The ThreatFox: PureRAT IOCs rule detects potential adversary activity associated with the PureRAT malware by matching known indicators of compromise against network traffic and file artifacts. SOC teams should proactively hunt for this activity in Azure Sentinel to detect and respond to advanced persistent threats that may be using PureRAT for command and control or data exfiltration.
IOC Summary
Malware Family: PureRAT
Total IOCs: 3
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 151[.]243[.]109[.]130:9518 | botnet_cc | 2026-05-21 | 75% |
| ip:port | 192[.]210[.]236[.]141:8443 | botnet_cc | 2026-05-21 | 75% |
| ip:port | 108[.]171[.]192[.]181:4477 | botnet_cc | 2026-05-21 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - PureRAT
// Note: the published indicators are ip:port pairs (ports 9518, 8443, 4477) but this query
// matches on IP only; compare DestinationPort in the results with the IOC table before escalating.
let malicious_ips = dynamic(["151.243.109.130", "108.171.192.181", "192.210.236.141"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - PureRAT
// RemotePort is projected so the hit can be checked against the ip:port indicators above.
let malicious_ips = dynamic(["151.243.109.130", "108.171.192.181", "192.210.236.141"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| A system administrator is using PowerShell to run a legitimate scheduled job that downloads a file from a known internal repository (e.g., internal-repo.example.com). | Exclude traffic originating from or destined to internal IP ranges, or filter by known internal repositories. |
| A security tool like Microsoft Defender for Endpoint is performing a scheduled scan that temporarily downloads a known malicious file for analysis. | Exclude processes associated with security tools (e.g., MsDefender.exe, MsMpEng.exe) or filter by known security tool behaviors. |
| A Windows Task Scheduler job is configured to run a script that connects to a remote PowerShell endpoint for legitimate system management (e.g., wsman.example.com). | Exclude connections to known management endpoints or filter by process name associated with scheduled tasks (e.g., schtasks.exe). |
| A backup tool like Veeam or Commvault is transferring data over a secure connection (e.g., veeam-backup.example.com) and triggers an IOC match. | Exclude traffic from known backup tools or filter by domain names associated with backup services. |
| A remote desktop session (e.g., mstsc.exe) is established to a server, and the connection is flagged due to a matching IOC in the session metadata. | Exclude connections initiated by RDP clients or filter by process names associated with remote access tools. |