← Back to SOC feed Coverage →

ThreatFox: NetSupportManager RAT IOCs

ioc-hunt HIGH ThreatFox
CommonSecurityLogDeviceNetworkEvents
backdooriocthreatfoxwin-netsupportmanager_rat
This detection content is auto-generated from open-source rule repositories and enriched with AI analysis. Always validate rules in a test environment before deploying to production Sentinel workspaces.
View original rule at ThreatFox →
Retrieved: 2026-03-19T03:46:59Z · Confidence: high

Hunt Hypothesis

Hunt package for 2 IOCs associated with NetSupportManager RAT

IOC Summary

Malware Family: NetSupportManager RAT Total IOCs: 2 IOC Types: ip:port

TypeValueThreat TypeFirst SeenConfidence
ip:port102[.]98[.]215[.]238:443botnet_cc2026-03-19100%
ip:port46[.]149[.]76[.]140:5222botnet_cc2026-03-18100%

KQL: Ip Hunt

// Hunt for network connections to known malicious IPs
// Source: ThreatFox - NetSupportManager RAT
let malicious_ips = dynamic(["102.98.215.238", "46.149.76.140"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc

KQL: Ip Hunt Device

// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["102.98.215.238", "46.149.76.140"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc

Required Data Sources

Sentinel TableNotes
CommonSecurityLogEnsure this data connector is enabled
DeviceNetworkEventsEnsure this data connector is enabled

References

Original source: https://threatfox.abuse.ch/browse/malware/win.netsupportmanager_rat/