The "ThreatFox: Unknown malware IOCs" rule flags network activity that matches indicators ThreatFox attributes to an unidentified malware family; a hit may indicate previously unseen malware in the environment. SOC teams should proactively hunt for these indicators in Azure Sentinel to identify and mitigate advanced threats that evade traditional detection methods.
IOC Summary
Malware Family: Unknown malware
Total IOCs: 7
IOC Types: ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 103[.]118[.]42[.]123:443 | botnet_cc | 2026-05-26 | 100% |
| ip:port | 103[.]118[.]42[.]123:80 | botnet_cc | 2026-05-26 | 100% |
| ip:port | 103[.]118[.]42[.]123:8080 | botnet_cc | 2026-05-26 | 100% |
| ip:port | 43[.]129[.]24[.]234:8888 | botnet_cc | 2026-05-26 | 100% |
| ip:port | 45[.]91[.]81[.]189:8888 | botnet_cc | 2026-05-26 | 100% |
| ip:port | 103[.]118[.]42[.]123:60000 | botnet_cc | 2026-05-26 | 100% |
| domain | m.acrobat.lat | botnet_cc | 2026-05-26 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Unknown malware
// Run each of the three queries on its own: each declares its own `let` binding
let malicious_ips = dynamic(["45.91.81.189", "103.118.42.123", "43.129.24.234"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Unknown malware
let malicious_ips = dynamic(["45.91.81.189", "103.118.42.123", "43.129.24.234"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown malware
let malicious_domains = dynamic(["m.acrobat.lat"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
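The queries above match on IP address only, while the ThreatFox rows are ip:port pairs, so a hit on 103.118.42.123 port 22 is weaker evidence than one on port 443. The following Python script is an added example, not part of the ThreatFox feed or the original hunting queries: it refangs a constructed copy of the IOC table, splits the ip:port values, renders the refanged lists as KQL `dynamic([...])` and `datatable(...)` literals, and then classifies a few constructed log records as exact ip+port hits, ip-only hits, or domain hits. All function names and the sample records are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed copy of the IOC table above, kept defanged exactly as ThreatFox
# publishes it; embedded here only so the example runs offline.
IOC_ROWS = [
    ("ip:port", "103[.]118[.]42[.]123:443"),
    ("ip:port", "103[.]118[.]42[.]123:80"),
    ("ip:port", "103[.]118[.]42[.]123:8080"),
    ("ip:port", "43[.]129[.]24[.]234:8888"),
    ("ip:port", "45[.]91[.]81[.]189:8888"),
    ("ip:port", "103[.]118[.]42[.]123:60000"),
    ("domain", "m.acrobat.lat"),
]


def refang(value: str) -> str:
    """Undo the defanging used in the table ([.] -> ., hxxp -> http)."""
    return re.sub(r"\[\.\]", ".", value).replace("hxxp", "http")


def parse_iocs(rows):
    """Split (type, value) rows into {ip: {ports}} and a set of domains."""
    ip_ports = defaultdict(set)
    domains = set()
    for ioc_type, raw in rows:
        value = refang(raw).strip()
        if ioc_type == "ip:port":
            ip, _, port = value.rpartition(":")  # rpartition keeps the port
            ip_ports[ip].add(int(port))
        elif ioc_type == "domain":
            domains.add(value.lower())
    return dict(ip_ports), domains


def kql_dynamic(values):
    """Render strings as the KQL dynamic([...]) literal used by the queries."""
    return "dynamic([" + ", ".join(f'"{v}"' for v in sorted(values)) + "])"


def kql_ip_port_table(ip_ports):
    """Render ip:port pairs as a KQL datatable for a port-aware join."""
    pairs = sorted((ip, p) for ip, ports in ip_ports.items() for p in ports)
    body = ",\n".join(f'    "{ip}", {port}' for ip, port in pairs)
    return "datatable(ioc_ip:string, ioc_port:int) [\n" + body + "\n]"


def match_connection(ip, port, ip_ports):
    """Classify a destination: 'ip+port' (exact IOC), 'ip-only', or None."""
    ports = ip_ports.get(ip)
    if ports is None:
        return None
    return "ip+port" if port in ports else "ip-only"


def match_domain(name, domains):
    """True when the queried name is an IOC domain or a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def triage(records, ip_ports, domains):
    """Run constructed log records through both matchers; return the hits."""
    hits = []
    for rec in records:
        if "DestinationIP" in rec:
            verdict = match_connection(rec["DestinationIP"], rec["DestinationPort"], ip_ports)
        else:
            verdict = "domain" if match_domain(rec["Name"], domains) else None
        if verdict:
            hits.append((rec, verdict))
    return hits


# Constructed sample records shaped like CommonSecurityLog / DnsEvents rows.
SAMPLE_RECORDS = [
    {"DestinationIP": "103.118.42.123", "DestinationPort": 443},  # exact IOC
    {"DestinationIP": "103.118.42.123", "DestinationPort": 22},   # IOC host, other port
    {"DestinationIP": "8.8.8.8", "DestinationPort": 53},          # benign
    {"Name": "cdn.m.acrobat.lat"},                                # subdomain of IOC
    {"Name": "acrobat.lat"},                                      # parent, not an IOC
]

if __name__ == "__main__":
    ip_ports, domains = parse_iocs(IOC_ROWS)
    print(kql_dynamic(ip_ports))
    print(kql_ip_port_table(ip_ports))
    for rec, verdict in triage(SAMPLE_RECORDS, ip_ports, domains):
        print(verdict, rec)
```

The `datatable` literal can be bound with `let` in Sentinel and joined to CommonSecurityLog on both DestinationIP and DestinationPort, which turns the IP-only hunt into a port-exact one; keeping the ip-only verdict as a lower-priority result preserves visibility of other traffic to the same host.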
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| System update or patching process using wget to download a legitimate Microsoft update file from a known Microsoft server. | Exclude traffic to download.microsoft.com or files matching .*\.msu$ or .*\.msp$. |
| Scheduled job running PowerShell to generate reports or export logs to a local file server. | Exclude PowerShell scripts executed from known trusted paths like C:\Windows\System32\WindowsPowerShell\v1.0\ or files with .ps1 extensions that are known safe. |
| Admin task using certutil to import a trusted root certificate from a local file. | Exclude usage of certutil with file paths in the C:\Program Files\ or C:\Windows\System32\ directories. |
| Log collection tool like Splunk or ELK using rsync to transfer logs to a central server. | Exclude rsync transfers to known log servers or files with extensions like .log, .csv, or .json. |
| Backup process using Veeam or Commvault that temporarily writes to a staging directory. | Exclude file access to directories like C:\Backup\Staging\ or files with .bak, .vbk, or .zip extensions. |