The ThreatFox: DCRat IOCs rule detects potential remote access and data exfiltration activity by matching network connections against the ip:port command-and-control (C2) indicators published on ThreatFox for the DCRat malware family. SOC teams should hunt for this activity in Azure Sentinel (now Microsoft Sentinel) to find hosts beaconing to these C2 endpoints before the access is used for lateral movement or data theft.
IOC Summary
Malware Family: DCRat
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 91[.]92[.]243[.]38:35630 | botnet_cc | 2026-05-12 | 75% |
| ip:port | 91[.]215[.]85[.]121:6466 | botnet_cc | 2026-05-12 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - DCRat
// Note: the IOCs are ip:port pairs, but this query matches on IP alone so that
// connections to the same host on another port are not missed. When triaging,
// compare DestinationPort with the ports in the summary table (35630, 6466).
let malicious_ips = dynamic(["91.215.85.121", "91.92.243.38"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// RemoteIP is the peer address for both inbound and outbound connections,
// so one condition covers both directions.
let malicious_ips = dynamic(["91.215.85.121", "91.92.243.38"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure a CEF/syslog data connector (firewall, proxy) is enabled and populating this table |
| DeviceNetworkEvents | Ensure the Microsoft Defender for Endpoint (Microsoft 365 Defender) data connector is enabled |
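The KQL above matches on IP alone, while the ThreatFox indicators are ip:port pairs. The following Python script is an added example (not code from the rule page or from ThreatFox) that refangs the two published IOCs, generates the `let` statements for both IP-only and exact ip:port matching, and runs the same classification over constructed connection records whose field names mirror the Sentinel columns the queries project. The sample records are made up for the example; none of them is real telemetry.

```python
"""Offline check of the ThreatFox DCRat ip:port IOCs against connection records.

Added example, not part of the original rule page or ThreatFox tooling.
Records are constructed; field names mirror CommonSecurityLog
(DestinationIP/DestinationPort) and DeviceNetworkEvents (RemoteIP/RemotePort).
"""
import ipaddress

# The two IOCs from the summary table, de-fanged exactly as ThreatFox publishes them.
THREATFOX_IOCS = [
    "91[.]92[.]243[.]38:35630",
    "91[.]215[.]85[.]121:6466",
]


def refang(ioc):
    """'91[.]92[.]243[.]38:35630' -> ('91.92.243.38', 35630).

    Raises ValueError for anything that is not a valid IP address plus port, so a
    malformed feed line cannot silently become a string that never matches.
    """
    host, sep, port = ioc.replace("[.]", ".").rpartition(":")
    if not sep:
        raise ValueError(f"IOC has no port: {ioc!r}")
    ip = str(ipaddress.ip_address(host))
    port = int(port)
    if not 0 < port < 65536:
        raise ValueError(f"bad port in IOC: {ioc!r}")
    return ip, port


def kql_let_statements(iocs):
    """Build `let` lines for IP-only matching and for exact ip:port matching."""
    pairs = [refang(i) for i in iocs]
    ips = ", ".join(f'"{ip}"' for ip, _ in pairs)
    ip_ports = ", ".join(f'"{ip}:{port}"' for ip, port in pairs)
    return (f"let malicious_ips = dynamic([{ips}]);\n"
            f"let malicious_ip_ports = dynamic([{ip_ports}]);")


def classify(record, iocs, ip_field, port_field):
    """'ip_port' for an exact IOC hit, 'ip_only' if only the IP matches, else None."""
    pairs = {refang(i) for i in iocs}
    ips = {ip for ip, _ in pairs}
    ip, port = record.get(ip_field), record.get(port_field)
    if (ip, port) in pairs:
        return "ip_port"
    if ip in ips:
        return "ip_only"
    return None


def hunt(records, iocs, ip_field="DestinationIP", port_field="DestinationPort"):
    """Return [(record, verdict), ...] for records touching an IOC IP, exact hits first."""
    hits = []
    for rec in records:
        verdict = classify(rec, iocs, ip_field, port_field)
        if verdict:
            hits.append((rec, verdict))
    # Stable sort: exact ip:port matches float to the top for triage.
    return sorted(hits, key=lambda rv: rv[1] != "ip_port")


# Constructed CommonSecurityLog-style records (not real telemetry).
# Only the first is an exact ip:port hit; the second shares an IOC IP on 443;
# the third is a TEST-NET address that should not match at all.
SAMPLE_CSL = [
    {"TimeGenerated": "2026-05-12T08:01:00Z", "SourceIP": "10.0.0.12",
     "DestinationIP": "91.92.243.38", "DestinationPort": 35630, "DeviceAction": "allow"},
    {"TimeGenerated": "2026-05-12T08:02:00Z", "SourceIP": "10.0.0.13",
     "DestinationIP": "91.215.85.121", "DestinationPort": 443, "DeviceAction": "allow"},
    {"TimeGenerated": "2026-05-12T08:03:00Z", "SourceIP": "10.0.0.14",
     "DestinationIP": "198.51.100.7", "DestinationPort": 443, "DeviceAction": "allow"},
]

if __name__ == "__main__":
    print(kql_let_statements(THREATFOX_IOCS))
    for rec, verdict in hunt(SAMPLE_CSL, THREATFOX_IOCS):
        print(verdict, rec["SourceIP"], "->", rec["DestinationIP"], rec["DestinationPort"])
```

The `malicious_ip_ports` list this emits can be used in KQL as `strcat(DestinationIP, ":", tostring(DestinationPort)) in (malicious_ip_ports)` to add an exact-match column next to the broader IP-only filter, which keeps the wider net while making the highest-fidelity hits obvious at triage time.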
A connection to one of these ip:port pairs is a high-fidelity signal: both indicators are public addresses tagged botnet_cc at 75% confidence, and the ports (35630, 6466) are not standard service ports. Treat any exclusion as the exception, confirm who operates the destination before adding it, scope it to the exact ip:port pair and source host, and give it an expiry. Exclusions keyed on the initiating process name or command line alone are weak, because malware can run under, or spawn, the same process names and arguments.

Scenario: Legitimate scheduled job using DCRat IP/port
Description: A scheduled task created with schtasks.exe launches a program that connects to an address matching a DCRat IOC.
Filter/Exclusion: Do not key the exclusion on the task name; the CommonSecurityLog and DeviceNetworkEvents columns used by the queries do not carry it. If the destination is confirmed to be owned by the organization or a vendor, exclude the exact ip:port pair for the specific source host and the InitiatingProcessFileName the task launches.

Scenario: Network monitoring tool using DCRat IP/port
Description: A monitoring or threat-intelligence validation tool deliberately probes the IOC address. Passive capture tools such as Wireshark or tcpdump only observe traffic and do not initiate connections, so a capture filter on the IOC address will not by itself produce a match.
Filter/Exclusion: Exclude by the source IP of the dedicated monitoring host together with the exact ip:port pair, not by process name.

Scenario: Admin task using PowerShell to connect to a remote server
Description: An administrator uses PowerShell (powershell.exe) with Enter-PSSession or Invoke-Command to manage a remote host whose address matches a DCRat IOC.
Filter/Exclusion: PowerShell remoting uses WinRM on TCP 5985/5986 by default, so a remoting session will match the IOC IP but not the IOC port; an exact ip:port match initiated by powershell.exe should be treated as suspicious even when the command line looks administrative. Exclude only after confirming the host is managed by the organization, and then by ip:port and source host rather than by command-line keywords, which an attacker can reproduce.

Scenario: Internal service discovery using DCRat IP/port
Description: A scanner such as nmap probes an address that matches a DCRat IOC. (nslookup.exe only talks to the configured DNS resolver and does not connect to the looked-up address, so it will not produce a match unless the IOC IP is itself the resolver.)
Filter/Exclusion: Exclude by the source IP of the authorized scanning hosts. Filtering to internal IP ranges does not help here, because both IOC addresses are public; an internal discovery scan that reaches them is itself misconfigured.
Scenario: False positive from a third-party software update
Description: A third-party software update (e.g., from Microsoft, Adobe) includes a binary that connects to an IP:port pair matching DCRat C2.