The ThreatFox: Unknown malware IOCs rule covers indicators that ThreatFox has classified as malicious but has not yet attributed to a named malware family. The botnet_cc entries are reported command-and-control endpoints (address and port), and the payload_delivery entries are domains and URLs reported to serve a malicious payload. Because attribution is unknown, a hit cannot be triaged from the family name alone: SOC teams should hunt for these IOCs in Microsoft Sentinel (formerly Azure Sentinel) and treat each match as a pivot point for investigating the source host rather than as a confirmed infection.
IOC Summary
Malware Family: Unknown malware (unattributed)
Total IOCs: 21
IOC Types: domain (10), ip:port (7), url (4)
Threat Types: payload_delivery (14), botnet_cc (7)
First Seen: 2026-06-01 (all entries)
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| domain | shssshdscn.beer | payload_delivery | 2026-06-01 | 100% |
| domain | testesclaus.beer | payload_delivery | 2026-06-01 | 100% |
| domain | smfcdnbb.beer | payload_delivery | 2026-06-01 | 100% |
| domain | snccdn-framework.beer | payload_delivery | 2026-06-01 | 100% |
| domain | nstdcs.beer | payload_delivery | 2026-06-01 | 100% |
| domain | bigcupcoffee.monster | payload_delivery | 2026-06-01 | 100% |
| domain | coffeeincup.monster | payload_delivery | 2026-06-01 | 100% |
| domain | coffeecincup.monster | payload_delivery | 2026-06-01 | 100% |
| domain | miujiang.monster | payload_delivery | 2026-06-01 | 100% |
| domain | amalgama.lat | payload_delivery | 2026-06-01 | 100% |
| url | hxxps://gauseva.life/ear/ | payload_delivery | 2026-06-01 | 75% |
| ip:port | 43[.]155[.]33[.]85:8888 | botnet_cc | 2026-06-01 | 100% |
| ip:port | 154[.]201[.]72[.]41:8888 | botnet_cc | 2026-06-01 | 100% |
| ip:port | 39[.]100[.]79[.]118:60000 | botnet_cc | 2026-06-01 | 100% |
| url | hxxps://performanceadvisorygroup.com/ | payload_delivery | 2026-06-01 | 90% |
| ip:port | 39[.]100[.]79[.]118:80 | botnet_cc | 2026-06-01 | 100% |
| ip:port | 39[.]100[.]79[.]118:8080 | botnet_cc | 2026-06-01 | 100% |
| ip:port | 47[.]120[.]61[.]155:8888 | botnet_cc | 2026-06-01 | 100% |
| url | hxxps://proaslegal.com/ | payload_delivery | 2026-06-01 | 90% |
| ip:port | 39[.]100[.]79[.]118:443 | botnet_cc | 2026-06-01 | 100% |
| url | hxxps://moll.lanjut.in/ | payload_delivery | 2026-06-01 | 90% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Unknown malware
let malicious_ips = dynamic(["154.201.72.41", "47.120.61.155", "43.155.33.85", "39.100.79.118"]);
// Ports reported with the ip:port IOCs; used to rank hits, not to filter them out
let c2_ports = dynamic([80, 443, 8080, 8888, 60000]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| extend MatchesReportedPort = DestinationPort in (c2_ports)
| project TimeGenerated, DeviceVendor, SourceIP, DestinationIP, DestinationPort, DestinationHostName, MatchesReportedPort, DeviceAction, Activity
| order by MatchesReportedPort desc, TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Unknown malware
let malicious_ips = dynamic(["154.201.72.41", "47.120.61.155", "43.155.33.85", "39.100.79.118"]);
let c2_ports = dynamic([80, 443, 8080, 8888, 60000]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| extend MatchesReportedPort = RemotePort in (c2_ports)
// RemoteUrl and the initiating process tell a browser visit apart from a beaconing implant
| project Timestamp, DeviceName, RemoteIP, RemotePort, RemoteUrl, MatchesReportedPort, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType
| order by MatchesReportedPort desc, Timestamp desc
```
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown malware
// The hosts of the URL IOCs are included so a lookup of the site is caught even when the click itself is not logged
let malicious_domains = dynamic(["shssshdscn.beer", "testesclaus.beer", "smfcdnbb.beer", "snccdn-framework.beer", "nstdcs.beer", "bigcupcoffee.monster", "coffeeincup.monster", "coffeecincup.monster", "miujiang.monster", "amalgama.lat", "gauseva.life", "performanceadvisorygroup.com", "proaslegal.com", "moll.lanjut.in"]);
DnsEvents
// has_any is a term match, so subdomains such as www.shssshdscn.beer also hit
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
```kql
// Hunt for access to known malicious URLs
// Source: ThreatFox - Unknown malware
// UrlClickEvents only records Safe Links clicks (email, Teams, Office); for browser traffic check
// RequestURL in CommonSecurityLog (proxy) and RemoteUrl in DeviceNetworkEvents as well
let malicious_urls = dynamic(["https://gauseva.life/ear/", "https://performanceadvisorygroup.com/", "https://proaslegal.com/", "https://moll.lanjut.in/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough, ThreatTypes
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Firewall and proxy logs in CEF; populated by the Common Event Format (CEF) via AMA connector. Both SourceIP and DestinationIP are checked so inbound connections from the C2 addresses are caught too. |
| DeviceNetworkEvents | Defender for Endpoint network telemetry; populated by the Microsoft Defender XDR connector. Covers onboarded devices only. |
| DnsEvents | Legacy DNS Analytics table fed by the Log Analytics agent. Deployments using the Windows DNS Events via AMA connector write to ASimDnsActivityLogs instead, so change the table name there (or query through the _Im_Dns ASIM parser). |
| UrlClickEvents | Safe Links click data from Defender for Office 365, via the Microsoft Defender XDR connector. Covers links in email, Teams and Office apps, not general web browsing. |
Scenario: Scheduled System Maintenance Task
Description: A scheduled task or software updater contacts an external download server whose IP address is also listed as an IOC. This is most plausible on 80, 443 or 8080 for 39[.]100[.]79[.]118, where shared or re-used hosting can put unrelated traffic behind the same address; the IP hunts match on address alone, so it surfaces as a botnet_cc hit.
Filter/Exclusion: Confirm the destination hostname (RemoteUrl in DeviceNetworkEvents, DestinationHostName or RequestURL in CommonSecurityLog) and the initiating process before excluding. Exclude on the combination of InitiatingProcessFileName and destination host, never on the IP alone, and keep hits on 8888 and 60000 in scope.
Scenario: Admin or Analyst Verifying an Indicator
Description: An administrator or analyst resolves a listed domain with nslookup, fetches a listed URL with curl or a browser, or submits it to an online scanner from a jump host. DnsEvents and DeviceNetworkEvents record this exactly like victim traffic.
Filter/Exclusion: Exclude the designated investigation hosts by Computer or DeviceName (a named set of hosts, not a whole subnet), or keep them in scope and tag the rows so they can be separated at triage.
Scenario: Log Collection and Analysis Tool
Description: A SIEM or log collector such as Splunk or ELK Stack forwards alerts or enrichment data that contain the IOC strings in free-text fields, for example Message or AdditionalExtensions in CommonSecurityLog. A hunt that runs has_any over those fields instead of the IP and hostname columns matches the text of the alert rather than a connection.
Filter/Exclusion: Match only on structured columns (SourceIP, DestinationIP, Name, RemoteIP, Url) as the queries above do, and exclude the collector's own host from the DNS and network hunts.
Scenario: Security Sandboxes and URL Scanners
Description: Detonation sandboxes, URL reputation scanners and email security appliances open payload_delivery URLs and resolve the domains as part of normal scanning, producing DNS lookups and outbound connections that land in DnsEvents and DeviceNetworkEvents.
Filter/Exclusion: Exclude the sandbox and scanner hosts by DeviceName, Computer or SourceIP; anything from a user workstation stays in scope.
Scenario: Internal Threat Intelligence Sharing
Description: A security team circulates this IOC list by email, ticket or a platform such as ThreatConnect or Mandiant Threat Intelligence. Link previews and analyst clicks on refanged URLs generate UrlClickEvents rows, and the platform's own enrichment resolves the domains.
Filter/Exclusion: Exclude the threat intelligence platform's hosts and the security team's accounts from UrlClickEvents, and share indicators defanged (hxxp, [.]) so they are not clickable.
Scenario: Compromised Legitimate Website
Description: The 90%-confidence URL IOCs point at the root of ordinary-looking business domains (performanceadvisorygroup.com, proaslegal.com). Root URLs of that kind are often legitimate sites that were compromised to host a payload, and the feed does not say which path or file was malicious, so a single visit to the front page may be routine browsing.
Filter/Exclusion: Do not exclude the URL. Require corroboration before escalating, such as a file download or new process on the host shortly after the visit, or a subsequent connection to one of the botnet_cc IP:port pairs.
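The following Python script is an added example and is not code from the original page, from ThreatFox or from Microsoft Sentinel. It ties the hunting queries above to the false-positive scenarios: it refangs the defanged values from the IOC table (a subset is embedded), keeps the port ThreatFox reported with each botnet_cc address instead of discarding it, emits the KQL let lists the queries start with, and replays the matching logic over sample events with an exclusion keyed on the source host. The sandbox and TI-platform host names, the workstation names and every event are constructed for the example.

```python
"""Offline model of the ThreatFox 'Unknown malware' hunts on this page.

Added example, not code from the original page, ThreatFox or Microsoft
Sentinel: refangs the defanged indicators, keeps the port reported with
each botnet_cc IP, emits the KQL let lists, and replays the hunt logic
over constructed events with a host-based exclusion for security tooling.
"""
from __future__ import annotations

import json
import re
from urllib.parse import urlsplit

# Subset of the page's IOC table: (type, defanged value, threat type).
THREATFOX_IOCS = [
    ("domain", "shssshdscn.beer", "payload_delivery"),
    ("domain", "amalgama.lat", "payload_delivery"),
    ("url", "hxxps://gauseva.life/ear/", "payload_delivery"),
    ("url", "hxxps://proaslegal.com/", "payload_delivery"),
    ("ip:port", "43[.]155[.]33[.]85:8888", "botnet_cc"),
    ("ip:port", "39[.]100[.]79[.]118:60000", "botnet_cc"),
    ("ip:port", "39[.]100[.]79[.]118:80", "botnet_cc"),
    ("ip:port", "39[.]100[.]79[.]118:8080", "botnet_cc"),
    ("ip:port", "39[.]100[.]79[.]118:443", "botnet_cc"),
]

# Constructed: hosts whose job is to resolve/fetch IOCs (sandbox, TI platform).
SECURITY_TOOLING_HOSTS = {"soc-sandbox-01", "tip-misp-01"}


def refang(value: str) -> str:
    """Undo the defanging conventions used in the IOC table (hxxp, [.], [:])."""
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")


def build_ioc_set(rows):
    """Group refanged IOCs by type; ip:port rows become ip -> {reported ports}."""
    ip_ports: dict[str, set[int]] = {}
    domains: set[str] = set()
    urls: set[str] = set()
    for ioc_type, raw, _threat in rows:
        value = refang(raw)
        if ioc_type == "ip:port":
            ip, port = value.rsplit(":", 1)
            ip_ports.setdefault(ip, set()).add(int(port))
        elif ioc_type == "domain":
            domains.add(value.lower())
        elif ioc_type == "url":
            urls.add(value)
            domains.add(urlsplit(value).hostname.lower())  # URL host is also a DNS IOC
    return {"ip_ports": ip_ports, "domains": domains, "urls": urls}


def domain_matches(name: str, domains: set[str]) -> bool:
    """Exact or subdomain match; 'notshssshdscn.beer' must not match."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def to_kql_lets(iocs) -> str:
    """Emit the let statements the Sentinel hunts start with."""
    ips = sorted(iocs["ip_ports"])
    ports = sorted({p for ps in iocs["ip_ports"].values() for p in ps})
    return "\n".join([
        f"let malicious_ips = dynamic({json.dumps(ips)});",
        f"let c2_ports = dynamic({json.dumps(ports)});",
        f"let malicious_domains = dynamic({json.dumps(sorted(iocs['domains']))});",
        f"let malicious_urls = dynamic({json.dumps(sorted(iocs['urls']))});",
    ])


def hunt(events, iocs, excluded_hosts=frozenset()):
    """Replay the hunts over event dicts; returns (host, reason, on_reported_port)."""
    hits = []
    for ev in events:
        host = ev.get("host", "").lower()
        if host in excluded_hosts:  # exclude by source host only, never by the IOC
            continue
        ip = ev.get("dst_ip")
        if ip in iocs["ip_ports"]:
            hits.append((host, f"ip:{ip}", ev.get("dst_port") in iocs["ip_ports"][ip]))
        if ev.get("dns_query") and domain_matches(ev["dns_query"], iocs["domains"]):
            hits.append((host, f"dns:{ev['dns_query']}", True))
        if ev.get("url") in iocs["urls"]:
            hits.append((host, f"url:{ev['url']}", True))
    return hits


# Constructed events standing in for CommonSecurityLog, DnsEvents,
# DeviceNetworkEvents and UrlClickEvents rows.
SAMPLE_EVENTS = [
    {"host": "WS-0142", "dst_ip": "43.155.33.85", "dst_port": 8888},
    {"host": "WS-0142", "dst_ip": "39.100.79.118", "dst_port": 22},
    {"host": "WS-0201", "dns_query": "www.shssshdscn.beer."},
    {"host": "WS-0201", "dns_query": "notshssshdscn.beer"},
    {"host": "SOC-SANDBOX-01", "dns_query": "proaslegal.com"},
    {"host": "WS-0317", "url": "https://proaslegal.com/"},
]

if __name__ == "__main__":
    iocs = build_ioc_set(THREATFOX_IOCS)
    print(to_kql_lets(iocs))
    for hit in hunt(SAMPLE_EVENTS, iocs, SECURITY_TOOLING_HOSTS):
        print(hit)
```

Run it directly to print the let statements and the hits. The port flag separates a connection to 8888 or 60000 from a hit on 22 or 443 against the same address, which is the ranking the scheduled-task scenario asks for, and the exclusion deliberately keys on the source host so the indicator itself is never suppressed.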