The ThreatFox: Unknown malware IOCs rule detects potential adversary activity involving unknown malicious indicators that may be associated with advanced persistent threats. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate emerging threats before they cause significant damage.
IOC Summary
Malware Family: Unknown malware Total IOCs: 17 IOC Types: domain, url, ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 103[.]110[.]80[.]154:7443 | botnet_cc | 2026-06-17 | 75% |
| ip:port | 95[.]85[.]239[.]146:3000 | botnet_cc | 2026-06-17 | 75% |
| ip:port | 154[.]86[.]119[.]78:80 | botnet_cc | 2026-06-17 | 75% |
| domain | laculex.net | botnet_cc | 2026-06-17 | 100% |
| domain | kuilfgfd.cc | botnet_cc | 2026-06-17 | 100% |
| url | hxxps://livelaughfite.com/ | payload_delivery | 2026-06-17 | 90% |
| url | hxxps://webexpress.cl/ | payload_delivery | 2026-06-17 | 90% |
| url | hxxps://withyou.ma/ | payload_delivery | 2026-06-17 | 90% |
| url | hxxps://www.kushalcardiaccare.com/ | payload_delivery | 2026-06-17 | 90% |
| url | hxxps://toilettage-muzillac.fr/ | payload_delivery | 2026-06-17 | 90% |
| url | hxxps://panelmienbac.com/ | payload_delivery | 2026-06-17 | 90% |
| url | hxxps://systemlt.site/ | payload_delivery | 2026-06-17 | 90% |
| url | hxxps://www.koktengri.com/ | payload_delivery | 2026-06-17 | 90% |
| url | hxxps://valorglobe.com/ | payload_delivery | 2026-06-17 | 90% |
| domain | chinarice.asia | payload_delivery | 2026-06-17 | 100% |
| domain | code-verification-js.beer | payload_delivery | 2026-06-17 | 100% |
| ip:port | 85[.]137[.]58[.]53:7443 | botnet_cc | 2026-06-17 | 75% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Unknown malware
let malicious_ips = dynamic(["103.110.80.154", "85.137.58.53", "154.86.119.78", "95.85.239.146"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["103.110.80.154", "85.137.58.53", "154.86.119.78", "95.85.239.146"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown malware
let malicious_domains = dynamic(["laculex.net", "kuilfgfd.cc", "chinarice.asia", "code-verification-js.beer"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc// Hunt for access to known malicious URLs
// Source: ThreatFox - Unknown malware
let malicious_urls = dynamic(["https://livelaughfite.com/", "https://webexpress.cl/", "https://withyou.ma/", "https://www.kushalcardiaccare.com/", "https://toilettage-muzillac.fr/", "https://panelmienbac.com/", "https://systemlt.site/", "https://www.koktengri.com/", "https://valorglobe.com/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
UrlClickEvents | Ensure this data connector is enabled |
Scenario: A system administrator is using PowerShell to run a scheduled job that downloads a legitimate update from a known repository.
Filter/Exclusion: Exclude PowerShell scripts that access known update servers (e.g., https://download.microsoft.com or https://packages.microsoft.com).
Scenario: A DevOps engineer is using Ansible to deploy a configuration management tool, which involves transferring files via SCP to a remote server.
Filter/Exclusion: Exclude SCP transfers to known internal servers used for configuration management (e.g., ansible-controller.example.com).
Scenario: A database administrator is using SQL Server Agent to run a nightly backup job that writes to a shared network drive.
Filter/Exclusion: Exclude file I/O operations to known backup directories (e.g., \\backup-server\sql_backups) associated with SQL Server.
Scenario: A security analyst is using Wireshark to capture and analyze network traffic for a penetration test, which includes connecting to a test environment.
Filter/Exclusion: Exclude connections to internal test environments (e.g., 10.10.0.0/24) used for security testing.
Scenario: A system administrator is using Windows Task Scheduler to run a script that queries internal Active Directory for user group membership.
Filter/Exclusion: Exclude LDAP queries to internal AD domains (e.g., ldap://dc01.example.com) that are part of routine user management.