The detection identifies potential DCRat malware activity by matching known IOCs associated with data exfiltration and remote access. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats that leverage DCRat for long-term data theft.
IOC Summary

Malware Family: DCRat
Total IOCs: 3
IOC Types: ip:port

| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 91[.]92[.]243[.]223:8090 | botnet_cc | 2026-05-17 | 100% |
| ip:port | 91[.]214[.]78[.]65:7888 | botnet_cc | 2026-05-17 | 100% |
| ip:port | 91[.]214[.]78[.]65:4954 | botnet_cc | 2026-05-17 | 100% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - DCRat
// Note: this matches on IP only; the C2 ports from the IOC table (8090, 7888, 4954) are not enforced here
let malicious_ips = dynamic(["91.92.243.223", "91.214.78.65"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Note: as above, IP-only match; RemotePort is projected so the C2 ports can be checked by the analyst
let malicious_ips = dynamic(["91.92.243.223", "91.214.78.65"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
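The two hunt queries above match on IP address alone, while the ThreatFox feed supplies ip:port pairs and one of the hosts (91.214.78.65) appears with two distinct C2 ports. The following Python is an added example, not part of the original detection content: it refangs the defanged IOC strings from the table, builds a port-aware IOC set, contrasts port-aware and IP-only matching over a few constructed DeviceNetworkEvents-style records, and emits a KQL `datatable` literal that can replace the `dynamic([...])` list when a tighter join on both fields is wanted. The event dictionaries, their field names and the timestamps are constructed for the example.

```python
import ipaddress
from typing import Iterable

# Defanged ip:port IOCs exactly as listed in the IOC table above.
DCRAT_IOCS = [
    "91[.]92[.]243[.]223:8090",
    "91[.]214[.]78[.]65:7888",
    "91[.]214[.]78[.]65:4954",
]


def refang_ip_port(ioc: str) -> tuple[str, int]:
    """Turn a defanged 'a[.]b[.]c[.]d:port' string into a validated (ip, port) pair.

    Raises ValueError for anything that is not a real address and TCP/UDP port,
    so a malformed feed entry fails loudly instead of silently never matching.
    """
    ip_text, _, port_text = ioc.replace("[.]", ".").replace("(.)", ".").rpartition(":")
    ip = ipaddress.ip_address(ip_text)  # ValueError on junk
    port = int(port_text)
    if not 0 < port < 65536:
        raise ValueError(f"port out of range in IOC: {ioc}")
    return str(ip), port


def build_ioc_set(iocs: Iterable[str]) -> set[tuple[str, int]]:
    """Deduplicated set of (ip, port) tuples for O(1) lookups."""
    return {refang_ip_port(i) for i in iocs}


def match_events(events: list[dict], ioc_set: set[tuple[str, int]]) -> list[dict]:
    """Port-aware match: an event hits only if both RemoteIP and RemotePort are an IOC."""
    return [ev for ev in events if (ev["RemoteIP"], int(ev["RemotePort"])) in ioc_set]


def match_ip_only(events: list[dict], ioc_set: set[tuple[str, int]]) -> list[dict]:
    """IP-only match, equivalent to the 'RemoteIP in (malicious_ips)' hunt query above."""
    ips = {ip for ip, _ in ioc_set}
    return [ev for ev in events if ev["RemoteIP"] in ips]


def to_kql_datatable(ioc_set: set[tuple[str, int]], name: str = "dcrat_c2") -> str:
    """Emit a KQL datatable literal (ip:string, port:int) for a join on both columns."""
    rows = ",\n".join(f'    "{ip}", {port}' for ip, port in sorted(ioc_set))
    return f"let {name} = datatable(ip:string, port:int)[\n{rows}\n];"


DCRAT_IOC_SET = build_ioc_set(DCRAT_IOCS)

# Constructed sample events shaped like DeviceNetworkEvents rows (hypothetical hosts/processes).
SAMPLE_EVENTS = [
    {"Timestamp": "2026-05-17T09:12:03Z", "DeviceName": "ws-042", "RemoteIP": "91.92.243.223",
     "RemotePort": 8090, "InitiatingProcessFileName": "svchost.exe"},      # ip:port IOC hit
    {"Timestamp": "2026-05-17T09:15:44Z", "DeviceName": "ws-017", "RemoteIP": "91.214.78.65",
     "RemotePort": 443, "InitiatingProcessFileName": "chrome.exe"},        # IOC host, non-IOC port
    {"Timestamp": "2026-05-17T09:20:10Z", "DeviceName": "srv-db1", "RemoteIP": "10.20.30.40",
     "RemotePort": 4954, "InitiatingProcessFileName": "pg_basebackup"},    # IOC port, internal host
]

if __name__ == "__main__":
    for ev in match_events(SAMPLE_EVENTS, DCRAT_IOC_SET):
        print("ip:port hit:", ev["DeviceName"], ev["RemoteIP"], ev["RemotePort"], ev["InitiatingProcessFileName"])
    print("IP-only hits:", len(match_ip_only(SAMPLE_EVENTS, DCRAT_IOC_SET)))
    print(to_kql_datatable(DCRAT_IOC_SET))
```

In the sample set the port-aware match returns only the svchost.exe connection to 91.92.243.223:8090, while the IP-only match also returns the HTTPS connection to 91.214.78.65 on port 443. The second result is still worth a look during a hunt, since the host is a known C2, but it is not a feed IOC and should be triaged as lower confidence rather than raised at 100%. The emitted `datatable` can be joined against `DeviceNetworkEvents` on `RemoteIP == ip and RemotePort == port` to get the tighter match directly in Sentinel.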
Required Data Sources

| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |

False Positive Scenarios

| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Legitimate scheduled backup job using rsync | A scheduled backup task using rsync may generate network traffic that resembles DCRat IOCs due to data transfer. | Check for process.name = rsync and process.args contains --backup or similar backup-specific flags. |
| Admin using curl to fetch updates from internal repository | System administrators may use curl to pull updates or configuration files from an internal artifact repository, which could be flagged as suspicious. | Filter by process.name = curl and destination.address contains internal-repo.domain.com. |
| PowerShell script running a scheduled task for log rotation | A PowerShell script used for log rotation or system maintenance might include network calls that match DCRat IOCs. | Use process.name = powershell and check for script.name contains logrotate.ps1 or similar maintenance scripts. |
| Software update process using wget to download patches | A legitimate software update process using wget may download files from a trusted internal server, which could be misidentified as DCRat activity. | Filter by process.name = wget and destination.address contains patchserver.internal.com. |
| Database replication using pg_basebackup | PostgreSQL database replication using pg_basebackup may generate network traffic that matches DCRat IOCs due to data transfer. | Check for process.name = pg_basebackup and process.args contains --pgdata or similar replication flags. |