The ThreatFox: Quasar RAT IOCs rule detects potential adversary activity associated with the Quasar RAT, a known remote access trojan, by identifying suspicious network traffic and file artifacts linked to its command and control infrastructure. SOC teams should proactively hunt for these indicators in Azure Sentinel to identify and mitigate advanced persistent threats that leverage Quasar RAT for long-term system compromise and data exfiltration.
IOC Summary
Malware Family: Quasar RAT
Total IOCs: 3
IOC Types: domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | screenshot[.]777x.you | botnet_cc | 2026-05-13 | 75% |
| domain | task[.]777x.you | botnet_cc | 2026-05-13 | 75% |
| domain | 1ss.giize.com | botnet_cc | 2026-05-12 | 75% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Quasar RAT
let malicious_domains = dynamic(["screenshot.777x.you", "task.777x.you", "1ss.giize.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
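The same hunt carried out offline, as an added example that is not part of the ThreatFox rule or the original page: it refangs the defanged domains from the table above, canonicalizes DNS query names (trailing dot, case), and matches on label boundaries so that subdomains of an IOC hit while a parent domain alone does not. The `SAMPLE_DNS_EVENTS` rows are constructed, not real telemetry.

```python
from __future__ import annotations
import re

# IOC values exactly as listed in the table above (kept defanged on purpose).
QUASAR_RAT_DOMAINS_DEFANGED = ["screenshot[.]777x.you", "task[.]777x.you", "1ss.giize.com"]

def refang(indicator: str) -> str:
    """Turn a defanged domain ('[.]', '(.)', '{.}', 'hxxp://') into a usable lookup key."""
    value = indicator.strip().lower()
    value = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", value)
    value = re.sub(r"^hxxps?://", "", value)
    return value.rstrip(".")

def normalize_query_name(name: str) -> str:
    """DNS logs may carry a trailing dot or mixed case; canonicalize before matching."""
    return name.strip().lower().rstrip(".")

def match_domain(query_name: str, watchlist: set[str]) -> str | None:
    """Return the matching IOC if the queried name is the IOC itself or a subdomain of it.
    Suffix matching on a label boundary ('.' + ioc) keeps 'notask.777x.you' from matching."""
    name = normalize_query_name(query_name)
    for ioc in watchlist:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None

def hunt(dns_events: list[dict], defanged_iocs: list[str]) -> list[dict]:
    """Keep the DNS events whose queried Name hits a Quasar RAT C2 domain, tagging the IOC hit."""
    watchlist = {refang(i) for i in defanged_iocs}
    hits = []
    for ev in dns_events:
        ioc = match_domain(ev["Name"], watchlist)
        if ioc:
            hits.append({**ev, "MatchedIOC": ioc})
    return hits

# Constructed sample DnsEvents rows (hypothetical hosts and timestamps, not real telemetry).
SAMPLE_DNS_EVENTS = [
    {"TimeGenerated": "2026-05-13T08:01:00Z", "Computer": "WS-0042", "Name": "task.777x.you.", "QueryType": "A"},
    {"TimeGenerated": "2026-05-13T08:01:05Z", "Computer": "WS-0042", "Name": "SCREENSHOT.777x.you", "QueryType": "A"},
    {"TimeGenerated": "2026-05-13T08:02:00Z", "Computer": "WS-0017", "Name": "cdn.1ss.giize.com", "QueryType": "A"},
    {"TimeGenerated": "2026-05-13T08:03:00Z", "Computer": "WS-0099", "Name": "giize.com", "QueryType": "A"},
    {"TimeGenerated": "2026-05-13T08:04:00Z", "Computer": "WS-0099", "Name": "login.microsoftonline.com", "QueryType": "A"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_DNS_EVENTS, QUASAR_RAT_DOMAINS_DEFANGED):
        print(hit["TimeGenerated"], hit["Computer"], hit["Name"], "->", hit["MatchedIOC"])
```

Two of the three sample hits would be missed by a naive exact string compare (trailing dot, upper case), which is why the canonicalization step matters when the IOC list is fed into a SIEM from a feed.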
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate System Monitoring Tool Usage
Description: A security tool like OSSEC or Tripwire is performing a scheduled integrity check, which results in the detection of known Quasar RAT hashes due to false positives in the IOC database.
Filter/Exclusion: Exclude processes associated with the monitoring tool (e.g., ossecd, tripwire) or filter by process names matching known security tools.
Scenario: Scheduled Backup Job with Embedded Scripts
Description: A scheduled backup job (e.g., using Veeam, Commvault, or rsync) includes a script that contains a hash or string matching Quasar RAT IOCs due to a naming coincidence.
Filter/Exclusion: Exclude processes related to backup tools or filter by command-line arguments containing known backup tool identifiers.
Scenario: Admin Task Involving Known Malware Hashes
Description: An administrator is manually analyzing a known malicious file (e.g., a malware sample) using tools like Process Explorer or Wireshark, which inadvertently triggers the Quasar RAT IOC detection.
Filter/Exclusion: Exclude processes initiated by admin accounts or filter by user context (e.g., user = admin or user = root).
Scenario: Legitimate Software Update with Embedded Payloads
Description: A software update from a trusted vendor (e.g., Microsoft, VMware) includes a legitimate payload that coincidentally matches Quasar RAT IOCs due to similar string patterns.
Filter/Exclusion: Exclude processes related to software update tools or filter by IP addresses associated with known vendors.
Scenario: Network Traffic Analysis with Known Malicious IPs
Description: A network traffic analysis tool (e.g., Zeek, Snort) is inspect