The ThreatFox: Unknown malware IOCs rule detects potential adversary activity involving unknown malicious indicators that may be associated with advanced persistent threats. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate unknown malware campaigns before they cause significant damage.
IOC Summary
Malware Family: Unknown malware Total IOCs: 25 IOC Types: sha256_hash, domain, ip:port, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| sha256_hash | 99cfd8d9b8ebba0d7cf8527eb0b63eb920fa6898f6971c53df833a85415714f6 | payload | 2026-06-10 | 50% |
| sha256_hash | 4a4c286c2ee27df4c0ca597b2568986689f8fb5d0b325fdc2cf45af560b80c97 | payload | 2026-06-10 | 50% |
| sha256_hash | 7b2314d6af6b3df7723dbd88439b29fb990e8133cba441c76b9683b68a5adfd1 | payload | 2026-06-10 | 50% |
| sha256_hash | 5a3953fc874c19e45eb8ae6479e1bca3214f8c3e828d38681b68ed4652a6fa83 | payload | 2026-06-10 | 50% |
| sha256_hash | e96dc227d4e82d1c261eff41081e1ec8de4bbcbb7e26f989f4ab10c955b93312 | payload | 2026-06-10 | 50% |
| sha256_hash | 21ec3bd2644b08eb5dfea8718c98a786f11aaceb041bfa29fa550b70dc763e02 | payload | 2026-06-10 | 50% |
| sha256_hash | 336cee203c92efe8a8067f9c3ad71e3d7fd2d7231e6bce8381d5ec0243bf1e60 | payload | 2026-06-10 | 50% |
| sha256_hash | 6c6d2bc2d895c9e0b8946c0d1ad5611632e479eecb481031e5f3744e1a6f65b0 | payload | 2026-06-10 | 50% |
| sha256_hash | 04a93feba4c974ab3c7fe203d68f78bc3b8b395492fdecc0b3fefadfd74dcac4 | payload | 2026-06-10 | 50% |
| sha256_hash | 86ad203b4dfcd43bdc93bea91e9fc01b613e4fa755fcf3b298e8d1e74e168009 | payload | 2026-06-10 | 50% |
| sha256_hash | af4bf0887368a86ea9b3efc1c215c1e59c663de1288777b67246c4b641897bd3 | payload | 2026-06-10 | 50% |
| sha256_hash | 54202d955f19f8d721408471a906211833843624ecdca03ace14824c2b041d82 | payload | 2026-06-10 | 50% |
| sha256_hash | 5903092322871269cb4c72fd4bc706a7d7c6a12c4422e92d7729cb082a6013f8 | payload | 2026-06-10 | 50% |
| sha256_hash | 4183648bf9b7677843bb02cbdd90602b0708e3f76bc2f8e3d0bd805df3bedeeb | payload | 2026-06-10 | 50% |
| sha256_hash | 2c4c16052c800b957945ac94afcab893e52924fc8e348154a106a3f8a31ed490 | payload | 2026-06-10 | 50% |
| sha256_hash | e2e85ffb029036a3449da8f65275ccfb9e77832a6085c5c26d6726dfda47a048 | payload | 2026-06-10 | 50% |
| sha256_hash | d5d0a96a77f93ba4dc8dc468efee0fcd99a065f665307ecc750ef36258680b39 | payload | 2026-06-10 | 50% |
| sha256_hash | 0f7448bc71f420f7b696550a46541b9b2c9fb3808fd6dfe9b18b456a9f0cfed4 | payload | 2026-06-10 | 50% |
| ip:port | 64[.]89[.]162[.]117:7443 | botnet_cc | 2026-06-10 | 75% |
| ip:port | 154[.]83[.]186[.]106:30159 | botnet_cc | 2026-06-10 | 75% |
| url | hxxps://mylovedomen.asia/ | payload_delivery | 2026-06-10 | 90% |
| domain | ethercdnns.beer | payload_delivery | 2026-06-10 | 100% |
| domain | soqtorent.monster | payload_delivery | 2026-06-10 | 100% |
| domain | ledeuil.monster | payload_delivery | 2026-06-10 | 100% |
| domain | mylovedomen.asia | payload_delivery | 2026-06-10 | 100% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Unknown malware
let malicious_ips = dynamic(["64.89.162.117", "154.83.186.106"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["64.89.162.117", "154.83.186.106"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown malware
let malicious_domains = dynamic(["ethercdnns.beer", "soqtorent.monster", "ledeuil.monster", "mylovedomen.asia"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc// Hunt for access to known malicious URLs
// Source: ThreatFox - Unknown malware
let malicious_urls = dynamic(["https://mylovedomen.asia/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc// Hunt for files matching known malicious hashes
// Source: ThreatFox - Unknown malware
let malicious_hashes = dynamic(["99cfd8d9b8ebba0d7cf8527eb0b63eb920fa6898f6971c53df833a85415714f6", "4a4c286c2ee27df4c0ca597b2568986689f8fb5d0b325fdc2cf45af560b80c97", "7b2314d6af6b3df7723dbd88439b29fb990e8133cba441c76b9683b68a5adfd1", "5a3953fc874c19e45eb8ae6479e1bca3214f8c3e828d38681b68ed4652a6fa83", "e96dc227d4e82d1c261eff41081e1ec8de4bbcbb7e26f989f4ab10c955b93312", "21ec3bd2644b08eb5dfea8718c98a786f11aaceb041bfa29fa550b70dc763e02", "336cee203c92efe8a8067f9c3ad71e3d7fd2d7231e6bce8381d5ec0243bf1e60", "6c6d2bc2d895c9e0b8946c0d1ad5611632e479eecb481031e5f3744e1a6f65b0", "04a93feba4c974ab3c7fe203d68f78bc3b8b395492fdecc0b3fefadfd74dcac4", "86ad203b4dfcd43bdc93bea91e9fc01b613e4fa755fcf3b298e8d1e74e168009", "af4bf0887368a86ea9b3efc1c215c1e59c663de1288777b67246c4b641897bd3", "54202d955f19f8d721408471a906211833843624ecdca03ace14824c2b041d82", "5903092322871269cb4c72fd4bc706a7d7c6a12c4422e92d7729cb082a6013f8", "4183648bf9b7677843bb02cbdd90602b0708e3f76bc2f8e3d0bd805df3bedeeb", "2c4c16052c800b957945ac94afcab893e52924fc8e348154a106a3f8a31ed490", "e2e85ffb029036a3449da8f65275ccfb9e77832a6085c5c26d6726dfda47a048", "d5d0a96a77f93ba4dc8dc468efee0fcd99a065f665307ecc750ef36258680b39", "0f7448bc71f420f7b696550a46541b9b2c9fb3808fd6dfe9b18b456a9f0cfed4"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceFileEvents | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
UrlClickEvents | Ensure this data connector is enabled |
Scenario: System backup process using rsync to transfer files to a remote server
Filter/Exclusion: Exclude traffic involving rsync commands with destination IPs in the organization’s backup infrastructure.
Scenario: Scheduled job running logrotate to manage log files
Filter/Exclusion: Exclude processes with logrotate in their command line and associated with the system logging service.
Scenario: Admin task using tcpdump to capture network traffic for analysis
Filter/Exclusion: Exclude processes with tcpdump running with elevated privileges and associated with the network analysis team’s tools.
Scenario: Regular system update using yum or apt to install packages
Filter/Exclusion: Exclude processes involving package managers like yum or apt during scheduled update windows.
Scenario: Database backup using mysqldump to export data to a remote storage location
Filter/Exclusion: Exclude processes with mysqldump and destination IPs matching the organization’s backup storage systems.