← Back to SOC feed Coverage →

ThreatFox: stealler IOCs

ioc-hunt HIGH ThreatFox
DeviceFileEvents
iocpy-steallerthreatfox
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at ThreatFox →
Retrieved: 2026-06-26T23:00:00Z · Confidence: high

Hunt Hypothesis

The ThreatFox: stealler IOCs rule detects potential adversary activity involving known malicious indicators linked to the stealler malware, which is commonly used for credential theft and lateral movement. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise attempts by threat actors leveraging these IOCs.

IOC Summary

Malware Family: stealler Total IOCs: 167 IOC Types: sha1_hash, sha256_hash, md5_hash

TypeValueThreat TypeFirst SeenConfidence
sha256_hashb6acdce1f0bf857ab01659840e683c2b9c0a6d92d40ce20f6853123e2a08b8adpayload2026-06-2695%
sha1_hashbe456fe6ab331084ed9e22e935b8b10bbc086dfcpayload2026-06-2695%
md5_hash98df75fde3c6ce76573002cba98f8279payload2026-06-2695%
md5_hash8cd1ed35cc813729823da0630d57808dpayload2026-06-2695%
sha256_hashba394c1dc1c059a38ee415ef860286b425af60cc76fc74c768c6fa146cb6cc94payload2026-06-2695%
sha1_hashacb9d85117fe4483d99e089c272a00ff846f0895payload2026-06-2695%
md5_hashc524874b75254cb431a7d9ef4980018cpayload2026-06-2695%
md5_hash06acc48e71d65bbfe3806548a516c5b7payload2026-06-2695%
sha256_hash45c93c7aa3c228704da86609c949a466c49ddb25d3b9647283f9b5ad77b88df5payload2026-06-2695%
sha1_hash643fa77d5b6eef7fc5050abcd7b3b69a97908109payload2026-06-2695%
md5_hashede8ec7dd17d6a4337e9480f32ab3556payload2026-06-2695%
sha256_hash95752f1cd35d41c1b16a36cde5fa89773aed1705730ff3b2a40078c1583a098cpayload2026-06-2695%
sha1_hashac00c922bd38503e0e6598ee30d5c7182d2ef544payload2026-06-2695%
md5_hash6349de7a2dde48ba850d2b9fbae1703bpayload2026-06-2695%
sha256_hash349a1d1f52f1efb7ca65a9f18c4b5f5a5ac6cb8fea801053d6ee3acd3f8e2b2apayload2026-06-2695%
sha1_hashb0047f0f91b11915cde2d30dacbce3da53d07282payload2026-06-2695%
sha256_hashf3deff6d564ca838ad782a3a2b77c5bc510160c104f50b2016b1f10d90ad28b5payload2026-06-2695%
sha1_hash0d45c202e18303b12ee50df797f1bc7babbd2500payload2026-06-2695%
sha1_hash23873ddbc77bb57622a6268e615fad409c94a26dpayload2026-06-2695%
md5_hash16ed0d418245c47341c71db17b7b92f7payload2026-06-2695%
sha256_hasha493e6d90938bbe5efe425f644c4041d0a0c74404c8b73f489d33d328d1501eapayload2026-06-2695%
sha256_hashe09d248d6bdb9485c97ac15eb33c7bf6ae991d1c3a95f5c51e7bf1833639b96cpayload2026-06-2695%
sha1_hash9c29b28dfbc33d42b1050215094260023de75fbcpayload2026-06-2695%
md5_hashaf206791419453501fe13d086252f629payload2026-06-2695%
sha1_hash38da022cf8af1169cea91fb86fa7ab5ca2e512f9payload2026-06-2695%

KQL: Hash Hunt

// Hunt for files matching known malicious hashes
// Source: ThreatFox - stealler
let malicious_hashes = dynamic(["b6acdce1f0bf857ab01659840e683c2b9c0a6d92d40ce20f6853123e2a08b8ad", "be456fe6ab331084ed9e22e935b8b10bbc086dfc", "98df75fde3c6ce76573002cba98f8279", "8cd1ed35cc813729823da0630d57808d", "ba394c1dc1c059a38ee415ef860286b425af60cc76fc74c768c6fa146cb6cc94", "acb9d85117fe4483d99e089c272a00ff846f0895", "c524874b75254cb431a7d9ef4980018c", "06acc48e71d65bbfe3806548a516c5b7", "45c93c7aa3c228704da86609c949a466c49ddb25d3b9647283f9b5ad77b88df5", "643fa77d5b6eef7fc5050abcd7b3b69a97908109", "ede8ec7dd17d6a4337e9480f32ab3556", "95752f1cd35d41c1b16a36cde5fa89773aed1705730ff3b2a40078c1583a098c", "ac00c922bd38503e0e6598ee30d5c7182d2ef544", "6349de7a2dde48ba850d2b9fbae1703b", "349a1d1f52f1efb7ca65a9f18c4b5f5a5ac6cb8fea801053d6ee3acd3f8e2b2a", "b0047f0f91b11915cde2d30dacbce3da53d07282", "f3deff6d564ca838ad782a3a2b77c5bc510160c104f50b2016b1f10d90ad28b5", "0d45c202e18303b12ee50df797f1bc7babbd2500", "23873ddbc77bb57622a6268e615fad409c94a26d", "16ed0d418245c47341c71db17b7b92f7", "a493e6d90938bbe5efe425f644c4041d0a0c74404c8b73f489d33d328d1501ea", "e09d248d6bdb9485c97ac15eb33c7bf6ae991d1c3a95f5c51e7bf1833639b96c", "9c29b28dfbc33d42b1050215094260023de75fbc", "af206791419453501fe13d086252f629", "38da022cf8af1169cea91fb86fa7ab5ca2e512f9", "e407d70eb9f90af6103fc71519a0d454", "a65d0888e130eac4d2f7e160f52df4c8", "893ea837583c9ad2775a5f907b817cb411dfd12057846ad09360d38c59edb39e", "254f91bb40539160b6e5cf91d17f4c22", "88c9d78237aef1714c18d8c9a02b53f3c22165171071bae7c8bea99dc875c3f6", "6288f79ca523a8d8897356fbd357daf467116d8e", "f25762e88d91d3a353ad95cfd958f411e9979626d101f99cd8b5a09da8004ca3", "c059daa4452164f35b321bb303fc53fbd92ea933", "5d6e64c2e229f0c18bedf78483cf6560539a87a31fec009a205cd369fcc7ddb6", "cf580e95d3f29da1f273166bb2b341105dcf163b", "f6d811e5e564b528eadd6bd2440d4ff4", "b9a711023cde48ebef1937edd6dfad98382fffca3cd538691a3933921f987d2b", "f7892b8553a93de8679228ecf1ca6f0de7855b46", "38261bfbfa59d9af40a0686529dc2262", "2f5413d9e5f3f2a1da5dba06b64a362f5a89584e1c4f2a164711d6d63cbe7648", "7bd82372c2cd370aa2cfea08fea735f5766f1bc6", "95f7327a2dd6ad35a7363ac72c0a3472", "9aef1f496e5c3cc1ba187fdeb1865b2cb112e71316062913be88e8eba219c417", "bc285df2b57842713075ce1ffc30823146a4a028", "d17b005f6c28c7875294028f7a8595d9", "a0f009b91a76d602d781aa9fff9522289769513b5c9ec10ece9f4891aafc6684", "8e8dead8cbc6a79939760f7b0915e139effa4b2f", "bd760e634620513016f5d3db47f4eda9", "cd861121f29f14fb75db0ce73b979b86fe4eb3c019cd0bd83683786f9af26dd6", "d68cd664051e64aea45b844bdcc38af3460d1359"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc

Required Data Sources

Sentinel TableNotes
DeviceFileEventsEnsure this data connector is enabled

References

False Positive Guidance

Original source: https://threatfox.abuse.ch/browse/malware/py.stealler/