The ThreatFox: Quasar RAT IOCs rule flags network connections to command-and-control (C2) addresses reported to ThreatFox for Quasar RAT, an open-source .NET remote access trojan used by a wide range of actors for persistent access, remote control and data theft. Because the indicators are ip:port pairs, the rule matches beaconing traffic rather than the implant itself. SOC teams can run the hunting queries below in Microsoft Sentinel (formerly Azure Sentinel) to find hosts that have contacted this infrastructure and triage them before the operator uses the access for lateral movement or exfiltration.
IOC Summary
Malware Family: Quasar RAT
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 111[.]170[.]164[.]98:8443 | botnet_cc | 2026-05-06 | 50% |
| ip:port | 176[.]65[.]132[.]246:9999 | botnet_cc | 2026-05-06 | 50% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Quasar RAT
// The IOCs are ip:port pairs; the match below is on IP alone so that C2 reuse on
// other ports is not missed. PortMatch marks hits on the reported ports (8443, 9999).
let malicious_ips = dynamic(["176.65.132.246", "111.170.164.98"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| extend PortMatch = DestinationPort in (8443, 9999)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, PortMatch, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// InitiatingProcessFileName identifies the beaconing process; Quasar can run under
// any file name, so pivot on the process and its parent rather than the name alone.
let malicious_ips = dynamic(["176.65.132.246", "111.170.164.98"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| extend PortMatch = RemotePort in (8443, 9999)
| project Timestamp, DeviceName, RemoteIP, RemotePort, PortMatch, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled (CEF/syslog from firewalls and proxies) |
| DeviceNetworkEvents | Ensure this data connector is enabled (Microsoft Defender for Endpoint) |
Note on the scenarios below: this rule carries only ip:port indicators, so scenarios built around a Quasar hash or file name (a scheduled task running a script with a matching hash, a vendor update shipping a matching file, an administrator inspecting matching files with Process Explorer or Procmon) cannot trigger it and need no exclusion. Exclusions keyed on process.name for such tools would also be unsafe: Quasar can run under any process name, and a host that is beaconing while Procmon happens to be open should still alert. The scenarios that can produce a match on an IP indicator are:

Scenario: Security Tooling Validating the Indicator
Description: A sandbox, threat-intel enrichment service or reachability check operated by the SOC itself connects to the C2 address, for example when detonating a Quasar sample or confirming that the indicator is still live.
Filter/Exclusion: source.ip in (analysis_subnet) or host.name in (sandbox_hosts), where the allow list contains only the SOC's own analysis hosts; never exclude by process name alone.

Scenario: Shared or Reassigned Hosting Address
Description: Both indicators are ip:port with 50% confidence. The address may belong to a VPS or shared-hosting provider and be reused by an unrelated service, so a connection on a port other than the reported one (8443 or 9999) is weaker evidence than a connection on the reported port.
Filter/Exclusion: do not drop the event; lower its severity when destination.port not in (8443, 9999) and check the ThreatFox entry's last-seen date before closing the alert as a false positive.

Scenario: Network Monitoring Tool Replaying Traffic
Description: Packet-capture tools such as Wireshark or tcpdump only observe traffic and do not contact the C2 address; a capture replayed with a tool such as tcpreplay, or a traffic generator on a test network, does and will match.
Filter/Exclusion: host.name in (replay_hosts) for dedicated lab hosts only; treat any other host running a replay tool as suspicious.

Scenario: Log Analysis Tool Parsing Logs
Description: Log pipelines such as Logstash or Splunk forward records that contain the IOC string (threat-intel feeds, this advisory, ticket text). The queries above compare structured IP columns (DestinationIP, SourceIP, RemoteIP), so such records do not match; a hunt written as a free-text search for "176.65.132.246" would.
Filter/Exclusion: match only on IP columns rather than on raw message text; if a free-text search is used, exclude log-collector hosts by host.name rather than by process.name contains "splunkd" or "logstash".
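The following Python is an added example, not code from ThreatFox or from this page. It ties the queries and the scenarios above together: it refangs the two defanged ip:port indicators, emits the `let malicious_ips` line the KQL queries use, and classifies constructed sample network events with the port-aware tiering and analysis-host exclusion described in the scenarios. The host names in ANALYSIS_HOSTS, the sample events and the high/medium tiering policy are assumptions for illustration.

```python
"""Added example (not part of the ThreatFox page): refang ip:port IOCs, build the
KQL `let` line, and triage constructed network events with port-aware confidence."""
import re
from dataclasses import dataclass

# Indicators exactly as printed on the page, defanged with [.].
THREATFOX_IOCS = ["111[.]170[.]164[.]98:8443", "176[.]65[.]132[.]246:9999"]

# Assumption: hosts the SOC uses for sandboxing and IOC validation (hypothetical names).
ANALYSIS_HOSTS = {"sandbox01", "ti-validator"}

_IOC_RE = re.compile(r"^(\d{1,3}(?:\[\.\]\d{1,3}){3}):(\d{1,5})$")


def parse_ioc(defanged: str) -> tuple[str, int]:
    """Refang '111[.]170[.]164[.]98:8443' into ('111.170.164.98', 8443)."""
    m = _IOC_RE.match(defanged.strip())
    if not m:
        raise ValueError(f"not a defanged ip:port indicator: {defanged!r}")
    ip = m.group(1).replace("[.]", ".")
    port = int(m.group(2))
    if not 0 < port < 65536 or any(int(o) > 255 for o in ip.split(".")):
        raise ValueError(f"out-of-range indicator: {defanged!r}")
    return ip, port


def build_kql_let(iocs: list[str]) -> str:
    """Emit the `let malicious_ips = dynamic([...]);` line used by the Sentinel queries."""
    ips = sorted({parse_ioc(i)[0] for i in iocs})
    quoted = ", ".join(f'"{ip}"' for ip in ips)
    return f"let malicious_ips = dynamic([{quoted}]);"


@dataclass(frozen=True)
class Event:
    """Minimal shape of a DeviceNetworkEvents row."""
    device: str
    remote_ip: str
    remote_port: int
    process: str


def classify(event: Event, iocs: list[str]) -> str:
    """'high' on ip+port match, 'medium' on ip-only (possible address reuse),
    'excluded' when the source is an allow-listed analysis host, else 'none'."""
    parsed = {parse_ioc(i) for i in iocs}
    ioc_ips = {ip for ip, _ in parsed}
    if event.remote_ip not in ioc_ips:
        return "none"
    if event.device in ANALYSIS_HOSTS:
        return "excluded"
    return "high" if (event.remote_ip, event.remote_port) in parsed else "medium"


# Constructed sample events for illustration; not real telemetry.
SAMPLE_EVENTS = [
    Event("ws-finance-07", "111.170.164.98", 8443, "svchost.exe"),   # ip+port hit
    Event("ws-finance-07", "176.65.132.246", 443, "chrome.exe"),     # ip-only hit
    Event("sandbox01", "176.65.132.246", 9999, "python.exe"),        # SOC sandbox
    Event("ws-hr-02", "8.8.8.8", 53, "dns.exe"),                     # unrelated
]


def triage(events: list[Event], iocs: list[str] = THREATFOX_IOCS) -> dict:
    """Map (device, remote_ip, remote_port) to the tier returned by classify()."""
    return {(e.device, e.remote_ip, e.remote_port): classify(e, iocs) for e in events}


if __name__ == "__main__":
    print(build_kql_let(THREATFOX_IOCS))
    for key, tier in triage(SAMPLE_EVENTS).items():
        print(f"{tier:8} {key}")
```

The `medium` tier is where the shared-hosting scenario lives: an IP-only hit is still worth a look at the initiating process, but it should not be closed as confirmed Quasar C2 without the port or other corroboration. The exclusion is keyed on the source host, never on the process name, for the reason given in the scenarios.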