The ThreatFox: Unknown malware IOCs rule detects potential adversary activity involving unknown malicious indicators that could signify the presence of previously unseen malware in the environment. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate emerging threats before they cause significant damage.
IOC Summary
Malware Family: Unknown malware Total IOCs: 14 IOC Types: url, ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://sindppence.org.br/ | payload_delivery | 2026-06-14 | 90% |
| url | hxxps://mampodik.asia/ | payload_delivery | 2026-06-14 | 90% |
| domain | cqdprod.com | payload_delivery | 2026-06-14 | 100% |
| domain | cqdsequoia.com | payload_delivery | 2026-06-14 | 100% |
| domain | ghost-loader.com | payload_delivery | 2026-06-14 | 100% |
| domain | cryptex-core.pw | payload_delivery | 2026-06-14 | 100% |
| domain | mgo.gstats-api-contact.cc | botnet_cc | 2026-06-14 | 100% |
| ip:port | 45[.]152[.]243[.]83:80 | botnet_cc | 2026-06-14 | 100% |
| ip:port | 45[.]152[.]243[.]83:8080 | botnet_cc | 2026-06-14 | 100% |
| ip:port | 45[.]152[.]243[.]83:443 | botnet_cc | 2026-06-14 | 100% |
| ip:port | 154[.]40[.]58[.]52:8888 | botnet_cc | 2026-06-14 | 100% |
| ip:port | 45[.]152[.]243[.]83:60000 | botnet_cc | 2026-06-14 | 100% |
| ip:port | 9[.]141[.]105[.]20:7443 | botnet_cc | 2026-06-13 | 75% |
| ip:port | 85[.]121[.]176[.]239:7443 | botnet_cc | 2026-06-13 | 75% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Unknown malware
let malicious_ips = dynamic(["9.141.105.20", "45.152.243.83", "154.40.58.52", "85.121.176.239"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["9.141.105.20", "45.152.243.83", "154.40.58.52", "85.121.176.239"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown malware
let malicious_domains = dynamic(["cqdprod.com", "cqdsequoia.com", "ghost-loader.com", "cryptex-core.pw", "mgo.gstats-api-contact.cc"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc// Hunt for access to known malicious URLs
// Source: ThreatFox - Unknown malware
let malicious_urls = dynamic(["https://sindppence.org.br/", "https://mampodik.asia/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
UrlClickEvents | Ensure this data connector is enabled |
Scenario: A system administrator is using PowerShell to run a scheduled job that downloads a legitimate update from a known internal repository.
Filter/Exclusion: Exclude all PowerShell scripts that originate from internal IP ranges or are signed by a trusted certificate.
Scenario: A Windows Task Scheduler job is configured to execute a PowerShell script that performs routine system diagnostics and logs to a local file.
Filter/Exclusion: Exclude all tasks that are scheduled under the Local System account and have a known, legitimate script path.
Scenario: A Syslog server is configured to receive logs from multiple network devices, and the logs are being parsed by a SIEM tool (e.g., Splunk or ELK) for correlation.
Filter/Exclusion: Exclude all log entries that originate from the Syslog server’s IP address or are associated with known log sources.
Scenario: A backup job using Veeam or Commvault is configured to transfer data over the network, which may involve temporary file IOCs.
Filter/Exclusion: Exclude all network traffic initiated by backup tools or from known backup server IP addresses.
Scenario: A DevOps pipeline (e.g., Jenkins or GitLab CI) is executing a build job that pulls dependencies from a private artifact repository.
Filter/Exclusion: Exclude all network activity originating from the CI/CD server’s IP address or associated with known artifact repositories.