The ThreatFox: Unknown malware IOCs rule detects potential adversary activity involving previously unidentified malicious indicators, suggesting the presence of unknown malware in the environment. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats that evade traditional detection methods.
IOC Summary
Malware Family: Unknown malware Total IOCs: 9 IOC Types: domain, url, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | full-brown.com | botnet_cc | 2026-05-25 | 100% |
| ip:port | 195[.]114[.]193[.]56:7443 | botnet_cc | 2026-05-25 | 75% |
| url | hxxp://85[.]239[.]151[.]41/shr | payload_delivery | 2026-05-25 | 75% |
| url | hxxp://203[.]145[.]34[.]131/wipi | payload_delivery | 2026-05-25 | 75% |
| ip:port | 89[.]23[.]108[.]134:80 | payload_delivery | 2026-05-25 | 80% |
| domain | receipt-view.com | payload_delivery | 2026-05-25 | 75% |
| domain | coinbase.receipt-view.com | payload_delivery | 2026-05-25 | 75% |
| url | hxxps://eletrosoldaitumbiara.com.br/ | payload_delivery | 2026-05-25 | 90% |
| domain | gdnssljs.beer | payload_delivery | 2026-05-24 | 100% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Unknown malware
let malicious_ips = dynamic(["89.23.108.134", "195.114.193.56"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["89.23.108.134", "195.114.193.56"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown malware
let malicious_domains = dynamic(["full-brown.com", "receipt-view.com", "coinbase.receipt-view.com", "gdnssljs.beer"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc// Hunt for access to known malicious URLs
// Source: ThreatFox - Unknown malware
let malicious_urls = dynamic(["http://85.239.151.41/shr", "http://203.145.34.131/wipi", "https://eletrosoldaitumbiara.com.br/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
UrlClickEvents | Ensure this data connector is enabled |
Scenario: System update or patching process using wget to download a legitimate Microsoft update package
Filter/Exclusion: Exclude traffic to Microsoft update servers (update.microsoft.com, download.microsoft.com) using the destination field.
Scenario: Scheduled job running PowerShell to generate reports using Out-File or Export-Csv
Filter/Exclusion: Exclude processes initiated by the Task Scheduler service or processes with the CommandLine containing Out-File or Export-Csv.
Scenario: Admin using Process Monitor (ProcMon) to debug a legitimate application with file system access
Filter/Exclusion: Exclude processes with the ProcessName containing ProcMon.exe or ProcessMonitor.exe.
Scenario: Backup job using rsync or robocopy to transfer files across the network
Filter/Exclusion: Exclude traffic from known backup tools (rsync, robocopy) or from the Backup service account.
Scenario: Log collection using LogParser or Splunk to aggregate logs from multiple servers
Filter/Exclusion: Exclude processes with the ProcessName containing LogParser.exe or splunkd.exe, or traffic to internal log aggregation servers.