The ThreatFox: Xloader IOCs rule detects potential adversary activity associated with the Xloader malware, which is known for its persistence and data exfiltration capabilities. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromises before significant data loss or network infiltration occurs.
IOC Summary
Malware Family: Xloader
Total IOCs: 6
IOC Types: md5_hash, sha1_hash, sha256_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| sha1_hash | f545a0384505117c03a33842384f9ea397ffc835 | payload | 2026-06-20 | 95% |
| md5_hash | f2a520db47f163760eef8629fc4a92e2 | payload | 2026-06-20 | 95% |
| sha256_hash | 0aa7360574fed7f19d3c1b9c12e0e3e90f0b415eab4d0901559fbe7703dfe939 | payload | 2026-06-20 | 95% |
| sha256_hash | 0c620497c06028c783050d81daf378edc7c0cfba3977f0137ebc3ffdd8765a56 | payload | 2026-06-20 | 95% |
| sha1_hash | afca972d30b80f02e2a2abc4d653cb1579cb509b | payload | 2026-06-20 | 95% |
| md5_hash | 349e9cfa230a379f16ba28418a73d3bf | payload | 2026-06-20 | 95% |
```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - Xloader
let malicious_hashes = dynamic([
    "f545a0384505117c03a33842384f9ea397ffc835",
    "f2a520db47f163760eef8629fc4a92e2",
    "0aa7360574fed7f19d3c1b9c12e0e3e90f0b415eab4d0901559fbe7703dfe939",
    "0c620497c06028c783050d81daf378edc7c0cfba3977f0137ebc3ffdd8765a56",
    "afca972d30b80f02e2a2abc4d653cb1579cb509b",
    "349e9cfa230a379f16ba28418a73d3bf"
]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
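As an added example (not part of the ThreatFox rule or the page's own query), this Python script validates each IOC against the hex length its declared type implies, generates a variant of the hunt above with one typed list per hash column using KQL's case-insensitive `in~` operator, and applies the same matching logic offline to constructed DeviceFileEvents-style rows. The IOC records and the sample events are constructed here from the table above; the `0` * 40 SHA1 is a placeholder for a benign file.

```python
import json
import re
from collections import defaultdict
# IOC records constructed to mirror the ThreatFox Xloader table on this page
XLOADER_IOCS = [
    {"type": "sha1_hash", "value": "f545a0384505117c03a33842384f9ea397ffc835"},
    {"type": "md5_hash", "value": "f2a520db47f163760eef8629fc4a92e2"},
    {"type": "sha256_hash", "value": "0aa7360574fed7f19d3c1b9c12e0e3e90f0b415eab4d0901559fbe7703dfe939"},
    {"type": "sha256_hash", "value": "0c620497c06028c783050d81daf378edc7c0cfba3977f0137ebc3ffdd8765a56"},
    {"type": "sha1_hash", "value": "afca972d30b80f02e2a2abc4d653cb1579cb509b"},
    {"type": "md5_hash", "value": "349e9cfa230a379f16ba28418a73d3bf"},
]
# ThreatFox hash type -> (hex length, DeviceFileEvents column it should be compared against)
HASH_COLUMNS = {"md5_hash": (32, "MD5"), "sha1_hash": (40, "SHA1"), "sha256_hash": (64, "SHA256")}

def validate_ioc(ioc):
    """True if the value is hex of exactly the length its declared hash type requires."""
    length, _ = HASH_COLUMNS[ioc["type"]]
    return re.fullmatch(rf"[0-9a-fA-F]{{{length}}}", ioc["value"]) is not None

def group_by_column(iocs):
    """Bucket validated IOCs (lower-cased) by the column they belong to; reject malformed ones."""
    buckets = defaultdict(set)
    for ioc in iocs:
        if not validate_ioc(ioc):
            raise ValueError(f"malformed {ioc['type']}: {ioc['value']}")
        buckets[HASH_COLUMNS[ioc["type"]][1]].add(ioc["value"].lower())
    return buckets

def build_kql(iocs):
    """Emit the hunt with one typed list per column; in~ makes the comparison case-insensitive."""
    buckets = group_by_column(iocs)
    lets = [f"let {c.lower()}_iocs = dynamic({json.dumps(sorted(v))});" for c, v in sorted(buckets.items())]
    where = " or ".join(f"{c} in~ ({c.lower()}_iocs)" for c in sorted(buckets))
    return "\n".join(lets + ["DeviceFileEvents", f"| where {where}",
                             "| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName",
                             "| order by Timestamp desc"])

def match_events(events, iocs):
    """Offline equivalent of the hunt: rows whose hash column hits an IOC of the same type."""
    buckets = group_by_column(iocs)
    return [ev for ev in events if any(ev.get(c, "").lower() in v for c, v in buckets.items())]

# Constructed DeviceFileEvents-style rows: a SHA256 hit, an upper-case MD5 hit, and a benign file
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "FileName": "a.exe", "SHA256": "0aa7360574fed7f19d3c1b9c12e0e3e90f0b415eab4d0901559fbe7703dfe939"},
    {"DeviceName": "ws02", "FileName": "b.exe", "MD5": "349E9CFA230A379F16BA28418A73D3BF"},
    {"DeviceName": "ws03", "FileName": "c.exe", "SHA1": "0" * 40},
]
```

Calling `match_events(SAMPLE_EVENTS, XLOADER_IOCS)` returns the ws01 and ws02 rows only, and `build_kql(XLOADER_IOCS)` prints a query you can paste into Sentinel as-is.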
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
- Scenario: Legitimate system update using wget to download a package from a trusted internal repository
  Filter/Exclusion: Exclude traffic to internal repositories (e.g., internal-repo.example.com) using the destination_ip or destination_domain field.
- Scenario: Scheduled job running psql to back up a PostgreSQL database
  Filter/Exclusion: Exclude processes with psql and the command line argument --dbname=backup_db using the process_arguments field.
- Scenario: Admin task using tar to archive log files for retention
  Filter/Exclusion: Exclude processes with tar and the argument --exclude='*.log' using the process_arguments field.
- Scenario: Regular use of curl to fetch configuration files from a secure internal API
  Filter/Exclusion: Exclude traffic to internal APIs (e.g., api.config.example.com) using the destination_domain field.
- Scenario: Use of rsync to synchronize files between servers in a multi-node environment
  Filter/Exclusion: Exclude processes with rsync and the argument --exclude='*.tmp' using the process_arguments field.