The ThreatFox: Mozi IOCs rule detects potential adversary activity linked to the Mozi malware family by identifying known malicious indicators associated with its command and control infrastructure. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromises from advanced persistent threats leveraging Mozi.
IOC Summary

- Malware Family: Mozi
- Total IOCs: 19
- IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 111[.]55[.]74[.]100:52721 | payload_delivery | 2026-06-05 | 100% |
| ip:port | 110[.]38[.]254[.]160:50664 | payload_delivery | 2026-06-05 | 100% |
| ip:port | 223[.]123[.]42[.]237:53019 | payload_delivery | 2026-06-05 | 100% |
| ip:port | 153[.]117[.]37[.]25:36970 | payload_delivery | 2026-06-05 | 100% |
| ip:port | 202[.]70[.]139[.]56:60896 | payload_delivery | 2026-06-05 | 100% |
| ip:port | 189[.]174[.]142[.]184:56193 | payload_delivery | 2026-06-05 | 100% |
| ip:port | 72[.]255[.]18[.]214:36405 | payload_delivery | 2026-06-05 | 100% |
| ip:port | 124[.]229[.]33[.]220:50854 | payload_delivery | 2026-06-05 | 100% |
| ip:port | 223[.]123[.]35[.]47:54367 | payload_delivery | 2026-06-05 | 100% |
| ip:port | 105[.]186[.]143[.]24:59469 | payload_delivery | 2026-06-05 | 100% |
| ip:port | 103[.]176[.]16[.]78:51683 | payload_delivery | 2026-06-05 | 100% |
| ip:port | 124[.]29[.]194[.]26:42356 | payload_delivery | 2026-06-05 | 100% |
| ip:port | 95[.]82[.]118[.]182:44093 | payload_delivery | 2026-06-05 | 100% |
| ip:port | 58[.]65[.]216[.]9:58090 | payload_delivery | 2026-06-05 | 100% |
| ip:port | 103[.]181[.]160[.]22:37187 | payload_delivery | 2026-06-05 | 100% |
| ip:port | 110[.]38[.]218[.]245:48087 | payload_delivery | 2026-06-05 | 100% |
| ip:port | 119[.]189[.]212[.]129:44218 | payload_delivery | 2026-06-05 | 100% |
| ip:port | 202[.]9[.]122[.]145:56390 | payload_delivery | 2026-06-05 | 100% |
| ip:port | 153[.]117[.]32[.]174:49040 | payload_delivery | 2026-06-05 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Mozi
let malicious_ips = dynamic(["153.117.37.25", "110.38.254.160", "202.9.122.145", "58.65.216.9", "111.55.74.100", "103.181.160.22", "124.229.33.220", "153.117.32.174", "189.174.142.184", "95.82.118.182", "124.29.194.26", "110.38.218.245", "103.176.16.78", "223.123.42.237", "119.189.212.129", "105.186.143.24", "202.70.139.56", "72.255.18.214", "223.123.35.47"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["153.117.37.25", "110.38.254.160", "202.9.122.145", "58.65.216.9", "111.55.74.100", "103.181.160.22", "124.229.33.220", "153.117.32.174", "189.174.142.184", "95.82.118.182", "124.29.194.26", "110.38.218.245", "103.176.16.78", "223.123.42.237", "119.189.212.129", "105.186.143.24", "202.70.139.56", "72.255.18.214", "223.123.35.47"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
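The two queries above match on the IP alone. The query below is an added example, not part of the original rule: it requires the port from each ip:port IOC to match as well, which avoids flagging unrelated traffic to the same address, and it unions the CEF firewall source with the Defender for Endpoint source so one result set covers both. Column names follow the standard CommonSecurityLog and DeviceNetworkEvents schemas; the 30-day lookback is an assumption.

```kql
// Added example (not the original rule's code): match the full ip:port pair.
// Mozi C2 listens on arbitrary high ports, so the port is part of the indicator
// and IP-only matching also catches benign connections to the same address.
// Pairs below are the ones listed in the IOC table, refanged.
let mozi_iocs = datatable(ioc_ip:string, ioc_port:int) [
    "111.55.74.100", 52721,
    "110.38.254.160", 50664,
    "223.123.42.237", 53019,
    "153.117.37.25", 36970,
    "202.70.139.56", 60896,
    "189.174.142.184", 56193,
    "72.255.18.214", 36405,
    "124.229.33.220", 50854,
    "223.123.35.47", 54367,
    "105.186.143.24", 59469,
    "103.176.16.78", 51683,
    "124.29.194.26", 42356,
    "95.82.118.182", 44093,
    "58.65.216.9", 58090,
    "103.181.160.22", 37187,
    "110.38.218.245", 48087,
    "119.189.212.129", 44218,
    "202.9.122.145", 56390,
    "153.117.32.174", 49040
];
// Firewall / proxy events via CEF; DestinationPort is already an int in this table
let fw = CommonSecurityLog
    | where TimeGenerated > ago(30d)   // assumed lookback window
    | join kind=inner (mozi_iocs) on $left.DestinationIP == $right.ioc_ip, $left.DestinationPort == $right.ioc_port
    | project TimeGenerated, Host = Computer, SourceIP, DestinationIP, DestinationPort, DeviceAction;
// Defender for Endpoint outbound connections, renamed to the same column set
let mde = DeviceNetworkEvents
    | where Timestamp > ago(30d)
    | join kind=inner (mozi_iocs) on $left.RemoteIP == $right.ioc_ip, $left.RemotePort == $right.ioc_port
    | project TimeGenerated = Timestamp, Host = DeviceName, SourceIP = LocalIP,
              DestinationIP = RemoteIP, DestinationPort = RemotePort, DeviceAction = ActionType;
// One row per host and C2 endpoint, so repeated beaconing is visible as a count
union fw, mde
| summarize Hits = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by Host, DestinationIP, DestinationPort
| order by LastSeen desc
```

A host with many hits to one pair spread over the window is the beaconing pattern worth triaging first; a single hit from a scanner or crawler host is the usual benign case.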
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Scheduled System Maintenance Task | A legitimate scheduled task runs a script that uses a tool like PowerShell or Task Scheduler to perform system maintenance, which may trigger the Mozi IOC due to similar command-line patterns. | Exclude processes initiated by Task Scheduler or schtasks.exe with known maintenance scripts. |
| Admin Using Process Explorer to Analyze Processes | An admin uses Process Explorer (from Sysinternals) to investigate suspicious processes, which may include commands or paths that match Mozi IOCs. | Exclude processes with Process Explorer (procexp.exe) or Process Monitor (ProcMon.exe) in their call stack. |
| Log Collection and Analysis Tool (e.g., Splunk, ELK) Running Queries | A log analysis tool like Splunk or ELK Stack runs queries that involve command-line tools such as grep, awk, or find, which may resemble Mozi IOCs. | Exclude processes associated with log analysis tools or system monitoring tools like splunkd.exe, logstash, or kibana. |
| Database Backup Job Using SQLCMD | A scheduled SQL backup job uses sqlcmd to execute T-SQL scripts, which may include command-line arguments that match Mozi IOCs. | Exclude processes initiated by sqlcmd.exe or related to SQL Server backup jobs. |
| Security Software Performing Full System Scan | Antivirus or endpoint protection software (e.g., Windows Defender, McAfee, Kaspersky) performs a full system scan, which may trigger IOCs due to scanning behaviors. | |