The "ThreatFox: Unknown Stealer IOCs" rule detects potential reconnaissance and data-exfiltration activity associated with an as-yet-unnamed stealer malware family by matching the ThreatFox indicators listed below (payload-delivery URLs and domains, plus payload file hashes) against DNS, URL-click and file telemetry. SOC teams should run these hunts proactively in Azure Sentinel to surface early-stage compromises that signature-based controls may miss.
IOC Summary

Malware Family: Unknown Stealer
Total IOCs: 10
IOC Types: domain, sha1_hash, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://sites.google.com/view/clau-ver-un-v25 | payload_delivery | 2026-05-25 | 75% |
| url | hxxps://sites.google.com/view/deutchbremac | payload_delivery | 2026-05-25 | 100% |
| url | hxxp://premierrentalpurchase.com/curl/5b7250991558c1089d217b180d9418df77886996c22f8f319d7f640895e03381 | payload_delivery | 2026-05-25 | 100% |
| url | hxxps://brezxcchec.com/ | payload_delivery | 2026-05-25 | 100% |
| domain | premierrentalpurchase.com | payload_delivery | 2026-05-25 | 100% |
| domain | brezxcchec.com | payload_delivery | 2026-05-25 | 100% |
| url | hxxps://sites.google.com/view/clau-ver-un-24 | payload_delivery | 2026-05-25 | 100% |
| url | hxxps://fairpoint29.com/ | payload_delivery | 2026-05-25 | 100% |
| sha1_hash | 81deb32cde378e3886a7bfb6e0b9dff6dc34a5d0 | payload | 2026-05-25 | 100% |
| sha1_hash | f250b75677d5e944e5ab5fbba5e04b08f3ba9354 | payload | 2026-05-25 | 100% |
```kql
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Unknown Stealer
let malicious_domains = dynamic(["premierrentalpurchase.com", "brezxcchec.com"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```

```kql
// Hunt for access to known malicious URLs (defanged hxxp values restored to http/https)
// Source: ThreatFox - Unknown Stealer
let malicious_urls = dynamic(["https://sites.google.com/view/clau-ver-un-v25", "https://sites.google.com/view/deutchbremac", "http://premierrentalpurchase.com/curl/5b7250991558c1089d217b180d9418df77886996c22f8f319d7f640895e03381", "https://brezxcchec.com/", "https://sites.google.com/view/clau-ver-un-24", "https://fairpoint29.com/"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```

```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - Unknown Stealer
// ThreatFox supplied SHA-1 hashes for this family, so compare only the SHA1 column;
// a 40-character SHA-1 can never match the SHA256 or MD5 columns.
let malicious_hashes = dynamic(["81deb32cde378e3886a7bfb6e0b9dff6dc34a5d0", "f250b75677d5e944e5ab5fbba5e04b08f3ba9354"]);
DeviceFileEvents
| where SHA1 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA1, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
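The queries above are hand-built from the IOC table; the following added helper (not part of the ThreatFox page or its tooling) shows how to generate those `let` lists from ThreatFox-style records: refanging `hxxp` URLs, normalising domain case, dropping indicators below a confidence threshold, and routing each hash to the DeviceFileEvents column of its own algorithm. The record field names and the sample list are constructed assumptions that mirror the table on this page.

```python
import json
import re

# Constructed sample records in ThreatFox export style (field names are an
# assumption); the values mirror the IOC table above, with URLs still defanged.
SAMPLE_IOCS = [
    {"ioc_type": "url", "ioc_value": "hxxps://sites.google.com/view/clau-ver-un-v25", "confidence_level": 75},
    {"ioc_type": "url", "ioc_value": "hxxps://brezxcchec.com/", "confidence_level": 100},
    {"ioc_type": "domain", "ioc_value": "premierrentalpurchase.com", "confidence_level": 100},
    {"ioc_type": "domain", "ioc_value": "BREZXCCHEC.COM", "confidence_level": 100},
    {"ioc_type": "sha1_hash", "ioc_value": "81deb32cde378e3886a7bfb6e0b9dff6dc34a5d0", "confidence_level": 100},
    {"ioc_type": "sha1_hash", "ioc_value": "f250b75677d5e944e5ab5fbba5e04b08f3ba9354", "confidence_level": 100},
]
# Hex length identifies the algorithm and therefore the DeviceFileEvents column.
HASH_COLUMNS = {32: "MD5", 40: "SHA1", 64: "SHA256"}

def refang(url):
    """Turn a defanged hxxp(s):// scheme back into http(s):// so it can match telemetry."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)

def bucket_iocs(records, min_confidence=0):
    """Group IOCs by the KQL column they should be compared against."""
    buckets = {"domain": [], "url": [], "MD5": [], "SHA1": [], "SHA256": []}
    for rec in records:
        if rec.get("confidence_level", 0) < min_confidence:
            continue  # keep low-confidence indicators out of production hunts
        kind, value = rec["ioc_type"], rec["ioc_value"].strip()
        if kind == "domain":
            buckets["domain"].append(value.lower())
        elif kind == "url":
            buckets["url"].append(refang(value))
        elif kind.endswith("_hash"):
            value = value.lower()
            if len(value) not in HASH_COLUMNS or not re.fullmatch(r"[0-9a-f]+", value):
                raise ValueError(f"unrecognised hash format: {value}")
            buckets[HASH_COLUMNS[len(value)]].append(value)
    return buckets

def kql_let(name, values):
    """Render a KQL `let` holding a dynamic array (a JSON list is valid KQL here)."""
    return f"let {name} = dynamic({json.dumps(values)});"

def hash_query(buckets):
    """Build the file-hash hunt so each hash is compared only with its own column."""
    cols = [c for c in ("MD5", "SHA1", "SHA256") if buckets[c]]
    lets = "\n".join(kql_let(f"malicious_{c.lower()}", buckets[c]) for c in cols)
    where = " or ".join(f"{c} in (malicious_{c.lower()})" for c in cols)
    project = "Timestamp, DeviceName, FileName, FolderPath, " + ", ".join(cols)
    return f"{lets}\nDeviceFileEvents\n| where {where}\n| project {project}, InitiatingProcessFileName"
```

Running `hash_query(bucket_iocs(SAMPLE_IOCS, min_confidence=100))` yields a SHA1-only query, and the 75%-confidence sites.google.com URL is dropped before it can generate noisy hits.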
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
- Scenario: Legitimate Scheduled Job for System Monitoring
  - Description: A scheduled task runs a script that downloads a known benign tool (e.g., Sysinternals Process Explorer) from a trusted source.
  - Filter/Exclusion: Exclude downloads from https://download.sysinternals.com or any URL containing sysinternals.com.

- Scenario: Admin Performing System Integrity Check with Microsoft Baseline Security Analyzer (MBSA)
  - Description: An administrator uses MBSA to scan for system vulnerabilities, which may involve downloading known security tools.
  - Filter/Exclusion: Exclude traffic to https://www.microsoft.com/en-us/download/details.aspx?id=5402 or any URL containing microsoft.com/security.

- Scenario: Deployment of a Known Security Tool via PowerShell
  - Description: A security tool such as osquery is deployed using PowerShell, which may trigger IOC detection due to script execution.
  - Filter/Exclusion: Exclude PowerShell scripts that reference osquery.org or https://osquery.org/downloads.

- Scenario: User-Initiated Download of a Legitimate Software Update
  - Description: A user downloads a legitimate software update (e.g., Adobe Acrobat Reader) from the official website.
  - Filter/Exclusion: Exclude downloads from https://ardownload.adobe.com or any URL containing adobe.com.

- Scenario: Use of a Legitimate Log Management Tool with External API
  - Description: A log management tool such as Splunk or the ELK Stack connects to an external API for data aggregation, which may match known IOC patterns.
  - Filter/Exclusion: Exclude connections to api.splunk.com or any URL containing splunk.com or elasticsearch.com.