The ThreatFox: Unknown malware IOCs rule detects potential adversary activity involving unknown malicious indicators linked to unattributed malware, suggesting possible advanced persistent threats. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate unknown threats before they cause significant damage.
IOC Summary
Malware Family: Unknown malware Total IOCs: 20 IOC Types: domain, ip:port, sha256_hash, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | xxxxxx69.cn | payload_delivery | 2026-06-03 | 75% |
| ip:port | 204[.]194[.]50[.]173:7443 | botnet_cc | 2026-06-03 | 75% |
| domain | ledger.com.ag | payload_delivery | 2026-06-03 | 100% |
| domain | ledger-shop.at | payload_delivery | 2026-06-03 | 100% |
| ip:port | 77[.]93[.]155[.]111:10039 | botnet_cc | 2026-06-03 | 100% |
| ip:port | 144[.]31[.]6[.]17:8080 | botnet_cc | 2026-06-03 | 75% |
| url | hxxp://213[.]108[.]20[.]59/api/commands/ | botnet_cc | 2026-06-03 | 100% |
| url | hxxp://213[.]108[.]20[.]59/api/results | botnet_cc | 2026-06-03 | 100% |
| url | hxxp://213[.]108[.]20[.]59/api/files/sync | botnet_cc | 2026-06-03 | 100% |
| url | hxxp://213[.]108[.]20[.]59/api/data | botnet_cc | 2026-06-03 | 100% |
| url | hxxp://213[.]108[.]20[.]59/api/register | botnet_cc | 2026-06-03 | 100% |
| ip:port | 213[.]108[.]20[.]59:8080 | botnet_cc | 2026-06-03 | 75% |
| url | hxxp://149[.]104[.]29[.]201:8111/log.sh | payload_delivery | 2026-06-03 | 75% |
| url | hxxp://149[.]104[.]29[.]201:8455/slt | payload_delivery | 2026-06-03 | 75% |
| url | hxxp://149[.]104[.]29[.]201:8111/set.sh | payload_delivery | 2026-06-03 | 75% |
| sha256_hash | e3455fb41ba8dce83b27931bacdd6596fd8b925305bedb5bdc00640a0e6a1839 | payload | 2026-06-03 | 75% |
| sha256_hash | 39fbfcccf13ab9d65d90c38b37febef37a89ad7341900ab60eee3896123ed2d1 | payload | 2026-06-03 | 75% |
| sha256_hash | 00443779c72fffed7cc6d40a6e38f32bd5559dc7382177d0866cdaa6a4fe496a | payload | 2026-06-03 | 75% |
| sha256_hash | 005161b1d1b1065b7e1621306aaa5f48fc2196f0af4b12cf7d313018101ceb7d | payload | 2026-06-03 | 75% |
| sha256_hash | ff7a32719f16ac930510f2ab8b9131fb3ae3680338d085fc182ff05ebf97de14 | payload | 2026-06-03 | 75% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Unknown malware
let malicious_ips = dynamic(["144.31.6.17", "204.194.50.173", "213.108.20.59", "77.93.155.111"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["144.31.6.17", "204.194.50.173", "213.108.20.59", "77.93.155.111"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown malware
let malicious_domains = dynamic(["xxxxxx69.cn", "ledger.com.ag", "ledger-shop.at"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc// Hunt for access to known malicious URLs
// Source: ThreatFox - Unknown malware
let malicious_urls = dynamic(["http://213.108.20.59/api/commands/", "http://213.108.20.59/api/results", "http://213.108.20.59/api/files/sync", "http://213.108.20.59/api/data", "http://213.108.20.59/api/register", "http://149.104.29.201:8111/log.sh", "http://149.104.29.201:8455/slt", "http://149.104.29.201:8111/set.sh"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc// Hunt for files matching known malicious hashes
// Source: ThreatFox - Unknown malware
let malicious_hashes = dynamic(["e3455fb41ba8dce83b27931bacdd6596fd8b925305bedb5bdc00640a0e6a1839", "39fbfcccf13ab9d65d90c38b37febef37a89ad7341900ab60eee3896123ed2d1", "00443779c72fffed7cc6d40a6e38f32bd5559dc7382177d0866cdaa6a4fe496a", "005161b1d1b1065b7e1621306aaa5f48fc2196f0af4b12cf7d313018101ceb7d", "ff7a32719f16ac930510f2ab8b9131fb3ae3680338d085fc182ff05ebf97de14"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceFileEvents | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
UrlClickEvents | Ensure this data connector is enabled |
Scenario: Regular system maintenance task using PowerShell to clean temporary files
Filter/Exclusion: Exclude processes initiated by PowerShell.exe with command lines containing Clear-Item or Remove-Item and originating from the C:\Windows\Temp directory.
Scenario: Scheduled backup job using Veeam Backup & Replication that accesses external storage locations
Filter/Exclusion: Exclude IOCs related to Veeam backup operations, specifically network paths used by Veeam Backup & Replication for temporary storage or data transfer.
Scenario: Admin task using Windows Task Scheduler to run a script for log rotation
Filter/Exclusion: Exclude IOCs associated with schtasks.exe and scripts located in the C:\Windows\System32\ directory or under C:\Windows\Temp\.
Scenario: Software update process using Chocolatey to install legitimate packages
Filter/Exclusion: Exclude IOCs related to choco.exe and package downloads from trusted repositories like chocolatey.org or internal artifact repositories.
Scenario: Network monitoring tool like Wireshark capturing traffic for analysis
Filter/Exclusion: Exclude IOCs related to Wireshark or tshark.exe and network interfaces used for packet capture, such as Loopback or eth0 in a virtualized environment.