The ThreatFox: Unknown malware IOCs rule detects potential adversary activity involving unknown malicious indicators that may be associated with advanced persistent threats. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate unknown malware that could evade traditional detection methods.
IOC Summary
Malware Family: Unknown malware Total IOCs: 27 IOC Types: domain, sha256_hash, url, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | accordtrucking.monster | payload_delivery | 2026-05-29 | 100% |
| domain | framework-jsoncdn.beer | payload_delivery | 2026-05-29 | 100% |
| ip:port | 112[.]43[.]32[.]18:80 | payload_delivery | 2026-05-29 | 80% |
| url | hxxp://31[.]56[.]209[.]72/cat.sh | payload_delivery | 2026-05-29 | 75% |
| domain | megamegalodon.click | payload_delivery | 2026-05-29 | 75% |
| url | hxxps://megamegalodon.click/api/index.php?a=dl&token=8caaf953d89478b8a7191eb32295c117a310b53ac9059d4ad69a1e397ec3b2d4&rv=ab62effa5c33ec478e5f054b773a4ee7&src=majesticlubricants.com&mode=cloudflare | payload_delivery | 2026-05-29 | 75% |
| domain | farhan.safeverify.com.ng | payload_delivery | 2026-05-29 | 75% |
| url | hxxps://farhan.safeverify.com.ng/ | payload_delivery | 2026-05-29 | 75% |
| url | hxxps://farhan.safeverify.com.ng/login.php | payload_delivery | 2026-05-29 | 75% |
| url | hxxps://farhan.safeverify.com.ng/register.php | payload_delivery | 2026-05-29 | 75% |
| url | hxxps://farhan.safeverify.com.ng/admin/admin_register.php | payload_delivery | 2026-05-29 | 75% |
| url | hxxps://farhan.safeverify.com.ng/forget_password.php | payload_delivery | 2026-05-29 | 75% |
| url | hxxps://farhan.safeverify.com.ng/admin/index.php | payload_delivery | 2026-05-29 | 75% |
| url | hxxps://farhan.safeverify.com.ng/safe-verify.apk | payload_delivery | 2026-05-29 | 75% |
| sha256_hash | 014e3b0450e294c7917c7986d3b19c2aaaac9d13609d6fbe230bd83168ae4437 | payload | 2026-05-29 | 75% |
| sha256_hash | 20d25e6bc246c9fb401e41ae8ab09e7976b92317ef97532ff07c163af6c823dd | payload | 2026-05-29 | 75% |
| sha256_hash | 30e720476e4eb57742d1c61b8127e29e3bd2dedb884e3595aba41888cf15b106 | payload | 2026-05-29 | 75% |
| sha256_hash | 6a9249a2019e415f0e13a185fcb411f7f8816d477de5c2e94e5ab61fb06a7aa3 | payload | 2026-05-29 | 75% |
| sha256_hash | b8cfbeda4565712da8ffe1cfb365c1701ab85239e5d43822f83fbc962b205409 | payload | 2026-05-29 | 75% |
| ip:port | 171[.]243[.]148[.]230:80 | payload_delivery | 2026-05-29 | 80% |
| domain | www.secure-accounts-verify.com | payload_delivery | 2026-05-29 | 75% |
| url | hxxps://www.secure-accounts-verify.com/submit-task | payload_delivery | 2026-05-29 | 75% |
| url | hxxps://www.secure-accounts-verify.com/get-status | payload_delivery | 2026-05-29 | 75% |
| sha256_hash | a502120e5056f6cb4cf5aacb143e1f7c7468a82fea9714e9675ad32f106857a0 | payload | 2026-05-29 | 75% |
| sha256_hash | 8562a87f3096711e06456205f15fc62009398fc97315d1ce82389475c306d4f6 | payload | 2026-05-29 | 75% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Unknown malware
let malicious_ips = dynamic(["35.158.219.35", "171.243.148.230", "13.209.95.4", "112.43.32.18"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["35.158.219.35", "171.243.148.230", "13.209.95.4", "112.43.32.18"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown malware
let malicious_domains = dynamic(["accordtrucking.monster", "framework-jsoncdn.beer", "megamegalodon.click", "farhan.safeverify.com.ng", "www.secure-accounts-verify.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc// Hunt for access to known malicious URLs
// Source: ThreatFox - Unknown malware
let malicious_urls = dynamic(["http://31.56.209.72/cat.sh", "https://megamegalodon.click/api/index.php?a=dl&token=8caaf953d89478b8a7191eb32295c117a310b53ac9059d4ad69a1e397ec3b2d4&rv=ab62effa5c33ec478e5f054b773a4ee7&src=majesticlubricants.com&mode=cloudflare", "https://farhan.safeverify.com.ng/", "https://farhan.safeverify.com.ng/login.php", "https://farhan.safeverify.com.ng/register.php", "https://farhan.safeverify.com.ng/admin/admin_register.php", "https://farhan.safeverify.com.ng/forget_password.php", "https://farhan.safeverify.com.ng/admin/index.php", "https://farhan.safeverify.com.ng/safe-verify.apk", "https://www.secure-accounts-verify.com/submit-task", "https://www.secure-accounts-verify.com/get-status"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc// Hunt for files matching known malicious hashes
// Source: ThreatFox - Unknown malware
let malicious_hashes = dynamic(["014e3b0450e294c7917c7986d3b19c2aaaac9d13609d6fbe230bd83168ae4437", "20d25e6bc246c9fb401e41ae8ab09e7976b92317ef97532ff07c163af6c823dd", "30e720476e4eb57742d1c61b8127e29e3bd2dedb884e3595aba41888cf15b106", "6a9249a2019e415f0e13a185fcb411f7f8816d477de5c2e94e5ab61fb06a7aa3", "b8cfbeda4565712da8ffe1cfb365c1701ab85239e5d43822f83fbc962b205409", "a502120e5056f6cb4cf5aacb143e1f7c7468a82fea9714e9675ad32f106857a0", "8562a87f3096711e06456205f15fc62009398fc97315d1ce82389475c306d4f6"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceFileEvents | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
UrlClickEvents | Ensure this data connector is enabled |
Scenario: System backup process using wbadmin
Filter/Exclusion: Exclude processes initiated by wbadmin or with command-line arguments containing backup or restore.
Scenario: Scheduled system maintenance task using schtasks
Filter/Exclusion: Exclude tasks scheduled via schtasks with names containing Maintenance, Cleanup, or Update.
Scenario: Log file rotation using logrotate on Linux
Filter/Exclusion: Exclude processes related to logrotate or file paths in /var/log/ with timestamps in the past 24 hours.
Scenario: Admin using PowerShell to generate reports
Filter/Exclusion: Exclude PowerShell scripts executed by administrators with execution policies set to RemoteSigned or Unrestricted.
Scenario: Database backup using mysqldump or pg_dump
Filter/Exclusion: Exclude processes with command-line arguments containing --single-transaction, --quick, or paths to database backup directories.