The ThreatFox: Unknown malware IOCs rule detects potential adversary activity involving unknown malicious indicators that could signal the presence of previously unseen malware in the environment. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced threats that evade traditional detection methods.
IOC Summary
Malware Family: Unknown malware Total IOCs: 31 IOC Types: sha256_hash, domain, ip:port, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 18[.]118[.]91[.]208:80 | botnet_cc | 2026-03-19 | 100% |
| ip:port | 86[.]54[.]42[.]175:5555 | botnet_cc | 2026-03-18 | 100% |
| ip:port | 92[.]113[.]25[.]185:80 | botnet_cc | 2026-03-18 | 100% |
| ip:port | 71[.]131[.]51[.]37:443 | botnet_cc | 2026-03-18 | 100% |
| ip:port | 62[.]113[.]41[.]93:7443 | botnet_cc | 2026-03-18 | 100% |
| ip:port | 102[.]117[.]171[.]207:7443 | botnet_cc | 2026-03-18 | 100% |
| url | hxxps://oiliver.gr/merry | payload_delivery | 2026-03-18 | 50% |
| sha256_hash | 17661A7D0C3DECA24B2EF18F48D61326FADFBF0069D045B5D51F294526280C53 | payload | 2026-03-18 | 100% |
| sha256_hash | A0C4488B50FDD493A8652F2B5A89B7AFAF0F7EA09021719D257AEEB0ED53E1E2 | payload | 2026-03-18 | 100% |
| sha256_hash | A53B7CC73481DC89A9876638490CE86C3ECE09D9F6454B037831AAD1326C5F07 | payload | 2026-03-18 | 100% |
| url | hxxps://bestwirelessus.com/wp-includes/pomo/System.ps1 | payload_delivery | 2026-03-18 | 100% |
| url | hxxps://bestwirelessus.com/wp-includes/pomo/Service.ps1 | payload_delivery | 2026-03-18 | 100% |
| url | hxxps://bestwirelessus.com/wp-includes/pomo/Woba.exe | payload_delivery | 2026-03-18 | 100% |
| url | hxxps://bestwirelessus.com/wp-includes/pomo/Eritrea.exe | payload_delivery | 2026-03-18 | 100% |
| url | hxxps://bestwirelessus.com/wp-includes/pomo/Omise.exe | payload_delivery | 2026-03-18 | 100% |
| domain | bestwirelessus.com | payload_delivery | 2026-03-18 | 100% |
| url | hxxps://secureportal777.com/ltluegalgveghzmpfp | payload_delivery | 2026-03-18 | 100% |
| url | hxxps://secureportal777.com/vrtevpfvohxeyyonwy | payload_delivery | 2026-03-18 | 100% |
| domain | secureportal777.com | payload_delivery | 2026-03-18 | 100% |
| url | hxxps://step-secure.bibusdarken.workers.dev/api/css.js | payload_delivery | 2026-03-18 | 100% |
| domain | step-secure.bibusdarken.workers.dev | payload_delivery | 2026-03-18 | 100% |
| url | hxxps://init-static.seccheckclod.workers.dev/api/css.js | payload_delivery | 2026-03-18 | 100% |
| domain | init-static.seccheckclod.workers.dev | payload_delivery | 2026-03-18 | 100% |
| domain | airdrop.paradex-sale.lat | payload_delivery | 2026-03-18 | 100% |
| domain | waronusdt1.world | payload_delivery | 2026-03-18 | 100% |
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Unknown malware
let malicious_ips = dynamic(["92.113.25.185", "62.113.41.93", "71.131.51.37", "102.117.171.207", "18.118.91.208", "86.54.42.175"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["92.113.25.185", "62.113.41.93", "71.131.51.37", "102.117.171.207", "18.118.91.208", "86.54.42.175"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown malware
let malicious_domains = dynamic(["bestwirelessus.com", "secureportal777.com", "step-secure.bibusdarken.workers.dev", "init-static.seccheckclod.workers.dev", "airdrop.paradex-sale.lat", "waronusdt1.world", "lucialabs.lol", "gotestcoin.digital", "housecoin.run", "elizaos16z.lol", "kimchicoin.live", "elizaos.run"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc// Hunt for access to known malicious URLs
// Source: ThreatFox - Unknown malware
let malicious_urls = dynamic(["https://oiliver.gr/merry", "https://bestwirelessus.com/wp-includes/pomo/System.ps1", "https://bestwirelessus.com/wp-includes/pomo/Service.ps1", "https://bestwirelessus.com/wp-includes/pomo/Woba.exe", "https://bestwirelessus.com/wp-includes/pomo/Eritrea.exe", "https://bestwirelessus.com/wp-includes/pomo/Omise.exe", "https://secureportal777.com/ltluegalgveghzmpfp", "https://secureportal777.com/vrtevpfvohxeyyonwy", "https://step-secure.bibusdarken.workers.dev/api/css.js", "https://init-static.seccheckclod.workers.dev/api/css.js"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc// Hunt for files matching known malicious hashes
// Source: ThreatFox - Unknown malware
let malicious_hashes = dynamic(["17661A7D0C3DECA24B2EF18F48D61326FADFBF0069D045B5D51F294526280C53", "A0C4488B50FDD493A8652F2B5A89B7AFAF0F7EA09021719D257AEEB0ED53E1E2", "A53B7CC73481DC89A9876638490CE86C3ECE09D9F6454B037831AAD1326C5F07"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DeviceFileEvents | Ensure this data connector is enabled |
DeviceNetworkEvents | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
UrlClickEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that accesses known malicious-looking files or directories as part of routine system maintenance.
Filter/Exclusion: Exclude file paths containing C:\Windows\Tasks\ or C:\Windows\System32\ and filter by process names like schtasks.exe or taskhost.exe.
Scenario: Admin Tool Execution
Description: An administrator uses a legitimate tool like PowerShell or WMIC to query system information, which may trigger IOCs due to command-line arguments or file access patterns.
Filter/Exclusion: Exclude processes with powershell.exe or wmic.exe and filter by command-line arguments containing -Command or -Query.
Scenario: Log Collection and Analysis Job
Description: A security tool like ELK Stack or Splunk runs a scheduled job to collect and analyze logs, which may involve reading from or writing to temporary directories.
Filter/Exclusion: Exclude file paths containing C:\ProgramData\ or C:\Users\Public\ and filter by process names like splunkd.exe or logstash.exe.
Scenario: Software Update or Patch Deployment
Description: A patch management tool like Microsoft Endpoint Manager or WSUS temporarily stores or executes update files, which may match known malicious IOCs.
Filter/Exclusion: Exclude file paths containing C:\Windows\SoftwareDistribution\ or C:\Windows\Temp\ and filter by process names like msiexec.exe or setup.exe.
Scenario: Database Backup or Restore Operation
Description: A database backup tool like SQL Server Backup Utility or MySQLDump may access or generate files that resemble malicious IOCs during backup