This hunt hypothesis looks for potential Remcos malware activity through known IOCs associated with command-and-control communication, which would indicate an adversary exfiltrating data or maintaining persistent access. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats before significant data loss occurs.
IOC Summary
Malware Family: Remcos
Total IOCs: 8
IOC Types: ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 2[.]58[.]56[.]50:2404 | botnet_cc | 2026-06-01 | 75% |
| ip:port | 182[.]23[.]2[.]163:11327 | botnet_cc | 2026-06-01 | 75% |
| domain | www.jesusboyglobalbackup3.com | botnet_cc | 2026-06-01 | 75% |
| domain | www.jesusboyglobal.com | botnet_cc | 2026-06-01 | 75% |
| domain | www.jesusboyglobalbackup1.com | botnet_cc | 2026-06-01 | 75% |
| domain | www.jesusboyglobalbackup2.com | botnet_cc | 2026-06-01 | 75% |
| ip:port | 182[.]23[.]2[.]163:1477 | botnet_cc | 2026-05-31 | 75% |
| ip:port | 182[.]23[.]2[.]163:1135 | botnet_cc | 2026-05-31 | 75% |
```kql
// Hunt for network connections to known malicious IPs (firewall / proxy logs)
// Source: ThreatFox - Remcos
// The IOCs above are ip:port pairs; matching on the IP alone is intentionally
// broader, so check DestinationPort against the listed ports when triaging hits.
let malicious_ips = dynamic(["2.58.56.50", "182.23.2.163"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Remcos
// InitiatingProcessFileName shows which process opened the connection, which is
// the first thing to look at when a hit comes back.
let malicious_ips = dynamic(["2.58.56.50", "182.23.2.163"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Remcos
let malicious_domains = dynamic(["www.jesusboyglobalbackup3.com", "www.jesusboyglobal.com", "www.jesusboyglobalbackup1.com", "www.jesusboyglobalbackup2.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
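The three queries above match on bare IPs and domains. The IOC table also carries ports, and an exact ip:port hit is a much stronger signal than an IP-only hit on a different port. The following Python is an added example, not part of the original hunt page or of any Sentinel tooling: it refangs the IOC table as published above, then applies the same hunt logic to a few constructed network and DNS events, grading each hit as an exact ip:port match, an IP-only match or a domain match (including subdomains of a listed domain). The sample events, host names and process names are constructed for the illustration.

```python
"""Match the defanged Remcos IOCs from the table above against sample events.

Added example; the sample telemetry below is constructed, not real data.
"""
import ipaddress

# IOCs copied from the table above, defanged with [.] exactly as published.
IOCS = [
    ("ip:port", "2[.]58[.]56[.]50:2404"),
    ("ip:port", "182[.]23[.]2[.]163:11327"),
    ("domain", "www.jesusboyglobalbackup3.com"),
    ("domain", "www.jesusboyglobal.com"),
    ("domain", "www.jesusboyglobalbackup1.com"),
    ("domain", "www.jesusboyglobalbackup2.com"),
    ("ip:port", "182[.]23[.]2[.]163:1477"),
    ("ip:port", "182[.]23[.]2[.]163:1135"),
]


def refang(value: str) -> str:
    """Turn a defanged indicator ('2[.]58[.]56[.]50') back into a usable string."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def build_ioc_sets(iocs):
    """Split the IOC list into exact (ip, port) pairs, bare IPs and domains."""
    ip_ports, ips, domains = set(), set(), set()
    for ioc_type, raw in iocs:
        value = refang(raw)
        if ioc_type == "ip:port":
            ip, port = value.rsplit(":", 1)
            ipaddress.ip_address(ip)  # raises ValueError on a malformed indicator
            ip_ports.add((ip, int(port)))
            ips.add(ip)
        elif ioc_type == "domain":
            domains.add(value.lower().rstrip("."))
    return ip_ports, ips, domains


def domain_matches(name: str, domains) -> bool:
    """True when the queried name equals an IOC domain or is a subdomain of one.

    The check is anchored on label boundaries, so a look-alike such as
    'notjesusboyglobal.com' does not match 'www.jesusboyglobal.com'."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def classify_network_event(event, ip_ports, ips):
    """Return 'ip_port_match', 'ip_only_match' or None for one network event.

    An exact ip:port hit is the strongest signal; an IP-only hit on another
    port still deserves review, since the same host is listed on several ports."""
    remote = (event["RemoteIP"], int(event["RemotePort"]))
    if remote in ip_ports:
        return "ip_port_match"
    if event["RemoteIP"] in ips:
        return "ip_only_match"
    return None


def hunt(network_events, dns_events, iocs=IOCS):
    """Run both hunts; return (source table, host, indicator, verdict) per hit."""
    ip_ports, ips, domains = build_ioc_sets(iocs)
    hits = []
    for ev in network_events:
        verdict = classify_network_event(ev, ip_ports, ips)
        if verdict:
            indicator = f'{ev["RemoteIP"]}:{ev["RemotePort"]}'
            hits.append(("DeviceNetworkEvents", ev["DeviceName"], indicator, verdict))
    for ev in dns_events:
        if domain_matches(ev["Name"], domains):
            hits.append(("DnsEvents", ev["Computer"], ev["Name"], "domain_match"))
    return hits


# Constructed sample telemetry (hypothetical hosts and processes): one exact
# ip:port hit, one IP-only hit, one benign connection, one real domain hit and
# one look-alike domain that must not match.
SAMPLE_NETWORK_EVENTS = [
    {"DeviceName": "ws-01", "RemoteIP": "2.58.56.50", "RemotePort": "2404", "InitiatingProcessFileName": "svchost.exe"},
    {"DeviceName": "ws-02", "RemoteIP": "182.23.2.163", "RemotePort": "443", "InitiatingProcessFileName": "chrome.exe"},
    {"DeviceName": "ws-03", "RemoteIP": "93.184.216.34", "RemotePort": "443", "InitiatingProcessFileName": "chrome.exe"},
]
SAMPLE_DNS_EVENTS = [
    {"Computer": "ws-04", "Name": "www.jesusboyglobalbackup2.com"},
    {"Computer": "ws-05", "Name": "notjesusboyglobal.com"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_NETWORK_EVENTS, SAMPLE_DNS_EVENTS):
        print(*hit)
```

Running the block reports three hits: the exact ip:port connection from ws-01, the IP-only connection from ws-02 (same C2 host, unlisted port) and the DNS query from ws-04; the look-alike domain from ws-05 is ignored. The same grading can be carried into the KQL by joining on both RemoteIP and RemotePort for the ip:port indicators.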
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that matches one of the Remcos IOCs due to similar file names or paths.
Filter/Exclusion: Exclude files with a .ps1 or .bat extension that are located in the C:\Windows\Tasks\ directory.
Scenario: Admin Tool for Remote Management
Description: An IT admin uses a legitimate remote management tool (e.g., PsExec, PSTools) that has a similar command-line syntax to Remcos C2 commands.
Filter/Exclusion: Exclude processes initiated by the PsExec executable or those with a command line containing psexec or remotefile.
Scenario: Log Collection and Analysis Tool
Description: A log collection tool (e.g., LogParser, Splunk) is configured to parse logs and generates output that matches one of the Remcos IOCs.
Filter/Exclusion: Exclude processes with a parent process name of logparser.exe or splunkd.exe.
Scenario: Backup Job Using PowerShell
Description: A backup job uses PowerShell scripts that include commands resembling Remcos C2 communication patterns.
Filter/Exclusion: Exclude processes with a command line containing Backup or Restore and originating from the C:\Windows\System32\WindowsPowerShell\v1.0\ directory.
Scenario: Network Monitoring Tool with Alerting Logic
Description: A network monitoring tool (e.g., Wireshark, tcpdump) generates alerts that match the IOCs due to legitimate traffic patterns.
Filter/Exclusion: Exclude traffic originating from or destined to the internal network range (e.g., 10.0.0.0/8) or