The ThreatFox: Remcos IOCs rule detects potential Remcos malware activity by identifying known indicators associated with this remote access trojan. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that leverage Remcos for command and control.
IOC Summary
Malware Family: Remcos
Total IOCs: 16
IOC Types: ip:port
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Remcos
let malicious_ips = dynamic(["173.214.167.253", "45.74.7.156", "103.11.41.10", "107.173.9.99", "45.74.7.161", "192.227.219.81", "103.11.41.20", "141.98.10.150", "185.115.164.59", "45.74.7.160", "217.60.195.194", "45.74.7.159", "2.26.17.59"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["173.214.167.253", "45.74.7.156", "103.11.41.10", "107.173.9.99", "45.74.7.161", "192.227.219.81", "103.11.41.20", "141.98.10.150", "185.115.164.59", "45.74.7.160", "217.60.195.194", "45.74.7.159", "2.26.17.59"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
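The two queries above match on IP alone, while the ThreatFox entries for this rule are ip:port pairs, so a hit on a listed address over an unlisted port is not distinguished from a true C2 port match. The Python below is an added example, not part of the rule or of ThreatFox: it refangs ip:port IOCs, builds the same `dynamic([...])` literal the queries use, and compares IP-only matching with ip:port matching on outbound destinations over constructed CommonSecurityLog-style rows. All IOC and log values are constructed TEST-NET addresses, not indicators from the rule's list.

```python
"""Match ThreatFox-style ip:port IOCs against CommonSecurityLog-like rows.

Added example, not part of the original rule. All IOC and log values are
constructed (TEST-NET ranges), not indicators from the rule's list.
"""
from __future__ import annotations

# Constructed ThreatFox-style IOCs, defanged the way the rule page writes them.
IOCS = [
    "203[.]0[.]113[.]10:9405",
    "198[.]51[.]100[.]7:14644",
    "203[.]0[.]113[.]10:4509",
]

# Constructed CommonSecurityLog-style rows (not real telemetry).
EVENTS = [
    {"TimeGenerated": "2026-06-24T10:00:00Z", "SourceIP": "10.0.0.5",
     "DestinationIP": "203.0.113.10", "DestinationPort": 9405},
    {"TimeGenerated": "2026-06-24T10:01:00Z", "SourceIP": "10.0.0.6",
     "DestinationIP": "203.0.113.10", "DestinationPort": 443},
    {"TimeGenerated": "2026-06-24T10:02:00Z", "SourceIP": "10.0.0.7",
     "DestinationIP": "192.0.2.9", "DestinationPort": 14644},
]

def parse_ioc(ioc: str) -> tuple[str, int]:
    """Refang '203[.]0[.]113[.]10:9405' -> ('203.0.113.10', 9405)."""
    ip, _, port = ioc.replace("[.]", ".").rpartition(":")
    return ip, int(port)

def build_kql_list(iocs: list[str]) -> str:
    """Emit the dynamic([...]) literal the rule's queries use (unique IPs)."""
    ips = sorted({parse_ioc(i)[0] for i in iocs})
    return "dynamic([" + ", ".join(f'"{ip}"' for ip in ips) + "])"

def match_events(events: list[dict], iocs: list[str], require_port: bool = True) -> list[dict]:
    """Return rows whose DestinationIP (and DestinationPort, if required) hit an IOC.

    require_port=False reproduces the rule's IP-only match, which also fires on
    traffic to a listed host on a port ThreatFox never reported for it.
    """
    pairs = {parse_ioc(i) for i in iocs}
    ips = {ip for ip, _ in pairs}
    hits = []
    for ev in events:
        key = (ev["DestinationIP"], ev["DestinationPort"])
        if key in pairs or (not require_port and key[0] in ips):
            hits.append(ev)
    return hits
```

Running `match_events(EVENTS, IOCS)` returns only the row to port 9405, while `require_port=False` also returns the port 443 row, which is the extra noise the IP-only KQL above would surface.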
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
False Positive Scenarios
Scenario: A system administrator is using PowerShell to run a scheduled job that imports a CSV file containing IP addresses from ThreatFox for network whitelisting.
Filter/Exclusion: Exclude processes with powershell.exe where the command line includes -Command and Import-Csv with a known ThreatFox CSV file path.
Scenario: A security tool such as CrowdStrike Falcon is performing a scheduled endpoint scan that generates temporary files with hashes matching Remcos IOCs.
Filter/Exclusion: Exclude processes related to the CrowdStrike Falcon agent or any known security tool processes during scheduled scan times.
Scenario: An IT admin is using Task Scheduler to run a script that downloads and processes ThreatFox data for updating internal threat intelligence feeds.
Filter/Exclusion: Exclude tasks with a known Task Scheduler name or a command line that includes threatfox or update-intel.
Scenario: A Windows Update task is running, and the update package contains a file with a hash that matches a Remcos IOC due to a known hash collision or false positive.
Filter/Exclusion: Exclude processes with wuauclt.exe or WindowsUpdate.exe during normal update windows.
Scenario: A SIEM or SOAR platform is ingesting logs from a Splunk Forwarder, and the log content includes a hash from ThreatFox that is mistakenly flagged by the Remcos detection rule.
Filter/Exclusion: Exclude logs from known SIEM or SOAR components, or filter out any log entries that contain ThreatFox or a hash in the message field.