The ThreatFox: Remcos IOCs rule detects potential Remcos activity by matching network connections against command-and-control (C2) endpoints published for this remote access trojan. SOC teams should proactively hunt for these connections in Microsoft Sentinel (formerly Azure Sentinel) to identify early-stage compromises before they progress to data exfiltration and persistent access.
IOC Summary
Malware Family: Remcos
Total IOCs: 14 (9 unique IP addresses; several hosts are listed with more than one port)
IOC Types: ip:port (all tagged botnet_cc, i.e. C2 endpoints)
Values in the table are defanged with [.] and must be refanged before they are used in a query.
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 96[.]44[.]167[.]215:14642 | botnet_cc | 2026-06-16 | 75% |
| ip:port | 194[.]116[.]236[.]239:4099 | botnet_cc | 2026-06-16 | 75% |
| ip:port | 182[.]23[.]2[.]163:8415 | botnet_cc | 2026-06-16 | 75% |
| ip:port | 182[.]23[.]2[.]163:21845 | botnet_cc | 2026-06-16 | 75% |
| ip:port | 64[.]89[.]160[.]219:8080 | botnet_cc | 2026-06-15 | 75% |
| ip:port | 107[.]173[.]47[.]132:2404 | botnet_cc | 2026-06-15 | 75% |
| ip:port | 91[.]92[.]120[.]98:2404 | botnet_cc | 2026-06-15 | 75% |
| ip:port | 96[.]44[.]167[.]215:14647 | botnet_cc | 2026-06-15 | 75% |
| ip:port | 2[.]27[.]5[.]220:2428 | botnet_cc | 2026-06-15 | 75% |
| ip:port | 182[.]23[.]2[.]163:7563 | botnet_cc | 2026-06-15 | 75% |
| ip:port | 182[.]23[.]2[.]163:54257 | botnet_cc | 2026-06-15 | 75% |
| ip:port | 182[.]23[.]2[.]163:625 | botnet_cc | 2026-06-15 | 75% |
| ip:port | 172[.]245[.]195[.]233:14646 | botnet_cc | 2026-06-15 | 75% |
| ip:port | 144[.]31[.]236[.]223:9405 | botnet_cc | 2026-06-15 | 75% |
The IOC table lists ip:port pairs, but the hunting queries below match on the IP address alone, so a connection to any of these hosts on any port will surface; narrow by DestinationPort or RemotePort using the table if the volume is too high. The two queries are independent and are run separately.

```kql
// Hunt for network connections to known malicious IPs in firewall/proxy logs
// Source: ThreatFox - Remcos (9 unique IPs taken from the 14 ip:port indicators; port is not checked)
let malicious_ips = dynamic(["64.89.160.219", "2.27.5.220", "194.116.236.239", "182.23.2.163", "91.92.120.98", "144.31.236.223", "172.245.195.233", "96.44.167.215", "107.173.47.132"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events (same IP list; port is not checked)
let malicious_ips = dynamic(["64.89.160.219", "2.27.5.220", "194.116.236.239", "182.23.2.163", "91.92.120.98", "144.31.236.223", "172.245.195.233", "96.44.167.215", "107.173.47.132"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog data connector (firewall and proxy logs); ensure this data connector is enabled |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR data connector; ensure this data connector is enabled |
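The following Python script is an added example, not part of the ThreatFox rule or the page's own queries. It refangs the defanged rows from the IOC table above, validates them as IPv4:port pairs, generates a Sentinel query that joins DeviceNetworkEvents on the exact ip:port pair via a datatable instead of the IP alone, and classifies a few constructed DeviceNetworkEvents-style records to show how exact matching separates a real C2 hit from ordinary traffic to the same address. The host and process names in the sample events are hypothetical.

```python
"""Exact ip:port matching for the ThreatFox Remcos indicators.

Added example; the events below are constructed, not real telemetry.
"""
import re

# The 14 ip:port rows from the IOC table on this page, still defanged with [.].
IOC_ROWS = """
96[.]44[.]167[.]215:14642
194[.]116[.]236[.]239:4099
182[.]23[.]2[.]163:8415
182[.]23[.]2[.]163:21845
64[.]89[.]160[.]219:8080
107[.]173[.]47[.]132:2404
91[.]92[.]120[.]98:2404
96[.]44[.]167[.]215:14647
2[.]27[.]5[.]220:2428
182[.]23[.]2[.]163:7563
182[.]23[.]2[.]163:54257
182[.]23[.]2[.]163:625
172[.]245[.]195[.]233:14646
144[.]31[.]236[.]223:9405
""".split()

IOC_PATTERN = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def refang(value: str) -> str:
    """Turn the defanged '1[.]2[.]3[.]4:80' form back into '1.2.3.4:80'."""
    return value.replace("[.]", ".")


def parse_iocs(rows):
    """Return a set of (ip, port) tuples, rejecting anything that is not a valid IPv4:port."""
    pairs = set()
    for row in rows:
        m = IOC_PATTERN.match(refang(row))
        if not m:
            raise ValueError(f"unexpected IOC format: {row}")
        ip, port = m.group(1), int(m.group(2))
        if port > 65535 or any(int(octet) > 255 for octet in ip.split(".")):
            raise ValueError(f"out-of-range IOC: {row}")
        pairs.add((ip, port))
    return pairs


def build_kql(pairs):
    """Emit a DeviceNetworkEvents hunt that joins on the ip:port pair, not the IP alone."""
    rows = ",\n".join(f'    "{ip}", {port}' for ip, port in sorted(pairs))
    return (
        "let remcos_c2 = datatable(RemoteIP:string, RemotePort:int) [\n"
        f"{rows}\n];\n"
        "DeviceNetworkEvents\n"
        "| join kind=inner remcos_c2 on RemoteIP, RemotePort\n"
        "| project Timestamp, DeviceName, RemoteIP, RemotePort, "
        "InitiatingProcessFileName, ActionType\n"
        "| order by Timestamp desc"
    )


def match_events(events, pairs):
    """Map event id -> 'exact' (ip:port hit), 'ip_only' (listed IP, unlisted port) or None."""
    listed_ips = {ip for ip, _ in pairs}
    verdicts = {}
    for ev in events:
        if (ev["RemoteIP"], ev["RemotePort"]) in pairs:
            verdicts[ev["id"]] = "exact"
        elif ev["RemoteIP"] in listed_ips:
            verdicts[ev["id"]] = "ip_only"
        else:
            verdicts[ev["id"]] = None
    return verdicts


# Constructed DeviceNetworkEvents-style records; hosts and processes are hypothetical.
SAMPLE_EVENTS = [
    {"id": 1, "DeviceName": "ws-0412", "RemoteIP": "182.23.2.163", "RemotePort": 21845,
     "InitiatingProcessFileName": "explorer.exe"},   # listed C2 pair: investigate
    {"id": 2, "DeviceName": "ws-0412", "RemoteIP": "182.23.2.163", "RemotePort": 443,
     "InitiatingProcessFileName": "msedge.exe"},     # listed IP, unlisted port: lower priority
    {"id": 3, "DeviceName": "srv-mon01", "RemoteIP": "10.0.5.20", "RemotePort": 2404,
     "InitiatingProcessFileName": "prtg.exe"},       # listed port only: no match
]

if __name__ == "__main__":
    c2_pairs = parse_iocs(IOC_ROWS)
    print(build_kql(c2_pairs))
    print(match_events(SAMPLE_EVENTS, c2_pairs))
```

Paste the generated query into Sentinel as-is; because it joins on both RemoteIP and RemotePort, the host that also serves legitimate traffic on another port (event 2 above) does not fire, which is the main source of noise with the IP-only lists in the queries above.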
Because this rule matches on the remote ip:port of a connection, a file name, registry key or command line that merely resembles an indicator cannot trigger it; a false positive is only possible when a legitimate process genuinely connects to one of the listed endpoints. Scope every exclusion to the host, the process and the destination pair that was verified, never to a process name or account alone, since malware routinely runs under, or injects into, legitimately named processes. The scenarios below are written with that in mind.
Scenario: Scheduled System Maintenance Task
Description: A scheduled maintenance or update task on a server polls an external host whose address coincides with one of the listed IPs (for example a re-assigned address at a hosting provider).
Filter/Exclusion: Confirm the destination is the expected vendor endpoint, then exclude only that task's process on the named host for the specific RemoteIP:RemotePort pair; do not exclude Task Scheduler children by TaskName such as “Maintenance” or “SystemCheck”.
Scenario: Admin Tool Usage - PowerShell Scripting
Description: An administrator uses PowerShell (for example Test-NetConnection) to check reachability of a listed IP while investigating this very alert, producing a matching DeviceNetworkEvents record from powershell.exe.
Filter/Exclusion: Do not exclude powershell.exe by name or by the admin account; correlate the event with the investigation ticket and exclude the single DeviceName, account and RemoteIP combination for the investigation window only.
Scenario: Log Management Tool Execution
Description: A log management forwarder or collector (Splunk, ELK Stack) performs an outbound lookup or forwards to a target whose address coincides with a listed IP.
Filter/Exclusion: If splunkd.exe, java.exe (for ELK) or logstash.exe itself made the connection, verify the destination against the tool's configured outputs and lookups before excluding that process on that host for that RemoteIP:RemotePort pair.
Scenario: Backup Job to an External Target
Description: A Veeam or Commvault job replicates to a cloud or offsite repository whose address coincides with a listed IP.
Filter/Exclusion: Verify the target in the backup console, then exclude the backup process (the page names veeam.exe and cvbackup.exe) on the named backup server for the configured RemoteIP:RemotePort pair only; a CommandLine containing “backup” or “restore” is not sufficient on its own.
Scenario: Network Monitoring Tool with Custom Scripts
Description: A network monitoring tool like PRTG or SolarWinds runs a custom sensor or script that actively probes external addresses, including one of the listed ip:port pairs.
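To make the Filter/Exclusion guidance in the scenarios above concrete, here is an added Python example (constructed hits and hypothetical hosts; not part of the original rule or page) that compares a tuple-scoped, expiring allowlist with a process-name-only exclusion. In Sentinel the same tuple-scoped allowlist is expressed as a datatable and applied with `join kind=leftanti`; the Python simply shows which hits each policy leaves for the analyst.

```python
"""Tuple-scoped exclusions for the ip:port hunt.

Added example over constructed hits; not from the original page.
"""
from datetime import date

# Each entry pins one verified benign connection to a host, a process and a
# destination pair, with a reason and an expiry date that forces re-review.
# The entry itself is hypothetical.
ALLOWLIST = [
    {"DeviceName": "srv-mon01", "InitiatingProcessFileName": "prtg.exe",
     "RemoteIP": "91.92.120.98", "RemotePort": 2404,
     "Reason": "custom sensor validated against the PRTG configuration",
     "Expires": "2026-07-15"},
]

PINNED_FIELDS = ("DeviceName", "InitiatingProcessFileName", "RemoteIP", "RemotePort")


def is_excluded(event, allowlist, today):
    """True only if every pinned field matches an entry that has not expired (today is ISO date)."""
    today_d = date.fromisoformat(today)
    for entry in allowlist:
        if date.fromisoformat(entry["Expires"]) < today_d:
            continue
        if all(event.get(field) == entry[field] for field in PINNED_FIELDS):
            return True
    return False


def is_excluded_by_name(event, process_names):
    """The unsafe variant: suppress on process name alone, whatever the host or destination."""
    return event["InitiatingProcessFileName"].lower() in process_names


def triage(events, allowlist, today):
    """Return the ids that still need analyst attention under each exclusion policy."""
    return {
        "tuple": [e["id"] for e in events if not is_excluded(e, allowlist, today)],
        "process_name": [e["id"] for e in events
                         if not is_excluded_by_name(e, {"prtg.exe", "powershell.exe"})],
    }


# Constructed hits from the ip:port hunt; every one touched a listed C2 pair.
HITS = [
    {"id": 1, "DeviceName": "srv-mon01", "InitiatingProcessFileName": "prtg.exe",
     "RemoteIP": "91.92.120.98", "RemotePort": 2404},      # the validated probe
    {"id": 2, "DeviceName": "ws-0412", "InitiatingProcessFileName": "prtg.exe",
     "RemoteIP": "91.92.120.98", "RemotePort": 2404},      # same process name, but a workstation
    {"id": 3, "DeviceName": "ws-0099", "InitiatingProcessFileName": "powershell.exe",
     "RemoteIP": "107.173.47.132", "RemotePort": 2404},    # admin shell to a listed C2 pair
]

if __name__ == "__main__":
    # tuple policy keeps hits 2 and 3 for review; the name-only policy silently drops all three
    print(triage(HITS, ALLOWLIST, "2026-06-17"))
```

The expiry date matters as much as the pinned fields: once an entry lapses, the validated probe (hit 1) reappears and has to be re-confirmed, which is the behaviour you want for an allowlist entry pointing at an address that threat intelligence currently labels as C2.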
Filter/Exclusion: Exclude processes with ProcessName equal to prtg.exe or