The ThreatFox: PureRAT IOCs rule flags network connections to command-and-control (C2) infrastructure that ThreatFox attributes to PureRAT, a remote access trojan known for its persistence and remote command execution capabilities. SOC teams should hunt for these indicators in Microsoft Sentinel (formerly Azure Sentinel) to find beaconing hosts early, before the operator can move laterally or deploy follow-on payloads.
IOC Summary
Malware Family: PureRAT
Total IOCs: 4
IOC Types: ip:port
Values in the table are defanged with [.]; the queries below use the plain dotted form.
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 185[.]136[.]15[.]2:56001 | botnet_cc | 2026-05-19 | 100% |
| ip:port | 185[.]136[.]15[.]2:56002 | botnet_cc | 2026-05-19 | 100% |
| ip:port | 185[.]136[.]15[.]2:56003 | botnet_cc | 2026-05-19 | 100% |
| ip:port | 64[.]89[.]160[.]73:443 | botnet_cc | 2026-05-19 | 75% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - PureRAT
// Matches on IP only. The IOCs carry ports (56001-56003 on 185.136.15.2, 443 on
// 64.89.160.73); add a DestinationPort filter to tighten the 443 indicator,
// which ThreatFox lists at 75% confidence.
let malicious_ips = dynamic(["185.136.15.2", "64.89.160.73"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
// DeviceAction tells you whether the perimeter blocked the connection or the
// host actually reached the C2 address.
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["185.136.15.2", "64.89.160.73"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
// InitiatingProcessFileName identifies the process that opened the connection;
// that is the pivot for the false-positive scenarios further down.
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF connector (firewall and proxy logs); ensure this data connector is enabled |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR connector; ensure this data connector is enabled |
False-Positive Scenarios
The exclusions below use ECS-style field names (process.name, process.parent.name, file.name) rather than the Sentinel columns in the queries above, so they apply only after a hit has been enriched with the initiating process (InitiatingProcessFileName and InitiatingProcessParentFileName in DeviceNetworkEvents). A connection to a 100%-confidence C2 address is suspicious whichever process made it, so treat these as starting points for analyst review rather than blanket suppressions. Each filter is the condition a hit must satisfy to be kept.

Scenario: Legitimate scheduled job using PowerShell for system maintenance
Description: A scheduled task runs a PowerShell script to clean temporary files or update system settings. Tasks are started by the Task Scheduler service, which runs inside svchost.exe, so that is the parent to expect; schtasks.exe only creates or triggers tasks. Confirm the task's script path before excluding, since scheduled PowerShell is also a common persistence mechanism.
Filter/Exclusion: process.name != "powershell.exe" OR process.parent.name != "svchost.exe"

Scenario: Admin using Process Explorer to monitor processes
Description: A system administrator uses Microsoft Sysinternals Process Explorer (procexp.exe, or procexp64.exe on 64-bit hosts) to inspect running processes for troubleshooting.
Filter/Exclusion: (process.name != "procexp.exe" AND process.name != "procexp64.exe") OR process.parent.name != "explorer.exe"

Scenario: Deployment of a legitimate third-party tool with known hashes
Description: A security agent such as OSSEC or Splunk is deployed and its binaries collide with a hash indicator. This does not apply to the rule as published: the ThreatFox feed above carries ip:port indicators only, so a file-name exclusion has nothing to suppress in the queries above. Keep it only if the rule is later extended with hash IOCs.
Filter/Exclusion: file.name != "ossec.exe" AND file.name != "splunk.exe"

Scenario: User running a legitimate script for data backup
Description: A user runs a backup script using Robocopy or PowerShell to copy files to a network share. The exclusion must only suppress robocopy.exe or powershell.exe launched from explorer.exe, not every backup tool or every child of explorer.exe.
Filter/Exclusion: (process.name != "robocopy.exe" AND process.name != "powershell.exe") OR process.parent.name != "explorer.exe"

Scenario: System update using Windows Update or Microsoft Endpoint Manager
Description: A system update is initiated via Windows Update or Microsoft Intune. As with the third-party tool scenario, hash collisions cannot occur with an ip:port-only IOC set; the exclusion is worth keeping only for the network matches, and must be scoped so that it does not drop every process whose parent is svchost.exe.
Filter/Exclusion: (process.name != "wuauclt.exe" AND process.name != "msiexec.exe") OR process.parent.name != "svchost.exe"
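The query below is an added example, not part of the ThreatFox rule as published on this page. It ties together the hunt queries and the exclusion scenarios above: it matches DeviceNetworkEvents on the full ip:port pair from the IOC table instead of the IP alone, carries the ThreatFox confidence into the result so the 75% indicator can be triaged separately, and expresses exclusions as a narrow, analyst-approved allowlist of (host, process, parent) tuples rather than a blanket process-name filter. It assumes the Defender for Endpoint data is connected to Sentinel; the approved_exclusions row and the host name in it are placeholders that must be replaced with cases an analyst has actually confirmed benign.

```kusto
// Added example, not the rule's own query. Assumes DeviceNetworkEvents is
// populated via the Defender XDR connector.
let lookback = 30d;
// IOC table from the page, with the port and ThreatFox confidence retained
// so the 443 indicator (75%) can be triaged separately from the 100% ones.
let pure_rat_c2 = datatable(RemoteIP: string, RemotePort: int, Confidence: int, FirstSeen: datetime) [
    "185.136.15.2", 56001, 100, datetime(2026-05-19),
    "185.136.15.2", 56002, 100, datetime(2026-05-19),
    "185.136.15.2", 56003, 100, datetime(2026-05-19),
    "64.89.160.73",   443,  75, datetime(2026-05-19)
];
// Allowlist of confirmed-benign hits. Each row names the exact host, process
// and parent that an analyst reviewed; it is not a generic process exclusion.
// The single row here is a placeholder and must be replaced with real cases.
let approved_exclusions = datatable(DeviceName: string, InitiatingProcessFileName: string, InitiatingProcessParentFileName: string) [
    "backup-srv01.corp.example", "robocopy.exe", "cmd.exe"
];
DeviceNetworkEvents
| where Timestamp > ago(lookback)
// Cheap prefilter on IP before the join.
| where RemoteIP in ((pure_rat_c2 | distinct RemoteIP))
// Require the IP and port to match the indicator, not the IP alone.
| join kind=inner pure_rat_c2 on RemoteIP, RemotePort
// Drop only the tuples an analyst explicitly approved.
| join kind=leftanti approved_exclusions
    on DeviceName, InitiatingProcessFileName, InitiatingProcessParentFileName
// One row per host and C2 address: repeated connections over time look like
// beaconing, a single connection may be a scan or a blocked attempt.
| summarize
    Connections = count(),
    FirstConn = min(Timestamp),
    LastConn = max(Timestamp),
    Ports = make_set(RemotePort),
    Processes = make_set(InitiatingProcessFileName),
    Parents = make_set(InitiatingProcessParentFileName),
    Confidence = max(Confidence)
    by DeviceName, RemoteIP
| extend Severity = iff(Confidence >= 100, "High", "Medium")
| order by Severity asc, Connections desc
```

Run it from the Sentinel Logs blade or save it as a hunting query; widen lookback to cover the indicator's first-seen date if the environment retains enough history. When a hit on the Medium-severity indicator turns out to be a legitimate service on port 443, add that exact (host, process, parent) tuple to approved_exclusions rather than excluding the process name globally, so the same process reaching the 100%-confidence ports is still surfaced.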