The ThreatFox: Unknown malware IOCs rule detects potential adversary activity involving unknown malicious artifacts that may indicate the presence of previously unseen malware. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced threats before they cause significant damage.
IOC Summary
Malware Family: Unknown malware Total IOCs: 15 IOC Types: domain, ip:port, sha256_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 82[.]156[.]224[.]203:12618 | botnet_cc | 2026-05-27 | 75% |
| domain | lenders.digital | payload_delivery | 2026-05-27 | 100% |
| domain | nshtjscdn.beer | payload_delivery | 2026-05-27 | 100% |
| domain | lnfcdnclad.beer | payload_delivery | 2026-05-27 | 100% |
| domain | nvbfcdnclaud.beer | payload_delivery | 2026-05-27 | 100% |
| domain | devynly.monster | payload_delivery | 2026-05-27 | 100% |
| domain | yhvzldixqbmi.lol | botnet_cc | 2026-05-27 | 85% |
| domain | rbdncyyrpu.club | botnet_cc | 2026-05-27 | 85% |
| domain | zktfzfxua.club | botnet_cc | 2026-05-27 | 85% |
| sha256_hash | f5f496ebc1de17421aa89f2a1160d30901b7b8cbfe475c3f5a7cb1e508d68356 | payload | 2026-05-27 | 85% |
| sha256_hash | 3b330a6ec000ea461732e484a61eb9eda1ece5b0a9b2458c222c5714ba6790ec | payload | 2026-05-27 | 85% |
| sha256_hash | bab74573404fc44b6e012fda3f7a8b00fe5a80565557ab78c9c1f0a8727afecf | payload | 2026-05-27 | 85% |
| sha256_hash | 5cd46cb8ffa6092aad21337df0c10881ba012dad4d63f7ffac98eb6c8463d63d | payload | 2026-05-27 | 85% |
| sha256_hash | cdfae9f1d9702545972c1aee9e349cd3df4e6be8550f5d35ca3c508c6c9a7dc7 | payload | 2026-05-27 | 85% |
| ip:port | 8[.]138[.]180[.]67:8888 | botnet_cc | 2026-05-27 | 100% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Unknown malware
let malicious_ips = dynamic(["82.156.224.203", "8.138.180.67"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["82.156.224.203", "8.138.180.67"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown malware
let malicious_domains = dynamic(["lenders.digital", "nshtjscdn.beer", "lnfcdnclad.beer", "nvbfcdnclaud.beer", "devynly.monster", "yhvzldixqbmi.lol", "rbdncyyrpu.club", "zktfzfxua.club"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc// Hunt for files matching known malicious hashes
// Source: ThreatFox - Unknown malware
let malicious_hashes = dynamic(["f5f496ebc1de17421aa89f2a1160d30901b7b8cbfe475c3f5a7cb1e508d68356", "3b330a6ec000ea461732e484a61eb9eda1ece5b0a9b2458c222c5714ba6790ec", "bab74573404fc44b6e012fda3f7a8b00fe5a80565557ab78c9c1f0a8727afecf", "5cd46cb8ffa6092aad21337df0c10881ba012dad4d63f7ffac98eb6c8463d63d", "cdfae9f1d9702545972c1aee9e349cd3df4e6be8550f5d35ca3c508c6c9a7dc7"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceFileEvents | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is using PowerShell to run a scheduled job that downloads a legitimate update from a known Microsoft server.
Filter/Exclusion: Exclude all PowerShell commands executed against update.microsoft.com or download.microsoft.com.
Scenario: A DevOps engineer is using Ansible to deploy a new application, which involves copying files from a local repository to a remote server.
Filter/Exclusion: Exclude all file transfers involving local repositories or known CI/CD tooling paths like /var/lib/ansible or /home/ansible.
Scenario: A database administrator is using SQL Server Agent to run a backup job that writes to a network share.
Filter/Exclusion: Exclude all file system access to network shares used by SQL Server backups or known backup directories.
Scenario: A security analyst is using Wireshark to capture and analyze network traffic for a penetration test.
Filter/Exclusion: Exclude all network traffic originating from or destined to the security analysis workstation or test environments.
Scenario: A system administrator is using LogParser to analyze IIS logs for performance tuning.
Filter/Exclusion: Exclude all log parsing activities involving IIS log files or known log analysis tools.