The ThreatFox: Venus Stealer IOCs rule detects potential adversary activity linked to the Venus Stealer malware, which is known for exfiltrating sensitive data and establishing persistence. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced threats before they cause significant data breaches or operational disruption.
IOC Summary
Malware Family: Venus Stealer
Total IOCs: 3
IOC Types: sha1_hash, sha256_hash, md5_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| sha1_hash | 7289458374e11e03123fcd18b3dc0a2583539ac4 | payload | 2026-06-17 | 95% |
| md5_hash | 4dbf036d9486c34dc26ae3316ae13073 | payload | 2026-06-17 | 95% |
| sha256_hash | 2e2544644c43e065078d1e9419123c1433aa418a1b5539804374c41f5d99433e | payload | 2026-06-17 | 95% |
```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - Venus Stealer
let malicious_hashes = dynamic([
    "7289458374e11e03123fcd18b3dc0a2583539ac4",
    "4dbf036d9486c34dc26ae3316ae13073",
    "2e2544644c43e065078d1e9419123c1433aa418a1b5539804374c41f5d99433e"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
Scenario: Legitimate System Update via Chocolatey
Description: A system administrator uses Chocolatey to install a legitimate package that matches one of the IOCs associated with Venus Stealer.
Filter/Exclusion: process.name != "choco.exe" and process.parent.name != "choco.exe"
Scenario: Scheduled Job for Log Collection
Description: A scheduled task runs a script using PowerShell to collect logs, which may include file paths or network connections that match the IOC patterns.
Filter/Exclusion: process.name != "powershell.exe" or not (process.command_line contains "log-collect")
Scenario: Admin Task for Patch Management
Description: An admin task uses a tool like Windows Update or WSUS to deploy patches, which may involve downloading files that match the IOC signatures.
Filter/Exclusion: not (process.name contains "wuau" or process.name contains "wsus")
Scenario: Legitimate File Access via File Explorer
Description: A user accesses a file or folder that contains a name or path matching the IOC, such as C:\Windows\Temp\venus.exe, which is a known false positive.
Filter/Exclusion: process.name != "explorer.exe" and process.user != "[email protected]"
Scenario: Network Monitoring Tool Generating Traffic
Description: A network monitoring tool like Wireshark or Microsoft Network Monitor generates traffic that matches the IOC patterns due to normal network analysis.
Filter/Exclusion: not (process.name contains "wireshark" or process.name contains "netmon" or process.parent.name contains "network-monitor.exe")
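The exclusions above are written against generic `process.*` field names that do not exist in the `DeviceFileEvents` table the hunting query uses. The following KQL is an added example, not part of the original rule, that applies the same hash hunt and the same false-positive scenarios against the real `DeviceFileEvents` columns (`InitiatingProcessFileName`, `InitiatingProcessParentFileName`, `InitiatingProcessCommandLine`, `InitiatingProcessAccountUpn`). The 30-day window and the `allowlisted_account` value are assumptions to be replaced per tenant; the hashes are the three ThreatFox IOCs listed above.

```kql
// Added example (not the original rule): ThreatFox Venus Stealer hash hunt with the
// false-positive exclusions expressed in DeviceFileEvents columns.
let lookback = 30d;                                   // assumption: adjust to the retention you hunt over
let allowlisted_account = "REPLACE_WITH_ADMIN_UPN";    // placeholder for the File Explorer scenario's user
let malicious_hashes = dynamic([
    "7289458374e11e03123fcd18b3dc0a2583539ac4",      // sha1
    "4dbf036d9486c34dc26ae3316ae13073",              // md5
    "2e2544644c43e065078d1e9419123c1433aa418a1b5539804374c41f5d99433e"]);  // sha256
DeviceFileEvents
| where Timestamp > ago(lookback)
// in~ is case-insensitive, so hashes reported in upper case still match the lower-case IOCs
| where SHA1 in~ (malicious_hashes) or MD5 in~ (malicious_hashes) or SHA256 in~ (malicious_hashes)
// Scenario: Chocolatey install (process or its parent is choco.exe)
| where not (InitiatingProcessFileName =~ "choco.exe" or InitiatingProcessParentFileName =~ "choco.exe")
// Scenario: scheduled PowerShell log collection (both conditions must hold to be excluded)
| where not (InitiatingProcessFileName =~ "powershell.exe"
             and InitiatingProcessCommandLine contains "log-collect")
// Scenario: Windows Update / WSUS patch deployment
| where not (InitiatingProcessFileName contains "wuau" or InitiatingProcessFileName contains "wsus")
// Scenario: interactive File Explorer access by the allowlisted admin account
| where not (InitiatingProcessFileName =~ "explorer.exe"
             and InitiatingProcessAccountUpn =~ allowlisted_account)
// Scenario: network monitoring tools
| where not (InitiatingProcessFileName contains "wireshark"
             or InitiatingProcessFileName contains "netmon"
             or InitiatingProcessParentFileName contains "network-monitor.exe")
// Keep every hash column so the analyst can see which IOC fired
| project Timestamp, DeviceName, FileName, FolderPath, SHA1, MD5, SHA256,
          InitiatingProcessFileName, InitiatingProcessParentFileName,
          InitiatingProcessCommandLine, InitiatingProcessAccountUpn
| order by Timestamp desc
```

Each exclusion is wrapped in `not (...)` so that an event is dropped only when the full scenario context matches, rather than when any single condition fails. Because a hash identifies the file content itself regardless of which process wrote it, review a matched file before enabling any of these exclusions in production; a quick way to see what they would suppress is to run the query once with the `where not (...)` lines removed and compare the result counts.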