← Back to SOC feed Coverage →

ThreatFox: Mirai IOCs

ioc-hunt HIGH ThreatFox
CommonSecurityLogDeviceNetworkEventsUrlClickEvents
elf-miraiiocthreatfox
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at ThreatFox →
Retrieved: 2026-06-06T11:00:00Z · Confidence: high

Hunt Hypothesis

The ThreatFox: Mirai IOCs rule detects potential compromise indicators linked to the Mirai botnet, which is commonly used to launch large-scale DDoS attacks. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage Mirai-based threats before they can be leveraged for widespread network disruption.

IOC Summary

Malware Family: Mirai Total IOCs: 14 IOC Types: url, ip:port

TypeValueThreat TypeFirst SeenConfidence
urlhxxp://45[.]205[.]1[.]59/okpayload_delivery2026-06-0680%
ip:port45[.]205[.]1[.]59:80payload_delivery2026-06-0680%
ip:port188[.]54[.]47[.]14:2375payload_delivery2026-06-0680%
ip:port172[.]104[.]241[.]98:2375payload_delivery2026-06-0680%
ip:port180[.]189[.]174[.]146:80payload_delivery2026-06-0680%
ip:port83[.]229[.]8[.]197:80payload_delivery2026-06-0680%
ip:port150[.]241[.]98[.]49:80payload_delivery2026-06-0680%
ip:port165[.]154[.]46[.]183:80payload_delivery2026-06-0680%
ip:port185[.]177[.]125[.]71:2375payload_delivery2026-06-0680%
ip:port143[.]198[.]199[.]73:2375payload_delivery2026-06-0680%
ip:port34[.]173[.]83[.]139:2375payload_delivery2026-06-0680%
ip:port94[.]124[.]119[.]36:2375payload_delivery2026-06-0680%
ip:port167[.]71[.]47[.]6:80payload_delivery2026-06-0680%
urlhxxp://45[.]198[.]224[.]5/okpayload_delivery2026-06-0680%

KQL: Ip Hunt

// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Mirai
let malicious_ips = dynamic(["172.104.241.98", "34.173.83.139", "45.205.1.59", "167.71.47.6", "188.54.47.14", "185.177.125.71", "165.154.46.183", "94.124.119.36", "83.229.8.197", "180.189.174.146", "143.198.199.73", "150.241.98.49"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc

KQL: Ip Hunt Device

// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["172.104.241.98", "34.173.83.139", "45.205.1.59", "167.71.47.6", "188.54.47.14", "185.177.125.71", "165.154.46.183", "94.124.119.36", "83.229.8.197", "180.189.174.146", "143.198.199.73", "150.241.98.49"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc

KQL: Url Hunt

// Hunt for access to known malicious URLs
// Source: ThreatFox - Mirai
let malicious_urls = dynamic(["http://45.205.1.59/ok", "http://45.198.224.5/ok"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc

Required Data Sources

Sentinel TableNotes
CommonSecurityLogEnsure this data connector is enabled
DeviceNetworkEventsEnsure this data connector is enabled
UrlClickEventsEnsure this data connector is enabled

References

False Positive Guidance

Original source: https://threatfox.abuse.ch/browse/malware/elf.mirai/