The ThreatFox: Unknown malware IOCs rule detects potential adversary activity involving unknown malicious artifacts that may indicate the presence of previously unseen malware. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced threats that evade traditional detection methods.
IOC Summary
Malware Family: Unknown malware Total IOCs: 17 IOC Types: url, domain, ip:port, sha256_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 15[.]235[.]159[.]82:56005 | botnet_cc | 2026-06-20 | 75% |
| ip:port | 107[.]172[.]232[.]71:5002 | botnet_cc | 2026-06-20 | 75% |
| url | hxxps://imgur.media/ | payload_delivery | 2026-06-20 | 90% |
| domain | elijahwgummer.baby | botnet_cc | 2026-06-20 | 75% |
| url | hxxp://www.kongographics.com/200 | payload_delivery | 2026-06-20 | 75% |
| url | hxxp://cdn.librarygrades.com/200.txt | payload_delivery | 2026-06-20 | 75% |
| url | hxxps://elijahwgummer.baby/Monkey-e669fb0-a99aeeab-5e65331880-0b06979 | botnet_cc | 2026-06-20 | 75% |
| sha256_hash | c343f53916747c5b8a60aed844b1882863f432af65867297edf1913f167c4f68 | payload | 2026-06-20 | 75% |
| sha256_hash | e8ee3e3e25e9deef039131b7e66855a2e614d36f395b582f9b7e6365ffd61484 | payload | 2026-06-20 | 75% |
| domain | dgdf.nimographic.com | payload_delivery | 2026-06-20 | 75% |
| sha256_hash | 13420d64ce091f6dc0505d5a2ca5858f6080f3d91580459c2284bd68fdcb1979 | payload | 2026-06-20 | 75% |
| url | hxxps://vigipart.fr/ | payload_delivery | 2026-06-20 | 90% |
| url | hxxps://prguru.pk/ | payload_delivery | 2026-06-20 | 90% |
| url | hxxps://bullpcn.com/ | payload_delivery | 2026-06-20 | 90% |
| domain | xeno.getslax.com | payload_delivery | 2026-06-19 | 100% |
| url | hxxps://jobs.trabajoseguro.info/ | payload_delivery | 2026-06-19 | 90% |
| domain | coraline.buzz | payload_delivery | 2026-06-19 | 100% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Unknown malware
let malicious_ips = dynamic(["15.235.159.82", "107.172.232.71"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["15.235.159.82", "107.172.232.71"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown malware
let malicious_domains = dynamic(["elijahwgummer.baby", "dgdf.nimographic.com", "xeno.getslax.com", "coraline.buzz"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc// Hunt for access to known malicious URLs
// Source: ThreatFox - Unknown malware
let malicious_urls = dynamic(["https://imgur.media/", "http://www.kongographics.com/200", "http://cdn.librarygrades.com/200.txt", "https://elijahwgummer.baby/Monkey-e669fb0-a99aeeab-5e65331880-0b06979", "https://vigipart.fr/", "https://prguru.pk/", "https://bullpcn.com/", "https://jobs.trabajoseguro.info/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc// Hunt for files matching known malicious hashes
// Source: ThreatFox - Unknown malware
let malicious_hashes = dynamic(["c343f53916747c5b8a60aed844b1882863f432af65867297edf1913f167c4f68", "e8ee3e3e25e9deef039131b7e66855a2e614d36f395b582f9b7e6365ffd61484", "13420d64ce091f6dc0505d5a2ca5858f6080f3d91580459c2284bd68fdcb1979"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceFileEvents | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
UrlClickEvents | Ensure this data connector is enabled |
Scenario: Legitimate system update using ThreatFox IOC
Description: A system update process pulls a file that is flagged by ThreatFox due to a false positive match.
Filter/Exclusion: Exclude files signed by Microsoft or known trusted vendors, e.g., file_hash IN ('hash1', 'hash2') or process_name = "WindowsUpdate.exe"
Scenario: Scheduled backup job using known malicious-looking file names
Description: A backup tool uses a file name that matches a known malicious pattern (e.g., *.tmp or *.log), triggering the rule.
Filter/Exclusion: Exclude processes associated with backup tools like VeeamBackup.exe or VSSWrite.exe, or filter by directory paths like C:\ProgramData\ or C:\Windows\Temp\
Scenario: Admin task using PowerShell to generate temporary files
Description: An admin runs a PowerShell script that creates temporary files with names resembling malicious IOCs.
Filter/Exclusion: Exclude PowerShell processes running under admin accounts or with specific command-line arguments, e.g., process_name = "powershell.exe" AND user = "Administrator" or command_line LIKE '%-Command%'
Scenario: Log file rotation using known malicious-looking file extensions
Description: Log rotation tools create files with extensions like .log or .tmp that are mistakenly flagged by the rule.
Filter/Exclusion: Exclude files in log directories such as C:\Windows\System32\LogFiles\ or filter by file extensions like .log or .tmp
Scenario: Internal tool using ThreatFox IOC for threat intelligence lookup
Description: A security tool or SIEM system queries ThreatFox for IOC validation, resulting in a false positive.
Filter/Exclusion: Exclude processes related