The ThreatFox: Quasar RAT IOCs rule detects potential indicators of a Quasar RAT deployment, which is a high-impact remote access trojan used for persistent, stealthy control over compromised systems. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced persistent threats that could exfiltrate data or execute arbitrary commands undetected.
IOC Summary
Malware Family: Quasar RAT Total IOCs: 5 IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 123[.]113[.]14[.]21:4285 | botnet_cc | 2026-05-19 | 100% |
| ip:port | 213[.]232[.]236[.]4:49680 | botnet_cc | 2026-05-19 | 50% |
| ip:port | 118[.]107[.]3[.]198:4782 | botnet_cc | 2026-05-19 | 50% |
| ip:port | 103[.]253[.]73[.]180:9999 | botnet_cc | 2026-05-19 | 100% |
| ip:port | 178[.]16[.]54[.]156:61541 | botnet_cc | 2026-05-19 | 99% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Quasar RAT
let malicious_ips = dynamic(["118.107.3.198", "213.232.236.4", "103.253.73.180", "178.16.54.156", "123.113.14.21"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["118.107.3.198", "213.232.236.4", "103.253.73.180", "178.16.54.156", "123.113.14.21"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Legitimate System Monitoring Tool Installation
Description: A security team installs a legitimate system monitoring tool (e.g., Splunk, SolarWinds, or Microsoft Monitoring Agent) that includes binaries with similar file names or hashes to Quasar RAT.
Filter/Exclusion: Exclude files signed by known vendors (e.g., Microsoft, Splunk) or use a file hash whitelist for trusted monitoring tools.
Scenario: Scheduled System Maintenance Job
Description: A scheduled job (e.g., PowerShell script or Task Scheduler task) runs a legitimate maintenance script that temporarily creates files or processes matching Quasar RAT IOCs.
Filter/Exclusion: Exclude processes initiated by scheduled tasks or filter based on process parent process (e.g., schtasks.exe or taskhost.exe).
Scenario: Admin Task for Log Collection
Description: An administrator uses a legitimate log collection tool (e.g., Logstash, Fluentd, or ELK stack) that generates temporary files or processes that match Quasar RAT IOCs.
Filter/Exclusion: Exclude files or processes associated with log collection tools or filter based on user context (e.g., admin accounts performing log management tasks).
Scenario: Software Update or Patch Deployment
Description: A software update or patch deployment (e.g., Microsoft Update, Windows Update, or Ansible playbook) temporarily creates files or processes that match Quasar RAT IOCs.
Filter/Exclusion: Exclude files or processes associated with known update mechanisms or use a timestamp filter to exclude recent, legitimate update activities.
Scenario: Network Monitoring Tool with Packet Capture
Description: A network monitoring tool (e.g., Wireshark, tcpdump, or Microsoft Network Monitor) captures packets that include traffic patterns similar to Qu