where the command line includes wbadmin or schtasks.exe and the user is a domain admin with known legitimate tasks.

Scenario: Microsoft Endpoint Configuration Manager (MECM) Deployment
Description: A deployment package from MECM (formerly SCCM) may include files or network connections that resemble Remcos IOCs due to shared infrastructure.
Filter/Exclusion: Exclude processes where the parent process is ccmexec.exe or where the file path includes C:\Windows\System32\ccm\.

Scenario: PowerShell Script for System Monitoring
Description: A PowerShell script used for system monitoring (e.g., using Get-EventLog or Get-Service) may generate network traffic or file activity that matches Remcos IOCs.
Filter/Exclusion: Exclude processes where the executable is powershell.exe and the command line includes Get-EventLog or Get-Service.

Scenario: Antivirus Software Performing Full System Scan
Description: Antivirus tools like Bitdefender or Kaspersky may temporarily create files or use network connections that resemble Remcos IOCs during a full system