The ThreatFox: Unknown malware IOCs rule detects potential adversary activity involving unknown malicious artifacts that may indicate the presence of previously unseen malware in the environment. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced threats that evade traditional detection methods.
IOC Summary
Malware Family: Unknown malware
Total IOCs: 10
IOC Types: ip:port, sha256_hash, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 137[.]184[.]163[.]27:5613 | botnet_cc | 2026-06-07 | 75% |
| sha256_hash | c8828efba8e167e85a1d7f4a86aa743f1bba9c19e467a4e7e50e7970d51b28a9 | payload | 2026-06-07 | 100% |
| sha256_hash | f2d3905ee38b2b5c0b724d582f14eb1db7621ffb8f3826df686a20784341614c | payload | 2026-06-07 | 100% |
| sha256_hash | 3eebbad99104a48977441a791829a7a442e745ee27b7ab1be7e7418b7ca3e8d9 | payload | 2026-06-07 | 100% |
| sha256_hash | df9e38ea510a595071a3263a83a15753fc1b51c29655eaa9579efc8d1dff6f29 | payload | 2026-06-07 | 100% |
| domain | bantamoro.icu | payload_delivery | 2026-06-07 | 100% |
| domain | dataramara.icu | payload_delivery | 2026-06-07 | 100% |
| domain | davalnd.top | payload_delivery | 2026-06-07 | 100% |
| domain | lastnight.info | payload_delivery | 2026-06-07 | 100% |
| domain | lightsnow.info | payload_delivery | 2026-06-07 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Unknown malware
let malicious_ips = dynamic(["137.184.163.27"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Unknown malware
let malicious_ips = dynamic(["137.184.163.27"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown malware
let malicious_domains = dynamic(["bantamoro.icu", "dataramara.icu", "davalnd.top", "lastnight.info", "lightsnow.info"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - Unknown malware
// Every indicator in this list is a SHA-256 digest, so only the SHA256 column can match it;
// comparing SHA1 or MD5 columns against these values could never return a row.
let malicious_hashes = dynamic(["c8828efba8e167e85a1d7f4a86aa743f1bba9c19e467a4e7e50e7970d51b28a9", "f2d3905ee38b2b5c0b724d582f14eb1db7621ffb8f3826df686a20784341614c", "3eebbad99104a48977441a791829a7a442e745ee27b7ab1be7e7418b7ca3e8d9", "df9e38ea510a595071a3263a83a15753fc1b51c29655eaa9579efc8d1dff6f29"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
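The hunts above are hand-written from the IOC table; when the feed refreshes, a SOC usually regenerates them. The Python below is an added example (not ThreatFox, abuse.ch or Microsoft code) that takes IOC records shaped like the table on this page, refangs and validates them, and emits the same per-table KQL queries. The record field names are my own, mirroring the table columns rather than any ThreatFox API schema; the mixed-case defanged domain and the malformed hash in the sample data are constructed to show the normalisation path. It goes slightly beyond the page by applying a confidence floor and by dropping any hash that is not a 64-character hex digest.

```python
"""Normalise ThreatFox-style IOC records and emit Sentinel KQL hunting queries.
Added example, not ThreatFox/abuse.ch or Microsoft code. Record field names are
my own, mirroring the table columns on this page, not the ThreatFox API schema."""
import ipaddress
import json
import re

# Constructed sample records copied from the IOC table above, plus a defanged,
# mixed-case domain variant and a deliberately malformed hash (both constructed)
# to show that normalisation fixes the first and validation drops the second.
SAMPLE_IOCS = [
    {"ioc_type": "ip:port", "ioc": "137[.]184[.]163[.]27:5613", "threat_type": "botnet_cc", "confidence": 75},
    {"ioc_type": "sha256_hash",
     "ioc": "c8828efba8e167e85a1d7f4a86aa743f1bba9c19e467a4e7e50e7970d51b28a9",
     "threat_type": "payload", "confidence": 100},
    {"ioc_type": "sha256_hash", "ioc": "deadbeef", "threat_type": "payload", "confidence": 100},  # constructed: too short
    {"ioc_type": "domain", "ioc": "bantamoro.icu", "threat_type": "payload_delivery", "confidence": 100},
    {"ioc_type": "domain", "ioc": "LastNight[.]info.", "threat_type": "payload_delivery", "confidence": 100},  # constructed variant
]
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def refang(value):
    """Undo common defanging so the value matches what telemetry actually records."""
    v = value.strip()
    for old, new in (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("hxxp", "http")):
        v = v.replace(old, new)
    return v


def split_ip_port(value):
    """Split 'ip:port' into (ip, port), validating both halves (IPv4 only, as in the table)."""
    ip, sep, port = value.rpartition(":")
    if not sep:
        raise ValueError(f"no port in {value!r}")
    ipaddress.IPv4Address(ip)                 # raises a ValueError subclass on a malformed address
    port_num = int(port)
    if not 0 < port_num < 65536:
        raise ValueError(f"bad port in {value!r}")
    return ip, port_num


def normalize(records, min_confidence=0):
    """Group refanged indicators by type; skip malformed or low-confidence records."""
    out = {"ip": set(), "ports": {}, "domain": set(), "sha256": set()}
    for rec in records:
        if rec.get("confidence", 0) < min_confidence:
            continue
        value, kind = refang(rec["ioc"]), rec["ioc_type"]
        try:
            if kind == "ip:port":
                ip, port = split_ip_port(value)
                out["ip"].add(ip)
                out["ports"].setdefault(ip, set()).add(port)   # kept for port-aware hunts
            elif kind == "domain":
                out["domain"].add(value.lower().rstrip("."))
            elif kind == "sha256_hash" and SHA256_RE.match(value.lower()):
                out["sha256"].add(value.lower())              # anything else is silently dropped
        except ValueError:
            continue   # one bad record must not poison the whole hunt list
    return out


def kql_list(values):
    """Render a KQL dynamic([...]) literal; json.dumps handles quoting and escaping."""
    return f"dynamic({json.dumps(sorted(values))})"


# Per-table query templates following the hunts on this page; {list} is filled in.
TEMPLATES = {
    "CommonSecurityLog": ("ip", "let malicious_ips = {list};\nCommonSecurityLog\n"
        "| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)\n"
        "| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity\n"
        "| order by TimeGenerated desc"),
    "DeviceNetworkEvents": ("ip", "let malicious_ips = {list};\nDeviceNetworkEvents\n"
        "| where RemoteIP in (malicious_ips)\n"
        "| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType\n"
        "| order by Timestamp desc"),
    "DnsEvents": ("domain", "let malicious_domains = {list};\nDnsEvents\n"
        "| where Name has_any (malicious_domains)\n"
        "| project TimeGenerated, Computer, Name, IPAddresses, QueryType\n"
        "| order by TimeGenerated desc"),
    # Only the SHA256 column is compared: a SHA-256 digest can never equal a SHA1 or MD5 value.
    "DeviceFileEvents": ("sha256", "let malicious_hashes = {list};\nDeviceFileEvents\n"
        "| where SHA256 in (malicious_hashes)\n"
        "| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName\n"
        "| order by Timestamp desc"),
}


def build_queries(iocs):
    """Return one KQL query per table that has indicators of the matching type."""
    return {table: tmpl.format(list=kql_list(iocs[kind]))
            for table, (kind, tmpl) in TEMPLATES.items() if iocs[kind]}


if __name__ == "__main__":
    for table, query in build_queries(normalize(SAMPLE_IOCS)).items():
        print(f"// {table}\n{query}\n")
```

Running the module prints one ready-to-paste query per table. Feeding it the full ten-row table instead of the trimmed sample reproduces the four queries above, except that the hash query compares only the SHA256 column. The confidence floor is deliberately a parameter: the 75% C2 entry is still worth hunting, but a team that only alerts on high-confidence indicators can raise the floor without editing the feed.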
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceFileEvents | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is using PowerShell to run a scheduled job that downloads a legitimate update from a known Microsoft server.
Filter/Exclusion: Exclude PowerShell scripts that originate from C:\Windows\System32\WindowsPowerShell\v1.0\ and are signed by Microsoft.
Scenario: A Windows Task Scheduler job is configured to execute a legitimate third-party tool like 7-Zip for archive management, which temporarily writes to a network share.
Filter/Exclusion: Exclude file access events where the file path contains C:\Program Files\7-Zip\ or is associated with a known trusted tool.
Scenario: A Windows Event Log collector service is configured to write logs to a remote SIEM system, which involves IOCs like logstash or elasticsearch in the network traffic.
Filter/Exclusion: Exclude network connections to known SIEM systems (e.g., IP addresses or FQDNs of your SIEM appliance) and processes associated with log collection tools.
Scenario: A System Center Configuration Manager (SCCM) client is synchronizing policies and temporarily connects to the SCCM server, which may involve unknown IOCs in the network traffic.
Filter/Exclusion: Exclude network traffic initiated by processes under C:\Windows\System32\ccm\ or associated with the SCCM service.
Scenario: A Windows Admin Center session is being used to remotely manage a server, and the connection involves IOCs like winrm or wsman in the network traffic.
Filter/Exclusion: Exclude network traffic originating from the Windows Admin Center client or involving the wsman protocol on known internal IP ranges.
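The exclusions above are easy to over-apply: a bare path prefix suppresses anything that happens to run from that directory. The Python below is an added example (not Microsoft or ThreatFox code) that models the scenarios as rules whose conditions must all hold, so the PowerShell rule needs both the System32 path and the Microsoft signer, as the first scenario states. The signer subject string, the SIEM subnet 10.50.0.0/24, the process names and every hit are constructed stand-ins; keeping botnet_cc hits visible no matter which rule matches is my own design choice, not something the scenarios state.

```python
"""Triage IOC hits against tuned exclusions before they become alerts.
Added example modelling the false-positive scenarios on this page; not
Microsoft or ThreatFox code. Signer string, SIEM subnet and hits are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    """An event that matched an IOC; fields mirror the Sentinel columns used above."""
    ioc: str
    threat_type: str
    process_path: str
    signer: str = ""      # empty when the binary is unsigned
    remote_ip: str = ""   # empty for file and DNS hits


# Every condition in a rule must hold for it to suppress a hit. A path prefix on
# its own is weak (anything can be copied into that directory), so the PowerShell
# rule also requires the signer, exactly as the first scenario states.
EXCLUSIONS = [
    {"name": "ms-signed powershell",
     "path_prefix": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\",
     "signer": "Microsoft Windows"},                            # assumed signer subject
    {"name": "7-zip", "path_prefix": "C:\\Program Files\\7-Zip\\"},
    {"name": "sccm client", "path_prefix": "C:\\Windows\\System32\\ccm\\"},
    {"name": "siem collectors", "remote_net": "10.50.0.0/24"},   # constructed SIEM subnet
]

# Indicator classes an exclusion may never silence (my design choice, not the page's).
PROTECTED = frozenset({"botnet_cc"})


def rule_matches(rule, hit):
    """True only when every condition present in the rule holds for the hit."""
    if "path_prefix" in rule and not hit.process_path.lower().startswith(rule["path_prefix"].lower()):
        return False
    if "signer" in rule and hit.signer != rule["signer"]:
        return False
    if "remote_net" in rule:
        if not hit.remote_ip:
            return False
        if ipaddress.ip_address(hit.remote_ip) not in ipaddress.ip_network(rule["remote_net"]):
            return False
    return True


def triage(hits, rules=EXCLUSIONS, protected=PROTECTED):
    """Split hits into (alerts, suppressed); each suppressed entry carries the rule name."""
    alerts, suppressed = [], []
    for hit in hits:
        rule = next((r for r in rules if rule_matches(r, hit)), None)
        if rule is not None and hit.threat_type not in protected:
            suppressed.append((hit, rule["name"]))
        else:
            alerts.append(hit)
    return alerts, suppressed


# Constructed hits: one per scenario, plus the cases the rules must not hide.
SAMPLE_HITS = [
    Hit("bantamoro.icu", "payload_delivery",
        "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "Microsoft Windows"),
    Hit("bantamoro.icu", "payload_delivery",
        "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"),     # unsigned: keep
    Hit("dataramara.icu", "payload_delivery",
        "C:\\Users\\Public\\powershell.exe", "Microsoft Windows"),             # wrong path: keep
    Hit("c8828efba8e167e85a1d7f4a86aa743f1bba9c19e467a4e7e50e7970d51b28a9", "payload",
        "C:\\Program Files\\7-Zip\\7z.exe"),
    Hit("lastnight.info", "payload_delivery", "C:\\Windows\\System32\\ccm\\CcmExec.exe"),
    Hit("10.50.0.7", "payload_delivery", "C:\\Program Files\\Collector\\agent.exe",
        remote_ip="10.50.0.7"),                                                # constructed SIEM hit
    Hit("137.184.163.27", "botnet_cc",
        "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "Microsoft Windows",
        remote_ip="137.184.163.27"),                                           # C2: never suppressed
]

if __name__ == "__main__":
    alerts, suppressed = triage(SAMPLE_HITS)
    for hit, name in suppressed:
        print(f"suppressed by {name}: {hit.ioc} from {hit.process_path}")
    for hit in alerts:
        print(f"ALERT {hit.threat_type}: {hit.ioc} from {hit.process_path}")
```

Of the seven constructed hits, four are suppressed (one per scenario) and three are kept: the unsigned PowerShell copy, the signed PowerShell running from the wrong directory, and the connection to the listed C2 address, which stays an alert even though the first rule matches it. Logging the rule name alongside each suppressed hit is what lets the exclusion list be reviewed later, which is the difference between tuning and blindness.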