The ThreatFox "Unknown Stealer IOCs" rule matches network telemetry against command-and-control indicators attributed to an information stealer that has not yet been assigned a family name: a single hosting IP (port 80) and two HTTP endpoints on that host whose paths (/api/telemetry/event, /api/telemetry/file-chunk) suggest event beaconing and chunked file upload, consistent with reconnaissance and data exfiltration. Because all three indicators point at one host, a connection to the IP alone is worth investigating even when the port or URL path differs. SOC teams should hunt for this traffic in Microsoft Sentinel (formerly Azure Sentinel) and Microsoft Defender telemetry to identify and contain early-stage compromise before sensitive data leaves the environment.
IOC Summary

Malware Family: Unknown Stealer
Total IOCs: 3
IOC Types: ip:port, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 136[.]243[.]152[.]105:80 | botnet_cc | 2026-06-03 | 75% |
| url | hxxp://136[.]243[.]152[.]105/api/telemetry/file-chunk | botnet_cc | 2026-06-03 | 100% |
| url | hxxp://136[.]243[.]152[.]105/api/telemetry/event | botnet_cc | 2026-06-03 | 100% |
Hunting Queries

Each query below stands alone (the `let` statements are repeated deliberately so a query can be pasted into Sentinel or the Defender advanced hunting portal on its own). The IOC values are refanged here; the table above shows them defanged.

```kusto
// Hunt for firewall/proxy connections to or from the known malicious IP
// Source: ThreatFox - Unknown Stealer
// The ip:port IOC is 136.243.152.105:80, but the IP is matched on any port:
// a stealer that moves to another port on the same host should still surface.
let malicious_ips = dynamic(["136.243.152.105"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, DestinationIP, DestinationPort, RequestURL, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Unknown Stealer
// InitiatingProcessFileName and InitiatingProcessCommandLine identify the
// binary that opened the connection, which is the first pivot for triage.
let malicious_ips = dynamic(["136.243.152.105"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, ActionType
| order by Timestamp desc
```

```kusto
// Hunt for user clicks on the known malicious URLs
// Source: ThreatFox - Unknown Stealer
// Caveat: UrlClickEvents only records Safe Links clicks in mail and Teams
// (Defender for Office 365). Beaconing by an already-running stealer does not
// appear here; for that, match RemoteUrl in DeviceNetworkEvents or RequestURL
// in CommonSecurityLog against the same list.
let malicious_urls = dynamic(["http://136.243.152.105/api/telemetry/file-chunk", "http://136.243.152.105/api/telemetry/event"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
Required Data Sources

| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF (Common Event Format) connector; requires firewall or proxy appliances forwarding CEF through the agent |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR connector with Defender for Endpoint device network events enabled |
| UrlClickEvents | Populated by the Microsoft Defender XDR connector; requires Defender for Office 365 Safe Links and records user clicks only |
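The hunting queries above assume the analyst has already refanged the IOCs from the table and knows why the IP is matched on any port while the URLs are matched exactly. The Python below is an added example, not part of the ThreatFox feed or the Sentinel queries, that makes those steps explicit offline: it refangs the three indicators, renders the same `let ... = dynamic([...])` lists the queries use, and runs the matching logic over a few constructed CEF lines shaped like CommonSecurityLog rows. The vendor names, internal IPs and the `Acme` product strings in the sample lines are invented for the example.

```python
"""Offline IOC matching for the Unknown Stealer indicators above.

Added example, not part of the ThreatFox feed or the Sentinel queries on this
page. It refangs the defanged table values, splits the ip:port entry, renders
the KQL `let` lists the hunts use, and matches constructed CommonSecurityLog-
style CEF lines against them.
"""
import re
from dataclasses import dataclass

# Defanged indicators copied from the IOC table above.
RAW_IOCS = [
    ("ip:port", "136[.]243[.]152[.]105:80"),
    ("url", "hxxp://136[.]243[.]152[.]105/api/telemetry/file-chunk"),
    ("url", "hxxp://136[.]243[.]152[.]105/api/telemetry/event"),
]

# Constructed sample rows (not real telemetry). CEF: seven pipe-separated header
# fields, then space-separated key=value extensions as CommonSecurityLog ingests.
SAMPLE_CEF_LINES = [
    "CEF:0|Acme|Proxy|1.0|100|Web request|3|src=10.0.0.7 dst=136.243.152.105 dpt=80 "
    "request=http://136.243.152.105/api/telemetry/event act=allow",
    "CEF:0|Acme|Firewall|1.0|200|Connection|3|src=10.0.0.9 dst=136.243.152.105 dpt=443 act=allow",
    "CEF:0|Acme|Proxy|1.0|100|Web request|3|src=10.0.0.7 dst=93.184.216.34 dpt=80 "
    "request=http://93.184.216.34/api/telemetry/event act=allow",
    "CEF:0|Acme|Firewall|1.0|200|Connection|3|src=10.0.0.12 dst=136.243.152.105 dpt=80 act=deny",
]


def refang(value: str) -> str:
    """Undo the defanging used in the table: [.] -> . and hxxp -> http."""
    value = value.replace("[.]", ".").replace("[:]", ":")
    if value.startswith("hxxp"):
        value = "http" + value[4:]
    return value


@dataclass(frozen=True)
class IocSet:
    ips: frozenset        # bare IPs, matched regardless of port
    ip_ports: frozenset   # (ip, port) tuples, the higher-fidelity match
    urls: frozenset       # full URLs, matched exactly


def build_ioc_set(raw):
    """Group refanged IOCs by type. A C2 URL's host also becomes a bare-IP IOC."""
    ips, ip_ports, urls = set(), set(), set()
    for kind, value in raw:
        v = refang(value)
        if kind == "ip:port":
            ip, port = v.rsplit(":", 1)
            ips.add(ip)
            ip_ports.add((ip, int(port)))
        elif kind == "url":
            urls.add(v)
            ips.add(re.match(r"https?://([^/:]+)", v).group(1))
    return IocSet(frozenset(ips), frozenset(ip_ports), frozenset(urls))


def kql_let(name, values):
    """Render the `let <name> = dynamic([...]);` line used by the hunts above."""
    items = ", ".join(f'"{v}"' for v in sorted(values))
    return f"let {name} = dynamic([{items}]);"


CEF_EXT = re.compile(r"(\w+)=(\S+)")


def parse_cef(line):
    """Return the CEF extension fields as a dict (sample values contain no spaces)."""
    parts = line.split("|", 7)
    return dict(CEF_EXT.findall(parts[7])) if len(parts) == 8 else {}


def match_line(line, iocs):
    """Return (match_type, value) hits for one line, strongest indicator first."""
    f = parse_cef(line)
    hits = []
    if f.get("request") in iocs.urls:
        hits.append(("url", f["request"]))
    dst, dpt = f.get("dst"), f.get("dpt")
    if dst and dpt and (dst, int(dpt)) in iocs.ip_ports:
        hits.append(("ip:port", f"{dst}:{dpt}"))
    else:
        # Fall back to the bare IP, as the Sentinel queries do: the stealer may
        # talk to the same host on another port, so this is a lower-confidence hit.
        for ip in (dst, f.get("src")):
            if ip in iocs.ips:
                hits.append(("ip", ip))
                break
    return hits


def hunt(lines, iocs):
    """Run match_line over every line; one list of hits per input line."""
    return [match_line(line, iocs) for line in lines]


if __name__ == "__main__":
    iocs = build_ioc_set(RAW_IOCS)
    print(kql_let("malicious_ips", iocs.ips))
    print(kql_let("malicious_urls", iocs.urls))
    for line, hits in zip(SAMPLE_CEF_LINES, hunt(SAMPLE_CEF_LINES, iocs)):
        print(hits or "no match", "<-", line.split("|", 7)[7])
```

The third sample line shows why the URLs are matched in full rather than on path: `/api/telemetry/event` on an unrelated host is not a hit, because a generic path like that would produce noise, whereas the same host on port 443 (second line) still surfaces as a lower-confidence IP hit.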
False Positive Tuning

The exclusions below are command-line based and apply to the process-creation hunts (for example over DeviceProcessEvents) that typically accompany a stealer investigation. They do not apply to the IP and URL matches above: a connection to the ThreatFox indicators has no benign explanation and should be investigated on every hit.

- Scenario: Legitimate scheduled job using psutil for system monitoring
  Filter/Exclusion: Exclude processes whose full path is under /usr/bin/ or /opt/ and whose command line includes psutil or system_monitor.
- Scenario: Admin task using netsh to configure network settings
  Filter/Exclusion: Exclude netsh processes whose parent is explorer.exe or services.exe and whose command line includes interface or ipsec.
- Scenario: Regular use of curl for internal API calls
  Filter/Exclusion: Exclude processes whose command line includes --request GET and whose URL starts with https://internal-api or http://localhost.
- Scenario: Deployment of a legitimate tool like Ansible for configuration management
  Filter/Exclusion: Exclude processes whose command line includes ansible-playbook with a playbook path inside a known internal directory such as /opt/ansible/playbooks/.
- Scenario: Use of PowerShell for routine system diagnostics
  Filter/Exclusion: Exclude powershell.exe processes whose command line includes Get-EventLog, Get-Service, or Get-Process and nothing else.