The ThreatFox: Unknown malware IOCs rule detects potential adversary activity involving unknown malicious indicators that may be associated with advanced persistent threats. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate unknown malware campaigns before they cause significant damage.
IOC Summary
Malware Family: Unknown malware Total IOCs: 23 IOC Types: ip:port, sha256_hash, domain, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 217[.]60[.]195[.]132:4782 | botnet_cc | 2026-06-16 | 75% |
| ip:port | 172[.]232[.]105[.]92:7443 | botnet_cc | 2026-06-16 | 75% |
| domain | finework.top | payload_delivery | 2026-06-16 | 100% |
| domain | krolikrojer.lat | payload_delivery | 2026-06-16 | 100% |
| domain | antigravity.study | payload_delivery | 2026-06-16 | 100% |
| domain | chatgpt-web.vip | payload_delivery | 2026-06-16 | 100% |
| domain | clip-stash.beer | payload_delivery | 2026-06-16 | 100% |
| domain | defi-xstocks.vip | payload_delivery | 2026-06-16 | 100% |
| ip:port | 94[.]198[.]96[.]166:62051 | botnet_cc | 2026-06-16 | 75% |
| ip:port | 117[.]72[.]189[.]142:8080 | botnet_cc | 2026-06-16 | 100% |
| ip:port | 132[.]243[.]225[.]15:4521 | botnet_cc | 2026-06-16 | 75% |
| ip:port | 117[.]72[.]189[.]142:80 | botnet_cc | 2026-06-16 | 100% |
| ip:port | 117[.]72[.]189[.]142:443 | botnet_cc | 2026-06-16 | 100% |
| url | hxxps://smenapodik.bond/ | payload_delivery | 2026-06-16 | 90% |
| url | hxxps://plunkev.ca/ | payload_delivery | 2026-06-16 | 90% |
| ip:port | 117[.]72[.]189[.]142:60000 | botnet_cc | 2026-06-16 | 100% |
| url | hxxps://seanofficials.com/ | payload_delivery | 2026-06-15 | 90% |
| ip:port | 45[.]153[.]34[.]146:3001 | botnet_cc | 2026-06-15 | 75% |
| ip:port | 185[.]236[.]25[.]119:3001 | botnet_cc | 2026-06-15 | 75% |
| ip:port | 85[.]90[.]197[.]26:7000 | botnet_cc | 2026-06-15 | 75% |
| sha256_hash | da8d89a25d0edc6186a9e70bca59e37a25b1f4ab84966ed1e4b9aa35d2c20601 | payload | 2026-06-15 | 100% |
| domain | moonzonet.com | botnet_cc | 2026-06-15 | 100% |
| sha256_hash | a92d28f1d32e3a9ab7c3691f8bfca8f7586bb0666adbba47eab3e1a8faf7ecc0 | payload | 2026-06-15 | 100% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Unknown malware
let malicious_ips = dynamic(["172.232.105.92", "132.243.225.15", "185.236.25.119", "117.72.189.142", "94.198.96.166", "217.60.195.132", "85.90.197.26", "45.153.34.146"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["172.232.105.92", "132.243.225.15", "185.236.25.119", "117.72.189.142", "94.198.96.166", "217.60.195.132", "85.90.197.26", "45.153.34.146"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown malware
let malicious_domains = dynamic(["finework.top", "krolikrojer.lat", "antigravity.study", "chatgpt-web.vip", "clip-stash.beer", "defi-xstocks.vip", "moonzonet.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc// Hunt for access to known malicious URLs
// Source: ThreatFox - Unknown malware
let malicious_urls = dynamic(["https://smenapodik.bond/", "https://plunkev.ca/", "https://seanofficials.com/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc// Hunt for files matching known malicious hashes
// Source: ThreatFox - Unknown malware
let malicious_hashes = dynamic(["da8d89a25d0edc6186a9e70bca59e37a25b1f4ab84966ed1e4b9aa35d2c20601", "a92d28f1d32e3a9ab7c3691f8bfca8f7586bb0666adbba47eab3e1a8faf7ecc0"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceFileEvents | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
UrlClickEvents | Ensure this data connector is enabled |
Scenario: System update or patching process using Chocolatey or WSUS
Filter/Exclusion: Exclude files with hashes matching known Chocolatey or WSUS packages, or filter by file paths like C:\Windows\Temp\* or C:\ProgramData\Chocolatey\*.
Scenario: Scheduled backup or sync job using Veeam or rsync
Filter/Exclusion: Exclude files with paths containing backup, sync, or snapshot, and filter by known Veeam or rsync tool directories.
Scenario: Admin task involving PowerShell script execution for system monitoring
Filter/Exclusion: Exclude PowerShell scripts with known admin tools like Get-EventLog, Get-Service, or Get-Process, and filter by execution context (e.g., RunAs or LocalSystem).
Scenario: Log collection or monitoring tool like Splunk or ELK Stack
Filter/Exclusion: Exclude files with paths like C:\Program Files\Splunk\* or C:\elastic\*, and filter by known log collection processes or services.
Scenario: Internal tool or script for network discovery using Nmap or Masscan
Filter/Exclusion: Exclude Nmap or Masscan binaries and their associated scripts, and filter by network discovery tasks (e.g., nmap -sL or masscan --rate=1000).