The ThreatFox: Remcos IOCs rule detects potential Remcos malware activity by identifying known indicators associated with this remote access trojan. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that leverage Remcos for command and control.
IOC Summary
Malware Family: Remcos
Total IOCs: 16
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 31[.]76[.]32[.]161:9405 | botnet_cc | 2026-06-12 | 75% |
| ip:port | 198[.]23[.]177[.]222:14641 | botnet_cc | 2026-06-12 | 75% |
| ip:port | 182[.]23[.]2[.]163:7649 | botnet_cc | 2026-06-12 | 75% |
| ip:port | 172[.]245[.]195[.]233:14648 | botnet_cc | 2026-06-12 | 75% |
| ip:port | 107[.]172[.]44[.]141:45699 | botnet_cc | 2026-06-12 | 75% |
| ip:port | 101[.]99[.]92[.]220:8264 | botnet_cc | 2026-06-12 | 75% |
| ip:port | 64[.]89[.]162[.]10:2404 | botnet_cc | 2026-06-12 | 75% |
| ip:port | 64[.]89[.]162[.]178:5903 | botnet_cc | 2026-06-12 | 75% |
| ip:port | 31[.]76[.]32[.]160:7716 | botnet_cc | 2026-06-12 | 75% |
| ip:port | 193[.]163[.]203[.]183:2404 | botnet_cc | 2026-06-12 | 75% |
| ip:port | 182[.]23[.]2[.]163:602 | botnet_cc | 2026-06-12 | 75% |
| ip:port | 182[.]23[.]2[.]163:8206 | botnet_cc | 2026-06-12 | 75% |
| ip:port | 182[.]23[.]2[.]163:49552 | botnet_cc | 2026-06-12 | 75% |
| ip:port | 182[.]23[.]2[.]163:5137 | botnet_cc | 2026-06-12 | 75% |
| ip:port | 182[.]23[.]2[.]163:12615 | botnet_cc | 2026-06-12 | 75% |
| ip:port | 144[.]31[.]236[.]19:3305 | botnet_cc | 2026-06-12 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Remcos
// Note: the IOCs are ip:port pairs; this query matches on the address alone,
// so it will also surface traffic to these hosts on other ports.
let malicious_ips = dynamic(["172.245.195.233", "198.23.177.222", "101.99.92.220", "31.76.32.160", "64.89.162.10", "31.76.32.161", "193.163.203.183", "182.23.2.163", "144.31.236.19", "107.172.44.141", "64.89.162.178"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Remcos (same address list as above)
let malicious_ips = dynamic(["172.245.195.233", "198.23.177.222", "101.99.92.220", "31.76.32.160", "64.89.162.10", "31.76.32.161", "193.163.203.183", "182.23.2.163", "144.31.236.19", "107.172.44.141", "64.89.162.178"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
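The KQL above matches on the IOC address only, while the feed publishes ip:port pairs. The following Python is an added example, not part of the ThreatFox rule page or the Sentinel queries: it refangs the 16 ip:port values from the table, matches constructed network events against both the full pair and the bare address so an exact pair hit can be ranked above an address-only hit, and renders the unique addresses as the same `let malicious_ips` statement the queries use. The sample events and their field names (shaped after DeviceNetworkEvents) are constructed for the example.

```python
"""Added example, not part of the ThreatFox rule page: match network events
against the Remcos ip:port IOCs listed above on both IP and destination port,
so a hit on the full pair can be ranked above a hit on the IP alone."""
import ipaddress
from typing import Iterable

# The 16 ip:port values from the IOC table above, in their defanged form.
REMCOS_IOCS_DEFANGED = [
    "31[.]76[.]32[.]161:9405", "198[.]23[.]177[.]222:14641",
    "182[.]23[.]2[.]163:7649", "172[.]245[.]195[.]233:14648",
    "107[.]172[.]44[.]141:45699", "101[.]99[.]92[.]220:8264",
    "64[.]89[.]162[.]10:2404", "64[.]89[.]162[.]178:5903",
    "31[.]76[.]32[.]160:7716", "193[.]163[.]203[.]183:2404",
    "182[.]23[.]2[.]163:602", "182[.]23[.]2[.]163:8206",
    "182[.]23[.]2[.]163:49552", "182[.]23[.]2[.]163:5137",
    "182[.]23[.]2[.]163:12615", "144[.]31[.]236[.]19:3305",
]


def refang(ioc: str) -> tuple[str, int]:
    """Convert a defanged 'a[.]b[.]c[.]d:port' string into a validated (ip, port) pair."""
    host, sep, port = ioc.replace("[.]", ".").rpartition(":")
    if not sep:
        raise ValueError(f"IOC has no port component: {ioc!r}")
    ip = str(ipaddress.IPv4Address(host))  # rejects malformed addresses
    port_num = int(port)
    if not 0 < port_num < 65536:
        raise ValueError(f"port out of range in IOC: {ioc!r}")
    return ip, port_num


# Two lookup sets: exact (ip, port) pairs, and the bare addresses for a looser match.
IOC_PAIRS = {refang(i) for i in REMCOS_IOCS_DEFANGED}
IOC_IPS = {ip for ip, _ in IOC_PAIRS}


def classify(remote_ip: str, remote_port: int) -> str:
    """'exact' for an ip:port IOC hit, 'ip_only' when only the address matches, else 'none'."""
    if (remote_ip, remote_port) in IOC_PAIRS:
        return "exact"
    if remote_ip in IOC_IPS:
        return "ip_only"
    return "none"


def hunt(events: Iterable[dict]) -> list[dict]:
    """Return the events that match an IOC, each annotated with its verdict."""
    hits = []
    for ev in events:
        verdict = classify(ev["RemoteIP"], int(ev["RemotePort"]))
        if verdict != "none":
            hits.append({**ev, "Verdict": verdict})
    return hits


def kql_ip_list() -> str:
    """Render the unique IOC addresses as the KQL 'let' statement used in the queries above."""
    ordered = sorted(IOC_IPS, key=ipaddress.IPv4Address)
    quoted = ", ".join(f'"{ip}"' for ip in ordered)
    return f"let malicious_ips = dynamic([{quoted}]);"


# Constructed sample events shaped like DeviceNetworkEvents rows (not real telemetry).
SAMPLE_EVENTS = [
    {"DeviceName": "ws-01", "RemoteIP": "182.23.2.163", "RemotePort": 7649,
     "InitiatingProcessFileName": "svchost.exe"},
    {"DeviceName": "ws-02", "RemoteIP": "182.23.2.163", "RemotePort": 443,
     "InitiatingProcessFileName": "msedge.exe"},
    {"DeviceName": "ws-03", "RemoteIP": "203.0.113.10", "RemotePort": 443,
     "InitiatingProcessFileName": "msedge.exe"},
    {"DeviceName": "srv-01", "RemoteIP": "64.89.162.10", "RemotePort": 2404,
     "InitiatingProcessFileName": "updater.exe"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit['Verdict']:8} {hit['DeviceName']} -> "
              f"{hit['RemoteIP']}:{hit['RemotePort']} ({hit['InitiatingProcessFileName']})")
    print(kql_ip_list())
```

The `ip_only` verdict is what the page's KQL produces for every row; the `exact` verdict is the stricter signal worth triaging first, which matters for 182.23.2.163, where the feed lists six distinct ports and address-only matching will also pull in any unrelated traffic to that host.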
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate software update process
Description: A system is running a scheduled update for a legitimate software tool that includes a file or registry key matching one of the Remcos IOCs.
Filter/Exclusion: Check for file or registry entries associated with known software update tools (e.g., Microsoft Update, Adobe Update, Java Update) and exclude based on process.name or file.path.

Scenario: Admin task to configure scheduled jobs
Description: An administrator is using a legitimate tool like Task Scheduler or cron to create a job that includes a command or script matching a Remcos IOC.
Filter/Exclusion: Exclude events where process.name is schtasks.exe, task scheduler, or crontab, and filter by user to only include admin accounts performing known maintenance tasks.

Scenario: Legitimate remote management tool usage
Description: A remote management tool like PsExec, PowerShell Remoting, or SSH is being used to execute a script or command that matches a Remcos IOC.
Filter/Exclusion: Exclude events where process.name is psexec.exe, powershell.exe, or sshd, and check for known remote management activity patterns (e.g., Invoke-Command, ssh -o).

Scenario: Malicious file analysis in a sandbox
Description: A security team is analyzing a suspected malicious file in a sandboxed environment, which results in a file or process matching a Remcos IOC.
Filter/Exclusion: Exclude events where the file.path or process.name is associated with sandboxing tools (e.g., Cuckoo, Binary Ninja, Hydra) or where the user is a security analyst account.