The ThreatFox: Unknown malware IOCs rule detects potential adversary activity involving unknown malicious indicators that could signal the presence of previously unseen malware. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate emerging threats before they cause significant damage.
IOC Summary

Malware Family: Unknown malware
Total IOCs: 7
IOC Types: url, domain, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 94[.]26[.]90[.]216:56001 | botnet_cc | 2026-04-18 | 75% |
| domain | nisuwyyyqsafdas.com | botnet_cc | 2026-04-18 | 100% |
| url | hxxp://217[.]60[.]38[.]147/pages/login.php | botnet_cc | 2026-04-18 | 100% |
| url | hxxps://nenadopapa.cfd/log.php | payload_delivery | 2026-04-18 | 100% |
| url | hxxps://nenadopapa.cfd/api/index.php | payload_delivery | 2026-04-18 | 100% |
| url | hxxps://nenadopapa.cfd/cf.js | payload_delivery | 2026-04-18 | 100% |
| domain | nenadopapa.cfd | payload_delivery | 2026-04-18 | 100% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Unknown malware
let malicious_ips = dynamic(["94.26.90.216"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Unknown malware
// The ip:port IOC lists port 56001; add "and RemotePort == 56001" to narrow the hunt if the IP alone is noisy
let malicious_ips = dynamic(["94.26.90.216"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown malware
let malicious_domains = dynamic(["nisuwyyyqsafdas.com", "nenadopapa.cfd"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - Unknown malware
let malicious_urls = dynamic(["http://217.60.38.147/pages/login.php", "https://nenadopapa.cfd/log.php", "https://nenadopapa.cfd/api/index.php", "https://nenadopapa.cfd/cf.js"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
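The `let` lists in the queries above are the IOC table refanged by hand (hxxp to http, `[.]` to `.`), which is easy to get wrong when a feed changes. As an added example that is not part of the original rule, the helper below parses the defanged table rows, refangs them, keeps the ip:port pairing alongside the bare IP, and emits the KQL `let` declarations; the sample rows are constructed from the table on this page.

```python
import re
from collections import defaultdict

# Constructed sample: defanged rows in the same layout as the IOC table above.
IOC_TABLE = """
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 94[.]26[.]90[.]216:56001 | botnet_cc | 2026-04-18 | 75% |
| domain | nisuwyyyqsafdas.com | botnet_cc | 2026-04-18 | 100% |
| url | hxxp://217[.]60[.]38[.]147/pages/login.php | botnet_cc | 2026-04-18 | 100% |
| url | hxxps://nenadopapa.cfd/log.php | payload_delivery | 2026-04-18 | 100% |
| domain | nenadopapa.cfd | payload_delivery | 2026-04-18 | 100% |
"""

def refang(value: str) -> str:
    """Undo common defanging so the value matches what the logs actually record."""
    value = value.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)

def parse_ioc_table(table: str) -> dict:
    """Group refanged values by IOC type. ip:port rows yield both the bare IP
    (for RemoteIP / DestinationIP matching) and the exact ip:port string."""
    groups = defaultdict(list)
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 2 or cells[0] in ("Type", "---"):
            continue  # skip blank, header and separator rows
        ioc_type, value = cells[0], refang(cells[1])
        if ioc_type == "ip:port":
            groups["ip"].append(value.rsplit(":", 1)[0])
            groups["ip:port"].append(value)
        else:
            groups[ioc_type].append(value)
    return dict(groups)

def kql_let(name: str, values: list) -> str:
    """Render one KQL `let name = dynamic([...]);` line with quoted string literals."""
    return f'let {name} = dynamic([{", ".join(f"{chr(34)}{v}{chr(34)}" for v in values)}]);'

def build_kql_lets(table: str) -> str:
    """Emit the let-declarations the hunting queries consume, one per IOC type present.
    Match ip:port with: strcat(RemoteIP, ":", tostring(RemotePort)) in (malicious_ip_ports)."""
    names = {"ip": "malicious_ips", "ip:port": "malicious_ip_ports",
             "domain": "malicious_domains", "url": "malicious_urls"}
    groups = parse_ioc_table(table)
    return "\n".join(kql_let(names[t], groups[t]) for t in names if t in groups)

if __name__ == "__main__":
    print(build_kql_lets(IOC_TABLE))
```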
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
Scenario: System Update or Patching Process
Description: A legitimate system update or patching process may involve downloading files from known repositories (e.g., Microsoft Update, Red Hat Satellite) that are mistakenly flagged as unknown malware.
Filter/Exclusion: Exclude file hashes or URLs associated with trusted update servers (e.g., hashes from microsoft.com, urls containing "update" or "patch").
Scenario: Scheduled Backup Job
Description: A scheduled backup job may transfer files to a remote storage location (e.g., AWS S3, Azure Blob Storage) which could be flagged as suspicious due to the volume or destination.
Filter/Exclusion: Exclude file paths or destinations related to backup services (e.g., file paths containing "backup", destinations containing "aws" or "azure").
Scenario: Admin Task - PowerShell Script Execution
Description: An administrator may run a PowerShell script (e.g., Invoke-Command, Start-Process) that interacts with internal systems or external APIs, which could trigger the rule due to the script’s IOCs.
Filter/Exclusion: Exclude PowerShell scripts executed by known admin accounts (e.g., user = "Administrator", script paths containing "scripts/admin").
Scenario: Log Collection and Monitoring Tools
Description: Tools like Splunk, ELK Stack, or Graylog may collect logs and send them to remote servers, which could be flagged as unknown malware IOCs due to the data transfer.
Filter/Exclusion: Exclude traffic related to log collection tools (e.g., destinations containing "splunk" or "graylog", process names containing "logstash").
Scenario: Internal Software Development
Description: A developer may compile or package internal software (e.g., using