The ThreatFox: Unknown malware IOCs rule detects potential adversary activity involving unknown malicious indicators linked to malware that may evade traditional detection methods. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats that could compromise critical assets.
IOC Summary
Malware Family: Unknown malware Total IOCs: 9 IOC Types: domain, sha256_hash, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | voltrix.tv | payload_delivery | 2026-06-06 | 100% |
| ip:port | 95[.]179[.]252[.]135:3334 | botnet_cc | 2026-06-06 | 75% |
| ip:port | 95[.]179[.]252[.]135:3333 | botnet_cc | 2026-06-06 | 75% |
| sha256_hash | a4225ad00fbe2123e27d25bca0988586164e2467762d2d1db304300b2d24d04b | payload | 2026-06-06 | 75% |
| domain | temp.logicfrontier.cc | botnet_cc | 2026-06-06 | 75% |
| sha256_hash | ea2bb5ebd6482e87f25949e792c976dfeaddc1bcb36e2c62476854e4aa22d3a7 | payload | 2026-06-06 | 75% |
| sha256_hash | 7340167a765d3d005af93fd10dbd6af48abfd50055fd6b8fca987b7c1363e5d4 | payload | 2026-06-06 | 75% |
| ip:port | 185[.]102[.]115[.]93:56001 | botnet_cc | 2026-06-06 | 75% |
| ip:port | 181[.]214[.]48[.]111:443 | botnet_cc | 2026-06-06 | 75% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Unknown malware
let malicious_ips = dynamic(["95.179.252.135", "185.102.115.93", "181.214.48.111"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["95.179.252.135", "185.102.115.93", "181.214.48.111"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown malware
let malicious_domains = dynamic(["voltrix.tv", "temp.logicfrontier.cc"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc// Hunt for files matching known malicious hashes
// Source: ThreatFox - Unknown malware
let malicious_hashes = dynamic(["a4225ad00fbe2123e27d25bca0988586164e2467762d2d1db304300b2d24d04b", "ea2bb5ebd6482e87f25949e792c976dfeaddc1bcb36e2c62476854e4aa22d3a7", "7340167a765d3d005af93fd10dbd6af48abfd50055fd6b8fca987b7c1363e5d4"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceFileEvents | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
Scenario: System update or patching process using wsusoffline or Windows Update
Filter/Exclusion: Exclude IOCs related to wsusoffline.exe, wuauclt.exe, or WindowsUpdate.log
Rationale: Legitimate system updates may trigger IOCs associated with unknown malware due to similar network behavior or file hashes.
Scenario: Scheduled backup using Veeam Backup & Replication or Commvault
Filter/Exclusion: Exclude IOCs related to veeambackup.exe, cvbackup.exe, or backup job directories
Rationale: Backup tools may generate network traffic or file access patterns that resemble malicious activity.
Scenario: Admin task using PowerShell for log management or configuration
Filter/Exclusion: Exclude IOCs related to powershell.exe with specific command-line arguments or execution paths like C:\Windows\System32\WindowsPowerShell\v1.0\
Rationale: PowerShell scripts used for legitimate admin tasks may trigger IOCs if they interact with similar systems or files as malware.
Scenario: Network monitoring tool like Wireshark or tcpdump capturing traffic
Filter/Exclusion: Exclude IOCs related to wireshark.exe, tcpdump.exe, or network capture files (e.g., .pcap)
Rationale: Network analysis tools may generate traffic patterns that match known malicious behavior.
Scenario: Log collection using Splunk or ELK Stack (Elasticsearch, Logstash, Kibana)
Filter/Exclusion: Exclude IOCs related to splunkd.exe, logstash.exe, or log directories like C:\ProgramData\logstash
Rationale: Log collection tools may interact with system files or network resources that could be flagged