The ThreatFox: XMRIG IOCs rule detects potential cryptocurrency mining malware activity by identifying known indicators associated with the XMRIG miner, which is commonly used in ransomware and malware campaigns. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromise attempts that could lead to data exfiltration or system degradation.
IOC Summary
Malware Family: XMRIG
Total IOCs: 10
IOC Types: domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 5[.]40[.]229[.]236:6379 | payload_delivery | 2026-06-20 | 80% |
| ip:port | 39[.]34[.]134[.]209:6379 | payload_delivery | 2026-06-20 | 80% |
| ip:port | 103[.]217[.]176[.]73:6379 | payload_delivery | 2026-06-20 | 80% |
| ip:port | 213[.]209[.]159[.]66:5432 | payload_delivery | 2026-06-20 | 80% |
| ip:port | 64[.]89[.]163[.]82:5432 | payload_delivery | 2026-06-20 | 80% |
| ip:port | 80[.]96[.]113[.]59:8060 | botnet_cc | 2026-06-20 | 100% |
| ip:port | 64[.]89[.]163[.]212:8060 | botnet_cc | 2026-06-20 | 100% |
| ip:port | 64[.]89[.]163[.]212:8058 | botnet_cc | 2026-06-20 | 100% |
| domain | coldtechreview.vip | botnet_cc | 2026-06-20 | 100% |
| ip:port | 64[.]89[.]163[.]212:8057 | botnet_cc | 2026-06-20 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - XMRIG
let malicious_ips = dynamic(["213.209.159.66", "64.89.163.212", "39.34.134.209", "80.96.113.59", "103.217.176.73", "5.40.229.236", "64.89.163.82"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["213.209.159.66", "64.89.163.212", "39.34.134.209", "80.96.113.59", "103.217.176.73", "5.40.229.236", "64.89.163.82"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - XMRIG
let malicious_domains = dynamic(["coldtechreview.vip"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
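As an added example (not part of the ThreatFox rule or the queries above), the following Python parses the defanged `ip:port` and `domain` rows from the IOC table, emits the same `let ... = dynamic([...]);` lists the KQL queries use, and runs the indicators over a few constructed DeviceNetworkEvents-style rows, separating an exact ip:port hit from an IP-only hit. The sample events, device names and the `match_events` helper are assumptions made for the illustration.

```python
# IOC rows copied from this page's ThreatFox table: (type, value, threat_type, confidence)
IOC_ROWS = [
    ("ip:port", "5[.]40[.]229[.]236:6379", "payload_delivery", 80),
    ("ip:port", "39[.]34[.]134[.]209:6379", "payload_delivery", 80),
    ("ip:port", "103[.]217[.]176[.]73:6379", "payload_delivery", 80),
    ("ip:port", "213[.]209[.]159[.]66:5432", "payload_delivery", 80),
    ("ip:port", "64[.]89[.]163[.]82:5432", "payload_delivery", 80),
    ("ip:port", "80[.]96[.]113[.]59:8060", "botnet_cc", 100),
    ("ip:port", "64[.]89[.]163[.]212:8060", "botnet_cc", 100),
    ("ip:port", "64[.]89[.]163[.]212:8058", "botnet_cc", 100),
    ("domain", "coldtechreview.vip", "botnet_cc", 100),
    ("ip:port", "64[.]89[.]163[.]212:8057", "botnet_cc", 100),
]

def refang(value):
    """Turn the defanged '1[.]2[.]3[.]4' form back into a matchable indicator."""
    return value.replace("[.]", ".")

def parse_iocs(rows):
    """Return exact (ip, port) pairs, bare IPs and domains from ThreatFox-style rows."""
    pairs, ips, domains = set(), set(), set()
    for ioc_type, value, _threat, _confidence in rows:
        value = refang(value)
        if ioc_type == "ip:port":
            ip, port = value.rsplit(":", 1)
            pairs.add((ip, int(port)))
            ips.add(ip)
        elif ioc_type == "domain":
            domains.add(value.lower())
    return pairs, ips, domains

def kql_let(name, values):
    """Render a KQL 'let ... = dynamic([...]);' list like the queries on this page."""
    quoted = ", ".join(f'"{v}"' for v in sorted(values))
    return f"let {name} = dynamic([{quoted}]);"

def match_events(events, rows):
    """Flag DeviceNetworkEvents-style rows whose RemoteIP is listed; the last field is
    True only when the destination port also matches, the higher-fidelity hit."""
    pairs, ips, _domains = parse_iocs(rows)
    return [(ev["DeviceName"], ev["RemoteIP"], ev["RemotePort"],
             (ev["RemoteIP"], ev["RemotePort"]) in pairs)
            for ev in events if ev["RemoteIP"] in ips]

# Constructed sample events (assumed, not real telemetry); ws03 must not match.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "RemoteIP": "64.89.163.212", "RemotePort": 8060},
    {"DeviceName": "ws02", "RemoteIP": "64.89.163.212", "RemotePort": 443},
    {"DeviceName": "ws03", "RemoteIP": "10.0.0.5", "RemotePort": 6379},
]
```

An IP-only hit on a shared host is worth triaging with the port and initiating process before raising an incident, while an exact ip:port match against a `botnet_cc` row is the stronger signal.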
Scenario: Legitimate XMRIG Mining Setup
Description: A system administrator is deploying XMRIG as part of a legitimate cryptocurrency mining setup for a sanctioned use case (e.g., a mining pool or a test environment).
Filter/Exclusion: Check for the presence of mining.conf or config.json files in known mining directories, and confirm the process runs under a dedicated mining user account.
Scenario: Scheduled System Maintenance Job
Description: A scheduled task is running a script that uses find or grep to search for files containing the string “XMRIG” as part of a system audit or compliance check.
Filter/Exclusion: Filter out processes associated with the crontab or at scheduler, and exclude file system scanning tools like find, grep, or rsync.
Scenario: Admin Task for Log Analysis
Description: A security analyst is reviewing logs using logrotate or journalctl and manually searching for “XMRIG” in log files to investigate potential misconfigurations or errors.
Filter/Exclusion: Exclude processes related to log management tools (logrotate, journalctl, rsyslog) and filter out manual command-line searches using grep or cat.
Scenario: Package Installation or Update
Description: A system update or package installation (e.g., via apt, yum, or dnf) includes a package that contains the string “XMRIG” in its metadata or description.
Filter/Exclusion: Filter out package managers (apt, yum, dnf, zypper) and exclude package metadata or description fields.
Scenario: False Positive from Threat Intelligence Feed
Description: A threat intelligence feed incorrectly lists a legitimate tool or file (e.g.,