The hunt hypothesis detects potential Remcos malware activity through known IOCs associated with command and control communication, indicating an adversary may be exfiltrating data or maintaining persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats before significant data loss occurs.
IOC Summary
Malware Family: Remcos Total IOCs: 14 IOC Types: domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 31[.]76[.]87[.]188:4034 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 2[.]27[.]5[.]120:6448 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 2[.]27[.]5[.]236:1377 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 2[.]26[.]75[.]249:7312 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 198[.]23[.]177[.]222:14646 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 192[.]3[.]96[.]82:45683 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 182[.]23[.]2[.]163:12489 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 104[.]251[.]181[.]62:3421 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 107[.]175[.]246[.]11:2404 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 31[.]57[.]184[.]55:3001 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 102[.]220[.]160[.]101:2404 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 102[.]220[.]160[.]156:2404 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 66[.]63[.]170[.]28:2404 | botnet_cc | 2026-06-10 | 75% |
| domain | believedtobeclean.ddns.net | botnet_cc | 2026-06-10 | 75% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Remcos
let malicious_ips = dynamic(["66.63.170.28", "31.57.184.55", "31.76.87.188", "2.26.75.249", "2.27.5.236", "102.220.160.101", "198.23.177.222", "2.27.5.120", "182.23.2.163", "192.3.96.82", "104.251.181.62", "107.175.246.11", "102.220.160.156"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["66.63.170.28", "31.57.184.55", "31.76.87.188", "2.26.75.249", "2.27.5.236", "102.220.160.101", "198.23.177.222", "2.27.5.120", "182.23.2.163", "192.3.96.82", "104.251.181.62", "107.175.246.11", "102.220.160.156"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Remcos
let malicious_domains = dynamic(["believedtobeclean.ddns.net"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate Scheduled Job Using Remcos Executable
Description: A system administrator schedules a task using the Remcos executable for legitimate system monitoring or log collection.
Filter/Exclusion: Exclude processes where the parent process is a known administrative tool (e.g., schtasks.exe, task scheduler, or powershell.exe) and the command line includes valid arguments for system monitoring.
Scenario: Antivirus or EDR Tool Using Remcos for Behavioral Analysis
Description: A security tool (e.g., CrowdStrike, SentinelOne) uses the Remcos framework for behavioral analysis or sandboxing.
Filter/Exclusion: Exclude processes where the parent process is a known EDR or antivirus tool (e.g., csws.exe, sophosagent.exe, bitdefender.exe) and the process is running in a sandboxed or isolated environment.
Scenario: System Update or Patching Tool Using Remcos
Description: A patching tool (e.g., Microsoft Update, SCCM, or WSUS) uses the Remcos framework to execute updates or scripts during maintenance windows.
Filter/Exclusion: Exclude processes where the parent process is a known patching or update tool (e.g., wusa.exe, msiexec.exe, ccmexec.exe) and the execution occurs during scheduled maintenance windows.
Scenario: Log Collection or Monitoring Tool Using Remcos
Description: A log collection tool (e.g., Splunk, Logstash, or ELK stack) uses the Remcos framework to gather logs or perform monitoring tasks.
Filter/Exclusion: Exclude processes where the parent process is a known log collection tool (e.g., splunkd.exe, logstash.exe, elasticsearch.exe) and the command line includes valid log collection parameters.
**Scenario: