The ThreatFox: Unknown malware IOCs rule detects potential adversary activity involving unknown malicious indicators that could signal the presence of previously unseen malware in the environment. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced threats that may evade traditional detection methods.
IOC Summary
Malware Family: Unknown malware
Total IOCs: 15
IOC Types: domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 43[.]133[.]165[.]151:7443 | botnet_cc | 2026-05-28 | 75% |
| ip:port | 27[.]102[.]138[.]15:7443 | botnet_cc | 2026-05-28 | 75% |
| ip:port | 172[.]236[.]142[.]17:6933 | botnet_cc | 2026-05-28 | 75% |
| ip:port | 113[.]31[.]106[.]85:7443 | botnet_cc | 2026-05-28 | 75% |
| ip:port | 103[.]183[.]75[.]134:20443 | botnet_cc | 2026-05-28 | 75% |
| domain | ganiballektor.cfd | payload_delivery | 2026-05-28 | 100% |
| domain | b.adobepdf | payload_delivery | 2026-05-28 | 100% |
| domain | adobepdf.cc.cc | payload_delivery | 2026-05-28 | 100% |
| domain | remoto.ddins.click | payload_delivery | 2026-05-28 | 100% |
| domain | hpscdn.beer | payload_delivery | 2026-05-28 | 100% |
| domain | pusanik.shop | payload_delivery | 2026-05-28 | 100% |
| domain | lunareclipse.monster | payload_delivery | 2026-05-28 | 100% |
| domain | oraxdata.monster | payload_delivery | 2026-05-28 | 100% |
| ip:port | 37[.]114[.]205[.]134:80 | payload_delivery | 2026-05-28 | 80% |
| ip:port | 43[.]133[.]149[.]36:18443 | botnet_cc | 2026-05-27 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Unknown malware
let malicious_ips = dynamic(["27.102.138.15", "172.236.142.17", "103.183.75.134", "43.133.165.151", "113.31.106.85", "43.133.149.36", "37.114.205.134"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Unknown malware
let malicious_ips = dynamic(["27.102.138.15", "172.236.142.17", "103.183.75.134", "43.133.165.151", "113.31.106.85", "43.133.149.36", "37.114.205.134"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown malware
let malicious_domains = dynamic(["ganiballektor.cfd", "b.adobepdf", "adobepdf.cc.cc", "remoto.ddins.click", "hpscdn.beer", "pusanik.shop", "lunareclipse.monster", "oraxdata.monster"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
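The IOC table is defanged (`43[.]133[.]165[.]151:7443`) while the queries need refanged values, and the queries match on IP alone, dropping the port that makes an `ip:port` indicator more specific. The Python below is an added example, not code from the original page or from ThreatFox: it parses four rows copied from the table (constructed sample input, still defanged), refangs them, emits the two `let` lists used by the queries above, and then checks constructed sample events with port and confidence awareness, so an IP hit on the listed port is labelled differently from an IP hit on some other port. The event dictionaries and their field names are assumptions for illustration, not the Sentinel schema, and domain matching here is exact-or-subdomain rather than KQL's `has_any`.

```python
"""Turn defanged ThreatFox IOC rows into refanged hunting inputs and check
sample network/DNS events against them, port- and confidence-aware."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: four rows copied from the IOC table above, still defanged.
IOC_TABLE = """
| ip:port | 43[.]133[.]165[.]151:7443 | botnet_cc | 2026-05-28 | 75% |
| ip:port | 37[.]114[.]205[.]134:80 | payload_delivery | 2026-05-28 | 80% |
| domain | ganiballektor.cfd | payload_delivery | 2026-05-28 | 100% |
| domain | adobepdf.cc.cc | payload_delivery | 2026-05-28 | 100% |
"""

IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


@dataclass(frozen=True)
class Ioc:
    ioc_type: str        # "ip:port" or "domain", as in the table's Type column
    value: str           # refanged IP address or domain
    port: Optional[int]  # set only for ip:port indicators
    threat_type: str
    confidence: int      # percent, from the Confidence column


def refang(value: str) -> str:
    """Undo ThreatFox-style defanging: only the bracketed dots are changed."""
    return value.replace("[.]", ".")


def parse_ioc_rows(table: str) -> list[Ioc]:
    """Parse markdown table rows of the form shown on this page into Ioc records."""
    iocs: list[Ioc] = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 5 or cells[0] == "Type" or set(cells[0]) <= {"-"}:
            continue  # skip header and separator rows
        ioc_type, raw, threat_type, _first_seen, conf = cells
        value, port = refang(raw), None
        if ioc_type == "ip:port":
            value, port_str = value.rsplit(":", 1)
            port = int(port_str)
        if ioc_type.startswith("ip") and not IPV4_RE.match(value):
            raise ValueError(f"malformed IP indicator: {raw!r}")
        iocs.append(Ioc(ioc_type, value.lower(), port, threat_type, int(conf.rstrip("%"))))
    return iocs


def kql_let_statements(iocs: list[Ioc]) -> str:
    """Emit the two `let` lists used by the KQL queries above, refanged and de-duplicated."""
    def quoted(values: set[str]) -> str:
        return ", ".join(f'"{v}"' for v in sorted(values))
    ips = {i.value for i in iocs if i.ioc_type == "ip:port"}
    domains = {i.value for i in iocs if i.ioc_type == "domain"}
    return (f"let malicious_ips = dynamic([{quoted(ips)}]);\n"
            f"let malicious_domains = dynamic([{quoted(domains)}]);")


# Constructed sample events, loosely shaped like DeviceNetworkEvents / DnsEvents rows.
SAMPLE_EVENTS = [
    {"device": "ws-01", "remote_ip": "43.133.165.151", "remote_port": 7443},  # IP and port both match
    {"device": "ws-02", "remote_ip": "43.133.165.151", "remote_port": 443},   # IP matches, port differs
    {"device": "ws-03", "remote_ip": "10.0.0.5", "remote_port": 7443},        # internal host; a port alone is not an IOC
    {"device": "ws-04", "query": "cdn.adobepdf.cc.cc."},                      # subdomain of a listed domain
    {"device": "ws-05", "query": "notadobepdf.cc.cc"},                        # shares a suffix but is a different domain
]


def match_events(events: list[dict], iocs: list[Ioc], min_confidence: int = 0) -> list[dict]:
    """Return one hit per event/IOC pair, labelled with how precisely it matched."""
    hits = []
    for ev in events:
        for ioc in iocs:
            if ioc.confidence < min_confidence:
                continue
            fidelity = None
            if ioc.ioc_type == "ip:port" and ev.get("remote_ip") == ioc.value:
                fidelity = "ip+port" if ev.get("remote_port") == ioc.port else "ip-only"
            elif ioc.ioc_type == "domain" and "query" in ev:
                name = ev["query"].lower().rstrip(".")  # drop the trailing root dot
                if name == ioc.value or name.endswith("." + ioc.value):
                    fidelity = "domain"
            if fidelity:
                hits.append({"device": ev["device"], "indicator": ioc.value,
                             "fidelity": fidelity, "threat_type": ioc.threat_type,
                             "confidence": ioc.confidence})
    return hits


if __name__ == "__main__":
    parsed = parse_ioc_rows(IOC_TABLE)
    print(kql_let_statements(parsed))
    for hit in match_events(SAMPLE_EVENTS, parsed):
        print(hit)
```

Feeding the full table through `parse_ioc_rows` reproduces the `let` lists in the queries above; the `fidelity` label is what lets an analyst triage an `ip+port` hit on a botnet C2 port ahead of an `ip-only` hit that may be shared hosting, and `min_confidence` lets the 75% entries be held back from alerting while still being hunted.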
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is using PowerShell to run a scheduled job that downloads a legitimate update from a known internal repository.
Filter/Exclusion: Exclude any IOCs that match internal IP ranges or known internal repositories (e.g., 10.0.0.0/8, 192.168.0.0/16, or internal-update-server.example.com).
Scenario: A security tool like OSSEC is performing a routine log analysis and generates a file that matches an IOC in the ThreatFox database.
Filter/Exclusion: Exclude files generated by known security tools (e.g., ossec.log, ossec.log.gz, or processes related to ossec).
Scenario: A DevOps team is using Ansible to deploy a configuration management script that includes a temporary file with a hash that matches an unknown IOC.
Filter/Exclusion: Exclude files with known Ansible artifacts (e.g., *.yml, *.json, or files containing ansible in their path or content).
Scenario: A database administrator is using SQL Server Agent to run a backup job that writes to a temporary file with a hash that appears in the ThreatFox database.
Filter/Exclusion: Exclude files created by SQL Server Agent jobs (e.g., backup_*.sql, *.bak, or files with SQLServer in their name or path).
Scenario: A user is running a PowerShell script to automate system monitoring, which temporarily creates a file with a hash that is flagged as unknown.
Filter/Exclusion: Exclude files created by known PowerShell scripts (e.g., monitoring_script.ps1, *.log, or files with PowerShell in their name or content).