The ThreatFox: Amadey IOCs rule detects potential adversary activity linked to the Amadey malware, which is associated with advanced persistent threats and data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise and prevent data loss.
IOC Summary

Malware Family: Amadey
Total IOCs: 3
IOC Types: sha256_hash, md5_hash, sha1_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| sha1_hash | 1d3a5e780488095d6174bcdc49ee16c0ea802a6a | payload | 2026-06-13 | 95% |
| md5_hash | 347187dc7824a887b8f6a3272b3baf12 | payload | 2026-06-13 | 95% |
| sha256_hash | 49999f257686cfba6fe9504ff99a7776f998e3ba4887d28d2957f040ac346306 | payload | 2026-06-13 | 95% |
```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - Amadey
// Note: the KQL `in` operator is case-sensitive. DeviceFileEvents stores hashes as lower-case hex,
// which matches the IOC values below; use `in~` if the comparison must be case-insensitive.
let malicious_hashes = dynamic(["1d3a5e780488095d6174bcdc49ee16c0ea802a6a", "347187dc7824a887b8f6a3272b3baf12", "49999f257686cfba6fe9504ff99a7776f998e3ba4887d28d2957f040ac346306"]);
DeviceFileEvents
// Each column is checked against the full list; a SHA1 value can only ever match the SHA1 IOC, and so on
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
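The same hash-matching hunt can be reproduced offline, for example when the IOC list is applied to exported telemetry or to a host that is not onboarded to Sentinel. The following Python example is added here and is not part of the ThreatFox entry or of any Sentinel content: it loads the three hashes from the table above, validates each value against the length and character set its type demands (so a truncated or mistyped IOC is rejected instead of silently never matching), and compares them against file events whose column names mirror the DeviceFileEvents fields used in the KQL query. The sample events are constructed, not real telemetry; one of them carries the SHA256 IOC in upper case to show why hash comparison should normalize case.

```python
import re

# IOC list from the ThreatFox Amadey entry above (hash values as on the page).
AMADEY_IOCS = [
    ("sha1_hash", "1d3a5e780488095d6174bcdc49ee16c0ea802a6a"),
    ("md5_hash", "347187dc7824a887b8f6a3272b3baf12"),
    ("sha256_hash", "49999f257686cfba6fe9504ff99a7776f998e3ba4887d28d2957f040ac346306"),
]

# Expected hex length per hash type; a value that does not fit is rejected rather than loaded.
HASH_LENGTHS = {"md5_hash": 32, "sha1_hash": 40, "sha256_hash": 64}
HEX_RE = re.compile(r"^[0-9a-f]+$")


def load_iocs(iocs):
    """Return {hash_type: set(lower-case hex)} after validating type, length and charset."""
    index = {t: set() for t in HASH_LENGTHS}
    for ioc_type, value in iocs:
        if ioc_type not in HASH_LENGTHS:
            raise ValueError(f"unsupported IOC type: {ioc_type}")
        v = value.strip().lower()
        if len(v) != HASH_LENGTHS[ioc_type] or not HEX_RE.match(v):
            raise ValueError(f"malformed {ioc_type}: {value!r}")
        index[ioc_type].add(v)
    return index


# Event column names mirror the DeviceFileEvents fields used in the KQL query above.
EVENT_TO_IOC_TYPE = {"MD5": "md5_hash", "SHA1": "sha1_hash", "SHA256": "sha256_hash"}


def hunt(events, index):
    """Return the events whose hash columns hit the IOC index, tagged with the matching column."""
    hits = []
    for ev in events:
        for column, ioc_type in EVENT_TO_IOC_TYPE.items():
            # Tolerate missing columns and upper-case hashes; IOCs were normalized to lower case.
            observed = (ev.get(column) or "").strip().lower()
            if observed and observed in index[ioc_type]:
                hits.append({**ev, "MatchedColumn": column})
                break  # one hit per event is enough; do not report the same file three times
    return hits


# Constructed sample telemetry (not real data): one SHA256 hit written in upper case, one benign file.
SAMPLE_EVENTS = [
    {"Timestamp": "2026-06-13T10:15:00Z", "DeviceName": "ws-0042", "FileName": "update.exe",
     "FolderPath": "C:\\Users\\Public\\update.exe",
     "SHA256": "49999F257686CFBA6FE9504FF99A7776F998E3BA4887D28D2957F040AC346306",
     "SHA1": None, "MD5": None, "InitiatingProcessFileName": "explorer.exe"},
    {"Timestamp": "2026-06-13T10:16:00Z", "DeviceName": "ws-0042", "FileName": "notes.txt",
     "FolderPath": "C:\\Users\\alice\\notes.txt",
     "SHA256": "0" * 64, "SHA1": "0" * 40, "MD5": "0" * 32,
     "InitiatingProcessFileName": "notepad.exe"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS, load_iocs(AMADEY_IOCS)):
        print(hit["Timestamp"], hit["DeviceName"], hit["FileName"], "matched on", hit["MatchedColumn"])
```

Keying the index by hash type means a SHA1 value is only ever compared with SHA1 IOCs, so adding many hashes of different lengths does not create accidental cross-type matches, and the validation step surfaces a bad IOC at load time rather than as a hunt that quietly returns nothing.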
Scenario: Legitimate scheduled backup job using rsync
Description: A scheduled backup job uses rsync to transfer files across the network, which may match the network IOC associated with Amadey.
Filter/Exclusion: Check for process.name = rsync and process.args containing --backup or --exclude patterns.
Scenario: System update via yum or apt
Description: A system update process using yum or apt may trigger the IOC related to package management tools, which could be falsely flagged.
Filter/Exclusion: Filter by process.name = yum or process.name = apt and check for command_line containing update or upgrade.
Scenario: Admin task using scp for file transfer
Description: An administrator uses scp to transfer files between servers, which may match the file transfer IOC associated with Amadey.
Filter/Exclusion: Filter by process.name = scp and check for command_line containing admin or backup in the destination path.
Scenario: Log collection using logrotate
Description: The logrotate utility is used to manage log files, which may trigger the IOC related to log handling tools.
Filter/Exclusion: Filter by process.name = logrotate and check for command_line containing rotate or compress.
Scenario: Legitimate use of tar for archiving
Description: A user or admin uses tar to archive files, which may match the IOC related to compression tools.
Filter/Exclusion: Filter by process.name = tar and check for command_line containing `