ThreatFox: Unknown malware IOCs

Hunt Hypothesis

The ThreatFox: Unknown malware IOCs rule detects potential adversary activity involving previously unidentified malicious indicators, which may indicate the presence of advanced or novel threats. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate unknown malware before it causes significant damage.

IOC Summary

Malware Family: Unknown malware Total IOCs: 43 IOC Types: domain, ip:port, url, sha256_hash

Type	Value	Threat Type	First Seen	Confidence
ip:port	`144[.]31[.]236[.]60:443`	payload_delivery	2026-04-22	100%
domain	`ms.com-audio.cloud`	payload_delivery	2026-04-22	100%
domain	`donfreedom.com`	payload_delivery	2026-04-22	100%
domain	`trindastal.com`	botnet_cc	2026-04-22	100%
domain	`dailyhomireciple.com`	botnet_cc	2026-04-22	100%
ip:port	`213[.]139[.]77[.]228:443`	botnet_cc	2026-04-22	100%
url	`hxxps://trindastal.com/4ba0af68-0037-5f6e-afd1-64f89fc0f554/v8`	payload_delivery	2026-04-22	100%
url	`hxxps://trindastal.com/4ba0af68-0037-5f6e-afd1-64f89fc0f554/loc8`	payload_delivery	2026-04-22	100%
ip:port	`46[.]183[.]25[.]42:443`	botnet_cc	2026-04-22	90%
sha256_hash	`93791ebe5df8c415f10518f839ada39c88d6e93b1217f37b04ac96b9b112ed40`	payload	2026-04-22	100%
sha256_hash	`353bd65eca3e04761f823cffdda51fd0e098e23651a953fa353b3fd15bbba28d`	payload	2026-04-22	100%
sha256_hash	`60e7f9ef3d00c861fb8dbfc14b2d9a221e54fac9adb365b4c38475965be75542`	payload	2026-04-22	100%
domain	`dailyhomireciple.com`	payload_delivery	2026-04-22	85%
domain	`trindastal.com`	payload_delivery	2026-04-22	85%
sha256_hash	`8a7697678c13bd359029829564a3068802b56eb5288464c9d2d5df56a440c738`	payload	2026-04-22	85%
url	`hxxps://amanullahstorellc.com/`	payload_delivery	2026-04-22	90%
ip:port	`35[.]212[.]234[.]225:443`	botnet_cc	2026-04-22	100%
ip:port	`3[.]226[.]119[.]211:443`	botnet_cc	2026-04-22	100%
ip:port	`46[.]101[.]191[.]5:22`	botnet_cc	2026-04-22	100%
ip:port	`194[.]87[.]161[.]238:8080`	botnet_cc	2026-04-22	100%
url	`hxxp://zoom.web-interviews.online/install-guide.php`	payload_delivery	2026-04-22	100%
url	`hxxp://zoom.web-interviews.online/download.php`	payload_delivery	2026-04-22	100%
url	`hxxp://zoom.web-interviews.online/microsoft-store.php`	payload_delivery	2026-04-22	100%
url	`hxxp://zoom.web-interviews.online/invite.php`	payload_delivery	2026-04-22	100%
domain	`zoom.web-interviews.online`	payload_delivery	2026-04-22	100%

KQL: Ip Hunt

// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Unknown malware
let malicious_ips = dynamic(["3.226.119.211", "46.183.25.42", "144.31.236.60", "194.87.161.238", "213.139.77.228", "46.101.191.5", "35.212.234.225"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc

KQL: Ip Hunt Device

// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["3.226.119.211", "46.183.25.42", "144.31.236.60", "194.87.161.238", "213.139.77.228", "46.101.191.5", "35.212.234.225"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc

KQL: Domain Hunt

// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown malware
let malicious_domains = dynamic(["ms.com-audio.cloud", "donfreedom.com", "trindastal.com", "dailyhomireciple.com", "dailyhomireciple.com", "trindastal.com", "zoom.web-interviews.online", "zoomweb06.us", "avijit-karmoker.top", "ar-unit.com", "webflare.beer", "web-safe.beer", "web-protection.beer", "web-safety.beer"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc

KQL: Url Hunt

// Hunt for access to known malicious URLs
// Source: ThreatFox - Unknown malware
let malicious_urls = dynamic(["https://trindastal.com/4ba0af68-0037-5f6e-afd1-64f89fc0f554/v8", "https://trindastal.com/4ba0af68-0037-5f6e-afd1-64f89fc0f554/loc8", "https://amanullahstorellc.com/", "http://zoom.web-interviews.online/install-guide.php", "http://zoom.web-interviews.online/download.php", "http://zoom.web-interviews.online/microsoft-store.php", "http://zoom.web-interviews.online/invite.php", "https://app.idanburuku.sbs/Bin/ScreenConnect.ClientSetup.msi?e=Access&y=Guest", "https://store8.gofile.io/download/direct/fb1be258-589c-4c1d-932a-1698f03b3919/ZoomWorkspace.ClientSetup.vbs", "https://zoomweb06.us/Windows/invite.php", "https://joinzoominvite.avijit-karmoker.top/Windows/invite.php", "https://avijit-karmoker.top/MSTeams/peer/Windows/invite.php", "https://ar-unit.com/Windows/download.php", "https://ar-unit.com/Windows/viewpdf.php", "https://ar-unit.com/Windows/statement.php", "https://webflare.beer/api/css.js", "https://web-safe.beer/api/css.js", "https://web-protection.beer/api/css.js"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc

KQL: Hash Hunt

// Hunt for files matching known malicious hashes
// Source: ThreatFox - Unknown malware
let malicious_hashes = dynamic(["93791ebe5df8c415f10518f839ada39c88d6e93b1217f37b04ac96b9b112ed40", "353bd65eca3e04761f823cffdda51fd0e098e23651a953fa353b3fd15bbba28d", "60e7f9ef3d00c861fb8dbfc14b2d9a221e54fac9adb365b4c38475965be75542", "8a7697678c13bd359029829564a3068802b56eb5288464c9d2d5df56a440c738"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc

Required Data Sources

Sentinel Table	Notes
`CommonSecurityLog`	Ensure this data connector is enabled
`DeviceFileEvents`	Ensure this data connector is enabled
`DeviceNetworkEvents`	Ensure this data connector is enabled
`DnsEvents`	Ensure this data connector is enabled
`UrlClickEvents`	Ensure this data connector is enabled

References

ThreatFox — Unknown malware

False Positive Guidance

Scenario: System update or patching process using wsusoffline or Windows Update
Filter/Exclusion: Exclude IOCs related to wsusoffline, wuapi, or Windows Update components. Use a filter like:
```
(process.name != "wuauclt.exe") AND (process.name != "wsusoffline.exe")
```
Scenario: Scheduled backup or data archiving using Veeam Backup & Replication
Filter/Exclusion: Exclude IOCs related to Veeam or Veeam Backup processes. Use a filter like:
```
(process.name != "Veeam.Backup.exe") AND (process.name != "Veeam.Backup.Service.exe")
```
Scenario: Admin task involving PowerShell for system configuration or compliance checks
Filter/Exclusion: Exclude PowerShell scripts or processes associated with known admin tools. Use a filter like:
```
(process.name != "powershell.exe") OR (process.args NOT LIKE "%-File%" AND process.args NOT LIKE "%-Command%")
```
Scenario: Log collection or monitoring using Splunk or ELK Stack
Filter/Exclusion: Exclude IOCs related to Splunk, logstash, filebeat, or kibana. Use a filter like:
```
(process.name != "splunkd.exe") AND (process.name != "logstash") AND (process.name != "filebeat")
```
Scenario: Network discovery or inventory using Nmap or Masscan
Filter/Exclusion: Exclude IOCs related to nmap, masscan, or tcpdump. Use a filter like:
```
(
```