The ThreatFox: Unknown malware IOCs rule detects potential adversary activity involving previously unidentified malicious indicators, suggesting the presence of unknown malware in the environment. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats that evade traditional detection methods.
IOC Summary
Malware Family: Unknown malware Total IOCs: 55 IOC Types: domain, url, ip:port, sha256_hash, md5_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | coffeefromarabica.monster | payload_delivery | 2026-06-04 | 100% |
| domain | lskannsserv.beer | payload_delivery | 2026-06-04 | 100% |
| ip:port | 206[.]238[.]68[.]33:8383 | botnet_cc | 2026-06-04 | 75% |
| domain | tfx-test-1780560802405.xyz | botnet_cc | 2026-06-04 | 100% |
| ip:port | 135[.]181[.]2[.]236:443 | botnet_cc | 2026-06-04 | 75% |
| domain | numerosoftware.click | botnet_cc | 2026-06-04 | 100% |
| domain | cloud.white-monster.xyz | botnet_cc | 2026-06-04 | 100% |
| domain | human2nd-confirm.top | botnet_cc | 2026-06-04 | 100% |
| domain | regularizarcadastral.online | payload_delivery | 2026-06-04 | 100% |
| domain | 5qynbyjl4u6vbtnmpokslaxaknyicdvty7vn2qgxmaty3lb7wwxpkbid.onion | botnet_cc | 2026-06-04 | 100% |
| domain | diyr2bnty7iktyxfd4kz65uigcfappjvux73dpgkkeocp3fmlgnuzyyd.onion | botnet_cc | 2026-06-04 | 100% |
| domain | e7a6zgqfijn2ko6lzkz53tysjpnf22fxj4h2f3saufrmsts5pbul5eid.onion | botnet_cc | 2026-06-04 | 100% |
| domain | yxwomyfmexm3bfcuumnugrzwluol5qwsw6pmne7jklgmzthkp35l2jqd.onion | botnet_cc | 2026-06-04 | 100% |
| domain | etus2tmakckdlkyjpevoyciuao7er5fj3qm26aev3nch4fusptefiayd.onion | botnet_cc | 2026-06-04 | 100% |
| domain | csxilwnl7orv6rwfjen5ye3tefk5shjtr4tysuykgxjsyngpvoqrvbid.onion | botnet_cc | 2026-06-04 | 100% |
| domain | psvrn6ahevi6dgf55bzc26q3gjc7s6n7vcth34rmkl2y7e7dijhjfiqd.onion | botnet_cc | 2026-06-04 | 100% |
| domain | xsomiaq5awxh3zkzn334s3dgwuvngy6z2to7265exgovnkwk66hjypid.onion | botnet_cc | 2026-06-04 | 100% |
| domain | m3wwhkus4dxbnxbtihexlyd2cv63qrvex6jiebc4vqe22kg2z3udebid.onion | botnet_cc | 2026-06-04 | 100% |
| domain | glheoet37vdimgho57tqj76v7fnebnbqxn65bounxyt6hduilkso4yyd.onion | botnet_cc | 2026-06-04 | 100% |
| domain | aw6wb6lmqbtp5po7qrmvmujulbxw4eeeolpg3byva2bgoj44psdugmid.onion | botnet_cc | 2026-06-04 | 100% |
| domain | mejouwrwja4iou7myj34rqi7cixyhn7vsa42e2n2dhxzc5mmkiaki3yd.onion | botnet_cc | 2026-06-04 | 100% |
| domain | ltxnzpfvmr3c3rcbw5x4q2ejy6fmbp7kc35oql3gooyydg7belfmnyad.onion | botnet_cc | 2026-06-04 | 100% |
| domain | 3fg2gfwrdks46drwvejpgpak5klrflclsjjo35dxtqfk3poeez6oezad.onion | botnet_cc | 2026-06-04 | 100% |
| domain | emdnfl2fv32jhssxcbxlo6dzg2at4d7qbw2md6inz63qzdfgyln5cwyd.onion | botnet_cc | 2026-06-04 | 100% |
| domain | a4vbe7yp4kluped6khuhpr5nmzshiimx2jt5j22ozriiq6ngsm3fcpyd.onion | botnet_cc | 2026-06-04 | 100% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Unknown malware
let malicious_ips = dynamic(["135.181.2.236", "206.238.68.33"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["135.181.2.236", "206.238.68.33"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown malware
let malicious_domains = dynamic(["coffeefromarabica.monster", "lskannsserv.beer", "tfx-test-1780560802405.xyz", "numerosoftware.click", "cloud.white-monster.xyz", "human2nd-confirm.top", "regularizarcadastral.online", "5qynbyjl4u6vbtnmpokslaxaknyicdvty7vn2qgxmaty3lb7wwxpkbid.onion", "diyr2bnty7iktyxfd4kz65uigcfappjvux73dpgkkeocp3fmlgnuzyyd.onion", "e7a6zgqfijn2ko6lzkz53tysjpnf22fxj4h2f3saufrmsts5pbul5eid.onion", "yxwomyfmexm3bfcuumnugrzwluol5qwsw6pmne7jklgmzthkp35l2jqd.onion", "etus2tmakckdlkyjpevoyciuao7er5fj3qm26aev3nch4fusptefiayd.onion", "csxilwnl7orv6rwfjen5ye3tefk5shjtr4tysuykgxjsyngpvoqrvbid.onion", "psvrn6ahevi6dgf55bzc26q3gjc7s6n7vcth34rmkl2y7e7dijhjfiqd.onion", "xsomiaq5awxh3zkzn334s3dgwuvngy6z2to7265exgovnkwk66hjypid.onion", "m3wwhkus4dxbnxbtihexlyd2cv63qrvex6jiebc4vqe22kg2z3udebid.onion", "glheoet37vdimgho57tqj76v7fnebnbqxn65bounxyt6hduilkso4yyd.onion", "aw6wb6lmqbtp5po7qrmvmujulbxw4eeeolpg3byva2bgoj44psdugmid.onion", "mejouwrwja4iou7myj34rqi7cixyhn7vsa42e2n2dhxzc5mmkiaki3yd.onion", "ltxnzpfvmr3c3rcbw5x4q2ejy6fmbp7kc35oql3gooyydg7belfmnyad.onion", "3fg2gfwrdks46drwvejpgpak5klrflclsjjo35dxtqfk3poeez6oezad.onion", "emdnfl2fv32jhssxcbxlo6dzg2at4d7qbw2md6inz63qzdfgyln5cwyd.onion", "a4vbe7yp4kluped6khuhpr5nmzshiimx2jt5j22ozriiq6ngsm3fcpyd.onion", "x3nb7qcygpem2j5xzstyzdtgzofzkwkx4eko3ug4r73i6uhcgvyffjyd.onion", "3frnhzcnlkjnw5q3tm6elzizinm2k3bmrtf2xwqjzpcxzeqwn2tv6wyd.onion", "6ft2dfh26wm3w44orpjcgviutvfp25ez2iyh5ego5egvfmifrws7vvqd.onion", "zijgmuqjzb6dc7pofxhtaiz36qqyg35lhutybmzaz6whzgei2casjgid.onion", "inzk64xcf3sm6qzkehmio7piwhkslhnab3rlviniyg7alcgsxvy7kcyd.onion", "upiqcdsgvh6v5owteasjzyxbj2xug574dj4fctthehd7zjq7wmuxbwqd.onion", "psv5ejeysrncs6ltu4pkjyazswcmw3atmxi4eg44a6luudin5ufchcqd.onion", "757ylxaeemidrhrmmuz6rkxw5jlk65oqou3lvi6evxtrr2nhm5ytmrqd.onion", "xq5m6ofel63h57by46algju25g37zkdwoxxt7ij45b6obo4mxzc3h6id.onion", "q2bg7ljsrpmy6736qqmpwsnqqm3w6d3hhrokohytnmldbom7sthp4sad.onion", "peargxn3oki34c4savcbcfqofjjwjnnyrlrbszfv6ujlx36mhrh57did.onion", "pearsmob5sn44ismokiusuld34pnfwi6ctgin3qbvonpoob4lh3rmtqd.onion", "jfbrxii.enf90.app", "biddulphmuseum.com", "90g90.com", "uuti.biddulphmuseum.com", "asiudasoidu.90g90.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc// Hunt for access to known malicious URLs
// Source: ThreatFox - Unknown malware
let malicious_urls = dynamic(["http://185.228.26.16/azsxd.arm6", "http://185.228.26.16/azsxd.arm7", "http://185.228.26.16/azsxd.arm5", "http://185.228.26.16/azsxd.mips", "http://185.228.26.16/azsxd.x86", "http://185.228.26.16/azsxd.mpsl"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc// Hunt for files matching known malicious hashes
// Source: ThreatFox - Unknown malware
let malicious_hashes = dynamic(["523c501118ef5d7957ce54aee86d9b1d", "40279ce4de656aada27374a03062264c", "e30a11906aadffc1682a1b07934301c6b68b854c9979bc64fd65152a349ed59f", "bf5eea26587860faa25bbff99fb0a02e434d561a28a9675c29494653ade366b0", "601f4ae850e192bc76300f3851f4b421ba2e05313cb3f1ace0a0c98301e237bb", "4af29f1dc5cacc56d2e84ba3538cb54983b71d4fe27af44c8c00dddcbd45be49", "9291df53e16c7351e275c0e0b4a8a9ba"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceFileEvents | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
UrlClickEvents | Ensure this data connector is enabled |
Scenario: A system administrator is using PowerShell to run a scheduled job that downloads a legitimate update from a known Microsoft server.
Filter/Exclusion: Exclude IOCs that match known Microsoft update servers (e.g., download.microsoft.com, windowsupdate.microsoft.com).
Scenario: A DevOps engineer is using Ansible to deploy a configuration management script that includes a legitimate third-party tool (e.g., Nginx or Docker) via a remote repository.
Filter/Exclusion: Exclude IOCs related to known CI/CD platforms and repositories (e.g., github.com, gitlab.com, docker.io).
Scenario: A database administrator is using SQL Server Agent to run a nightly backup job that connects to a remote storage service (e.g., AWS S3 or Azure Blob Storage).
Filter/Exclusion: Exclude IOCs associated with cloud storage endpoints and known backup tools (e.g., s3.amazonaws.com, blob.core.windows.net).
Scenario: A security analyst is using Wireshark to analyze network traffic and saves the capture file to a local drive using a tool like tcpdump.
Filter/Exclusion: Exclude IOCs related to network analysis tools and common file paths used by security tools (e.g., tcpdump, wireshark, /var/log/).
Scenario: A system administrator is using Windows Task Scheduler to run a script that performs log rotation and compresses logs using 7-Zip.
Filter/Exclusion: Exclude IOCs related to log management tools and common compression utilities (e.g., 7z.exe, logs/, C:\Windows\System32\taskhost.exe).