The ThreatFox: AMOS IOCs rule flags activity that matches indicators of compromise published on ThreatFox for the AMOS (Atomic macOS Stealer) malware family: payload-delivery and command-and-control domains, a C2 IP:port pair, and SHA-1 hashes of payload files. SOC teams can hunt for these IOCs in Microsoft Sentinel (formerly Azure Sentinel) to find hosts that downloaded an AMOS payload or contacted its infrastructure. All indicators below were first seen on 2026-06-05 with 100% confidence in the feed; stealer infrastructure rotates quickly, so confirm a match against the current ThreatFox entry before acting on it.
IOC Summary

Malware Family: AMOS
Total IOCs: 8
IOC Types: ip:port, domain, sha1_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | anvil-89.com | payload_delivery | 2026-06-05 | 100% |
| domain | bloomglow9.com | payload_delivery | 2026-06-05 | 100% |
| domain | alragaa.com | botnet_cc | 2026-06-05 | 100% |
| domain | data-hub-2312.com | botnet_cc | 2026-06-05 | 100% |
| ip:port | 167[.]71[.]70[.]184:80 | botnet_cc | 2026-06-05 | 100% |
| sha1_hash | c2b96ba6140ed15d46a7956ab2e590a39c164197 | payload | 2026-06-05 | 100% |
| sha1_hash | 8a22239f95067a5a5a9520bfafa4c4b71b7cf828 | payload | 2026-06-05 | 100% |
| sha1_hash | 85abca56aea793d8a45ddb747c4c4e7cf1ab21aa | payload | 2026-06-05 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AMOS
// The IOC table lists the IP defanged (167[.]71[.]70[.]184); the query needs the plain form.
let malicious_ips = dynamic(["167.71.70.184"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - AMOS
// The C2 indicator is 167.71.70.184:80; RemotePort is projected so a port-80 hit can be ranked above other traffic.
let malicious_ips = dynamic(["167.71.70.184"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - AMOS
// has_any matches the domain anywhere in the queried name, so subdomains are covered as well as exact matches.
let malicious_domains = dynamic(["anvil-89.com", "bloomglow9.com", "alragaa.com", "data-hub-2312.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - AMOS
// All three indicators are SHA-1 (40 hex characters), so compare against the SHA1 column
// and project it; the original query checked SHA256/MD5 as well and projected only SHA256,
// which can never match a SHA-1 value and hides the hash that actually matched.
let malicious_hashes = dynamic(["c2b96ba6140ed15d46a7956ab2e590a39c164197", "8a22239f95067a5a5a9520bfafa4c4b71b7cf828", "85abca56aea793d8a45ddb747c4c4e7cf1ab21aa"]);
DeviceFileEvents
| where SHA1 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA1, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
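The queries above were hand-written from the IOC table, which is where two mistakes creep in: the feed delivers the IP defanged and paired with a port, and the hash type has to be matched to the right Sentinel column. The following script is an added example (not ThreatFox code and not part of the original rule page) that takes the eight IOCs from the table as constructed input, refangs and validates each value, picks the hash column by hex length, and emits the `let` lists and hunting queries. It assumes the ThreatFox value conventions shown in the table (`[.]` defanging, `ip:port`) and the Sentinel column names used in the queries above (`RemoteIP`, `RemotePort`, `SHA1`, `SHA256`, `MD5`); the function names are this example's own.

```python
"""Build Microsoft Sentinel hunting queries from a ThreatFox IOC list.

Added example, not code from ThreatFox or the original page. Assumptions: feed
values are defanged with "[.]" and ip:port is "host:port"; Sentinel columns are
named as in DeviceNetworkEvents / DnsEvents / DeviceFileEvents.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed input: the eight IOCs from the table (type, value, threat_type).
IOC_ROWS = [
    ("domain", "anvil-89.com", "payload_delivery"),
    ("domain", "bloomglow9.com", "payload_delivery"),
    ("domain", "alragaa.com", "botnet_cc"),
    ("domain", "data-hub-2312.com", "botnet_cc"),
    ("ip:port", "167[.]71[.]70[.]184:80", "botnet_cc"),
    ("sha1_hash", "c2b96ba6140ed15d46a7956ab2e590a39c164197", "payload"),
    ("sha1_hash", "8a22239f95067a5a5a9520bfafa4c4b71b7cf828", "payload"),
    ("sha1_hash", "85abca56aea793d8a45ddb747c4c4e7cf1ab21aa", "payload"),
]

HASH_COLUMNS = {32: "MD5", 40: "SHA1", 64: "SHA256"}  # hex length -> Sentinel column
HEX_RE = re.compile(r"^[0-9a-f]+$")
DOMAIN_RE = re.compile(r"^[a-z0-9.-]+$")  # feed values end up inside query text


def refang(value: str) -> str:
    """Undo common feed defanging so values match what the logs actually contain."""
    return (value.replace("[.]", ".").replace("(.)", ".")
                 .replace("hxxp://", "http://").replace("hxxps://", "https://"))


def split_ip_port(value: str) -> tuple[str, int]:
    """'167[.]71[.]70[.]184:80' -> ('167.71.70.184', 80); rejects anything else."""
    host, sep, port = refang(value).rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"not an ip:port value: {value!r}")
    host = host.strip("[]")           # tolerate [v6addr]:port
    ipaddress.ip_address(host)        # raises ValueError on garbage
    return host, int(port)


def hash_column(value: str) -> str:
    """Pick the column a hash must be compared against; KQL `in` is case-sensitive, so use lowercase hex."""
    h = value.lower()
    if not HEX_RE.match(h) or len(h) not in HASH_COLUMNS:
        raise ValueError(f"unrecognised hash: {value!r}")
    return HASH_COLUMNS[len(h)]


def normalize(rows):
    """Group IOCs by the log field they will be matched on, validating every value."""
    out = {"domains": [], "ips": [], "ip_ports": [], "hashes": defaultdict(list)}
    for ioc_type, value, _threat in rows:
        if ioc_type == "domain":
            dom = refang(value).lower()
            if not DOMAIN_RE.match(dom):
                raise ValueError(f"unexpected domain: {value!r}")
            out["domains"].append(dom)
        elif ioc_type == "ip:port":
            host, port = split_ip_port(value)
            out["ips"].append(host)
            out["ip_ports"].append((host, port))
        elif ioc_type.endswith("_hash"):
            out["hashes"][hash_column(value)].append(value.lower())
        else:
            raise ValueError(f"unsupported IOC type: {ioc_type}")
    return out


def kql_list(name, values):
    quoted = ", ".join(f'"{v}"' for v in values)
    return f"let {name} = dynamic([{quoted}]);"


def build_queries(rows):
    """Return {query_name: KQL text}, one file query per hash type present."""
    n = normalize(rows)
    q = {}
    if n["ips"]:
        ports = sorted({p for _, p in n["ip_ports"]})  # PortMatch ranks exact ip:port hits first
        q["network"] = "\n".join([
            kql_list("malicious_ips", n["ips"]),
            "DeviceNetworkEvents",
            "| where RemoteIP in (malicious_ips)",
            f"| extend PortMatch = RemotePort in ({', '.join(map(str, ports))})",
            "| project Timestamp, DeviceName, RemoteIP, RemotePort, PortMatch, "
            "InitiatingProcessFileName, ActionType",
        ])
    if n["domains"]:
        q["dns"] = "\n".join([
            kql_list("malicious_domains", n["domains"]),
            "DnsEvents",
            "| where Name has_any (malicious_domains)",
            "| project TimeGenerated, Computer, Name, IPAddresses, QueryType",
        ])
    for column, hashes in n["hashes"].items():
        q[f"files_{column.lower()}"] = "\n".join([
            kql_list(f"malicious_{column.lower()}", hashes),
            "DeviceFileEvents",
            f"| where {column} in (malicious_{column.lower()})",
            f"| project Timestamp, DeviceName, FileName, FolderPath, {column}, "
            "InitiatingProcessFileName",
        ])
    return q


if __name__ == "__main__":
    for name, query in build_queries(IOC_ROWS).items():
        print(f"// {name}\n{query}\n")
```

Running the script prints three queries: a network query with `PortMatch` set when the connection went to port 80, the DNS query, and a single file query keyed on `SHA1` because every hash in this feed is 40 hex characters. Feeding it a 64-character hash would produce a separate `files_sha256` query rather than silently comparing it against the wrong column, and a malformed value aborts the run instead of being pasted into query text.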
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog data connector (firewall, proxy, IDS); ensure it is enabled and that egress devices send CEF |
| DeviceFileEvents | Populated by the Microsoft Defender XDR connector; requires hosts (including macOS, which AMOS targets) onboarded to Defender for Endpoint |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR connector; same onboarding requirement as DeviceFileEvents |
| DnsEvents | Populated by the Windows DNS Server connector; ensure it is enabled on the resolvers clients actually use |
Known False Positives

The exclusions below are written in a generic process-field syntax rather than KQL and describe routine activity that commonly triggers endpoint-hunting rules. Apply them with care here: a connection to a C2 IP, a query for a C2 domain, or a file with a payload hash is not explained by a backup job or a scheduled scan, so investigate the matched indicator before excluding anything, and scope any exclusion to the specific verified host and binary rather than to a parent-process name, which an attacker can spoof.

Scenario: Scheduled system backup using Veeam
Filter/Exclusion: process.parent_process_name:"veeam" or process.command_line:"veeam backup"

Scenario: Regularly executed admin task using PowerShell for log management
Filter/Exclusion: process.parent_process_name:"powershell.exe" and process.command_line:"*-log*"

Scenario: Automated deployment using Ansible with known benign scripts
Filter/Exclusion: process.parent_process_name:"ansible" or process.command_line:"ansible-playbook --extra-vars"

Scenario: Database maintenance job using SQL Server Agent
Filter/Exclusion: process.parent_process_name:"sqlservr.exe" or process.command_line:"sqlcmd -S"

Scenario: Endpoint protection scan using Microsoft Defender for Endpoint (formerly Defender ATP)
Filter/Exclusion: process.parent_process_name:"MsMpEng.exe" or process.command_line:"mpcmdrun.exe -Scan" (the antimalware service runs as MsMpEng.exe; there is no mpsvc.exe binary)