This detection identifies potential Venus Stealer malware activity by matching file hashes against known IOCs; a hit indicates an adversary is likely exfiltrating credentials from the compromised system. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate credential theft early in the attack lifecycle.
IOC Summary
Malware Family: Venus Stealer
Total IOCs: 3
IOC Types: sha1_hash, sha256_hash, md5_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| sha256_hash | f2b4f9ac25b35389294ade3fcfe8a8bb5dc1f0e283c5be145a28bd785e993906 | payload | 2026-06-26 | 95% |
| sha1_hash | c18fdfd1a053a9c408fb8ae563ea55684be5d4ab | payload | 2026-06-26 | 95% |
| md5_hash | 79c3344864afd83d6cfa95aa816e3286 | payload | 2026-06-26 | 95% |
```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - Venus Stealer
let malicious_hashes = dynamic([
    "f2b4f9ac25b35389294ade3fcfe8a8bb5dc1f0e283c5be145a28bd785e993906",  // sha256
    "c18fdfd1a053a9c408fb8ae563ea55684be5d4ab",                          // sha1
    "79c3344864afd83d6cfa95aa816e3286"                                   // md5
]);
DeviceFileEvents
// `in` is case-sensitive; the IOCs are lower-case, so use `in~` if your hash columns are not
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
// project all three hash columns so the row shows which hash type produced the match
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, SHA1, MD5, InitiatingProcessFileName
| order by Timestamp desc
```
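The same hunt replayed in Python over constructed DeviceFileEvents-style records, as an added example that is not part of the original page or the Sentinel query: it normalizes hash case, routes each IOC to the column of its own type (a SHA256 IOC can never match the SHA1 or MD5 column), and returns matches newest first like the KQL. The sample events and their hashes other than the three IOCs are constructed.

```python
from typing import Dict, Iterable, List, Optional, Set

# IOC values taken from the page's table (ThreatFox - Venus Stealer).
MALICIOUS_HASHES = [
    "f2b4f9ac25b35389294ade3fcfe8a8bb5dc1f0e283c5be145a28bd785e993906",  # sha256
    "c18fdfd1a053a9c408fb8ae563ea55684be5d4ab",                          # sha1
    "79c3344864afd83d6cfa95aa816e3286",                                  # md5
]
# DeviceFileEvents column for each digest length: a SHA256 IOC can only ever
# match the SHA256 column, so routing by length avoids pointless comparisons.
COLUMN_BY_LENGTH = {32: "MD5", 40: "SHA1", 64: "SHA256"}

def normalize(value: Optional[str]) -> str:
    """Lower-case and trim a hash so upper-case telemetry still matches."""
    return (value or "").strip().lower()

def index_iocs(hashes: Iterable[str]) -> Dict[str, Set[str]]:
    """Group IOCs by the column they apply to; malformed values are dropped."""
    by_column: Dict[str, Set[str]] = {}
    for h in map(normalize, hashes):
        column = COLUMN_BY_LENGTH.get(len(h))
        if column is not None:
            by_column.setdefault(column, set()).add(h)
    return by_column

def hunt(events: Iterable[dict], hashes: Iterable[str] = MALICIOUS_HASHES) -> List[dict]:
    """Python equivalent of the KQL hunt: matching events, newest first."""
    by_column = index_iocs(hashes)
    hits = []
    for ev in events:
        for column, iocs in by_column.items():
            if normalize(ev.get(column)) in iocs:
                hits.append({**ev, "MatchedOn": column})
                break  # one row per event, as in the KQL
    return sorted(hits, key=lambda e: e["Timestamp"], reverse=True)

# Constructed sample telemetry, not real DeviceFileEvents records.
SAMPLE_EVENTS = [
    {"Timestamp": "2026-06-26T10:01:00Z", "DeviceName": "ws-01", "FileName": "update.exe",
     "SHA256": "F2B4F9AC25B35389294ADE3FCFE8A8BB5DC1F0E283C5BE145A28BD785E993906",
     "SHA1": None, "MD5": None, "InitiatingProcessFileName": "browser.exe"},
    {"Timestamp": "2026-06-26T10:05:00Z", "DeviceName": "srv-02", "FileName": "report.ps1",
     "SHA256": "0" * 64, "SHA1": "1" * 40, "MD5": "2" * 32,
     "InitiatingProcessFileName": "powershell.exe"},
    {"Timestamp": "2026-06-26T10:09:00Z", "DeviceName": "ws-03", "FileName": "svc.exe",
     "SHA256": None, "SHA1": None, "MD5": "79c3344864afd83d6cfa95aa816e3286",
     "InitiatingProcessFileName": "explorer.exe"},
]
```

Running `hunt(SAMPLE_EVENTS)` returns the ws-03 and ws-01 events (MD5 and SHA256 matches) and skips srv-02, whose hashes match nothing.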
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
Scenario: Legitimate Scheduled Job Execution
Description: A system administrator schedules a legitimate script (e.g., PowerShell.exe) to run at specific intervals for routine maintenance or reporting.
Filter/Exclusion: Exclude processes associated with known legitimate scheduled tasks (e.g., schtasks.exe with known job names like DailyBackup or SystemReport). Use a filter like:
```
(process.name IN ("schtasks.exe", "task scheduler")) AND (process.command_line CONTAINS "DailyBackup")
```
Scenario: Admin Using PowerShell for Configuration Management
Description: A system admin uses PowerShell (e.g., PowerShell.exe) to configure system settings, update policies, or manage services.
Filter/Exclusion: Exclude PowerShell commands that are part of known administrative tasks (e.g., Set-ItemProperty, Get-Service). Use a filter like:
```
(process.name = "powershell.exe") AND (process.command_line CONTAINS "Set-ItemProperty" OR process.command_line CONTAINS "Get-Service")
```
Scenario: Legitimate Software Installation via MSI
Description: A software deployment tool (e.g., msiexec.exe) is used to install a legitimate application, which may involve executing scripts or temporary files.
Filter/Exclusion: Exclude processes associated with known software installers (e.g., msiexec.exe with known package names or GUIDs). Use a filter like:
```
(process.name = "msiexec.exe") AND (process.command_line CONTAINS "PackageName" OR process.command_line CONTAINS "GUID")
```
Scenario: System Event Log Analysis with LogParser
Description: A security analyst uses LogParser.exe to analyze event logs for compliance or troubleshooting purposes.