The ThreatFox: Unknown malware IOCs rule detects potential adversary activity involving previously unidentified malicious indicators, which could signal the presence of advanced or novel threats. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate unknown malware before it causes significant damage.
IOC Summary

Malware Family: Unknown malware
Total IOCs: 29
IOC Types: ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | hakdsiwqs281ks.com | payload_delivery | 2026-06-08 | 100% |
| domain | teraview.info | payload_delivery | 2026-06-08 | 100% |
| domain | photforhotel.info | payload_delivery | 2026-06-08 | 100% |
| domain | photo-26656.cfd | payload_delivery | 2026-06-08 | 100% |
| domain | dsjkaksfks324das.com | payload_delivery | 2026-06-08 | 100% |
| domain | photo-26653.cfd | payload_delivery | 2026-06-08 | 100% |
| domain | photo-26652.cfd | payload_delivery | 2026-06-08 | 100% |
| domain | havasssj291sld.com | payload_delivery | 2026-06-08 | 100% |
| domain | photo-27657.cfd | payload_delivery | 2026-06-08 | 100% |
| domain | jsdakksd283ksl.com | payload_delivery | 2026-06-08 | 100% |
| domain | hotelsphotosite.cloud | payload_delivery | 2026-06-08 | 100% |
| domain | photo-27757.cfd | payload_delivery | 2026-06-08 | 100% |
| domain | photo-26657.cfd | payload_delivery | 2026-06-08 | 100% |
| domain | tracerecord.info | payload_delivery | 2026-06-08 | 100% |
| domain | book-photopage.info | payload_delivery | 2026-06-08 | 100% |
| domain | haddjskak827sja.com | payload_delivery | 2026-06-08 | 100% |
| domain | haskakwo291sa.com | payload_delivery | 2026-06-08 | 100% |
| domain | photohotelcheck.cloud | payload_delivery | 2026-06-08 | 100% |
| domain | pic-imageh.info | payload_delivery | 2026-06-08 | 100% |
| domain | photo-pagebook.info | payload_delivery | 2026-06-08 | 100% |
| domain | hotelphotoadm.info | payload_delivery | 2026-06-08 | 100% |
| domain | safehub-images.info | payload_delivery | 2026-06-08 | 100% |
| domain | safepic-img.info | payload_delivery | 2026-06-08 | 100% |
| domain | safegallery.info | payload_delivery | 2026-06-08 | 100% |
| ip:port | 87[.]237[.]52[.]176:7443 | botnet_cc | 2026-06-08 | 75% |
Hunting Queries (KQL)

```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Unknown malware
let malicious_ips = dynamic(["8.130.121.65", "87.237.52.176"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Unknown malware
let malicious_ips = dynamic(["8.130.121.65", "87.237.52.176"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown malware
let malicious_domains = dynamic(["hakdsiwqs281ks.com", "teraview.info", "photforhotel.info", "photo-26656.cfd", "dsjkaksfks324das.com", "photo-26653.cfd", "photo-26652.cfd", "havasssj291sld.com", "photo-27657.cfd", "jsdakksd283ksl.com", "hotelsphotosite.cloud", "photo-27757.cfd", "photo-26657.cfd", "tracerecord.info", "book-photopage.info", "haddjskak827sja.com", "haskakwo291sa.com", "photohotelcheck.cloud", "pic-imageh.info", "photo-pagebook.info", "hotelphotoadm.info", "safehub-images.info", "safepic-img.info", "safegallery.info"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
Required Sentinel Tables

| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios

- Scenario: A system administrator is using PowerShell to run a scheduled job that downloads a legitimate update from a known internal repository.
  - Filter/Exclusion: Exclude any IOCs that match internal IP ranges or known internal repositories (e.g., 10.0.0.0/8, 192.168.0.0/16, or internal-update-server.com).
- Scenario: A DevOps engineer is using Ansible to deploy a configuration management script that includes a legitimate external API call to a trusted third-party service.
  - Filter/Exclusion: Exclude any IOCs that match known trusted API endpoints or domains (e.g., api.trusted-third-party.com, *.trusted-third-party.com).
- Scenario: A database administrator is using SQL Server Agent to run a scheduled backup job that connects to a remote backup server.
  - Filter/Exclusion: Exclude any IOCs that match known backup server IPs or domains (e.g., backup-server.example.com, 10.10.10.10).
- Scenario: A security analyst is using Wireshark to capture and analyze network traffic for a legitimate penetration test or security audit.
  - Filter/Exclusion: Exclude any IOCs that match internal test environments or known test domains (e.g., test-environment.example.com, 172.16.0.0/12).
- Scenario: A system administrator is using Windows Task Scheduler to run a script that connects to a public cloud service (e.g., AWS S3) for log archiving.
  - Filter/Exclusion: Exclude any IOCs that match known cloud service endpoints or regions (e.g., s3.amazonaws.com, us-east-1.ec2.amazonaws.com).
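One way to raise the fidelity of the hunts above while applying the exclusions from these scenarios, written here as an added example that is not part of the original rule: require both a DNS lookup of an IOC domain and, within an hour, an outbound connection from the same host to the botnet_cc indicator. It assumes the short hostname is comparable between DnsEvents.Computer and DeviceNetworkEvents.DeviceName, and the trusted-domain allowlist reuses the placeholder names from the scenarios, which you would replace with your own.

```kql
// Added example (not from the original rule): correlate an IOC domain lookup
// with a later connection to the C2 ip:port on the same host, after dropping
// lookups for trusted zones named in the false-positive scenarios.
let lookback = 7d;
let malicious_domains = dynamic(["hakdsiwqs281ks.com", "teraview.info", "photforhotel.info", "photo-26656.cfd", "dsjkaksfks324das.com", "photo-26653.cfd", "photo-26652.cfd", "havasssj291sld.com", "photo-27657.cfd", "jsdakksd283ksl.com", "hotelsphotosite.cloud", "photo-27757.cfd", "photo-26657.cfd", "tracerecord.info", "book-photopage.info", "haddjskak827sja.com", "haskakwo291sa.com", "photohotelcheck.cloud", "pic-imageh.info", "photo-pagebook.info", "hotelphotoadm.info", "safehub-images.info", "safepic-img.info", "safegallery.info"]);
let c2_ip = "87.237.52.176";
let c2_port = 7443;
// Placeholder allowlist built from the scenario examples (assumed names, not real infrastructure)
let trusted_domains = dynamic(["internal-update-server.com", "api.trusted-third-party.com",
    "backup-server.example.com", "test-environment.example.com", "s3.amazonaws.com"]);
let dns_hits = DnsEvents
    | where TimeGenerated > ago(lookback)
    | where Name has_any (malicious_domains)
    | where not(Name has_any (trusted_domains))
    // Normalise to a lower-case short hostname so the join tolerates FQDN and case differences
    | extend Host = tolower(tostring(split(Computer, ".")[0]))
    | project DnsTime = TimeGenerated, Host, QueriedDomain = Name, IPAddresses;
let c2_connections = DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where RemoteIP == c2_ip and RemotePort == c2_port
    | extend Host = tolower(tostring(split(DeviceName, ".")[0]))
    | project ConnTime = Timestamp, Host, RemoteIP, RemotePort,
              InitiatingProcessFileName, InitiatingProcessCommandLine;
dns_hits
| join kind=inner c2_connections on Host
// Keep only C2 connections that follow the DNS lookup within one hour
| where ConnTime between (DnsTime .. (DnsTime + 1h))
| project DnsTime, ConnTime, Host, QueriedDomain, RemoteIP, RemotePort,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by ConnTime desc
```

Hosts that only resolve an IOC domain (for example through a web proxy or a sandbox) still surface in the plain DnsEvents hunt; this query is meant as a higher-priority view layered on top of it, not a replacement.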