The ThreatFox: Remcos IOCs rule flags network activity that matches command-and-control (C2) indicators ThreatFox attributes to Remcos, a remote access trojan. All 13 indicators are network-level (C2 IP:port pairs and domains), so the hunt is driven by firewall, endpoint network and DNS telemetry rather than by process or command-line artifacts. SOC teams should hunt for these indicators in Microsoft Sentinel (formerly Azure Sentinel) to catch early-stage compromises before they lead to credential theft, data exfiltration and persistent access.
IOC Summary
Malware Family: Remcos
Total IOCs: 13 (7 ip:port, 6 domain)
IOC Types: domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 182[.]23[.]2[.]163:47984 | botnet_cc | 2026-06-03 | 75% |
| ip:port | 192[.]227[.]219[.]79:4551 | botnet_cc | 2026-06-03 | 50% |
| ip:port | 192[.]227[.]219[.]79:4553 | botnet_cc | 2026-06-03 | 50% |
| ip:port | 209[.]54[.]103[.]156:465 | botnet_cc | 2026-06-03 | 50% |
| ip:port | 31[.]56[.]209[.]70:3754 | botnet_cc | 2026-06-03 | 50% |
| ip:port | 103[.]83[.]87[.]8:2404 | botnet_cc | 2026-06-03 | 50% |
| ip:port | 192[.]227[.]219[.]79:4550 | botnet_cc | 2026-06-03 | 50% |
| domain | 88j.co.com | botnet_cc | 2026-06-03 | 50% |
| domain | j88pro.club | botnet_cc | 2026-06-03 | 50% |
| domain | macat433.duckdns.org | botnet_cc | 2026-06-03 | 50% |
| domain | orche.duckdns.org | botnet_cc | 2026-06-03 | 50% |
| domain | urchlogs.duckdns.org | botnet_cc | 2026-06-03 | 50% |
| domain | www.consultarprocesosramajudicial.com.co | botnet_cc | 2026-06-03 | 50% |
```kql
// Hunt for network connections to known malicious IPs (firewall / proxy CEF logs)
// Source: ThreatFox - Remcos
// Note: this matches on IP only; compare DestinationPort with the ip:port pairs
// in the IOC table before escalating, since shared hosts also serve benign traffic.
let malicious_ips = dynamic(["209.54.103.156", "31.56.209.70", "182.23.2.163", "103.83.87.8", "192.227.219.79"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, DeviceVendor, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Remcos
// InitiatingProcessFileName is the key triage field: a C2 connection from a
// binary under %APPDATA% or %TEMP% is far more suspicious than one from a browser.
let malicious_ips = dynamic(["209.54.103.156", "31.56.209.70", "182.23.2.163", "103.83.87.8", "192.227.219.79"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessFolderPath, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Remcos
// has_any is term-based, so it also matches sub-labels such as host.orche.duckdns.org.
let malicious_domains = dynamic(["88j.co.com", "j88pro.club", "macat433.duckdns.org", "orche.duckdns.org", "urchlogs.duckdns.org", "www.consultarprocesosramajudicial.com.co"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled (CEF logs from firewalls and proxies) |
| DeviceNetworkEvents | Ensure this data connector is enabled (Microsoft Defender XDR / Defender for Endpoint) |
| DnsEvents | Ensure this data connector is enabled (Windows DNS Server / DNS Analytics) |
Scenario: Shared hosting IP reused by benign sites
Description: 192[.]227[.]219[.]79 appears three times with different ports, which is typical of a VPS or shared host. Other tenants on the same address may serve legitimate content, and the CommonSecurityLog and DeviceNetworkEvents queries above match on IP alone, so they will also catch that traffic.
Filter/Exclusion: Match on the full ip:port pair from the IOC table rather than the IP only, and give matches on 80/443 to a listed IP lower priority than matches on the listed high ports.
Scenario: Outbound mail to a listed SMTPS endpoint
Description: 209[.]54[.]103[.]156:465 uses the conventional SMTPS port, so the address may be a mail server abused by the operator rather than dedicated C2 infrastructure. Legitimate mail clients on the same network could connect to the same host.
Filter/Exclusion: Compare the initiating process with the organisation's sanctioned mail clients and relays; escalate when a non-mail process (for example a binary in %APPDATA% or a script host) opens the connection.
Scenario: Malware analysis sandbox detonating Remcos samples
Description: A security team's sandbox (e.g. Cuckoo Sandbox, Joe Sandbox) executes samples that beacon to C2, so its DNS and network telemetry will legitimately contain these indicators.
Filter/Exclusion: Exclude the sandbox hosts by DeviceName or Computer, or by their dedicated subnet, or route their telemetry to a separate workspace. Do not exclude on virtualization indicators; production servers are virtual machines too.
Scenario: Security tooling resolving or probing the indicators
Description: Threat-intelligence platforms, URL scanners and analysts enriching this IOC list generate DNS queries, and sometimes TCP connections, to the listed hosts.
Filter/Exclusion: Exclude the known enrichment hosts by name, or require a follow-on connection from an endpoint process in DeviceNetworkEvents before escalating a DNS-only match.
Scenario: Dynamic DNS hostname reassigned or stale
Description: Three of the domains are duckdns.org subdomains. Dynamic DNS names are cheap and frequently re-registered, so once the C2 goes offline a query may resolve to a sinkhole or to an unrelated host.
Filter/Exclusion: Compare the IPAddresses field in DnsEvents with the listed C2 addresses and check the First Seen date against the query time. A resolution to a known sinkhole lowers the priority, but the endpoint querying the name still needs investigating, since something on it is trying to reach the C2.
Scenario: Commercially licensed Remcos
Description: Remcos is sold commercially as a remote administration tool, but a licensed deployment connects to the organisation's own server, not to the ThreatFox-listed infrastructure. Backup tools, Windows Update, PowerShell and remote management products such as Remote Desktop Services or LogMeIn do not use Remcos, so none of them provides a basis for exclusion, and a hit on any of these indicators should be treated as a compromise regardless of whether Remcos is licensed in the environment.
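The following KQL is an added example, not one of the page's original queries and not ThreatFox content. It hunts DeviceNetworkEvents for the seven ip:port pairs from the IOC table (matching the port, not just the IP), drops analysis hosts that are expected to reach C2, and down-ranks the 465/tcp entry when a sanctioned mail client opened the connection. The host names in analysis_hosts and the process names in mail_clients are assumptions for illustration; replace them with your own inventory.

```kql
// Added example: port-aware hunt for the ThreatFox Remcos ip:port IOCs.
// Not part of the page's original queries. analysis_hosts and mail_clients
// are assumed values for illustration.
let remcos_c2 = datatable(RemoteIP:string, RemotePort:int, Confidence:int) [
    "182.23.2.163",   47984, 75,
    "192.227.219.79", 4550,  50,
    "192.227.219.79", 4551,  50,
    "192.227.219.79", 4553,  50,
    "209.54.103.156", 465,   50,
    "31.56.209.70",   3754,  50,
    "103.83.87.8",    2404,  50
];
let c2_ips = remcos_c2 | distinct RemoteIP;
// Hypothetical sandbox / analysis hosts whose detonations legitimately reach C2.
let analysis_hosts = dynamic(["sbx-cuckoo01", "sbx-joe01"]);
// Hypothetical list of sanctioned mail clients, used only to down-rank the 465/tcp entry.
let mail_clients = dynamic(["outlook.exe", "thunderbird.exe"]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteIP in (c2_ips)                          // cheap prefilter on IP
| join kind=inner remcos_c2 on RemoteIP, RemotePort   // then require the exact port
| where DeviceName !in~ (analysis_hosts)
| extend LikelyMailClient = RemotePort == 465 and InitiatingProcessFileName in~ (mail_clients)
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Connections = count(),
            Processes = make_set(InitiatingProcessFileName, 10),
            Commands = make_set(InitiatingProcessCommandLine, 5)
    by DeviceName, RemoteIP, RemotePort, Confidence, LikelyMailClient
| order by Confidence desc, LikelyMailClient asc, Connections desc
```

The prefilter on RemoteIP keeps the join small; the join itself enforces the ip:port pair so a browser hitting a benign site on port 443 of the shared host is not reported. Rows with LikelyMailClient true sort last but are not dropped, because the 465/tcp entry is still a listed C2 and the mail-client process name is a weak signal on its own.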