ThreatFox: Unknown malware IOCs

Hunt Hypothesis

The ThreatFox: Unknown malware IOCs rule detects potential adversary activity involving unknown malicious indicators linked to malware that may evade traditional detection methods. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats that could compromise critical assets.

IOC Summary

Malware Family: Unknown malware Total IOCs: 44 IOC Types: sha256_hash, url, md5_hash, ip:port, domain

Type	Value	Threat Type	First Seen	Confidence
domain	`varmil9.digital`	payload_delivery	2026-04-23	100%
url	`hxxps://varmil9.digital/script.sh`	payload_delivery	2026-04-23	100%
url	`hxxps://consider-dorasti.digital/script.sh`	payload_delivery	2026-04-23	100%
domain	`consider-dorasti.digital`	payload_delivery	2026-04-23	100%
url	`hxxps://zorex4.digital/script.sh`	payload_delivery	2026-04-23	100%
domain	`zorex4.digital`	payload_delivery	2026-04-23	100%
url	`hxxps://overdoin8seven.digital/script.sh`	payload_delivery	2026-04-23	100%
domain	`overdoin8seven.digital`	payload_delivery	2026-04-23	100%
url	`hxxps://invite.jalallinux.ir/Windows/download.php`	payload_delivery	2026-04-23	100%
url	`hxxps://invite.jalallinux.ir/Windows/install-guide.php`	payload_delivery	2026-04-23	100%
url	`hxxps://invite.jalallinux.ir/Windows/microsoft-store.php`	payload_delivery	2026-04-23	100%
url	`hxxps://invite.jalallinux.ir/Windows/invite.php`	payload_delivery	2026-04-23	100%
domain	`invite.jalallinux.ir`	payload_delivery	2026-04-23	100%
url	`hxxps://pohuimne.lol/log.php`	payload_delivery	2026-04-23	100%
url	`hxxps://pohuimne.lol/api/index.php`	payload_delivery	2026-04-23	100%
url	`hxxps://pohuimne.lol/cf.js`	payload_delivery	2026-04-23	100%
domain	`pohuimne.lol`	payload_delivery	2026-04-23	100%
ip:port	`143[.]198[.]237[.]25:443`	botnet_cc	2026-04-23	75%
domain	`cjn37-uyaaa-aaaac-qgnva-cai.raw.icp0.io`	botnet_cc	2026-04-23	50%
domain	`telemetry.api-monitor.com`	botnet_cc	2026-04-23	50%
domain	`109876543210.com`	payload_delivery	2026-04-23	75%
domain	`desktop-version.com`	payload_delivery	2026-04-23	75%
ip:port	`47[.]98[.]202[.]186:443`	payload_delivery	2026-04-23	75%
ip:port	`145[.]6[.]15[.]222:443`	payload_delivery	2026-04-23	75%
md5_hash	`19b2d94f9390904610fead9581f8c065`	payload	2026-04-23	75%

KQL: Ip Hunt

// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Unknown malware
let malicious_ips = dynamic(["65.109.108.183", "143.198.237.25", "89.124.95.161", "47.98.202.186", "145.6.15.222"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc

KQL: Ip Hunt Device

// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["65.109.108.183", "143.198.237.25", "89.124.95.161", "47.98.202.186", "145.6.15.222"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc

KQL: Domain Hunt

// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown malware
let malicious_domains = dynamic(["varmil9.digital", "consider-dorasti.digital", "zorex4.digital", "overdoin8seven.digital", "invite.jalallinux.ir", "pohuimne.lol", "cjn37-uyaaa-aaaac-qgnva-cai.raw.icp0.io", "telemetry.api-monitor.com", "109876543210.com", "desktop-version.com", "joselin-whitson-on-movie.com", "devilxclusive.lol"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc

KQL: Url Hunt

// Hunt for access to known malicious URLs
// Source: ThreatFox - Unknown malware
let malicious_urls = dynamic(["https://varmil9.digital/script.sh", "https://consider-dorasti.digital/script.sh", "https://zorex4.digital/script.sh", "https://overdoin8seven.digital/script.sh", "https://invite.jalallinux.ir/Windows/download.php", "https://invite.jalallinux.ir/Windows/install-guide.php", "https://invite.jalallinux.ir/Windows/microsoft-store.php", "https://invite.jalallinux.ir/Windows/invite.php", "https://pohuimne.lol/log.php", "https://pohuimne.lol/api/index.php", "https://pohuimne.lol/cf.js", "https://link.storjshare.io/raw/ju3mgrkmdre5do5q2oylvashfqpq/blue/Setup64.exe", "http://167.235.253.218:6062/", "http://150.241.92.37:5021/getlog/x/08oFdi40aT0t", "http://150.241.92.37:5021/getlog/x/", "http://150.241.92.37:5021/getlog", "http://joselin-whitson-on-movie.com:5632/", "http://150.241.92.37:5021/", "https://devilxclusive.lol/api_config.php", "https://devilxclusive.lol/api_sms.php", "https://devilxclusive.lol/api_bank.php"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc

KQL: Hash Hunt

// Hunt for files matching known malicious hashes
// Source: ThreatFox - Unknown malware
let malicious_hashes = dynamic(["19b2d94f9390904610fead9581f8c065", "5e8ad983129f6771d186f60379dca30d208374cac45bac75d5459aaf0fabc8ad", "a9c2d8abdb621875493269ce87d8805c1023017d0b94330359e08f39b182b0de", "a877d1f43281ccfd0b1150d18fe698b777034720f8a98c1e0b647ced4d1b2410", "642ebd83ac8f7863f8b0d47d99c614acc42c89e134b0e332de85f60550139ca5"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc

Required Data Sources

Sentinel Table	Notes
`CommonSecurityLog`	Ensure this data connector is enabled
`DeviceFileEvents`	Ensure this data connector is enabled
`DeviceNetworkEvents`	Ensure this data connector is enabled
`DnsEvents`	Ensure this data connector is enabled
`UrlClickEvents`	Ensure this data connector is enabled

References

ThreatFox — Unknown malware

False Positive Guidance

Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that temporarily writes to a known system directory, triggering an IOC match.
Filter/Exclusion: Exclude files with paths containing C:\Windows\Tasks\ or C:\Windows\Sched\.
Scenario: Admin Performing Disk Cleanup
Description: An administrator uses the built-in Disk Cleanup tool, which may temporarily access or delete files that match known IOCs.
Filter/Exclusion: Exclude processes with explorer.exe or cleanmgr.exe and paths containing C:\Windows\Temp\.
Scenario: Log File Rotation by Windows Event Log Service
Description: The Windows Event Log service rotates log files, which may involve moving or renaming files that match IOC patterns.
Filter/Exclusion: Exclude files with paths containing C:\Windows\System32\winevt\Logs\ and process names like eventlog.exe.
Scenario: Antivirus Quarantine Operations
Description: A legitimate antivirus tool quarantines files, which may involve moving files to a quarantine directory that matches an IOC.
Filter/Exclusion: Exclude processes with avgnt.exe, mcafee.exe, or bitdefender.exe and paths containing C:\ProgramData\.
Scenario: Database Backup Job Using SQL Server Agent
Description: A SQL Server Agent job performs a backup, which may involve temporary file creation in a directory that matches an IOC.
Filter/Exclusion: Exclude processes with sqlservr.exe or sqlagent.exe and paths containing C:\Program Files\Microsoft SQL Server\.