The ThreatFox: Unknown malware IOCs rule detects potential adversary activity involving unknown malicious artifacts that may indicate the presence of previously unseen malware. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced threats that evade traditional detection methods.
IOC Summary
Malware Family: Unknown malware Total IOCs: 13 IOC Types: ip:port, domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | xeno.getslax.com | payload_delivery | 2026-06-19 | 100% |
| url | hxxps://jobs.trabajoseguro.info/ | payload_delivery | 2026-06-19 | 90% |
| domain | coraline.buzz | payload_delivery | 2026-06-19 | 100% |
| url | hxxps://holopebamiy.bond/ | payload_delivery | 2026-06-19 | 90% |
| domain | updateyoursoft.com | payload_delivery | 2026-06-19 | 100% |
| domain | freesoftupdater.com | payload_delivery | 2026-06-19 | 100% |
| domain | holopebamiy.bond | payload_delivery | 2026-06-19 | 100% |
| domain | mamamiadomio.cfd | payload_delivery | 2026-06-19 | 100% |
| domain | kongographics.com | payload_delivery | 2026-06-19 | 100% |
| domain | cdn.librarygrades.com | payload_delivery | 2026-06-19 | 100% |
| ip:port | 103[.]153[.]254[.]32:6933 | botnet_cc | 2026-06-19 | 75% |
| url | hxxps://oldagecarefoundation.com/ | payload_delivery | 2026-06-19 | 90% |
| ip:port | 106[.]13[.]63[.]211:60000 | botnet_cc | 2026-06-19 | 100% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Unknown malware
let malicious_ips = dynamic(["106.13.63.211", "103.153.254.32"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["106.13.63.211", "103.153.254.32"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown malware
let malicious_domains = dynamic(["xeno.getslax.com", "coraline.buzz", "updateyoursoft.com", "freesoftupdater.com", "holopebamiy.bond", "mamamiadomio.cfd", "kongographics.com", "cdn.librarygrades.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc// Hunt for access to known malicious URLs
// Source: ThreatFox - Unknown malware
let malicious_urls = dynamic(["https://jobs.trabajoseguro.info/", "https://holopebamiy.bond/", "https://oldagecarefoundation.com/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
UrlClickEvents | Ensure this data connector is enabled |
Scenario: A system administrator is using PowerShell to run a scheduled job that downloads a legitimate update from a known internal repository.
Filter/Exclusion: Exclude all PowerShell scripts that originate from internal IP ranges or use known internal repositories (e.g., internal-update-server.com).
Scenario: The Windows Task Scheduler is executing a legitimate backup job that uses a third-party tool like Veeam or Acronis, which may have network IOCs that match the rule.
Filter/Exclusion: Exclude processes initiated by the Task Scheduler and associated with known backup tools (e.g., veeam.exe, acronis.exe).
Scenario: A Windows Admin Center session is generating logs or exporting data to a remote server for monitoring purposes, which may include network traffic matching the rule.
Filter/Exclusion: Exclude traffic from the Windows Admin Center service (e.g., winrm.exe, wac.exe) or traffic to known monitoring servers.
Scenario: A Windows Update process is attempting to connect to Microsoft’s update servers, which may have IOCs that match the rule due to network activity.
Filter/Exclusion: Exclude traffic to Microsoft update servers (e.g., update.microsoft.com, wsus internal servers) or processes related to Windows Update (wuauclt.exe).
Scenario: A developer is using Docker to run a containerized application that communicates with a remote API endpoint, which may include network IOCs that match the rule.
Filter/Exclusion: Exclude traffic from Docker containers (e.g., dockerd.exe) or traffic to known development or API endpoints (e.g., api.dev.example.com).