The ThreatFox: XMRIG IOCs rule detects potential cryptocurrency mining malware activity by identifying known indicators associated with the XMRIG miner, which is commonly used in ransomware and malware campaigns. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromise attempts that could lead to data exfiltration or system degradation.
IOC Summary
Malware Family: XMRIG
Total IOCs: 13
IOC Types: sha256_hash, ip:port, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 195[.]181[.]245[.]252:9443 | payload_delivery | 2026-06-05 | 80% |
| url | hxxp://195[.]181[.]245[.]252:9443/xmrig | payload_delivery | 2026-06-05 | 80% |
| ip:port | 57[.]128[.]171[.]186:2375 | payload_delivery | 2026-06-05 | 80% |
| ip:port | 71[.]6[.]239[.]181:5432 | botnet_cc | 2026-06-05 | 80% |
| ip:port | 45[.]156[.]87[.]119:5432 | botnet_cc | 2026-06-05 | 80% |
| ip:port | 66[.]240[.]223[.]240:5432 | botnet_cc | 2026-06-05 | 80% |
| ip:port | 124[.]90[.]54[.]135:5432 | botnet_cc | 2026-06-05 | 80% |
| ip:port | 66[.]132[.]224[.]234:5432 | botnet_cc | 2026-06-05 | 80% |
| sha256_hash | b0e1ae6d73d656b203514f498b59cbcf29f067edf6fbd3803a3de7d21960848d | payload | 2026-06-05 | 80% |
| sha256_hash | f38504f53f6a25c405cfa272572eb0ededbbb4b9399b8aec1706d5e2b990f1c9 | payload | 2026-06-05 | 80% |
| ip:port | 92[.]60[.]77[.]99:8888 | payload_delivery | 2026-06-05 | 80% |
| url | hxxp://92[.]60[.]77[.]99:8888/xmrig-x86 | payload_delivery | 2026-06-05 | 80% |
| ip:port | 189[.]110[.]239[.]137:2375 | payload_delivery | 2026-06-05 | 80% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - XMRIG
let malicious_ips = dynamic(["57.128.171.186", "45.156.87.119", "71.6.239.181", "189.110.239.137", "66.240.223.240", "92.60.77.99", "124.90.54.135", "66.132.224.234", "195.181.245.252"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - XMRIG
let malicious_ips = dynamic(["57.128.171.186", "45.156.87.119", "71.6.239.181", "189.110.239.137", "66.240.223.240", "92.60.77.99", "124.90.54.135", "66.132.224.234", "195.181.245.252"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - XMRIG
let malicious_urls = dynamic(["http://195.181.245.252:9443/xmrig", "http://92.60.77.99:8888/xmrig-x86"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - XMRIG
// The feed only provides SHA256 values for this family, so comparing the SHA1 or MD5
// columns against this list would never match; match on SHA256 only.
let malicious_hashes = dynamic(["b0e1ae6d73d656b203514f498b59cbcf29f067edf6fbd3803a3de7d21960848d", "f38504f53f6a25c405cfa272572eb0ededbbb4b9399b8aec1706d5e2b990f1c9"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceFileEvents | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
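The hunts above compare only the IP address, so a hit on a listed address over an unrelated port looks the same as a hit on the exact ip:port pair the feed reported. The following is an added example, not part of the original page, of ThreatFox or of Sentinel: it refangs the IOC values copied from the table above, derives the same indicator lists the KQL hunts use (and renders them as `let ... = dynamic([...])` lines), and runs them over constructed sample events shaped like `DeviceNetworkEvents` and `DeviceFileEvents` rows. It goes one step beyond the page's queries by distinguishing an exact ip:port match from an IP-only match; the event records and device names are constructed sample data.

```python
"""Refang ThreatFox-style IOCs and run them over constructed sample events.

Added example, not the page's or ThreatFox's own code. IOC rows are copied
from the table above; all event records below are constructed sample data.
"""
import re
from typing import Dict, List, Set, Tuple

# IOC rows copied from the ThreatFox table above: (type, defanged value, threat type).
THREATFOX_IOCS: List[Tuple[str, str, str]] = [
    ("ip:port", "195[.]181[.]245[.]252:9443", "payload_delivery"),
    ("url", "hxxp://195[.]181[.]245[.]252:9443/xmrig", "payload_delivery"),
    ("ip:port", "57[.]128[.]171[.]186:2375", "payload_delivery"),
    ("ip:port", "71[.]6[.]239[.]181:5432", "botnet_cc"),
    ("ip:port", "45[.]156[.]87[.]119:5432", "botnet_cc"),
    ("ip:port", "66[.]240[.]223[.]240:5432", "botnet_cc"),
    ("ip:port", "124[.]90[.]54[.]135:5432", "botnet_cc"),
    ("ip:port", "66[.]132[.]224[.]234:5432", "botnet_cc"),
    ("sha256_hash", "b0e1ae6d73d656b203514f498b59cbcf29f067edf6fbd3803a3de7d21960848d", "payload"),
    ("sha256_hash", "f38504f53f6a25c405cfa272572eb0ededbbb4b9399b8aec1706d5e2b990f1c9", "payload"),
    ("ip:port", "92[.]60[.]77[.]99:8888", "payload_delivery"),
    ("url", "hxxp://92[.]60[.]77[.]99:8888/xmrig-x86", "payload_delivery"),
    ("ip:port", "189[.]110[.]239[.]137:2375", "payload_delivery"),
]

# Constructed sample events (not real telemetry), shaped like Defender table rows.
SAMPLE_NETWORK_EVENTS = [
    {"DeviceName": "srv-01", "RemoteIP": "71.6.239.181", "RemotePort": 5432, "InitiatingProcessFileName": "xmrig"},
    {"DeviceName": "srv-02", "RemoteIP": "92.60.77.99", "RemotePort": 443, "InitiatingProcessFileName": "curl"},
    {"DeviceName": "wks-07", "RemoteIP": "10.0.0.5", "RemotePort": 5432, "InitiatingProcessFileName": "psql"},
]
SAMPLE_FILE_EVENTS = [
    {"DeviceName": "srv-01", "FileName": "xmrig-x86",
     "SHA256": "F38504F53F6A25C405CFA272572EB0EDEDBBB4B9399B8AEC1706D5E2B990F1C9"},
    {"DeviceName": "wks-07", "FileName": "report.pdf", "SHA256": "0" * 64},
]


def refang(value: str) -> str:
    """Undo the feed's defanging: '[.]' becomes '.', a leading 'hxxp' becomes 'http'."""
    value = value.replace("[.]", ".")
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)


def build_indicator_sets(rows: List[Tuple[str, str, str]]) -> Dict[str, Set]:
    """Group refanged IOCs by type. ip:port rows are kept as exact (ip, port) pairs;
    the bare-IP set used by the IP-only KQL hunts is derived from them."""
    ip_ports: Set[Tuple[str, int]] = set()
    urls: Set[str] = set()
    sha256: Set[str] = set()
    for ioc_type, raw, _threat in rows:
        value = refang(raw)
        if ioc_type == "ip:port":
            ip, port = value.rsplit(":", 1)
            ip_ports.add((ip, int(port)))
        elif ioc_type == "url":
            urls.add(value.lower())
        elif ioc_type == "sha256_hash":
            if not re.fullmatch(r"[0-9a-f]{64}", value.lower()):
                raise ValueError(f"malformed sha256 in feed: {raw}")
            sha256.add(value.lower())
    return {"ip_ports": ip_ports, "ips": {ip for ip, _ in ip_ports}, "urls": urls, "sha256": sha256}


def kql_let(name: str, values) -> str:
    """Render a KQL 'let <name> = dynamic([...]);' line like the ones in the hunts above."""
    quoted = ", ".join(f'"{v}"' for v in sorted(values))
    return f"let {name} = dynamic([{quoted}]);"


def match_network_events(events, ind: Dict[str, Set]):
    """Return (event, verdict) pairs. 'ip+port' is an exact hit on a feed pair;
    'ip-only' is what the IP-only KQL hunts would also report and deserves triage
    before being treated as the same signal."""
    hits = []
    for ev in events:
        pair = (ev["RemoteIP"], int(ev["RemotePort"]))
        if pair in ind["ip_ports"]:
            hits.append((ev, "ip+port"))
        elif pair[0] in ind["ips"]:
            hits.append((ev, "ip-only"))
    return hits


def match_file_events(events, ind: Dict[str, Set]):
    """Hash comparison is case-normalised; Defender reports SHA256 in lower case but other sources may not."""
    return [ev for ev in events if ev["SHA256"].lower() in ind["sha256"]]


if __name__ == "__main__":
    ind = build_indicator_sets(THREATFOX_IOCS)
    print(kql_let("malicious_ips", ind["ips"]))
    print(kql_let("malicious_hashes", ind["sha256"]))
    for ev, verdict in match_network_events(SAMPLE_NETWORK_EVENTS, ind):
        print(f"[{verdict}] {ev['DeviceName']} {ev['InitiatingProcessFileName']} -> {ev['RemoteIP']}:{ev['RemotePort']}")
    for ev in match_file_events(SAMPLE_FILE_EVENTS, ind):
        print(f"[hash] {ev['DeviceName']} {ev['FileName']}")
```

Run as a script it prints the two `let` lines ready to paste into the hunts above, one `ip+port` hit for the constructed `xmrig` connection, one `ip-only` hit for the `curl` connection on port 443, and the one file whose SHA256 is in the feed. The port-aware verdict is the reason to keep the (ip, port) pairs rather than collapsing them to addresses as the KQL `let` lists do.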
Scenario: Legitimate XMRIG Mining Software Installation
Description: A system administrator installs the XMRIG mining software as part of a legitimate cryptocurrency mining setup for a data center.
Filter/Exclusion: Exclude processes related to xmrig or minerd if they are associated with known mining software versions (e.g., xmrig-4.0.0).
Scenario: Scheduled System Maintenance Job
Description: A scheduled task runs a script that uses find or grep commands to search for files, which may match XMRIG IOCs due to similar command-line syntax.
Filter/Exclusion: Exclude processes with command lines containing find, grep, or ls if they are part of a known system maintenance script (e.g., /etc/cron.daily/logrotate).
Scenario: Admin Task for Log Analysis
Description: A system administrator uses tcpdump or Wireshark to capture and analyze network traffic for security audits, which may include traffic patterns similar to XMRIG.
Filter/Exclusion: Exclude processes with tcpdump or wireshark if they are associated with known audit tools or scripts (e.g., /usr/bin/tcpdump -i eth0).
Scenario: Legitimate Software Update Process
Description: A package manager (e.g., apt, yum, or dnf) downloads a file that has a filename or checksum matching XMRIG IOCs due to naming conventions.
Filter/Exclusion: Exclude files with checksums or filenames that match known package managers (e.g., *.deb, *.rpm, or *.tar.gz).
Scenario: Security Tool Integration Test
Description: A security tool (e.g., OSSEC, `Sn