Hunt hypothesis: Venus Stealer, an information-stealing malware family, may be present on endpoints, and an adversary may be using it to collect and exfiltrate sensitive data from compromised systems. Matching the known file hashes (IOCs, sourced from ThreatFox) against endpoint file telemetry surfaces the payload on disk. SOC teams should run this hunt proactively in Azure Sentinel (now Microsoft Sentinel) so that infected hosts are identified and contained before significant data loss occurs.
IOC Summary
Malware Family: Venus Stealer
Total IOCs: 3
IOC Types: md5_hash, sha1_hash, sha256_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| md5_hash | 63ffc60f431eb604910d605d8d72754b | payload | 2026-06-20 | 95% |
| sha256_hash | d34be339fd8c47756de5b4e6c402612a333c50b9e1fa4bffdd32cb3f9d5c1d74 | payload | 2026-06-20 | 95% |
| sha1_hash | e2b60f4ee39925843ad191a57064d35055d0cf02 | payload | 2026-06-20 | 95% |
```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - Venus Stealer
let malicious_hashes = dynamic([
    "63ffc60f431eb604910d605d8d72754b",
    "d34be339fd8c47756de5b4e6c402612a333c50b9e1fa4bffdd32cb3f9d5c1d74",
    "e2b60f4ee39925843ad191a57064d35055d0cf02"
]);
DeviceFileEvents
// in~ is case-insensitive, so upper-case hex from another feed still matches
| where SHA256 in~ (malicious_hashes) or SHA1 in~ (malicious_hashes) or MD5 in~ (malicious_hashes)
// Project all three hash columns so the analyst can see which IOC matched
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, SHA256, SHA1, MD5, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Populated by the Microsoft 365 Defender (Defender for Endpoint) data connector; ensure this connector is enabled. Not every event carries all three hash columns, so match on SHA256, SHA1 and MD5 rather than on one of them. |
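The query above only sees the payload when it is written to disk. A stealer that is already running, or that is delivered as a module loaded into another process, shows up in the process and image-load tables instead. The following is an added example, not part of the original hunt, that runs the same three IOCs across DeviceFileEvents, DeviceProcessEvents and DeviceImageLoadEvents and rolls the hits up per host and hash. It assumes the Defender for Endpoint connector populates all three tables; the 30-day lookback is an assumption to adjust to your retention.

```kql
// Added example: one pass over file, process and image-load telemetry.
// Assumes DeviceFileEvents, DeviceProcessEvents and DeviceImageLoadEvents
// are all ingested by the Defender for Endpoint connector.
let malicious_hashes = dynamic([
    "63ffc60f431eb604910d605d8d72754b",
    "d34be339fd8c47756de5b4e6c402612a333c50b9e1fa4bffdd32cb3f9d5c1d74",
    "e2b60f4ee39925843ad191a57064d35055d0cf02"
]);
let lookback = 30d;   // assumption: tune to your workspace retention
// withsource= adds a column naming the table each row came from, so the
// analyst can tell a file write from an execution or a DLL load.
union withsource = SourceTable DeviceFileEvents, DeviceProcessEvents, DeviceImageLoadEvents
| where Timestamp > ago(lookback)
// in~ is case-insensitive; feeds sometimes ship upper-case hex
| where SHA256 in~ (malicious_hashes) or SHA1 in~ (malicious_hashes) or MD5 in~ (malicious_hashes)
// Record which of the three hashes actually matched
| extend MatchedHash = case(
    SHA256 in~ (malicious_hashes), SHA256,
    SHA1 in~ (malicious_hashes), SHA1,
    MD5)
// One row per host and hash: when it first appeared, where it lives,
// what spawned it and whether it ran or was only dropped.
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Events = count(),
            Tables = make_set(SourceTable), Actions = make_set(ActionType),
            Paths = make_set(FolderPath, 10), Parents = make_set(InitiatingProcessFileName, 10)
    by DeviceName, MatchedHash
| order by FirstSeen asc
```

A host whose Tables set contains DeviceProcessEvents or DeviceImageLoadEvents has executed the payload, not merely received it, and should be triaged first; the Parents set usually points straight at the delivery vector (a browser, an archive tool, a script host).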
False Positive Scenarios
Because the query matches on file hash rather than on behaviour, a hit from one of the contexts below still means the exact IOC file was observed on the host. Use these exclusions to scope and prioritise review, not to silently suppress a 95%-confidence payload hash without first verifying the file (signer, path, and what spawned it).
Scenario: Legitimate Scheduled Job for System Maintenance
Description: A scheduled task runs a PowerShell script to clean temporary files or update system settings.
Filter/Exclusion: Exclude events whose InitiatingProcessFileName is powershell.exe and whose InitiatingProcessCommandLine names a known legitimate script (e.g., Cleanup-SystemTemp.ps1) at its expected path; do not exclude powershell.exe as a whole.
Scenario: Admin Performing Remote PowerShell Management
Description: An administrator uses PowerShell Remoting to manage remote servers, which may include commands that resemble malicious activity.
Filter/Exclusion: Exclude events where InitiatingProcessAccountName is a designated admin account and DeviceName is a known admin workstation or managed server. DeviceFileEvents carries no source IP column, so an exclusion written as `source_ip != 192.168.1.100 or user = admin_user` has to be re-expressed on those columns, and both conditions should be required (and, not or) so that the exclusion stays narrow.
Scenario: Legitimate Use of WMI for System Monitoring
Description: A monitoring tool uses WMI to collect system performance data, which may trigger the rule due to similar command structures.
Filter/Exclusion: Exclude events whose InitiatingProcessCommandLine contains wmic or winmgmt and whose initiating process belongs to a known monitoring tool (e.g., System Center or SolarWinds).
Scenario: Software Update Deployment via Group Policy
Description: A group policy update deploys a legitimate software package that includes a script or executable with similar IOCs.
Filter/Exclusion: Exclude events initiated by gpupdate.exe or associated with a known update management tool (e.g., Microsoft Endpoint Manager). Note that a Group Policy software installation itself is performed by the Windows Installer (msiexec.exe) rather than by gpupdate.exe, so check the parent of the parent before relying on this exclusion.
Scenario: Legitimate Use of PowerShell for Configuration Management
Description: A configuration management tool (e.g., Chef, Puppet, or Ansible) runs PowerShell scripts to configure systems, which may include IOCs from the rule.
Filter/Exclusion: Exclude processes
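The scenarios above describe exclusions in prose; in practice they are easier to review and audit when they live in one small allowlist table and are applied as a priority tag rather than a filter. The following is an added example, not part of the original hunt, that joins the hash hits to a hypothetical allowlist of (parent process, folder) pairs drawn from the scenarios and enriches each hit with code-signing data from DeviceFileCertificateInfo. The allowlist entries, the Cleanup folder path and the 30-day lookback are placeholders to replace with your own reviewed values.

```kql
// Added example: tag hash hits with benign context and signing data instead
// of dropping them. Assumes the Defender for Endpoint connector provides
// DeviceFileEvents and DeviceFileCertificateInfo.
let malicious_hashes = dynamic([
    "63ffc60f431eb604910d605d8d72754b",
    "d34be339fd8c47756de5b4e6c402612a333c50b9e1fa4bffdd32cb3f9d5c1d74",
    "e2b60f4ee39925843ad191a57064d35055d0cf02"
]);
let lookback = 30d;   // assumption: tune to your retention
// Hypothetical allowlist: one row per parent process (keep it one-per-process
// so the join below cannot duplicate hits). Folder prefixes are placeholders.
let benign_context = datatable(InitiatingProcessFileName:string, FolderPrefix:string, Reason:string) [
    "gpupdate.exe",   @"C:\Windows\",              "Software deployment via Group Policy",
    "powershell.exe", @"C:\ProgramData\Cleanup\",  "Scheduled temp-file cleanup (Cleanup-SystemTemp.ps1)"
];
// Latest signing verdict per SHA1, so each hit can be checked for a trusted signer
let signing = DeviceFileCertificateInfo
    | where Timestamp > ago(lookback)
    | summarize arg_max(Timestamp, IsSigned, IsTrusted, Signer) by SHA1
    | project SHA1, IsSigned, IsTrusted, Signer;
DeviceFileEvents
| where Timestamp > ago(lookback)
| where SHA256 in~ (malicious_hashes) or SHA1 in~ (malicious_hashes) or MD5 in~ (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA1, SHA256, MD5,
          InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
// leftouter keeps every hit; rows with no allowlist match get an empty Reason
| join kind=leftouter benign_context on InitiatingProcessFileName
| extend KnownBenignContext = iff(isnotempty(Reason) and FolderPath startswith FolderPrefix, Reason, "")
| join kind=leftouter signing on SHA1
// A high-confidence payload hash is never suppressed by context; the tag only
// tells the analyst what to verify first.
| extend Priority = case(
    isnotempty(KnownBenignContext) and IsTrusted == true, "3-Low: trusted-signed file in allowlisted context",
    isnotempty(KnownBenignContext),                       "2-Medium: allowlisted context but file is not trusted-signed",
    "1-High: no benign context")
| project-away FolderPrefix, Reason, InitiatingProcessFileName1, SHA11
| order by Priority asc, Timestamp desc
```

The join keys produce right-hand duplicates named InitiatingProcessFileName1 and SHA11, which the project-away removes. If a 95%-confidence payload hash ever lands in the 3-Low bucket, the more likely explanation is a bad IOC in the feed than a benign collision, and the allowlist entry and the IOC should both be re-examined rather than the hit closed.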