The ThreatFox: Unknown malware IOCs rule detects potential adversary activity involving unknown malicious indicators that may indicate the presence of previously unseen malware in the environment. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced threats that evade traditional detection methods.
IOC Summary
Malware Family: Unknown malware
Total IOCs: 11
IOC Types: domain, url, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | staticcloudflare.pro | payload_delivery | 2026-05-22 | 100% |
| url | hxxps://staticcloudflare.pro/api/css.js | payload_delivery | 2026-05-22 | 100% |
| ip:port | 137[.]184[.]240[.]126:9000 | botnet_cc | 2026-05-22 | 75% |
| ip:port | 176[.]100[.]37[.]216:443 | botnet_cc | 2026-05-22 | 100% |
| ip:port | 89[.]213[.]118[.]155:8443 | botnet_cc | 2026-05-22 | 100% |
| domain | unicore.lol | payload_delivery | 2026-05-22 | 100% |
| domain | joinunicore.top | payload_delivery | 2026-05-22 | 100% |
| ip:port | 54[.]187[.]35[.]128:7443 | botnet_cc | 2026-05-22 | 75% |
| ip:port | 46[.]224[.]144[.]82:7443 | botnet_cc | 2026-05-22 | 75% |
| ip:port | 45[.]90[.]120[.]36:7443 | botnet_cc | 2026-05-22 | 75% |
| ip:port | 192[.]169[.]7[.]17:27443 | botnet_cc | 2026-05-22 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Unknown malware
// Note: the ip:port indicators are matched on IP only; add DestinationPort to the where clause to tighten the match
let malicious_ips = dynamic(["137.184.240.126", "45.90.120.36", "89.213.118.155", "176.100.37.216", "46.224.144.82", "192.169.7.17", "54.187.35.128"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Unknown malware
// Note: matched on RemoteIP only; RemotePort is projected so the analyst can compare it with the ip:port indicator
let malicious_ips = dynamic(["137.184.240.126", "45.90.120.36", "89.213.118.155", "176.100.37.216", "46.224.144.82", "192.169.7.17", "54.187.35.128"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown malware
// Note: has_any also matches subdomains of the listed domains (e.g. a query for a host under unicore.lol)
let malicious_domains = dynamic(["staticcloudflare.pro", "unicore.lol", "joinunicore.top"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Unknown malware
// Note: the defanged hxxps:// value from the IOC table is refanged to https:// so it matches logged URLs
let malicious_urls = dynamic(["https://staticcloudflare.pro/api/css.js"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
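The queries above match the botnet_cc indicators on IP address alone, although the feed publishes them as ip:port pairs. The following query is an added example (not part of the ThreatFox page or the Sentinel content) that matches on the full pair and carries the feed's confidence value through, so traffic to a shared host on an unrelated port does not fire and low-confidence hits can be triaged separately:

```kql
// Added example: match DeviceNetworkEvents against the ip:port pairs from the IOC table
// Values and confidence come from the table on this page; the lookback window is an assumption
let malicious_endpoints = datatable(RemoteIP:string, RemotePort:int, Confidence:int)
[
    "137.184.240.126", 9000,  75,
    "176.100.37.216",  443,   100,
    "89.213.118.155",  8443,  100,
    "54.187.35.128",   7443,  75,
    "46.224.144.82",   7443,  75,
    "45.90.120.36",    7443,  75,
    "192.169.7.17",    27443, 75
];
DeviceNetworkEvents
| where Timestamp > ago(30d)
// cheap pre-filter on IP before the join
| where RemoteIP in ((malicious_endpoints | project RemoteIP))
// require both IP and port to match the indicator
| join kind=inner malicious_endpoints on RemoteIP, RemotePort
| project Timestamp, DeviceName, RemoteIP, RemotePort, Confidence,
          InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType
| order by Confidence desc, Timestamp desc
```

The same datatable can be joined to CommonSecurityLog on DestinationIP and DestinationPort for firewall telemetry.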
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: A system administrator is using PowerShell to run a scheduled job that downloads a legitimate update from a known internal repository.
Filter/Exclusion: Exclude PowerShell scripts that originate from internal IP ranges or are signed by internal CA certificates.
Scenario: A Windows Task Scheduler job is configured to execute a script that performs routine system cleanup, which includes interacting with a known internal API endpoint.
Filter/Exclusion: Exclude activities originating from the Task Scheduler service or from internal API endpoints used by known legitimate tools.
Scenario: A Chef or Ansible automation tool is deploying configuration changes and is making outbound connections to a known internal artifact repository.
Filter/Exclusion: Exclude connections to internal artifact repositories used by configuration management tools like Chef or Ansible.
Scenario: A Logstash or ELK stack instance is sending logs to a central logging server, which involves IOCs such as IP addresses or domain names that match the rule’s criteria.
Filter/Exclusion: Exclude traffic from Logstash or Kibana instances that are part of the internal logging infrastructure.
Scenario: A Docker container is running a legitimate application and is accessing a private registry or a known internal service, which may trigger the rule due to the presence of known IOCs.
Filter/Exclusion: Exclude traffic from Docker containers that are part of the organization’s CI/CD pipeline or internal service mesh.