ThreatFox: Unknown malware IOCs

Hunt Hypothesis

The ThreatFox: Unknown malware IOCs rule detects potential adversary activity involving previously unidentified malicious indicators, which could signal the presence of novel or evolving threats. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate unknown malware before it causes significant damage.

IOC Summary

Malware Family: Unknown malware Total IOCs: 83 IOC Types: domain, ip:port, url

Type	Value	Threat Type	First Seen	Confidence
url	hxxps://www.sokolmarefy.cz/	payload_delivery	2026-06-22	90%
url	hxxps://www.seesingit.nl/	payload_delivery	2026-06-22	90%
url	hxxps://www.petektemizligifiyatlari.com/	payload_delivery	2026-06-22	90%
url	hxxps://vitimadetransito.com.br/	payload_delivery	2026-06-22	90%
url	hxxps://thesagevibe.com/	payload_delivery	2026-06-22	90%
url	hxxps://stonecraftfabrication.com/	payload_delivery	2026-06-22	90%
url	hxxps://thefaithlifeclub.org/	payload_delivery	2026-06-22	90%
url	hxxps://stichtingunityvibes.nl/	payload_delivery	2026-06-22	90%
url	hxxps://test-flight.de/	payload_delivery	2026-06-22	90%
url	hxxps://sttechnologie.com/	payload_delivery	2026-06-22	90%
url	hxxps://techco.ec/	payload_delivery	2026-06-22	90%
url	hxxps://shanghaiwangqing.com/	payload_delivery	2026-06-22	90%
url	hxxps://sskfhospital.com/	payload_delivery	2026-06-22	90%
url	hxxps://window-cleaner.uk/	payload_delivery	2026-06-22	90%
url	hxxps://silanavi.com/	payload_delivery	2026-06-22	90%
url	hxxps://www.alma2019-int.com/	payload_delivery	2026-06-22	90%
url	hxxps://server-ke436.com/	payload_delivery	2026-06-22	90%
url	hxxps://thequadtec.com/	payload_delivery	2026-06-22	90%
url	hxxps://vetenim.site/	payload_delivery	2026-06-22	90%
url	hxxps://www.pentaconsultant.co.uk/	payload_delivery	2026-06-22	90%
url	hxxps://triplords.in/	payload_delivery	2026-06-22	90%
url	hxxps://ubytovani-hlohovec.cz/	payload_delivery	2026-06-22	90%
url	hxxps://seedgoc.com/	payload_delivery	2026-06-22	90%
url	hxxps://warriorsoftorah.com/	payload_delivery	2026-06-22	90%
url	hxxps://www.andrewyoungkim.com/	payload_delivery	2026-06-22	90%

KQL: Ip Hunt

// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Unknown malware
let malicious_ips = dynamic(["37.60.253.62"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc

KQL: Ip Hunt Device

// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["37.60.253.62"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc

KQL: Domain Hunt

// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown malware
let malicious_domains = dynamic(["bonavol.com", "leakads.com", "idverification-code.beer", "copysofort.org", "thisisafalsepositive.st"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc

KQL: Url Hunt

// Hunt for access to known malicious URLs
// Source: ThreatFox - Unknown malware
let malicious_urls = dynamic(["https://www.sokolmarefy.cz/", "https://www.seesingit.nl/", "https://www.petektemizligifiyatlari.com/", "https://vitimadetransito.com.br/", "https://thesagevibe.com/", "https://stonecraftfabrication.com/", "https://thefaithlifeclub.org/", "https://stichtingunityvibes.nl/", "https://test-flight.de/", "https://sttechnologie.com/", "https://techco.ec/", "https://shanghaiwangqing.com/", "https://sskfhospital.com/", "https://window-cleaner.uk/", "https://silanavi.com/", "https://www.alma2019-int.com/", "https://server-ke436.com/", "https://thequadtec.com/", "https://vetenim.site/", "https://www.pentaconsultant.co.uk/", "https://triplords.in/", "https://ubytovani-hlohovec.cz/", "https://seedgoc.com/", "https://warriorsoftorah.com/", "https://www.andrewyoungkim.com/", "https://traillecaribbean.com/", "https://wandaspeaks.com/", "https://ushiroyama-koumuten.com/", "https://ur-schlecker.de/", "https://veducationservices.com/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc

Required Data Sources

Sentinel Table	Notes
CommonSecurityLog	Ensure this data connector is enabled
DeviceNetworkEvents	Ensure this data connector is enabled
DnsEvents	Ensure this data connector is enabled
UrlClickEvents	Ensure this data connector is enabled

References

• ThreatFox — Unknown malware

False Positive Guidance

• Scenario: A system administrator is using PowerShell to run a scheduled job that downloads a legitimate update from a known Microsoft server.
  Filter/Exclusion: Exclude all PowerShell commands executed against Microsoft public IP ranges or domains (e.g., microsoft.com, update.microsoft.com).

• Scenario: A DevOps engineer is using Ansible to deploy a configuration management script that includes a legitimate third-party library hosted on GitHub.
  Filter/Exclusion: Exclude all IOCs originating from GitHub domains or IP ranges associated with public repositories.

• Scenario: A database administrator is using SQL Server Agent to run a backup job that connects to a remote AWS S3 bucket for storage.
  Filter/Exclusion: Exclude all connections to AWS S3 endpoints or IP ranges associated with AWS infrastructure.

• Scenario: A security analyst is using Wireshark to analyze network traffic and saves the capture file to a local drive using a Windows command prompt.
  Filter/Exclusion: Exclude all file writes to local drives initiated by Wireshark or command-line tools used for network analysis.

• Scenario: A system administrator is using Windows Task Scheduler to run a script that queries Active Directory for user information and logs it to a local log file.
  Filter/Exclusion: Exclude all IOCs related to Active Directory queries or local log file operations initiated by Task Scheduler.