The ThreatFox: Amadey IOCs rule detects potential adversary activity linked to the Amadey malware, which is associated with advanced persistent threats and data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises before significant data loss occurs.
IOC Summary

Malware Family: Amadey
Total IOCs: 2
IOC Types: ip:port, url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 89[.]124[.]78[.]101:80 | botnet_cc | 2026-06-05 | 50% |
| url | hxxp://89[.]124[.]78[.]101/Lsge63sd3/index.php | botnet_cc | 2026-06-05 | 100% |
The three hunting queries below are independent; run each on its own, since each declares its own `malicious_ips` or `malicious_urls` list and KQL rejects a duplicate `let` within a single query.

```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Amadey
let malicious_ips = dynamic(["89.124.78.101"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Amadey
let malicious_ips = dynamic(["89.124.78.101"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - Amadey
let malicious_urls = dynamic(["http://89.124.78.101/Lsge63sd3/index.php"]);
UrlClickEvents
| where Url has_any (malicious_urls)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
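As an added example that is not part of the ThreatFox rule page, the following Python turns the defanged IOC table above into the `let` arrays the hunting queries use and checks a few endpoint events against them. The two IOC values are copied from the table; the event rows and device names (`ws01` to `ws03`) are constructed, with column names mirroring DeviceNetworkEvents. It also shows the two matching decisions the queries make implicitly: the IP is matched regardless of port, and a URL IOC hosted on a bare IP contributes that IP to the network-level hunt.

```python
"""Convert the rule's defanged ThreatFox IOCs into KQL parameters and test events against them.

Added example for this page; not part of the ThreatFox rule. IOC values are the
two from the page's table, sample events are constructed.
"""
import json
import re
from urllib.parse import urlsplit

# The two IOC rows exactly as the page shows them (type, defanged value).
PAGE_IOCS = [
    ("ip:port", "89[.]124[.]78[.]101:80"),
    ("url", "hxxp://89[.]124[.]78[.]101/Lsge63sd3/index.php"),
]


def refang(value: str) -> str:
    """Undo common defanging: [.] / (.) for dots, [:] for colons, hxxp(s) for http(s)."""
    value = value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)


def split_iocs(rows):
    """Return sorted (ips, ports, urls) ready for KQL.

    ip:port indicators are split so the IP can be matched on its own, as the page's
    queries do (the port is kept for tuning); a URL hosted on a bare IP also
    contributes that IP so the network-level hunt covers it.
    """
    ips, ports, urls = set(), set(), set()
    for ioc_type, raw in rows:
        value = refang(raw)
        if ioc_type == "ip:port":
            host, _, port = value.rpartition(":")
            ips.add(host)
            ports.add(int(port))
        elif ioc_type == "url":
            urls.add(value)
            host = urlsplit(value).hostname
            if host and re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
                ips.add(host)
    return sorted(ips), sorted(ports), sorted(urls)


def kql_let(name: str, values) -> str:
    """Render a KQL `let` with a dynamic array; json.dumps yields a valid JSON literal for dynamic()."""
    return f"let {name} = dynamic({json.dumps(list(values))});"


# Constructed rows shaped like DeviceNetworkEvents (device names are made up).
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "RemoteIP": "89.124.78.101", "RemotePort": 80,
     "RemoteUrl": "http://89.124.78.101/Lsge63sd3/index.php"},
    {"DeviceName": "ws02", "RemoteIP": "10.0.0.5", "RemotePort": 443,
     "RemoteUrl": "https://intranet.example/"},
    {"DeviceName": "ws03", "RemoteIP": "89.124.78.101", "RemotePort": 8080, "RemoteUrl": ""},
]


def match_events(events, ips, urls):
    """Flag events touching an IOC; returns (DeviceName, reasons) per hit.

    IP matches ignore the port on purpose, mirroring the page's queries: the same
    host answering on another port is still the same indicator. URL matches are
    case-insensitive on the whole string.
    """
    url_set = {u.lower() for u in urls}
    hits = []
    for ev in events:
        reasons = []
        if ev.get("RemoteIP") in ips:
            reasons.append("ip")
        if ev.get("RemoteUrl", "").lower() in url_set:
            reasons.append("url")
        if reasons:
            hits.append((ev["DeviceName"], reasons))
    return hits


if __name__ == "__main__":
    ips, ports, urls = split_iocs(PAGE_IOCS)
    print(kql_let("malicious_ips", ips))
    print(kql_let("malicious_urls", urls))
    for device, reasons in match_events(SAMPLE_EVENTS, ips, urls):
        print(f"{device}: matched on {', '.join(reasons)}")
```

Running it prints the two `let` lines that can be pasted into the queries above; `ws03` is reported on IP alone because the port differs from the indicator's, which is exactly the kind of hit the 50% confidence on the ip:port row tells you to triage rather than auto-block.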
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled; this table is populated by Defender for Office 365 Safe Links click data, so it only covers URLs clicked from mail and collaboration content, not general endpoint browsing |
Scenario: Legitimate scheduled job using Amadey-related tools
Description: A system administrator schedules a job using amadey as part of a legitimate script or tool for system diagnostics.
Filter/Exclusion: Exclude processes where the command line includes amadey and the process is associated with a known system maintenance or diagnostic tool (e.g., systemd, crontab, or task scheduler).

Scenario: Admin task involving Amadey for network analysis
Description: A network security team uses Amadey as part of a network traffic analysis tool to monitor internal traffic.
Filter/Exclusion: Exclude processes where the user is a network admin and the command line includes amadey with a known network analysis tool (e.g., Wireshark, tcpdump, or nmap).

Scenario: False positive from a third-party software update
Description: A software update from a third-party vendor includes a file named amadey.exe as part of a legitimate update package.
Filter/Exclusion: Exclude processes where the file path includes a known software update directory (e.g., C:\Program Files\Vendor\Updates\) or where the process is initiated by a known update manager (e.g., Windows Update, Chocolatey, or Scoop).

Scenario: Legitimate use of Amadey in a development environment
Description: A developer uses Amadey as part of a development toolchain for testing or debugging.
Filter/Exclusion: Exclude processes where the user is a developer and the command line includes amadey with a known development tool (e.g., Visual Studio, Docker, or Kubernetes).

Scenario: False positive from a system log parsing tool