The ThreatFox: Unknown malware IOCs rule flags network activity involving indicators that ThreatFox has published without a malware-family attribution: the reporter observed malicious infrastructure but could not tie it to a known family, so family-specific signatures will not catch it. The set mixes payload_delivery domains (hosts serving stages or downloads) with botnet_cc ip:port pairs (command-and-control endpoints), each with the reporter's confidence score. SOC teams should hunt for these IOCs in Azure Sentinel (now Microsoft Sentinel) so that a hit is found and contained before the unattributed payload has a chance to do significant damage.
IOC Summary
Malware Family: Unknown malware
Total IOCs: 25
IOC Types: domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | clhfgcomacdn.beer | payload_delivery | 2026-06-09 | 100% |
| domain | hasmeverdcdn.beer | payload_delivery | 2026-06-09 | 100% |
| domain | hftplcnsns.beer | payload_delivery | 2026-06-09 | 100% |
| domain | srtydnnc.beer | payload_delivery | 2026-06-09 | 100% |
| domain | bhfgtrns-js.beer | payload_delivery | 2026-06-09 | 100% |
| domain | claufancdn.beer | payload_delivery | 2026-06-09 | 100% |
| domain | shkcinnc.beer | payload_delivery | 2026-06-09 | 100% |
| domain | japanpatagonia.monster | payload_delivery | 2026-06-09 | 100% |
| domain | showmecoffee.monster | payload_delivery | 2026-06-09 | 100% |
| domain | coffeefrombrazil.monster | payload_delivery | 2026-06-09 | 100% |
| domain | legitmobile.monster | payload_delivery | 2026-06-09 | 100% |
| domain | tommysdemons.monster | payload_delivery | 2026-06-09 | 100% |
| domain | xdavnode.pro | payload_delivery | 2026-06-09 | 100% |
| domain | fithusbandplan.monster | payload_delivery | 2026-06-09 | 100% |
| domain | profilab.monster | payload_delivery | 2026-06-09 | 100% |
| domain | sampatiguide.monster | payload_delivery | 2026-06-09 | 100% |
| domain | xcoffeeteaandwatherx.monster | payload_delivery | 2026-06-09 | 100% |
| ip:port | 175[.]178[.]123[.]42:28443 | botnet_cc | 2026-06-09 | 75% |
| domain | fancystraits.info | payload_delivery | 2026-06-09 | 100% |
| ip:port | 101[.]200[.]234[.]195:80 | botnet_cc | 2026-06-09 | 100% |
| ip:port | 101[.]200[.]234[.]195:8080 | botnet_cc | 2026-06-09 | 100% |
| ip:port | 101[.]200[.]234[.]195:443 | botnet_cc | 2026-06-09 | 100% |
| ip:port | 101[.]200[.]234[.]195:60000 | botnet_cc | 2026-06-09 | 100% |
| domain | checkphoto-bookin.com | payload_delivery | 2026-06-09 | 100% |
| domain | keysrace.info | payload_delivery | 2026-06-09 | 100% |
```kql
// Hunt for network connections to known malicious IPs in firewall/proxy CEF logs
// Source: ThreatFox - Unknown malware
// The ip:port IOCs are 101.200.234.195 on 80, 8080, 443 and 60000, and
// 175.178.123.42 on 28443 (75% confidence). DestinationPort is projected so a
// hit can be compared against the listed port before escalating.
let malicious_ips = dynamic(["101.200.234.195", "175.178.123.42"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Unknown malware
// InitiatingProcessFileName identifies the process that opened the connection;
// an unexpected process talking to a botnet_cc endpoint is the strongest signal here.
let malicious_ips = dynamic(["101.200.234.195", "175.178.123.42"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown malware
// has_any does term matching, so subdomains of a listed domain
// (for example cdn.xdavnode.pro) are caught as well as the bare domain.
let malicious_domains = dynamic(["clhfgcomacdn.beer", "hasmeverdcdn.beer", "hftplcnsns.beer", "srtydnnc.beer", "bhfgtrns-js.beer", "claufancdn.beer", "shkcinnc.beer", "japanpatagonia.monster", "showmecoffee.monster", "coffeefrombrazil.monster", "legitmobile.monster", "tommysdemons.monster", "xdavnode.pro", "fithusbandplan.monster", "profilab.monster", "sampatiguide.monster", "xcoffeeteaandwatherx.monster", "fancystraits.info", "checkphoto-bookin.com", "keysrace.info"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the Common Event Format (CEF) via AMA connector (or the legacy CEF agent connector); confirm firewall and proxy logs are actually arriving before treating an empty result as a clean one |
| DeviceNetworkEvents | Requires the Microsoft Defender XDR connector with Defender for Endpoint raw event collection enabled |
| DnsEvents | Populated by the legacy DNS connector (Windows DNS Analytics); environments that moved to Windows DNS Events via AMA write to ASimDnsActivityLogs instead, so retarget the DNS query there |
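The hunting queries above are hand-assembled from the IOC table. The script below is an added example (not part of the original page, and not ThreatFox or Sentinel tooling) that does that assembly mechanically: it parses the table rows as printed, refangs the `[.]` notation, splits ip:port entries, emits the `let` arrays in the same form the queries use plus a port-aware C2 match using a `datatable` join, writes a watchlist CSV, and shows two matching details the queries rely on: a subdomain of a listed domain is a hit while a lookalike that merely contains the string is not, and a connection to a listed IP on an unlisted port is weaker evidence than a full ip:port match. `IOC_TABLE` is a constructed subset of the table above; the watchlist column names are this example's own choice.

```python
"""Turn the ThreatFox 'Unknown malware' IOC table above into Sentinel artefacts.

Added example for this page, not ThreatFox or Sentinel tooling. IOC_TABLE is a
constructed subset of the table above, copied verbatim with its defanged IPs.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from typing import Optional

IOC_TABLE = """\
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | clhfgcomacdn.beer | payload_delivery | 2026-06-09 | 100% |
| domain | xdavnode.pro | payload_delivery | 2026-06-09 | 100% |
| ip:port | 175[.]178[.]123[.]42:28443 | botnet_cc | 2026-06-09 | 75% |
| ip:port | 101[.]200[.]234[.]195:80 | botnet_cc | 2026-06-09 | 100% |
| ip:port | 101[.]200[.]234[.]195:443 | botnet_cc | 2026-06-09 | 100% |
| domain | keysrace.info | payload_delivery | 2026-06-09 | 100% |
"""


@dataclass(frozen=True)
class Ioc:
    ioc_type: str        # "domain" or "ip:port"
    value: str           # refanged; bare IP for ip:port entries
    port: Optional[int]  # set only for ip:port entries
    threat_type: str     # payload_delivery or botnet_cc
    first_seen: str
    confidence: int      # ThreatFox confidence, 0-100


def refang(value: str) -> str:
    """Undo the [.] defanging so values compare equal to raw telemetry."""
    return value.replace("[.]", ".")


def parse_ioc_table(text: str) -> list[Ioc]:
    """Parse markdown rows of the form | type | value | threat | seen | conf |."""
    iocs: list[Ioc] = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 5 or cells[0] not in ("domain", "ip:port"):
            continue  # header, separator or unrelated line
        ioc_type, raw, threat, seen, conf = cells
        value, port = refang(raw), None
        if ioc_type == "ip:port":
            value, port_text = value.rsplit(":", 1)
            port = int(port_text)
        iocs.append(Ioc(ioc_type, value, port, threat, seen, int(conf.rstrip("%"))))
    return iocs


def kql_let(name: str, values: list[str]) -> str:
    """Render `let name = dynamic([...]);` in the form the hunting queries use."""
    quoted = ", ".join(f'"{v}"' for v in values)
    return f"let {name} = dynamic([{quoted}]);"


def build_kql(iocs: list[Ioc]) -> str:
    """Emit the IP/domain arrays plus a port-aware C2 match via a datatable join."""
    c2 = [i for i in iocs if i.ioc_type == "ip:port"]
    ips = sorted({i.value for i in c2})
    domains = [i.value for i in iocs if i.ioc_type == "domain"]
    pairs = ", ".join(f'"{i.value}", {i.port}' for i in c2)
    return "\n".join([
        kql_let("malicious_ips", ips),
        kql_let("malicious_domains", domains),
        f"let c2_endpoints = datatable(RemoteIP:string, RemotePort:int)[{pairs}];",
        "DeviceNetworkEvents",
        "| join kind=inner c2_endpoints on RemoteIP, RemotePort",
        "| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName",
    ])


def watchlist_csv(iocs: list[Ioc]) -> str:
    """Sentinel watchlist upload format: header row, then one IOC per line."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["Type", "Value", "Port", "ThreatType", "FirstSeen", "Confidence"])
    for i in iocs:
        port = "" if i.port is None else i.port
        writer.writerow([i.ioc_type, i.value, port, i.threat_type, i.first_seen, i.confidence])
    return buf.getvalue()


def domain_matches(query_name: str, ioc_domains: set[str]) -> bool:
    """True for a listed domain or any subdomain of it; false for a lookalike
    such as notclhfgcomacdn.beer that merely contains the string."""
    labels = query_name.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in ioc_domains for i in range(len(labels)))


def connection_verdict(ip: str, port: int, iocs: list[Ioc]) -> str:
    """'exact' for a listed ip:port, 'ip-only' when just the address is listed
    (weaker evidence, e.g. 175.178.123.42 is only 75% confidence), else 'none'."""
    hits = [i for i in iocs if i.ioc_type == "ip:port" and i.value == ip]
    if not hits:
        return "none"
    return "exact" if any(i.port == port for i in hits) else "ip-only"


if __name__ == "__main__":
    iocs = parse_ioc_table(IOC_TABLE)
    print(build_kql(iocs))
    doms = {i.value for i in iocs if i.ioc_type == "domain"}
    for name in ("www.clhfgcomacdn.beer", "notclhfgcomacdn.beer"):
        print(name, domain_matches(name, doms))
    for ip, port in (("175.178.123.42", 28443), ("175.178.123.42", 443)):
        print(ip, port, connection_verdict(ip, port, iocs))
```

Run it against the full 25-row table to regenerate the `let` arrays when the ThreatFox feed changes, and upload the CSV as a watchlist so the queries can `lookup` against it instead of carrying the arrays inline. The `datatable` join is the exact-match variant of the DeviceNetworkEvents query: it only fires on the listed ip:port pairs, which is the right default for an alert, whereas the IP-only query above is the right default for a hunt.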
The exclusions below address process-based noise met when pivoting from an IOC hit into process telemetry (InitiatingProcessFileName and InitiatingProcessParentFileName in DeviceNetworkEvents; the process.name and process.parent.name fields named here are the ECS equivalents). They narrow follow-up hunting and must not suppress a hit on a botnet_cc ip:port: a backup agent or log collector that connects to listed C2 infrastructure is an incident, not a false positive. Where the platform allows it, match on the full path (InitiatingProcessFolderPath) rather than the image name alone, since an attacker can name a payload procexp.exe as easily as anything else.
Scenario: Scheduled system integrity check using Sysinternals Process Explorer
Filter/Exclusion: Exclude processes whose process.name is procexp.exe or procexp64.exe (Process Explorer) or procmon.exe (Process Monitor), restricted to the path the tools are deployed from.
Scenario: Regularly executed Windows Update task via Task Scheduler
Filter/Exclusion: Exclude tasks whose task.name sits under the Microsoft\Windows\WindowsUpdate task path. taskeng.exe appears only on older Windows builds; on current versions scheduled tasks run under the Schedule service host (svchost.exe), so exclude by task name and registered action rather than by launcher process.
Scenario: PowerShell ISE used for administrative tasks
Filter/Exclusion: Exclude processes where process.name is powershell_ise.exe, or where process.parent.name is explorer.exe and the script path is a known internal location; limit the exclusion to interactive admin hosts and never exclude powershell.exe itself.
Scenario: Log management tool such as Splunk or ELK Stack performing data ingestion
Filter/Exclusion: Exclude splunkd.exe, logstash.exe or java.exe only when they run from the log management installation directory; java.exe excluded by name alone would also hide Java-based malware.
Scenario: Backup job using Veeam or Commvault
Filter/Exclusion: Exclude the backup product's executables (such as veeam.exe or cvbackup.exe, checked against the vendor's documented process names) with process.parent.name of explorer.exe or svchost.exe, again restricted by installation path.